Just to explain this better, I am NOT accusing Mr Phobik of anything and I trust him.
Consider this post more of a PSA on what can be done remotely with this script, that ANY server, not just Mr Phobik's, can use.
-------------------------
As much as I like the idea, there is a reason why something similar wasn't done before (for example, in ACAS) since it simplifies the install process for client-side scripts a lot...
Looking at the .dso file, in a couple seconds, I was automatically able to "decompile" the file:
Code:
removed
Eval, for the less technical among us, executes ANY code. Eval is a function that should only be used very sparingly when there's no alternative, and it should be protected so that it cannot just run any code sent from the server.
Making it so that it can be executed remotely by ANY server is a pretty idea, especially without any kind of checks for trusted servers (even though they'd be quite easy to avoid).
Basically, ANY server you join after you install this script can execute ANY TorqueScript code on your ThinkTanks client.
This could be used to automatically install client-side scripts, of course.
This means that (from what I remember about TorqueScript):
- they are free to edit any file in the ThinkTanks folder (or even delete all files in it).
- they can easily grab your admin password for YOUR server and send it back to their server.
- they can upload any file it has access to back to the server or to an HTTP server.
- they can make connections through ThinkTanks to any server through your computer. This includes any computers or devices (i.e. routers) on your network.
- they can log your chat through ThinkTanks (including admin commands), your IP, IPs of servers you join, etc.
- they can send chat through you to any server, which could result in you getting banned for insults or whatever
- they could edit one of the .dll files on the main ThinkTanks folder, that would then execute when ThinkTanks is launched. This would allow the remote server to achieve real remote code execution without that much extra work, and basically do whatever he wanted with your computer.
All that said, as Mr Phobik himself stated, it should be impossible (it never is, but that's another subject entirely) to actually access anything on your own computer outside of the ThinkTanks directory.
Just so that everybody knows all the details before installing a script that allows ANY server a backdoor into your game and network.
tl;dr: If you install this script, avoid joining untrustworthy servers!
----------------------
On a slightly different topic, I must say, after looking at what exactly Mr Phobik's server is executing remotely, I actually found the way he used CCAFragment and CCAEval quite interesting.
I have a small question for him though: Why would your server need to close a player's game remotely? It's more a question out of curiosity than anything else since I don't play ThinkTanks anymore and I can't think of any legitimate uses for this:
Code:
function clientCmdcloseit() { quit(); }
My suggestion is to lock the execution of evals to your server (through Server Name and IP or domain) since it'd remove pretty much all possible complaints.
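
The lock suggested above, sketched as an added example that is not part of the original post or of the script it discusses. It is a Python model rather than TorqueScript, and it goes one step further than the suggestion by replacing eval with a fixed table of named actions. The address, port, command names and function names are all constructed for illustration.

```python
import ipaddress

# Constructed value: a documentation-range address standing in for the one
# server the player has decided to trust.
TRUSTED_SERVERS = {("203.0.113.10", 28000)}

# Fixed actions the client is willing to perform on request.
# None of them evaluates text received from the network.
def _set_hud(state, text):
    state["hud"] = str(text)[:80]  # cap the length, store as plain data

def _clear_hud(state, _arg):
    state.pop("hud", None)

ALLOWED_COMMANDS = {"hud": _set_hud, "clear_hud": _clear_hud}

def is_trusted(peer_ip, peer_port):
    """Check the connection's real remote address against the pinned set."""
    try:
        ip = str(ipaddress.ip_address(peer_ip))
    except ValueError:
        return False  # malformed address: treat as untrusted
    return (ip, peer_port) in TRUSTED_SERVERS

def handle_server_command(state, peer_ip, peer_port, advertised_name,
                          command, arg):
    """Return True if the command ran, False if it was dropped.

    advertised_name is accepted but deliberately ignored: the server
    chooses that string itself, so it cannot prove who the server is.
    """
    if not is_trusted(peer_ip, peer_port):
        return False
    handler = ALLOWED_COMMANDS.get(command)
    if handler is None:
        return False  # "eval", "quit", etc. have no handler, so nothing runs
    handler(state, arg)
    return True
```

Even the pinned server can only trigger the listed actions, so a compromised trusted server gains far less than it would through an open eval.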