Serious security vulnerability in WorldEdit GUI


by rubenwardy » Post

Server owners are advised to update their worldedit mods in order to patch a remote code execution vulnerability.

The Vulnerability

Before this patch, any player could run arbitrary Lua code. This allowed them to do anything a mod can do -
such as granting privs, changing settings, or shutting down the server.

If mod security is disabled, they would be able to run terminal commands and gain access to the user on the
server running Minetest.

This is due to the mod not correctly checking player privileges.

Affected Parties

This only affects you if your server is open to the public (even if unlisted), and has an unpatched version of worldedit_gui mod installed.

Solution

To fix, simply install the most recent version, or disable the mod.

You should also check for any out of place privileges, and run a scan on your server for rootkits and other malware.

To Others

Do not attempt to reproduce or use this on a server you do not own. Even with good intentions, it's still illegal to do so without permission, and may open you up to legal action.
Last edited by rubenwardy on Sun May 14, 2017 20:34, edited 3 times in total.
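As an added example, not code from the post above or from WorldEdit itself: the "Run Lua" action the advisory describes, first in the unchecked form that any player could trigger and then gated on an explicit privilege check. The form field name `code`, the choice of the `server` privilege as the gate, and the constructed `minetest` stand-in table (so the file also runs under plain `lua` outside the engine, where the real API provides these functions) are all assumptions.

```lua
-- Added example (not WorldEdit's code): the "Run Lua" action with and without
-- the privilege check whose absence the advisory describes.
-- The fake `minetest` table is a constructed stand-in so this file runs under a
-- plain `lua` interpreter; inside the engine the real API supplies these calls.
minetest = minetest or {
    -- constructed sample player database: name -> set of privileges
    _privs = {
        admin   = { server = true, worldedit = true, interact = true },
        builder = { worldedit = true, interact = true },
        guest   = { interact = true },
    },
    -- mirrors the engine's minetest.check_player_privs(name, required):
    -- returns has_all, list_of_missing_privs
    check_player_privs = function(name, required)
        local have = minetest._privs[name] or {}
        local missing = {}
        for priv in pairs(required) do
            if not have[priv] then missing[#missing + 1] = priv end
        end
        return #missing == 0, missing
    end,
    log = function(level, msg) print("[" .. level .. "] " .. msg) end,
}

-- Shared helper: compile and run untrusted code, returning ok, result_or_error.
local function execute_lua(code)
    local chunk, err = (loadstring or load)(code)
    if not chunk then
        return false, "compile error: " .. tostring(err)
    end
    return pcall(chunk)
end

-- Vulnerable pattern: whoever submits the form gets arbitrary code execution,
-- with all the power of a mod (grant privs, change settings, shut down).
local function run_lua_unchecked(player_name, fields)
    return execute_lua(fields.code or "")
end

-- Hardened pattern: refuse unless the player holds the gating privilege
-- (assumed here to be "server"), and log every attempt so an operator can
-- spot probing in the server log.
local function run_lua_checked(player_name, fields)
    local ok, missing = minetest.check_player_privs(player_name, { server = true })
    if not ok then
        minetest.log("warning", player_name .. " tried to run Lua without: "
            .. table.concat(missing, ", "))
        return false, "Missing privileges: " .. table.concat(missing, ", ")
    end
    minetest.log("action", player_name .. " ran Lua: " .. (fields.code or ""))
    return execute_lua(fields.code or "")
end

-- Demonstration with a constructed form submission from a "builder" who holds
-- only the worldedit privilege, then from an "admin" who holds server.
local payload = { code = "return 6 * 7" }
print(run_lua_unchecked("builder", payload))
print(run_lua_checked("builder", payload))
print(run_lua_checked("admin", payload))
```

In a real mod the checked function would be what the formspec handler (or a `register_chatcommand` entry with `privs = {server = true}`) calls; the point is that the privilege requirement is stated next to the code that executes Lua, not inherited from some other command.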


Re: Serious vulnerability in WorldEdit: Server ops need to up

by IhrFussel » Post

Here is a command to recursively check which files have been last modified on a Linux system:

find [MOTHERPATH] -type f -exec stat --format '%Y :%y %n' "{}" \; | sort -nr | cut -d: -f2- | less

Disclaimer: The headers of your files could've been modified as well so it's not 100% accurate but should give you a quick overview.
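A second added example, written for this thread rather than taken from any post in it, covering the advisory's other piece of advice, to check for out of place privileges: a Lua script that reads the pre-5.0 `auth.txt` format (one line per player, `name:password_hash:priv,priv,...`, any further colon-separated fields ignored) and lists players holding privileges that give control over the server or other accounts. The sample file content is constructed, and the set of privileges treated as dangerous is an assumption an operator should adjust to their own setup.

```lua
-- Added example (not from any post here): audit a Minetest auth.txt for
-- players holding privileges that let them escalate or run code.
-- Format (pre-5.0 text auth backend): name:password_hash:priv1,priv2,...
-- Further fields after the privs (if present) are ignored by the parser.

-- Assumption: these privileges are the ones worth a second look after an
-- arbitrary-code-execution bug. Adjust to taste.
local DANGEROUS = {
    server = true, privs = true, password = true, ban = true, basic_privs = true,
}

-- Constructed sample auth.txt content; the hashes are placeholders.
local sample_auth = [[
admin:#1#xxx:interact,shout,server,privs,password,ban,worldedit
builder:#1#yyy:interact,shout,worldedit
guest:#1#zzz:interact,shout
backdoor:#1#www:interact,shout,server,privs
]]

-- Parse one auth.txt line into name and a set of privileges; nil if malformed.
local function parse_auth_line(line)
    local name, privs = line:match("^([^:]+):[^:]*:([^:]*)")
    if not name then return nil end
    local set = {}
    for priv in privs:gmatch("[^,]+") do set[priv] = true end
    return name, set
end

-- Return a list of { name = ..., privs = { ... } } for every player holding a
-- dangerous privilege, skipping accounts the operator already expects to.
local function find_suspicious(auth_text, expected_admins)
    local hits = {}
    for line in auth_text:gmatch("[^\n]+") do
        local name, set = parse_auth_line(line)
        if name and not expected_admins[name] then
            local found = {}
            for priv in pairs(set) do
                if DANGEROUS[priv] then found[#found + 1] = priv end
            end
            if #found > 0 then
                table.sort(found)
                hits[#hits + 1] = { name = name, privs = found }
            end
        end
    end
    return hits
end

-- Usage: replace sample_auth with io.open("worlds/<world>/auth.txt"):read("*a")
-- and list the accounts that are supposed to be admins.
for _, hit in ipairs(find_suspicious(sample_auth, { admin = true })) do
    print(hit.name .. ": " .. table.concat(hit.privs, ", "))
end
```

Anything this prints that the operator did not grant deliberately is a sign the server was used, and the advisory's next step (a malware scan of the host) applies.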


Re: Serious vulnerability in WorldEdit: Server ops need to up

by Hybrid Dog » Post

Please remove the /lua chatcommand from WE: WE requires disabled mod security to save its schematics, so it's not possible to have /lua with enabled security. (correct me if I'm wrong)
There's a specific mod adding the lua chatcommand anyway. It's also more elaborate/convenient because it adds "me" as a reference to the player who ran the command.

IhrFussel, proper servers have their own user with its own home directory. And Dirty COW was fixed.



Re: Serious vulnerability in WorldEdit: Server ops need to up

by CraigyDavi » Post

Hybrid Dog wrote:Please remove the /lua chatcommand from WE: WE requires disabled mod security to save its schematics, so it's not possible to have /lua with enabled security. (correct me if I'm wrong)
There's a specific mod adding the lua chatcommand anyway. It's also more elaborate/convenient because it adds "me" as a reference to the player who ran the command.

IhrFussel, proper servers have their own user with its own home directory. And Dirty COW was fixed.
I agree. I have no idea how this feature relates to being in the worldedit_gui mod. I say move it into a separate mod and tab in sfinv. Shall be called "lua_ingame/sandbox/whatever".


Re: Serious security vulnerability in WorldEdit GUI

by Sporax » Post

I agree with that too ;-)


Re: Serious security vulnerability in WorldEdit GUI

by Wuzzy » Post

Code:

-	name = "Run Lua",
+	name = "Run Lua", privs = minetest.chatcommands["/clearobjects"].privs,
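Review bot: the added `privs = minetest.chatcommands["/clearobjects"].privs` gates "Run Lua" on whatever privileges `/clearobjects` happens to require, so any player allowed to clear objects is also allowed to execute arbitrary Lua, which the opening post says is equivalent to doing anything a mod can do; state the gating privilege explicitly in this line (the most restrictive one the server has) so the requirement is visible here and cannot change silently if `/clearobjects` is later registered with a different `privs` table. Copying another command's entry also means this line errors with an index-of-nil if `/clearobjects` has not been registered yet when it runs.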
Ahahahahaha! Are you fucking serious? OMG.

The mod which adds the “/lua” command is called “luacmd”:
http://wiki.minetest.net/Mods/LuaCmd

I agree, the “/lua” command (and related commands) has no place in WorldEdit or WorldEdit GUI.
rubenwardy wrote:If mod security is disabled, they would be able to run terminal commands and gain access to the user on the server running Minetest.
It's a shame that mod security is still broken enough so it is disabled most of the time.


Re: Serious security vulnerability in WorldEdit GUI

by Linuxdirk » Post

Wuzzy wrote:I agree, the “/lua” command (and related commands) has no place in WorldEdit or WorldEdit GUI.
QFE.


Re: Serious security vulnerability in WorldEdit GUI

by Wuzzy » Post

Is the mod from this thread affected as well?:

viewtopic.php?t=3112

The mod above seems to be old as worldedit_gui seems to be part of the official WorldEdit modpack.

If this is the case, I strongly recommend to move this thread into Old Mods.


Re: Serious security vulnerability in WorldEdit GUI

by rubenwardy » Post

Wuzzy wrote:Is the mod from this thread affected as well?:

viewtopic.php?t=3112

The mod above seems to be old as worldedit_gui seems to be part of the official WorldEdit modpack.

If this is the case, I strongly recommend to move this thread into Old Mods.
No, it has no lua function.