Solutions for a security issue

Discussions about Coding and Scripting
nogardilaref
Masterful
Posts: 577
Joined: Tue Jun 20, 2017 1:00 pm
Personal rank: ⚋⚊⚌☰⚞⌖⚟☰⚌⚊⚋

Re: Solutions for a security issue

Post by nogardilaref » Tue Dec 12, 2017 8:53 pm

Aldebaran wrote:Perhaps it is possible to code an external program that helps admins to easily check new files (.unr/.u) if there exists commands like StatLogFinal or other potentially dangerous commands in them. So admins know where they should have a closer look into before adding them to the server.
Yeah, an external program to check minimally what you install in your own server might be something to consider.
It wouldn't be as trivial as you think, but definitely possible.

However, this might protect a server which a honest admin wants to run, and by extent this makes it safe for players to join in.
The bigger problem however is when either the admin doesn't give a damn or is clueless or actually wants to fuck players up when they join his/her server, since then players have almost no way to prevent anything from their side, other than perhaps launching the game from a launcher instead and have such run in background afterwards (while the game is running) and check the local files and cache itself, which might just work out quite well, hmmm...

Aldebaran
Masterful
Posts: 672
Joined: Thu Jan 28, 2016 7:30 pm

Re: Solutions for a security issue

Post by Aldebaran » Tue Dec 12, 2017 10:18 pm

nogardilaref wrote:since then players have almost no way to prevent anything from their side
Yes, if the client cache can be checked with this tool too there will be perhaps the possibility to see afterwards what file causes the damage and the file can be saved. Also it would be wise if that tool exists for all operating systems that comes in question (Windows, Linux, Mac).

User avatar
PrinceOfFunky
Godlike
Posts: 1160
Joined: Mon Aug 31, 2015 10:31 pm

Re: Solutions for a security issue

Post by PrinceOfFunky » Tue Dec 12, 2017 11:31 pm

nogardilaref wrote:check the local files and cache itself
Unless they get deleted to leave no trace.
Aldebaran wrote:Perhaps it is possible to code an external program that helps admins to easily check new files (.unr/.u) if there exists commands like StatLogFinal or other potentially dangerous commands in them. So admins know where they should have a closer look into before adding them to the server.
What about the servertravel command which any admin can already use to run clients stuff, well at least it shouldn't be able to delete and write stuff yet.

So it would need to:
+ Check if these functions have been used(include MyLevel package):
|_ StatLogFile.BrowseRelativeLocation();
|_ PlayerPawn.ClientTravel()(and actually all the travel functions in LevelInfo, GameInfo, Teleporter etc);
|_ check the file manimulator functions in StatLogFile.uc;
+ Check the Teleporter URLs in a map;
"Your stuff is known to be buggy and unfinished/not properly tested"

nogardilaref
Masterful
Posts: 577
Joined: Tue Jun 20, 2017 1:00 pm
Personal rank: ⚋⚊⚌☰⚞⌖⚟☰⚌⚊⚋

Re: Solutions for a security issue

Post by nogardilaref » Wed Dec 13, 2017 1:31 am

Perhaps you misunderstood what I and Aldebaran meant: the idea here is actually to flag and prevent packages from being executed altogether if they're found to have within their package anything suspicious, such as the usage of the file class or the usage of one of those functions.

So, as long they are prevented from even running in the first place, it doesn't matter what the package could have done, it simply won't do anything at all to begin with.
It's a vaccine, not an antidote.

User avatar
sektor2111
Godlike
Posts: 5336
Joined: Sun May 09, 2010 6:15 pm
Location: On the roof.

Re: Solutions for a security issue

Post by sektor2111 » Wed Dec 13, 2017 9:59 pm

And we were speaking about honest developers before. I'm curious why do we need to share and speak about this bad content rather than doing something more productive.
But we can start to debate other evil stuff if exist a valid purpose of such a debate about making a mess with poor player.
After reading this thread for some a plenty of players are not gonna be interested in playing ON-LINE unless server is a well known one...

nogardilaref
Masterful
Posts: 577
Joined: Tue Jun 20, 2017 1:00 pm
Personal rank: ⚋⚊⚌☰⚞⌖⚟☰⚌⚊⚋

Re: Solutions for a security issue

Post by nogardilaref » Thu Dec 14, 2017 12:21 am

Yeah, players who read this will be more wary about which servers they join in, even me.
However, I can say that I have been working on "stuff" (let's call it that way for now), but given my free time and how much work it's going to take, I won't have anything to show for it in the next 6 months to another year, and that's if I don't suddenly start to change direction at some point (not in the current stage, but at a later stage of development).

So, speaking only for me here, but the only thing I can do here for now is to speak, or perhaps contribute more by not speaking at all (as I may have done so too much with even code itself, which I will refrain from doing so from now on to at least not help to speed these kinds of exploits up).
There's also a glimmer of hope if Higor keeps at it doing engine fixes and closing exploits himself, but then all we need is to figure out a way to properly spread it, and that might be partially where I may enter the scene later on to at least try to help with, provided that I manage to finish at all what I am currently working on.

Therefore, no worries, some of us might be doing something, although you might not see results from it yet for a long time. ;)