Serious security vulnerability in WorldEdit GUI

[rubenwardy]

Server owners are advised to update their worldedit mods in order to patch a remote code execution vulnerability.

The Vulnerability

Before this patch, any player could run arbitrary Lua code. This allowed them to do anything a mod can do -
such as granting privs, changing settings, or shutting down the server.

If mod security is disabled, they would be able to run terminal commands and gain access to the user on the
server running Minetest.

This is due to the mod not correctly checking player privileges.

Affected Parties

This only affects you if your server is open to the public (even if unlisted), and has an unpatched version of worldedit_gui mod installed.

Solution

To fix, simply install the most recent version, or disable the mod.

You should also check for any out of place privileges, and run a scan on your server for rootkits and other malware.

To Others

Do not attempt to reproduce or use this on a server you do not own. Even with good intentions, it's still illegal to do so without permission, and may open you up to legal action.

[IhrFussel]

Here a command to recursively check which files have been last modified on a Linux system:

find [MOTHERPATH] -type f -exec stat --format '%Y :%y %n' "{}" \; | sort -nr | cut -d: -f2- | less

Disclaimer: The headers of your files could've been modified as well so it's not 100% accurate but should give you a quick overview.

[Hybrid Dog]

Please remove the /lua chatcommand from WE: WE requires disabled mod security to save its schematics, so it's not possible to have /lua with enabled security. (correct me if l'm wrong)
There's a specific mod adding the lua chatcommand anyway. It's also more elaborate/convenient because it adds "me" as reference to the player who run the command.

IhrFussel, proper servers have an own user with its own home directory. And dirty COW was fixed.

[CraigyDavi]

Please remove the /lua chatcommand from WE: WE requires disabled mod security to save its schematics, so it's not possible to have /lua with enabled security. (correct me if l'm wrong)
There's a specific mod adding the lua chatcommand anyway. It's also more elaborate/convenient because it adds "me" as reference to the player who run the command.

IhrFussel, proper servers have an own user with its own home directory. And dirty COW was fixed.

I agree I have no idea how this feature relates to being in the world edit_gui mod. I say move it into a separate mod and tab in sfinv. Shall be called "lua_ingame/sandbox/whatever".

[Sporax]

I agree with that too ;-)

[Wuzzy]

Code: Select all

-	name = "Run Lua",
+	name = "Run Lua", privs = minetest.chatcommands["/clearobjects"].privs,

Ahahahahaha! Are you fucking serious? OMG.

The mod which adds the “/lua” command is called “luacmd”:
http://wiki.minetest.net/Mods/LuaCmd

I agree, the “/lua” command (and related commands) has no place in WorldEdit or WorldEdit GUI.

If mod security is disabled, they would be able to run terminal commands and gain access to the user on the
server running Minetest.

It's a shame that mod security is still broken enough so it is disabled most of the time.

[Linuxdirk]

I agree, the “/lua” command (and related commands) has no place in WorldEdit or WorldEdit GUI.

QFE.

[Wuzzy]

Is the mod from this thread affected as well?:

viewtopic.php?t=3112

The mod above seems to be old as worldedit_gui seems to be part of the official WorldEdit modpack.

If this is the case, I strongly recommend to move this thread into Old Mods.

[rubenwardy]

Is the mod from this thread affected as well?:

viewtopic.php?t=3112

The mod above seems to be old as worldedit_gui seems to be part of the official WorldEdit modpack.

If this is the case, I strongly recommend to move this thread into Old Mods.

No, it has no lua function.