tags:

views:

194

answers:

4

I wrote a game server plugin last night that allowed me to create a user account and set it as administrator, which is a huge problem. Of course the simple fix is to create a basic user account with limited privileges for the game servers, so they would not have access to do things like this.

I wanted to find out if there's anything else in the Windows API that would create such a huge vulnerability though? I guess I want to just make sure that when the client's game server accounts are moved to limited access accounts, we won't have to worry about any of them using the Windows API to sabotage the machines. There are already enough exploits in the game itself to worry about, without having to worry about clients taking over the machines with plugins lol.

Some of the related questions would be... Can you disable/enable Remote Desktop from C++? Can you get a list of AD user groups from C++? (not the ones that a user belongs to, but a complete list)

+4  A: 

I wrote a game server plugin last night that allowed me to create a user account and set it as administrator, which is a huge problem.

No, it's not. That's what running as an administrative account means: administrative permissions! If you don't want that to happen, don't run as an administrative user.

IMO, however, it seems quite unusual and bizarre that your game server allows plugins which subsequently are permitted to access local Windows API functions. That is quite unorthodox and would itself be considered a security vulnerability. Is there any particular reason for that? Why not just restrict access solely to whatever your game's library functions are instead of opening things wide?

Can you disable/enable Remote Desktop from c++?

Yes. Once you're an administrator, you probably have shell access, so it's trivial to execute `netsh firewall set service remotedesktop enable` as a process, for example.

John Feminella
I'm not sure if you can really restrict a DLL from accessing the Windows API. The only way to do that would be some kind of emulation, which is slow.
vava
Although, [this piece of software](http://dev.chromium.org/developers/design-documents/sandbox) can make it somehow easy.
vava
@vava: That is how all AMXX/Sourcemod plugins work; they are compiled to bytecode and JIT-ed, just like Java or .Net. Because of this, it's very fast, but at the same time the API offers no access to the Windows/Linux API, so server admins can install a (cross-platform!) plugin on their server without having to worry about things like viruses.
BlueRaja - Danny Pflughoeft
I did not write the game servers; they are the servers used for some of the most popular games using the Source engine, such as Counter-Strike, Team Fortress 2, Left 4 Dead, etc. I simply write modifications for these games, using the provided SDK. The games load these plugins (DLL files) and really, considering they are in C++, anything is doable through them. *Edit:* I just saw the comments when I responded. BlueRaja is correct, although I am not writing SM plugins; I am using a VSP I wrote (Valve server plugin) to do the testing.
Brett Powell
A: 

Normally, if you want to restrict what a plugin in a server can do, you wouldn't allow the plugins to be written in C++; you'd use a scripting language.

For C++ code, you should worry about more than just the Windows APIs that can be called - if you are letting plugin code, written in C++ by someone you don't trust, be run in the same process as your game server, that plugin code could trivially crash your game server, and perform any file access that the account the game server is running under is allowed to perform (possibly including modifying or deleting game data files).

A more typical solution is to have plugins written in a scripting language which only provides access to perform actions you want the plugin to be able to perform and certainly doesn't allow pointer operations that could allow a plugin to access things you don't expect it to.

doshea
Yup, I'm well aware, lol, but this game engine is developed by Valve, not me. If you want to let me know how badly they screwed up, go for it.
Brett Powell
A: 

Whether a server plugin can create an account with Administrative privileges is actually not determined by your choice of language (C and C++ behave exactly the same) but by whether the server process itself is already running with Administrator rights. If the server process is running as a normal user, it can't create Administrator accounts, and therefore none of its plugins can.

This is to say, it's not Valve or another game server author who's responsible for such problems, but the person who set up the server.

MSalters
A: 

Now that I understand you can't control what the game server software does (I am aware that various game developers aren't too concerned with the practical aspects of people hosting game servers):

Microsoft would certainly try to avoid having APIs in Windows that allowed limited user accounts to do Administrator-type things. In my experience, most Administrator-type changes require you to either (a) be a member of the Administrators group or (b) be a member of some group configured via the Local Security Policy or Group Policy to be allowed to make those changes. You should therefore be able to use ACLs to limit access to files and policies to essentially limit access to APIs. Generally when there is some way to use an API to get access you're not meant to have, that is normally considered a security bug that Microsoft will fix - see all the web search matches for "windows local privilege escalation".

doshea
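The thread's practical conclusion (the first answer, MSalters's point that a plugin inherits exactly the server process's token, and doshea's suggestion to use groups and ACLs rather than hoping the API stops you) can be turned into a small setup and verification script. The following PowerShell is an added example written for this page; it is not code from the thread or from Valve's SDK. It assumes a modern Windows host with the built-in `Microsoft.PowerShell.LocalAccounts` module, and the account name `srcds-svc`, the install path `C:\srcds`, and the probe account name `pwned` are all hypothetical. The probe function runs the same "create a user" operation the original poster's plugin performed, but under the limited account, so the expected result is an access-denied error rather than a new account.

```powershell
# Added example, not part of the original thread. Account/path names are assumptions.
#Requires -RunAsAdministrator

$ServiceAccount = 'srcds-svc'   # hypothetical low-privilege account for the game server
$ServerRoot     = 'C:\srcds'    # hypothetical install directory the server must write to

function Test-IsElevated {
    # A plugin DLL runs with exactly this token; if this is $true, so is the plugin's.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-GameServerAccount {
    param([string]$Name, [string]$Root, [securestring]$Password)
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $Password -PasswordNeverExpires `
            -UserMayNotChangePassword -Description 'Game server service account' | Out-Null
    }
    # Make sure it sits in no privileged group. Remove-LocalGroupMember errors when the
    # principal is not a member, which is the state we want, so that error is suppressed.
    foreach ($group in 'Administrators', 'Remote Desktop Users', 'Power Users') {
        Remove-LocalGroupMember -Group $group -Member $Name -ErrorAction SilentlyContinue
    }
    # Modify rights on the server tree only (logs, configs, downloaded maps); nothing else.
    icacls $Root /grant "$($Name):(OI)(CI)M" | Out-Null
}

function Test-AccountNotPrivileged {
    param([string]$Name)
    # Get-LocalGroupMember reports names as COMPUTER\user.
    $qualified = "$env:COMPUTERNAME\$Name"
    foreach ($group in 'Administrators', 'Remote Desktop Users') {
        $members = Get-LocalGroupMember -Group $group | ForEach-Object { $_.Name }
        if ($members -contains $qualified) { return $false }
    }
    return $true
}

function Get-RemoteDesktopEnabled {
    # The registry value behind "Allow remote connections"; 0 = enabled, 1 = denied.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    return (Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections -eq 0
}

function Test-LimitedAccountCannotCreateAdmin {
    param([pscredential]$Credential)
    # Re-run the operation the plugin performed, but as the limited account.
    # "pwned" is a hypothetical probe name; the expected outcome is an access-denied error.
    $probe = 'try { New-LocalUser -Name pwned -NoPassword -ErrorAction Stop; "CREATED" } ' +
             'catch { "DENIED: " + $_.Exception.Message }'
    $outFile = Join-Path $env:TEMP 'srcds-probe.txt'
    Start-Process -FilePath 'powershell.exe' -Credential $Credential -WindowStyle Hidden `
        -ArgumentList '-NoProfile', '-Command', $probe `
        -RedirectStandardOutput $outFile -Wait
    $result = Get-Content $outFile -Raw
    Remove-Item $outFile -ErrorAction SilentlyContinue
    return $result
}

# --- Usage ---------------------------------------------------------------------------
Write-Host "Running elevated: $(Test-IsElevated)"            # must be $true for the setup below
$pw = Read-Host -AsSecureString "Password for $ServiceAccount"
New-GameServerAccount -Name $ServiceAccount -Root $ServerRoot -Password $pw
Write-Host "$ServiceAccount is outside privileged groups: $(Test-AccountNotPrivileged -Name $ServiceAccount)"
Write-Host "Remote Desktop currently enabled: $(Get-RemoteDesktopEnabled)"
$cred = [pscredential]::new("$env:COMPUTERNAME\$ServiceAccount", $pw)
Write-Host "Probe as limited account: $(Test-LimitedAccountCannotCreateAdmin -Credential $cred)"
```

Run the script once as an administrator, then install the game server as a service (or scheduled task) that logs on as `srcds-svc`. The probe line is the part worth keeping in a post-deployment checklist: it exercises the exact capability the original poster was worried about and demonstrates, rather than assumes, that a plugin loaded into that process cannot add users or change group membership. `Get-RemoteDesktopEnabled` only reads state; toggling it (or the firewall rule the first answer's `netsh` line manipulates) still requires an administrator token, which is why the limited account cannot do it either.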