[WARNING] RCON Exploit - Compromising a Machine

Hello! Today we’re going to be talking about your rcon password. Before you read this, please visit the following page and find out if your password is in any of these lists. If so, change it, or disable RCON altogether, as what I’m going to be explaining could be rather detrimental to your server.

The following is all hypothetical; I would never involve myself in this, I am also not recommending you test this yourself - and I am specifically stating that should you try to reproduce the following, your ‘rights’ to technology will probably be revoked.


rant

if you don’t have anything nice to say go away, I don’t care if you think .ioerror is 'big bad hacker omg ham mafia plz ban him nao - read the post, you’ll be a better person for it…

Quite a few servers (well over 100, some holding a constantly high population) are at risk because the owners have decided to set their rcon password to ‘password’ or similar. Some owners have put themselves at risk by allowing untrustworthy folks into their server.cfg files.

Here’s the issue: anyone worth their salt can easily use the tools FiveM has given them to gain access to your virtual machine through Remote Desktop Connection with nothing more than your RCON password.


This is made possible for the following reasons:

  • Bad management of group policy on VPS machines
  • Running your FiveM server off of the root (Linux) account or an account within the Administrators local group on your Windows machine
  • os.execute()

The exploit works as follows: first, you gain access to the rcon of the server. Once you’ve gained access to the remote console, you can start ‘runcode’, a base FiveM resource found on almost every single FiveM server. RunCode is a resource that allows for web/command-based remote execution of code. With it, you can execute code on the server, on a specific client, or on all clients at once.

Second: the juicy part. In order to return the output of the command line, and see what’s going on in the server-side command line, we create a tempfile using os.tmpname() and define that path as a variable. We then use os.execute() with a ‘>’ operator to dump our output to that file. Using io.lines in a for loop, we can roll through that file and pick up its contents (the output of our command line) and then return them back to RunCode’s web interface. This allows an intruder to find your current user account; perhaps it’s not named Administrator, in this case Jones.

Third: breaking in. We now know we’ve got a user account named Jones, and he’s the one running the server. We can use ‘net user’ operations through os.execute to change his password, and access Jones’ account through Remote Desktop Connection. However, this method isn’t very stealthy, and is easily detectable should the watchful Jones be on his box while he rants in the FiveM discord about a lack of resource support. Using the same ‘net’ operations, we can create a new user account, add that user to the Administrators local group, and log in via Remote Desktop Connection. From there, we simply navigate to Jones’ user folder, grab all his files, or do whatever we want to the machine.

side note

You can also enable Remote Desktop Connection if it is disabled (cough cough, home PC hosters) through registry commands.


In addition to simply taking over the entire machine, the following can also be done:

  • Infection of resources with ServerEvent code that can be triggered from a client to do remote execution
  • Infection of the machine with a keylogger/trojan in order to log sensitive information about the users accessing the machine.
  • Infection of the machine with a host controller, used for carrying out DoS attacks.

So, change your RCON passwords, folks, or disable it entirely. There are some methods that you can put in place to combat this, however, and they honestly should be standard procedure when hosting anything on the web.


Proper Group Policy Configuration

Group Policy is a very powerful tool that you’ll be able to access on any Windows Server machine. Proper group policy will disallow users from carrying out these sorts of attacks by limiting the access that a specific user account has to making modifications to system properties.

In order for group policy to function correctly, you need to separate your user accounts correctly. In a perfect setup, the Administrator account has reign over all the files, and the user accounts where the server executables are run have access to nothing other than the files they specifically need. In addition to this, should you store more than a single server’s information in a MySQL database, use multiple user accounts. Do not ever, for the love of god, connect to the SQL database using ‘localhost’ ‘root’. You should always be using a sub-user account, with read/write access to only the information that specific server needs.


tl;dr

don’t set your rcon password to ‘password’ or else your server will end up on wikileaks.

11 Likes

Hi there and thanks very much for the in-depth explanation of what can be done with a known rcon password on a Windows machine.

I have a question: all things being the same (known rcon password), can I ask what the risks are if this is on a Linux machine? Are the repercussions the same, less or more?

So Linux is relatively safe as long as you’re not on the root account, due to the way ‘sudo’ works on Linux. However, there’s the possibility that if someone REALLY hates you, they could install a ‘local’ brute force task onto that Linux machine to attempt to brute force the sudo password with the full force of that physical server.

1 Like

Fantastic info, thanks so much!

So would this be the explanation for my server randomly getting spouts of…
“The server must set rcon_password to be able to use this command”?

I mean, I don’t personally use any other resources than my own on this particular server, so it was and continues to be a slight concern when I see something attempting to do unauthorized commands.

That’s someone trying to brute force rcon passwords; not sure who. Just keep your password long and complex and you’ll be fine.

Isn’t that also dumb? The rcon port is shared with the game server and we can’t place that behind a firewall.

I had my server console spammed with “Invalid Password” within minutes just over a week ago and I couldn’t do shit, because the attacker used proxies, so…

1 Like

If you’re using Linux, iptables does have some ability to help with logging/dropping it. You could utilize a shell script to manage an ACL to permit or deny CIDRs or specific IP addresses.

As for generally speaking for it all, most if not all people don’t have first-hand experience or understanding of systems administration, so this whole separate-user thing, remotely doing things, backing up, or self-awareness/understanding of security principles/practices are out of the window. It’s those with knowledge that are coming here and taking advantage of all these people that are the issue.
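As an added example (not code from this thread, from FiveM, or from the poster above), here is a small shell script along the lines suggested in the reply: it tallies failed rcon logins per source address from a few constructed console lines, keeps a simple allow/deny ACL, and emits the matching iptables rules as text for review instead of applying them. The “Invalid Password from <ip>” line format and the 30120 port are assumptions; adjust both to what your own console prints and to the port you actually run on.

```shell
#!/usr/bin/env bash
# Added example for the thread, not part of FiveM or any resource.
# Assumption: the console prints a line like "... Invalid Password from <ip>" per
# failed rcon login. Adjust the pattern in offenders() to your real log format.
# Assumption: the game/rcon port is 30120 (the commonly used default).
PORT="${PORT:-30120}"

# Constructed sample console lines (RFC 5737 documentation addresses).
SAMPLE_LOG='2020-01-01 10:00:01 Invalid Password from 203.0.113.7
2020-01-01 10:00:02 Invalid Password from 203.0.113.7
2020-01-01 10:00:02 Invalid Password from 198.51.100.9
2020-01-01 10:00:03 Invalid Password from 203.0.113.7
2020-01-01 10:00:04 Invalid Password from 203.0.113.7
2020-01-01 10:00:05 Invalid Password from 203.0.113.7
2020-01-01 10:00:06 Invalid Password from 198.51.100.9
2020-01-01 10:00:07 Started resource runcode'

# offenders LOGTEXT THRESHOLD
# Prints, one per line and sorted, every source address that produced at
# least THRESHOLD failed rcon logins in LOGTEXT.
offenders() {
    printf '%s\n' "$1" \
      | grep -E 'Invalid Password from [0-9.]+' \
      | sed -E 's/.*Invalid Password from ([0-9.]+).*/\1/' \
      | sort | uniq -c \
      | awk -v t="$2" '$1 >= t { print $2 }' \
      | sort
}

# rule_for SOURCE ACTION
# Emits iptables commands for one IP or CIDR on the game/rcon port. The port
# carries both UDP (game traffic) and TCP, so both are covered. Denied sources
# also get a LOG rule so the drops are visible in the kernel log.
rule_for() {
    for proto in udp tcp; do
        if [ "$2" = DROP ]; then
            printf 'iptables -A INPUT -p %s --dport %s -s %s -j LOG --log-prefix "rcon-deny: "\n' \
                "$proto" "$PORT" "$1"
        fi
        printf 'iptables -A INPUT -p %s --dport %s -s %s -j %s\n' "$proto" "$PORT" "$1" "$2"
    done
}

# acl_rules ALLOWLIST DENYLIST
# ALLOWLIST and DENYLIST are newline-separated CIDRs/IPs. Trusted sources are
# accepted first, then everything in the deny list is logged and dropped.
acl_rules() {
    printf '%s\n' "$1" | while read -r src; do
        [ -n "$src" ] && rule_for "$src" ACCEPT
    done
    printf '%s\n' "$2" | while read -r src; do
        [ -n "$src" ] && rule_for "$src" DROP
    done
}

# Stand-alone run: anyone with 3 or more failures in the sample log is denied,
# a constructed admin network is always allowed, and the rules are printed
# (pipe the output to sh only after reviewing it).
main() {
    deny="$(offenders "$SAMPLE_LOG" 3)"
    acl_rules "192.0.2.0/24" "$deny"
}
main
```

Running it prints the ACCEPT rules for the admin range, then a LOG and a DROP rule for 203.0.113.7 on both protocols; 198.51.100.9 stays under the threshold. Because the proxied attacker in the thread rotates addresses, the count-based list is a stop-gap and the allow-list half is the part that actually holds.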

Is there a way to remove the line of code that sends the message to the console “The server must set rcon_password to be able to use this command.”? Because I have rcon disabled, so I’m not worried; if I could just code out the line that sends the warning I’m good to go. But it’s not in any of the 3 rcon files in the resource folder.

Change your server ports… FiveM and rcon use the same default port. If you change it to, say, 30720, it should stop it.