Crack me: launching shell scripts from arma config files

Post by Z-Man »

If you ever ran a server that relied on an external script, you know it can be quite a timesink to get it working properly. You need to launch server and script together, you need to feed the script's command output into the server, the script will sometimes read too much or too little data at the start. And most annoyingly, the script will often refuse to die properly when it should.

bzr+ssh://[email protected]/~armagetronad-dev/armagetronad/0.2.8-armagetronad-scriptlaunch/
This allows you to launch scripts from within configuration files. Put some shell or python script into the "scripts" subdirectory of your data directory (any of them) and use

casacl 0 -1
spawn_script <script name> <arguments>
It'll search for the script and launch '<path>/<script name> <arguments>' in the background. It'll feed ladderlog output to the script's input and interpret its output as commands. When the server quits or the script is stopped with kill_script, the pipes are closed and any orderly script would terminate on reading the resulting EOF. If the script exits early, the server notices and closes the pipes. Scripts can run simultaneously and their output won't accidentally interfere.

There's also respawn_script, works the same as spawn_script, but doesn't do anything if the script with the same command and arguments is already running.

Aaand, of course, the whole thing is potentially a huge security risk. Right now, there are three layers of protection:
1. the script commands are only executable at the new access level -1 (Shell). You'll need to CASACL your level up. This one is probably going to be dropped, it's cumbersome and doesn't add real security, because it doesn't add anything on top of the next level.
2. the script commands can ONLY be executed from local configuration files. Not via /admin, not from RINCLUDE, not from maps.
3. You can't execute arbitrary shell commands. Most special characters are forbidden, among them &, ; and | which could be used to chain commands; the first word needs to be a script from a scripts directory and the path is then manually added.

What I want you to do: try to find holes, especially in 2. and 3. Try to get the commands executed in any non-include context or find a way to exploit them. Assuming you have access to the commands, make them do nasty things.

Needless to say, anything you think may compromise existing servers should be sent via PM, and don't even think about running this code on a server open to the net yet.

(Got an idea myself. Oh boy, is needed.)

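The third protection layer from the post, sketched as an added example (not Armagetron's code and not part of the original post): it uses an allow-list of characters rather than a list of forbidden ones, and returns an argument vector meant for an execv()-style launch so that no shell ever parses the line. The function names, the permitted character set and the sample directory are assumptions.

```cpp
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical helper: a word is acceptable only if it is non-empty and
// consists of ASCII letters, digits, '_', '-' or '.'. Everything else,
// including '&', ';', '|', '/', quotes and '$', is rejected by default.
static bool word_is_safe(const std::string& w) {
    if (w.empty()) return false;
    for (unsigned char c : w)
        if (!std::isalnum(c) && c != '_' && c != '-' && c != '.')
            return false;
    return true;
}

// Turns the text following spawn_script into an argv vector.
// argv[0] is always scriptsDir + "/" + <script name>; the caller never
// supplies a path. Returns false and leaves argv empty on rejection.
bool build_script_argv(const std::string& scriptsDir, const std::string& line,
                       std::vector<std::string>& argv) {
    argv.clear();
    std::istringstream in(line);
    std::vector<std::string> words;
    for (std::string w; in >> w;) {
        if (!word_is_safe(w)) return false;
        words.push_back(w);
    }
    if (words.empty()) return false;
    // The script name may not start with '.' (covers ".", ".." and hidden
    // files) or '-' (would look like an option to an interpreter).
    if (words[0][0] == '.' || words[0][0] == '-') return false;
    words[0] = scriptsDir + "/" + words[0];
    argv = words;
    return true;
}

int main() {
    // Constructed sample input; "/data/scripts" is a placeholder directory.
    std::vector<std::string> argv;
    if (build_script_argv("/data/scripts", "rotate.py 5 fast", argv))
        for (const std::string& a : argv) std::cout << a << '\n';
    return 0;
}
```

The returned vector should go to a direct process launch such as execv(), never to system() or popen(), and the resolved argv[0] should still be checked to be a regular file inside the scripts directory before it is run.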