[Mod] shell_mod

Post Reply
User avatar
InterVi
Member
Posts: 32
Joined: Wed Jul 05, 2017 08:22
GitHub: InterVi
IRC: InterVi
In-game: InterVi
Location: Russia, Moscow
Contact:

[Mod] shell_mod

by InterVi » Post

Image

This mod add game terminal for execute shell commands. Please, use screen or other utility for long execute.

WARNING! This mod creates a potential backdoor! Do not give users of privileges for this mod!

Commands and privs
  • /shell - open terminal window (need shell_cmd priv)
  • /shell-clear - clear terminal history (need shell_clear priv)
Depends
  • initlib?
Links

User avatar
azekill_DIABLO
Member
Posts: 7507
Joined: Wed Oct 29, 2014 20:05
GitHub: azekillDIABLO
In-game: azekill_DIABLO
Location: OMICRON
Contact:

Re: [Mod] shell_mod

by azekill_DIABLO » Post

Awesome! I'll try to merge it to computers mod!
Gone, but not dead. Contact me on discord: azekill_DIABLO#6565
DMs are always open if you want to get in touch!

User avatar
rubenwardy
Moderator
Posts: 6972
Joined: Tue Jun 12, 2012 18:11
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy
Location: Bristol, United Kingdom
Contact:

Re: [Mod] shell_mod

by rubenwardy » Post

azekill_DIABLO wrote:Awesome! I'll try to merge it to computers mod!
No no no no no. No. NO. NOOOOOOOO.

N O N O N O
O
N
O
N
O
Renewed Tab (my browser add-on) | Donate | Mods | Minetest Modding Book

Hello profile reader

User avatar
TumeniNodes
Member
Posts: 2941
Joined: Fri Feb 26, 2016 19:49
GitHub: TumeniNodes
IRC: tumeninodes
In-game: TumeniNodes
Location: in the dark recesses of the mind
Contact:

Re: [Mod] shell_mod

by TumeniNodes » Post

rubenwardy wrote: No no no no no. No. NO. NOOOOOOOO.

N O N O N O
O
N
O
N
O
translation: No

Definition of No: To not
A Wonderful World

twoelk
Member
Posts: 1482
Joined: Fri Apr 19, 2013 16:19
GitHub: twoelk
IRC: twoelk
In-game: twoelk
Location: northern Germany

Re: [Mod] shell_mod

by twoelk » Post

TumeniNodes wrote:
rubenwardy wrote: No no no no no. No. NO. NOOOOOOOO.

N O N O N O
O
N
O
N
O
translation: No

Definition of No: To not
looks like a pattern to fill area with liquids in minetest to me

the mod yells danger ! though
how secure is it?

User avatar
azekill_DIABLO
Member
Posts: 7507
Joined: Wed Oct 29, 2014 20:05
GitHub: azekillDIABLO
In-game: azekill_DIABLO
Location: OMICRON
Contact:

Re: [Mod] shell_mod

by azekill_DIABLO » Post

rubenwardy wrote:
azekill_DIABLO wrote:Awesome! I'll try to merge it to computers mod!
No no no no no. No. NO. NOOOOOOOO.

N O N O N O
O
N
O
N
O
Yes yes yes yes yes. Yes! Yes! YES! YEEEEEES!

Y E S Y E S
E E S Y E S
S S S Y E S
Y Y Y Y E S
E E E E E S
S S S S S S
Gone, but not dead. Contact me on discord: azekill_DIABLO#6565
DMs are always open if you want to get in touch!

sofar
Developer
Posts: 2146
Joined: Fri Jan 16, 2015 07:31
GitHub: sofar
IRC: sofar
In-game: sofar

Re: [Mod] shell_mod

by sofar » Post

rm -f map.sqlite

sofar
Developer
Posts: 2146
Joined: Fri Jan 16, 2015 07:31
GitHub: sofar
IRC: sofar
In-game: sofar

Re: [Mod] shell_mod

by sofar » Post

Post updated to reflect this mod had a vulnerability before

This mod had a significant code vulnerability, and, when installed on a server, could allow any attacker without the needed privileges to execute any shell command on the server.
sofar wrote: I haven't verified my claims, but it is obvious that the formspec code does not bother to validate the permissions in the code that handles the formspec recieve data, and thus, it is wide open to any attacker. It would take me 15 minutes to build an exploit, at most.

This needs to be fixed immediately, or else people running this code on a server will lose all their data.

Code: Select all

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

User avatar
InterVi
Member
Posts: 32
Joined: Wed Jul 05, 2017 08:22
GitHub: InterVi
IRC: InterVi
In-game: InterVi
Location: Russia, Moscow
Contact:

Re: [Mod] shell_mod

by InterVi » Post

fixed

sofar
Developer
Posts: 2146
Joined: Fri Jan 16, 2015 07:31
GitHub: sofar
IRC: sofar
In-game: sofar

Re: [Mod] shell_mod

by sofar » Post

I agree that should be a proper fix. I have not validated that it fixes the problem, since I have not created a working exploit either, so I can't validate it. However, based on code inspection this does the correct thing.

Anyone running this mod should immediately update to the latest version, or remove the old version.

User avatar
sorcerykid
Member
Posts: 1841
Joined: Fri Aug 26, 2016 15:36
GitHub: sorcerykid
In-game: Nemo
Location: Illinois, USA

Re: [Mod] shell_mod

by sorcerykid » Post

It is cases like this that I really wish Lua had data tainting options like Perl.

Post Reply

Who is online

Users browsing this forum: No registered users and 16 guests