Register
Events
Popular
More
Post #1
So I just realized that a leather mod is not sandboxed at all and can do pretty much anything the owning process controls, and since everything appears to be on windows with most GSPs, you are wide open to exploitation and data gathering, and even kernel exploits can be executed at ease at this point.
So pretty much my recommendation is to use a method of sandboxing for your server mods, or else you can pay the price.
Code:Loading mods... (Filename: C:/BuildAgent/work/d3d49558e4d408f4/artifacts/StandalonePlayerGenerated/UnityEngineDebug.cpp Line: 53) Attempting to scan Assembly: C:\TCAFiles\Users\xxxxxx\xxxxxx\rust_server_Data\mods\LeatherPoC_mod (Filename: C:/BuildAgent/work/d3d49558e4d408f4/artifacts/StandalonePlayerGenerated/UnityEngineDebug.cpp Line: 53) Non platform assembly: C:\TCAFiles\Users\xxxxxx\xxxxxx\rust_server_Data\mods\LeatherPoC_mod (this message is harmless) Located mod 'LOL HAX' with 1 MonoBehaviours to bootstrap. (Filename: C:/BuildAgent/work/d3d49558e4d408f4/artifacts/StandalonePlayerGenerated/UnityEngineDebug.cpp Line: 53) Finished scanning for mods. (Filename: C:/BuildAgent/work/d3d49558e4d408f4/artifacts/StandalonePlayerGenerated/UnityEngineDebug.cpp Line: 53) --- Dirs: --- C:\TCAFiles\Users\xxxxxx C:\TCAFiles\Users\xxxxxx C:\TCAFiles\Users\xxxxxx C:\TCAFiles\Users\xxxxxx C:\TCAFiles\Users\xxxxxx C:\TCAFiles\Users\xxxxxx C:\TCAFiles\Users\xxxxxx C:\TCAFiles\Users\xxxxxx --- Doneski --- --- User Accounts with RDP --- xxxxxx/Administrator xxxxxx/xxxxxx xxxxxx/xxxxxx xxxxxx/xxxxxx --- Doneski ---
-
-
well "LeatherPoC_mod" is not default Leather mod or atleast not mentioned in this forum., it's definetly some "virus" who hacks yours information.Try to remove LeatherPoC_mod
For now better install leather from here http://facepunch.com/showthread.php?t=1339912
By the way, can I get all rust_server_data folder? I may check about this one and tell you maybe here is something else too.
-
I wrote the mod as a proof of concept. What it means is that a malicious server owner can exploit the parent server it is hosted on.
-
Then you should email this to garry.Because everybody can edit leather source as they want to.
-
It was known from the first day. Thanks for proving!
-
Not a problem, I wonder how the server files keep leaking as well... Leather.
-
You could just download from some hosters. Unfortunately.
-
Aw.... But some users would love to test server too :| for example I want to learn how to make some plugins but I don't want to pay for hosting while I could launch local server on mine pc.Seems Zidonuke has those Leaked Files(Because he has spoke about it)
Or it really printed out all directories ?
So.. I think it's really bad thing, because they can do something for other servers too :|
-
I don't think we are staying on track of this topic, remember this topic is here to ensure GSPs and the General Public know that 'Leather' can be used to exploit GSPs and gain information that shouldn't be available to others.
-b3ck
-
If you're not already sandboxing your servers manually (i.e. running them under users who only have permissions for what they're supposed to be doing), you're not a very good GSP.
-
Neolith (Leather v2) coming out soon will have these security features. and ^
-
As the LeatherLoader guys use us for their testing server, I can assure you they are not the ones leaking server files. Also Leather just gives you the tools, you should always check if mod files are legitimate. This is nothing new.
-
most of the code comes bundled inside the client, i don't think they really care if server files get leaked at the moment. pretty easy to cut them off anyway.
-
Yes, we've been very straightforward about what Leather does- it runs arbitrary C# code with the same permissions as rust. GSPs are already aware, which is why many of them are examining which leather mods to permit individually, why ideal-hosting has chosen not to carry us for the moment, and why I've tried to open source everything I can. As mentioned, CoreCLR integration to provide better sandboxing is a planned feature for Leather.
THAT SAID, as HFB servers pointed out to me, anyone with access to my source, and whom has access to the mainData file via their GSP, can put together a non-sandboxing version and install it themselves, even once sandboxing is implemented. It's really not an easy thing to keep the server files secure, and servers should take lengths to make sure that their own sensitive data is protected from the games they run.
-
So is there any gsp with proper measures/security providing mod access then?
-
It depends what you consider an "exploit" I guess. If the idea of a hacker creating a Rust mod that downloads the server files really concerns you (the one thing a properly-configured GSP server is currently allowing leather mods to do), then FPSPlayers and HFBServers both have proper measures installed: users do not have the ability to upload arbitrary mods, and instead can choose from a list of approved mods to install from the cPanel.
If downloading server files doesn't bother you, then most GSPs have proper security measures in place. The OP was apparently running Rust in an environment where Rust_server.exe had administrator access or something, which is, well, bad IT practice.
EDIT: To put it another way, it's a good thing that the OP didn't list his GSP, as I'm sure there are several hackers reading this board who would like to know which GSP doesn't know how to configure their servers properly.
-
so basically, if you want to be extremely safe just disallow access to the rust_server_data folder and have a mod manager to install our mods for you (which are all open source)
or (which GSP's should be doing anyway) launching rust as a user with no permissions to any other directory except it's own, therefore nobody can exploit it even if they have their own dll's. well, other than downloading the rust server files.
-
To illustrate my point, here is a thread wherein a user does the exact same thing with Oxide: http://facepunch.com/showthread.php?t=1345525
-
Just so people know, Zidonuke is a scaremongerer and shit stirrer in just about every community where modding is possible. Also he's a furry who plays SecondLife.
Hopefully we all learn from this thread.
http://en.wikifur.com/wiki/Zidonuke
Some hilights:
-
Well, this is incredibly interesting. Will I be gaining access to my rust_server_data folder again on HFBServers or is that a thing of the past?
-
most likely not wich is why me/hubby are nolonger bothering with rust. i shoulden't have to wait on half assed GSP's to add crap.
-
The problem with GAPs only installing approved mods, is that I'm a developer and I want to make my own mods (which I have been doing) but I have absolutely no way to test these mods now without getting the content approved by my GSP. It is a super annoying process. I guess I just need to lease my services to oxide or rust++ or something, because trying to be an individual modder is working about as well as playing rust solo.
-
I think they're jammed up with the sheer amount of requests they have, but I know that BMRF gives enough permissions to do mod testing, so I'd try to rent from them.
-
3:29 *** Jackx quit (Ping timeout: 240 seconds)
13:30 *** IceFrog quit (Quit: http://www.mibbit.com ajax IRC Client)
13:39 *** Refreshmant quit ()
13:55 *** Ziegenpeter joined #ArtificialAiming
13:57 *** Ziegenpeter quit ()
14:00 *** Theocrat joined #ArtificialAiming
14:01 *** fuckthisname joined #ArtificialAiming
14:01 +++ Rizon has given halfop to fuckthisname
14:16 Zidonuke So I've noticed something about VAC, it doesn't seem to ban smart people
14:16 Zidonuke its such an odd effect!
-
Wow, reporting a possible exploit in the way GSPs handle permissions! Such a shit stirrer!
You forgot the rest of the quote:
No, he didn't make a malicious build, it was already in Minecraft vanilla. Here's some more quotes from the exact same page:
He's a guy who exploits bugs to get them fixed. Ethical? Questionably, but it's not as evil as you make it out to be (keep in mind he reported all the exploits he found). And who the hell cares if he's a furry or he plays Second Life? It seems you're trying to stir shit more than he is.
-
He could've approached GSPs about it in private, like we did when we found a gamebreaking exploit, but no. He decided first thing to leak files and post it openly. If that isn't malicious then I don't know what is.
Also being a furry who plays second life makes ALL the difference.
EDIT: Also it wasn't "fixed". Most GSPs simply closed everything down completely wrecking the modding scene because they had to scramble, instead of being given a way to actually fix it.
-
He did it to make it get fixed faster. Think, what's going to get fixed faster: an exploit that, as far as the GSP knows, only one person knows (but many more people might be exploiting it), or an exploit that everyone knows, and the GSP knows everyone knows? Sure, it might not be the most ethically sound (grey-hat), but garry doesn't care and it really didn't break anything.
It's not his fault that they didn't set their servers up right in the first place. Create a user only for running the server and chroot them to the server directory (or whatever the equivalent is on windows, though Rust has linux builds and they should really be using those). They can't touch anything but the server and any other files in that directory. If they bothered to set their servers up right in the first place, this would've been a non-issue.
No, it doesn't.
Edited:
If you're still at a point in your life where you judge people on what they like to do, you're not really at a point where you can judge what someone else does.
-
Sorry but never knew what a furry was OR second life for that matter lol :O So i google it ! I Find this http://www.youtube.com/watch?v=Tm8NNhA4ydg
-
What are your excuses for the logger he installed in F-List so he could jerk off to peoples private conversations? Or the fact he adminned everyone in a fit when caught?
-
What's your excuse for bringing unrelated furry drama shit onto Facepunch when the situation is already handled (this exploit is already known, according to Ideal-Hosting)? Stop being a concern troll.
-
It's not about fixing it faster, it caused a kneejerk reaction by most GSP's (they had no choice) ruining the modding community. Now we're at the point where BMRF is the only one providing enough access to developers to get anything done and we're completely full now. It has done NOTHING positive and NOTHING has been fixed.
This part is true, it's not his fault GSPs haven't been sandboxing properly.
I definitely can, and most certainly will judge him for his actions, and anyone is free to judge me on mine. Being a secondlife playing furry is most definitely a red flag in my book.
He asked me for a development server, I shot him down, his kind has no place in development communities, all he did was halt 90% of modding work being done when he had the chance to do it the proper way. All he has caused is grief. What he did was not constructive in any way, shape or form.
Edited:
If by handled you mean the modding scene mostly halted then yes.
-
So why blame him? Why is it his fault that this exploit existed in the first place? You could blame Leather (though I wouldn't), or blame the GSPs. It's good that he found an exploit - there's an entire subforum for posting exploits.
Red flag for what?
It's not constructive to get an exploit fixed?
You know that you can just download the server from everyone's favorite linux distro source, right?
-
Finding an exploit is good, this is not the way to release it, unless you think ruining the modding scene is good I guess.
If you don't get it, it probably means you're either a furry or play second life :^)
Tell me what's fixed. Because the exploit isn't that's for sure.
You know the rust server doesn't run on Linux right? Wait no you don't. Shows how much you know about rust hosting.
-
"I judge people entirely by their fetishes and am proudly bigoted. So much so I will wear it on my sleeve."
Of course, this is like 60% of golds.
GSPs weren't properly sandboxing the server and mods. Welcome to Alpha. Shit's gonna happen.
-
I don't play second life, and you're going to have to define what makes up a furry.
I didn't say it is fixed yet, but it's not going to get fixed if no one knows about it.
There are Linux builds, but that's not what I meant by 'everyone's favorite linux distro source'.
-
Good thing I'm not a gold member then. Then again I can see you're a furry by your name. Obviously you feel attacked :^)
These would be the proper steps to fixing an exploit.
1. Message GSP's that you found an exploit and that you will release it in 3 days.
2. Wait 3 days
3. Release it
This way you give them the chance to fix it, something that hasn't been done as they were forced to shut everything down instantly (besides us as we were already sandboxing).
Edited:
Telling EVERYONE without any chance to prepare for GSPs is not the right way.
As I said you obviously have no clue about rust hosting, I advise you stop speaking about issues you don't understand.
-
That's my title, not my name.
So instead of releasing the exploit, they should be threatened with the release of an exploit?
Just download the server yourself and run it. It's not hard.
You think that calling me a furry who plays second life is a good insult.
Edited:
And yes, there are linux builds.
-
Like someone named MULTIBEAR has any grounds for calling someone a furry.
I'd suggest Googling "responsible disclosure" before continuing that line of argument, I'm just gonna say.
-
Obviously it's not really a threat, but this is an alpha. You should expect bugs and exploits, and you should expect them to be publicly known. That's why there's an entire subforum for people to publicly post exploits.
-
Wasn't quoting you bud.
Yes, as it gives them time to respond. It's industry standard.
What?
No there aren't. The Linux build is non-functional, if you don't believe me read the SCREENSHOT DIRECTLY FROM AN EMAIL I RECEIVED FROM GARRY.
x 7
x 3
x 1
x 1
x 1
x 1
Zing x 1
