DAZZLE'S UPGRADE PACK

If you haven't already done so, upgrade your game by downloading Dazzle's all-in-one upgrade pack. It comes with everything you need for today's servers. Does your blue bar freeze when joining servers? Do you lag in games? Do you get an annoying siren in Phobik's Servers? This is what you need. CLICK HERE TO DOWNLOAD.

CLIENT RECEIVE SCRIPT - Required for Phobik's Servers

Army related threads only

Moderators: Moderator, Admin, Army Leaders

ArtCrazy
Veteran Member
Veteran Member
Posts: 290
Joined: Fri Dec 29, 2006 10:14 am

Re: Please install this script..

Post by ArtCrazy »

EDIT:
Just to explain this better, I am NOT accusing Mr Phobik of anything and I trust him.

Consider this post more of a PSA on what can be done remotely with this script, that ANY server, not just Mr Phobik's, can use.

-------------------------

As much as I like the idea, there is a reason why something similar wasn't done before (for example, in ACAS) since it simplifies the install process for client-side scripts a lot...

Looking at the .dso file, in a couple seconds, I was automatically able to "decompile" the file:

Code: Select all

removed
Anyone with a little knowledge of TorqueScript already has enough information to use this on their own server

Eval, for the less technical among us, executes ANY code. Eval is a function that should only be used very sparingly when there's no alternative, and it should be protected so that it can not just run any code sent from the server.

Making it so that it can be executed remotely by ANY server is a pretty idea, especially without any kind of checks for trusted servers (even though they'd be quite easy to avoid).

Basically, ANY server you join after you install this scripts can execute ANY TorqueScript code on your ThinkTanks client.

This could be used to automatically install client-side scripts, of course.

This means that (from what I remember about TorqueScript):
- they are free to edit any file on the ThinkTanks folder (or even delete all files on it).
- they can easily grab your admin password for YOUR server and send it back to their server.
- they can upload any file it has access to back to the server or to an HTTP server.
- they can make connections through ThinkTanks to any server through your computer. This includes any computers or devices (i.e. routers) on your network.
- they can log your chat through ThinkTanks (including admin commands), your IP, IPs of servers you join, etc
- send chat through you to any server, that could result on you getting banned for insults or whatever
- they could edit one of the .dll files on the main ThinkTanks folder, that would then execute when ThinkTanks is launched. This would allow the remote server to achieve real remote code execution without that much extra work, and basically do whatever he wanted with your computer.

All that said, as Mr Phobik himself stated, it should be impossible (it never is, but that's another subject entirely) to actually access anything on your own computer outside of the ThinkTanks directory.

Just so that everybody knows all the details before installing a script that allows ANY server a backdoor into your game and network.

tl;dr: If you install this script, avoid joining untrustworthy servers!

----------------------

On a slightly different topic, I must say, after looking at what exactly Mr Phobik's server is executing remotely, I actually found the way he used CCAFragment and CCAEval quite interesting.

I have a small question for him tough: Why would your server need to close a player's game remotely? It's more a question out of curiosity than anything else since I don't play ThinkTanks anymore and I can't think of any legitimate uses for this:

Code: Select all

function clientCmdcloseit() { quit(); }

My suggestions is to lock the execution of evals to your server (through Server Name and IP or domain) since it'd remove pretty much all possible complaints.
Last edited by Cloud on Thu Aug 01, 2013 10:15 am, edited 5 times in total.
Reason: removed source
User avatar
Cloud
Site Admin
Site Admin
Posts: 921
Joined: Thu Dec 28, 2006 7:38 pm
Location: Utah

Re: Please install this script..

Post by Cloud »

^ yeah...?

His script is there to help enhance the game. Sure this script gives access to some TT files, but why is that risky? This is Mr. Phobik we are talking about. You take risks all the time when you are online however Phobik has done nothing but help the community. He is willing to help anybody to make TT more enjoyable. So yes, you may be right, but in the end does it matter. If you are not willing to take that risk, then so be it.
//()*()*()*()*--[][][][]-^-^)(CLOUD)(^-^-[][][][]--()*()*()*()\\
ArtCrazy
Veteran Member
Veteran Member
Posts: 290
Joined: Fri Dec 29, 2006 10:14 am

Re: Please install this script..

Post by ArtCrazy »

I guess my post above needs some more explanation and I've edited it a bit. I wasn't accusing Mr Phobik of anything and I also trust him. I've worked on various projects with him in the past (oh, the good old days...).

I was interested on the technical side of how he set this up and noticed what could for some people be a problem, but I didn't see it mentioned anywhere:
Just so that everybody knows before installing a script that allows ANY server a backdoor into your game.
I'm not saying Mr Phobik will use it like these examples. The thing is, it won't be just his server that will have the ability to use the backdoor
I wanted to warn everybody of what can happen if you have that script installed and join an untrustworthy server. Nothing more. It's just a kind of PSA.

I could in 5 minutes write a script that would give me your admin password immediately once you joined my server with that script installed, and more harmful stuff could probably be done if I wanted to.

Now that I think about it, it should actually be possible, with my current knowledge, to edit one of the .dll files on your ThinkTanks folder and achieve real remote code execution (i.e. infect your computer) without much extra work. I could even build you a proof of concept for windows that shows a message if you don't believe me.

Notice that, at the end of the post, I suggested adding something to lock the script to his server through IP/domain, to solve the "any server can use it" problem once and for all!
User avatar
Cloud
Site Admin
Site Admin
Posts: 921
Joined: Thu Dec 28, 2006 7:38 pm
Location: Utah

Re: Please install this script..

Post by Cloud »

I wanted to warn everybody of what can happen if you have that script installed and join an untrustworthy server. Nothing more. It's just a kind of PSA.
a BIG if. Thankfully, this is not what is going on here. Thank you for the technical lesson AC as it may be useful for future downloading/installing, but obviously none of this is going on here. There are plenty of hackers out there that can get into your files with much less than what Phobik has provided. Again, you take a risk, but the output tends to be good if you know the source (ie trusted), such as this case as Phobik has done nothing but help the community. If you don't trust Phobik, then don't do it. He isn't an admin on this site for nothing.

But thanks AC. Phobik and I uses team viewer to help people with TT folder stuff all the time. People play in his server for a reason. Low ping, good maps, a nice CPU.

@ Everyone else. In simple terms, Phobik has enhanced your TT experience but can also make changes to the server without asking you to install anything else. AC just pointed out that there are risks installing such a file, but since it is from a trusted source, there won't be any problem and will only help.
//()*()*()*()*--[][][][]-^-^)(CLOUD)(^-^-[][][][]--()*()*()*()\\
ArtCrazy
Veteran Member
Veteran Member
Posts: 290
Joined: Fri Dec 29, 2006 10:14 am

Re: Please install this script..

Post by ArtCrazy »

Great, maybe you don't join servers randomly, only those from trustworthy players like Mr Phobik.

But maybe someone else does and didn't know they were taking a risk at all...

I agree it's a BIG if, but it's not as big as you think (you only need basic knowledge of .dlls and moderate knowledge of TorqueScript).

Still, I believe people should be informed what a script's capabilities are before installing. Also, they should be informed that it works on any server other than Mr Phobik's (you didn't seem to notice that was my single problem with it)

And this BIG if could be completely removed with some changes to lock the script to trusted servers, including Mr. Phobik's - some easier than others (from easiest to hardest: lock through Server Name+OS, lock through IP, lock through domain). That's all I'm suggesting.

If you don't want to go through the small trouble to at least lock it by Server Name and OS, then don't, I won't be using it anyway since I rarely play ThinkTanks (and when I do, it's at a LAN party)
User avatar
Downgrade
Need Major Repair
Need Major Repair
Posts: 1307
Joined: Thu Dec 28, 2006 9:40 pm

Re: Please install this script..

Post by Downgrade »

Since nobody answered my question, I'll ask again.
I installed the scrip and updated the master server config, but I still can't join any server. I keep getting "no servers found".
Anyone know what might be the problem?
The memories will never die.
Jerry
Need Major Repair
Need Major Repair
Posts: 716
Joined: Mon Mar 19, 2007 7:47 pm
Location: Independence, MO
Contact:

Re: Please install this script..

Post by Jerry »

This one doesn't affect the server list. I'm betting you may need to redo the master server install in your prefs file and delete the dso file after the change
Image

Good at everything!
Perfect at nothing!

as confused as a baby in a topless bar
ArtCrazy
Veteran Member
Veteran Member
Posts: 290
Joined: Fri Dec 29, 2006 10:14 am

Re: Please install this script..

Post by ArtCrazy »

I had some free time and attempted to build a proof of concept (since my study area includes computer security), to see if such a script was easily exploitable in order to achieve remote code execution.

I was able to do so in a couple hours hours, but it seems I didn't need Mr Phobik's script at all.

While attempting to do so, I stumbled upon a security hole that allows any server to achieve remote code execution once the user restarts the game.

That said, if the user has any kind of "Never Ending Download bar" installed and is somewhat computer literate, it's quite obvious what is happening since and there's more than enough time to disconnect before the exploit can be applied (it has to download a 10KB ".dll" file from the server).

Mr. Phobik's script is only "needed" in that it allows the server operator to mask that process so that it's basically undetectable until it's too late.

Note that this would be REAL remote code execution, as in, it's the same as if you ran an .exe file you downloaded from the internet, but all you have to do is join a malicious server and restart the game.

It currently only works on Windows, but I don't see why it wouldn't work elsewhere with some changes. This is something that CAN'T be fixed without the C++ source, or some skilled reverse-engineering (way beyond what I'm capable of).

In summary, avoid joining unknown servers even if you don't use this script! If you join a server and it starts downloading a ".dll" file, disconnect immediately.
Mr Phobik
Site Mechanic
Site Mechanic
Posts: 283
Joined: Wed Apr 30, 2008 2:35 pm
Location: Toronto, CANADA

Re: Please install this script..

Post by Mr Phobik »

Wow..

Hi AC..
I think a simple PM would have been fine - or even a post WITHOUT the source to the script, and stating all the POSSIBLE problems to get the paranoid folks even more paranoid.

Initially I had an IP check included with the script, but removed it as I move my server around a lot. I was planning on adding a domain check, but decided to do it later on.

I suppose out of all the problems you posted, the only real issue would be a .dll exploit - which I have no interest in. There is no such thing as an "untrusted" server on TT. As far as I know, none of the current players have any knowledge of programming - and I doubt a "hacker" would come to TT to have some fun. This game has been around for 10(?) years, and not once has there been any incident of hacking.

I'm only trying to improve the game as much as possible without the source. This script helps a lot, as players don't have to worry about installing anything.

The quit function is from some testing I was doing a while back, and it seems I forgot to remove it.
Image
User avatar
Downgrade
Need Major Repair
Need Major Repair
Posts: 1307
Joined: Thu Dec 28, 2006 9:40 pm

Re: Please install this script..

Post by Downgrade »

Jerry wrote:This one doesn't affect the server list. I'm betting you may need to redo the master server install in your prefs file and delete the dso file after the change
Alright, I got it to work. :D
The memories will never die.
Post Reply