Serious security vulnerability in WorldEdit GUI

rubenwardy
Moderator
 
Posts: 5545
Joined: Tue Jun 12, 2012 18:11
Location: United Kingdom
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy

Serious security vulnerability in WorldEdit GUI

by rubenwardy » Sun May 14, 2017 14:51

Server owners are advised to update their worldedit mods in order to patch a remote code execution vulnerability.


The Vulnerability


Before this patch, any player could run arbitrary Lua code. This allowed them to do anything a mod can do -
such as granting privs, changing settings, or shutting down the server.

If mod security is disabled, they would be able to run terminal commands and gain access to the user on the
server running Minetest.

This is due to the mod not correctly checking player privileges.


Affected Parties


This only affects you if your server is open to the public (even if unlisted), and has an unpatched version of worldedit_gui mod installed.


Solution


To fix, simply install the most recent version, or disable the mod.

You should also check for any out of place privileges, and run a scan on your server for rootkits and other malware.


To Others


Do not attempt to reproduce or use this on a server you do not own. Even with good intentions, it's still illegal to do so without permission, and may open you up to legal action.
Last edited by rubenwardy on Sun May 14, 2017 20:34, edited 3 times in total.
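The advisory's root cause is a GUI action that was registered and dispatched without ever consulting the player's privileges. The following is an added example written for this page, not WorldEdit's own code: a minimal registration-and-dispatch shape for a "Run Lua" button, first without any privilege check (the vulnerable pattern) and then with one. The `minetest` table, the `register_*`/`dispatch` names, the sample privilege database and the privilege set `{worldedit=true, server=true}` are all constructed here so the file runs under plain `lua`; on a real server the engine supplies `minetest.check_player_privs` and friends, and the exact privileges a `//lua` command demands are whatever the installed WorldEdit version registers.

```lua
-- Added example, not WorldEdit's code. The `minetest` table is a constructed
-- stub so this runs offline under Lua 5.1+; the engine provides the real one.
local minetest = {}
local privs_db = {                       -- constructed sample auth data
  admin  = { worldedit = true, server = true },
  player = { interact = true, shout = true },
}
function minetest.get_player_privs(name) return privs_db[name] or {} end
function minetest.check_player_privs(name, required)
  local have = minetest.get_player_privs(name)
  for priv in pairs(required) do
    if not have[priv] then return false, priv end
  end
  return true
end
function minetest.chat_send_player(name, msg)
  print(("[to %s] %s"):format(name, msg))
end

local gui_functions = {}

-- Vulnerable shape: no `privs` in the definition, so the dispatcher below
-- runs the action for whoever clicks the button.
local function register_unchecked(id, def)
  gui_functions[id] = def
end

-- Hardened shape: a `privs` table is mandatory at registration time, so an
-- action cannot be added without stating what it requires.
local function register_checked(id, def)
  assert(type(def.privs) == "table", id .. ": privs table is required")
  gui_functions[id] = def
end

-- Single choke point: refuse unless the player holds every listed privilege.
local function dispatch(id, player_name, fields)
  local def = gui_functions[id]
  if not def then return false, "unknown action" end
  if def.privs then
    local ok, missing = minetest.check_player_privs(player_name, def.privs)
    if not ok then
      minetest.chat_send_player(player_name, "Missing privilege: " .. missing)
      return false, "denied"
    end
  end
  return true, def.on_submit(player_name, fields)
end

-- The dangerous action: evaluates the submitted string as a Lua chunk, which
-- is exactly what the advisory describes (anything a mod can do).
local function run_lua(name, fields)
  local compile = loadstring or load            -- Lua 5.1 vs 5.2+
  local chunk, err = compile(fields.code)
  if not chunk then return "compile error: " .. tostring(err) end
  return tostring(chunk())
end

-- Before the fix: an ordinary player reaches run_lua.
register_unchecked("worldedit_gui_run_lua", { name = "Run Lua", on_submit = run_lua })
print(dispatch("worldedit_gui_run_lua", "player", { code = "return 6*7" }))

-- After the fix: same action, gated on an explicit privilege set (assumed
-- here; use whatever your WorldEdit version requires for //lua).
register_checked("worldedit_gui_run_lua", {
  name = "Run Lua",
  privs = { worldedit = true, server = true },
  on_submit = run_lua,
})
print(dispatch("worldedit_gui_run_lua", "player", { code = "return 6*7" }))
print(dispatch("worldedit_gui_run_lua", "admin",  { code = "return 6*7" }))
```

Run with `lua example.lua`: the first dispatch executes the chunk for an unprivileged player, the second is refused with a "Missing privilege" message, and the third runs for the admin. The point of the hardened shape is that the check lives in the one dispatcher every button passes through and that registration fails loudly when a definition omits `privs`, so a new action cannot silently fall open the way the original did. Separately from the mod fix, the advisory's remark about mod security is worth acting on: keeping `secure.enable_security = true` in minetest.conf and, if a particular mod genuinely needs it, listing that mod in `secure.trusted_mods` keeps a Lua-execution bug confined to the engine API instead of handing out shell access.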
 

IhrFussel
Member
 
Posts: 53
Joined: Tue Nov 22, 2016 12:54
GitHub: IhrFussel
IRC: IhrFussel
In-game: IhrFussel

Re: Serious vulnerability in WorldEdit: Server ops need to up

by IhrFussel » Sun May 14, 2017 15:26

Here is a command to recursively check which files have been last modified on a Linux system:

find [MOTHERPATH] -type f -exec stat --format '%Y :%y %n' "{}" \; | sort -nr | cut -d: -f2- | less

Disclaimer: The headers of your files could've been modified as well so it's not 100% accurate but should give you a quick overview.
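The file-modification listing above covers the "rootkits and other malware" half of the advisory's clean-up advice; the other half, checking for out-of-place privileges, can be done against the world's auth.txt. The following is an added example written for this page, not part of the thread or of WorldEdit. It assumes the pre-5.0 text format `name:password_hash:priv1,priv2[:last_login]`, treats `server`, `privs`, `password` and `ban` as the privileges worth flagging (a constructed list; adjust it to your server), and takes a list of accounts you expect to hold them. The sample lines are constructed; on a real server point `audit_file` at `<worldpath>/auth.txt`.

```lua
-- Added example, not WorldEdit's or Minetest's code. Flags accounts that
-- hold sensitive privileges but are not on the expected-admin list.
-- Assumed auth.txt line format: name:password_hash:priv1,priv2[:last_login]
local DANGEROUS = { server = true, privs = true, password = true, ban = true }

-- Split one auth.txt line into the account name and a set of privileges.
-- Returns nil for blank or malformed lines so they are skipped, not crashed on.
local function parse_line(line)
  local fields = {}
  for field in (line .. ":"):gmatch("([^:]*):") do
    fields[#fields + 1] = field
  end
  if #fields < 3 or fields[1] == "" then return nil end
  local privs = {}
  for p in fields[3]:gmatch("[^,]+") do privs[p] = true end
  return fields[1], privs
end

-- Return a sorted list of "name: priv,priv" strings for every account that
-- holds a flagged privilege and is not in `expected` (the admins you know).
local function audit(lines, expected, flag_set)
  flag_set = flag_set or DANGEROUS
  local findings = {}
  for _, line in ipairs(lines) do
    local name, privs = parse_line(line)
    if name and not expected[name] then
      local hits = {}
      for p in pairs(privs) do
        if flag_set[p] then hits[#hits + 1] = p end
      end
      if #hits > 0 then
        table.sort(hits)
        findings[#findings + 1] = name .. ": " .. table.concat(hits, ",")
      end
    end
  end
  table.sort(findings)
  return findings
end

-- Convenience wrapper for a real file, e.g. audit_file("worlds/x/auth.txt", {admin=true}).
local function audit_file(path, expected)
  local lines = {}
  for line in io.lines(path) do lines[#lines + 1] = line end
  return audit(lines, expected)
end

-- Constructed sample: "mallory" has quietly gained privs and server;
-- "bob" has fly, which is not in the flagged set and so is not reported.
local sample = {
  "admin:#1#hash#hash:interact,shout,privs,server,worldedit:1494770000",
  "alice:#1#hash#hash:interact,shout:1494770100",
  "mallory:#1#hash#hash:interact,shout,privs,server:1494770200",
  "bob:#1#hash#hash:interact,shout,fly",
  "",
}
for _, finding in ipairs(audit(sample, { admin = true })) do
  print("SUSPICIOUS", finding)
end
```

Because the `privs` privilege lets a holder grant anything else, an attacker who ran Lua once may have granted it to a throwaway account rather than leaving a trace on their own; treating every unexpected holder of `privs` or `server` as suspect, not just the obviously odd names, is what the `expected` allow-list is for. Revoke with `/revoke <name> <priv>` in-game or edit auth.txt with the server stopped.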
 

Hybrid Dog
Member
 
Posts: 2684
Joined: Thu Nov 01, 2012 12:46

Re: Serious vulnerability in WorldEdit: Server ops need to up

by Hybrid Dog » Sun May 14, 2017 19:29

Please remove the /lua chatcommand from WE: WE requires disabled mod security to save its schematics, so it's not possible to have /lua with enabled security. (correct me if I'm wrong)
There's a specific mod adding the lua chatcommand anyway. It's also more elaborate/convenient because it adds "me" as a reference to the player who ran the command.

IhrFussel, proper servers have their own user with its own home directory. And Dirty COW was fixed.

 

CraigyDavi
Member
 
Posts: 582
Joined: Sat Aug 10, 2013 13:08
Location: Hampshire, UK
GitHub: davisonio
IRC: davisonio
In-game: CraigyDavi

Re: Serious vulnerability in WorldEdit: Server ops need to up

by CraigyDavi » Sun May 14, 2017 20:53

Hybrid Dog wrote:Please remove the /lua chatcommand from WE: WE requires disabled mod security to save its schematics, so it's not possible to have /lua with enabled security. (correct me if I'm wrong)
There's a specific mod adding the lua chatcommand anyway. It's also more elaborate/convenient because it adds "me" as a reference to the player who ran the command.

IhrFussel, proper servers have their own user with its own home directory. And Dirty COW was fixed.


I agree; I have no idea how this feature relates to the worldedit_gui mod. I say move it into a separate mod and tab in sfinv. Shall be called "lua_ingame/sandbox/whatever".
 


Wuzzy
Member
 
Posts: 3243
Joined: Mon Sep 24, 2012 15:01
GitHub: Wuzzy2
IRC: Wuzzy
In-game: Wuzzy

Re: Serious security vulnerability in WorldEdit GUI

by Wuzzy » Tue May 16, 2017 08:06

-   name = "Run Lua",
+   name = "Run Lua", privs = minetest.chatcommands["/clearobjects"].privs,
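Review bot: the added `privs` on the "Run Lua" entry borrows its privilege table from `minetest.chatcommands["/clearobjects"]`, so the bar for running arbitrary Lua becomes whatever clearing objects requires, and a reader of this line cannot see what that is. Running Lua is the more dangerous of the two operations (the thread's own description is "anything a mod can do"), and the thread also notes that a dedicated `/lua` chat command already exists for it; reuse that command's requirement, e.g. `privs = minetest.chatcommands["/lua"].privs` if WorldEdit registers its Lua runner under that key, or write the table out explicitly, so the requirement is visible here and does not drift if the clearobjects privileges are ever relaxed. Note also that if the referenced command is not registered when this table is built, the index is `nil` and registration raises at load time, which fails closed rather than open and is the right direction, but deserves a comment so the next maintainer does not "fix" it by dropping the field.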

Ahahahahaha! Are you fucking serious? OMG.

The mod which adds the “/lua” command is called “luacmd”:
http://wiki.minetest.net/Mods/LuaCmd

I agree, the “/lua” command (and related commands) has no place in WorldEdit or WorldEdit GUI.

rubenwardy wrote:If mod security is disabled, they would be able to run terminal commands and gain access to the user on the
server running Minetest.

It's a shame that mod security is still broken enough so it is disabled most of the time.
My creations. I gladly take any bitcoins you have lying around: 17fsUywHxeMHKG41UFfu34F1rAxZcrVoqH
 

Linuxdirk
Member
 
Posts: 1659
Joined: Wed Sep 17, 2014 11:21
Location: Germany
In-game: Linuxdirk

Re: Serious security vulnerability in WorldEdit GUI

by Linuxdirk » Tue May 16, 2017 08:32

Wuzzy wrote:I agree, the “/lua” command (and related commands) has no place in WorldEdit or WorldEdit GUI.

QFE.
 

Wuzzy
Member
 
Posts: 3243
Joined: Mon Sep 24, 2012 15:01
GitHub: Wuzzy2
IRC: Wuzzy
In-game: Wuzzy

Re: Serious security vulnerability in WorldEdit GUI

by Wuzzy » Fri May 19, 2017 18:16

Is the mod from this thread affected as well?:

viewtopic.php?t=3112

The mod above seems to be old as worldedit_gui seems to be part of the official WorldEdit modpack.

If this is the case, I strongly recommend to move this thread into Old Mods.
 

rubenwardy
Moderator
 
Posts: 5545
Joined: Tue Jun 12, 2012 18:11
Location: United Kingdom
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy

Re: Serious security vulnerability in WorldEdit GUI

by rubenwardy » Fri May 19, 2017 18:20

Wuzzy wrote:Is the mod from this thread affected as well?:

viewtopic.php?t=3112

The mod above seems to be old as worldedit_gui seems to be part of the official WorldEdit modpack.

If this is the case, I strongly recommend to move this thread into Old Mods.


No, it has no lua function.
 

