Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Anticheese, and why you should do more to secure your Server. #15

Open
Blumlaut opened this issue Aug 15, 2021 · 4 comments
Open

Anticheese, and why you should do more to secure your Server. #15

Blumlaut opened this issue Aug 15, 2021 · 4 comments
Labels

Comments

@Blumlaut
Copy link
Owner

Blumlaut commented Aug 15, 2021

Intro

Hi! I'm Blumlaut, but you can call me Blu.
I'm the main and currently sole developer of Anticheese, a free anticheat for FiveM which attempts to patch exploits left behind by other Resources, while also using a few own detection methods to detect cheats.

When running a FiveM Server, it is essential to know what you are installing, what it can do, and what it can allow hackers to do.

You should always read the code of the resources you are installing, or having someone with enough knowledge do it for you, to find possible exploits.

You should never assume that players will act in good faith on your server, instead, assume every event is a target for exploitation.

While many players will most likely never cheat, those that will cheat will ruin your day, having insecure resources is one of the main reasons servers are plagued by cheaters nowadays.

What is an insecure Resource?

To differentiate between "Safe" and "Insecure" Resources, one first has to consider the possibilities a Resource gives you, as a Cheater.

Ideally, your Resource will double, triple and quadruple check input sent by Clients, in reality, input is often accepted without giving it a 2nd thought, often going so far as to allow executing arbitrary code on your server.

But wait! You might think, isn't executing code harmless? What evil things could they possibly do?

Well, let me demonstrate, here is a quick and easy way to stop a Linux-Based Server (the ENTIRE server, not the FiveM Server!), if the FXServer is ran via Administrative Privileges, using the exploit linked above.

TriggerServerEvent("RunCode:RunStringRemotelly", "os.execute('shutdown now')")

Yes, it's that simple.

But of course, remote code execution isn't the only thing you can do, what if a cheater wants to do something more harmless, like say, give themselves money?

Well,

for i=1, 100 do
    TriggerServerEvent("esx_slotmachine:sv:1", 5000, "cheated", "cheated")
end

There are a ton of ways to do things like that, many resources, even frequently updated ones, even nowadays, allow cheaters to do almost anything by triggering mere events.

But wait, what if i...

...run the server as a normal user?

You should, absolutely, if you are running your FiveM Server under a user with Admin Privileges, change that right now.

However, an insecure resource can still ruin your day very quickly, remote code execution can also allow one attacker to simply modify the user files on your Server, as such, changing the password and contacting a botnet controller with the new login infos is perfectly within the scope of what the code execution exploit above allows.

But wait, what if i...

.. Scramble Events?

Scrambling events is a workaround to an inherent issue, there are already cheats out there which match specific patterns in code to attempt to extract event names, so scrambling events is just a temporary solution for a problem that should be addressed immediately, do not rely on this to secure you, it won't.

Scrambling events will only scare away the most basic of cheaters, anyone with actual malicious intent will be able to work around it.

But wait, what if i...

Install a billion anticheats??

You are delaying the inevitable, anticheat resources can only do so much, i have nothing to sell so i'm going to be outright.

Anticheats are not a solution for an attacker that is willing to dig in your resource code for exploits. That is not what it is designed for, you cannot blame it if it does not detect a malicious actor abusing exploits you introduced on your server, that is your fault, and your fault alone.

How many resources are actually affected by such exploits?

Too many to count, i can name a few less extreme examples than the one above which do allow a certain degree nastiness.

Kashacters allows SQL Injection in certain functions
Versions of esx_license do not check if adding a certain license is valid, will cause the script to brick itself
CHEM!CAL T0Ж!N allows anyone to kick/ban anyone, no permission checks.

There are many more which are vulnerable like this, these are just a few examples

Ok, but how do i find out if my resources are vulnerable?

That's the hard part. Generally, if you are not familiar with coding, i would strongly recommend getting someone who is capable of it on board, and then auditing your Resources, there is no "one-check-finds-all" of course, every resource requires its own way of securing it against cheaters and hackers, but simply not accepting random input like so, so, so, so many resources do goes a long way in making sure your server is free of cheaters.

A good example in how to properly use the Inbuilt FiveM Permission system is vMenu and EasyAdmin, these double check each and every event with the ACE Natives, ensuring that no one can do things they shouldn't be able to do.

Ok.. But i have a question?

Sure! Ask away, i'll keep this thread pinned for anyone that has questions about Resource security and security flaws in general, i hope this guide somewhat helped you understand the dangers of running a FiveM Server without the proper knowledge.

I will update this thread with more examples and infos when they come up
Last Change: 16/08/21

Greetings and good night.

@Blumlaut Blumlaut added the guide label Aug 15, 2021
@Blumlaut Blumlaut pinned this issue Aug 15, 2021
@kc1nn4y
Copy link

kc1nn4y commented Aug 24, 2021

Great guide, thanks!

@Ademo93
Copy link

Ademo93 commented Feb 7, 2022

How do i know that my server is running as a normal user or not? do the directory where my server is located matters?

@Blumlaut
Copy link
Owner Author

Blumlaut commented Feb 7, 2022

How do i know that my server is running as a normal user or not? do the directory where my server is located matters?

the user you are running the server binary under is the user the server runs under, so if you are logged in as root on linux and run the server, it will also be under root, with the same permissions, it works the same on windows.

ideally you'd create a seperate, non elevated user just for running the fivem server.

@Ademo93
Copy link

Ademo93 commented Feb 7, 2022

How do i know that my server is running as a normal user or not? do the directory where my server is located matters?

the user you are running the server binary under is the user the server runs under, so if you are logged in as root on linux and run the server, it will also be under root, with the same permissions, it works the same on windows.

ideally you'd create a seperate, non elevated user just for running the fivem server.

Thank you a lot ! you made me realize how insecure my server actually was, and those mistakes are actually unforgettable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants