[Vulnerability] Unrestricted loader.

[RenardDev]

If an attacker gains access to executing server commands, then he will be able to upload and execute the backdoor because MM:S does not have plugin loading restrictions factors like SourceMod.

PoC: https://github.com/RenardDev/DLangMMSPExploit

[dvander]

Thanks for the report. "meta load" should be changed to follow whatever extension restrictions plugin_load has.

I'm skeptical to call this an exploit as it requires enabling two things widely known to be exploitable. (1) rcon fundamentally is not secure, and should never be enabled. (2) sv_allowupload is notoriously problematic and probably deserves the same recommendation.

[dvander]

I uploaded a quick patch for this, but, to reinforce the "never enable rcon or sv_allowupload" point: plugin_load does no checks whatsoever that I can see, and we have no control over that.