admincmd.sma exploits fix (#822)
* [admincmd.sma] Fix typo in isCommandArgSafe

'

* [admincmd.sma] Update amx_cvar command handler

- Fix exploiting of "mapchangecfgfile" cvar to execute potentially dangerous console commands
- Add newline delimiter check and restrict for ****cfgfile cvars values

* Restrict having ".." character sequence in amx_map command argument

Fixes exploit on Windows servers that allows executing potentially dangerous console commands

* Do not allow admins to change cvars with FCVAR_SPONLY flag when not in singleplayer via amx_cvar

1. Make amx_cvar command obey FCVAR_SPONLY flag.
2. Fix exploiting of amx_nextmap cvar value which is used in nextmap plugin.
etojuice authored and Arkshine committed Jun 3, 2020
1 parent 936c947 commit bdeb2a1
Showing 1 changed file with 14 additions and 4 deletions.
18 changes: 14 additions & 4 deletions plugins/admincmd.sma
@@ -222,13 +222,13 @@ public cmdKick(id, level, cid)
}

/**
* ';' and '\n' are command delimiters. If a command arg contains these 2
* ';' and '^n' are command delimiters. If a command arg contains these 2
* it is not safe to be passed to server_cmd() as it may be trying to execute
* a command.
*/
isCommandArgSafe(const arg[])
{
return contain(arg, ";") == -1 && contain(arg, "\n") == -1;
return contain(arg, ";") == -1 && contain(arg, "^n") == -1;
}

public cmdUnban(id, level, cid)
@@ -668,7 +668,7 @@ public cmdMap(id, level, cid)
new arg[32]
new arglen = read_argv(1, arg, charsmax(arg))

if (!is_map_valid(arg))
if (!is_map_valid(arg) || contain(arg, "..") != -1)
{
console_print(id, "[AMXX] %L", id, "MAP_NOT_FOUND")
return PLUGIN_HANDLED
@@ -788,13 +788,23 @@ public cmdCvar(id, level, cid)
return PLUGIN_HANDLED
}

if (equali(arg, "servercfgfile") || equali(arg, "lservercfgfile"))
if ((get_pcvar_flags(pointer) & FCVAR_SPONLY) && MaxClients != 1)
{
console_print(id, "[AMXX] %L", id, "CVAR_NO_ACC")
return PLUGIN_HANDLED
}

if (equali(arg, "servercfgfile") || equali(arg, "lservercfgfile") || equali(arg, "mapchangecfgfile"))
{
new pos = contain(arg2, ";")
if (pos != -1)
{
arg2[pos] = '^0'
}
else if ((pos = contain(arg2, "^n")) != -1)
{
arg2[pos] = '^0'
}
}

new authid[32], name[MAX_NAME_LENGTH]
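Review bot: In the cmdCvar hunk, the new "^n" check hangs off an `else if`, so it only runs when `arg2` contains no ';'. A value with a newline before its first semicolon is therefore cut at the semicolon and keeps the newline, which is the delimiter this commit sets out to strip from the *cfgfile cvars. Making the second test independent closes the gap: change `else if ((pos = contain(arg2, "^n")) != -1)` to a plain `if ((pos = contain(arg2, "^n")) != -1)` after the first block, so it runs on the already-truncated string. Alternatively, refuse the value outright with `if (!isCommandArgSafe(arg2))`, reusing the helper fixed earlier in this file. Whether a raw newline can reach `arg2` depends on how it is read above the hunk, and cmdCvar starts and ends outside the visible lines, so this should be confirmed against the full function.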