Script Injection Vulnerability


#50

To provide some more details about this vulnerability such as how it happens and what @Christbru01’s detection plugin is doing (it feels like the best way to combat this sort of injection is to be transparent):

  • Backpacks currently run scripts that are descendants of them. This is so that scripts can run while they’re parented to Players.

  • This vulnerability is caused because Plugins can create Backpacks and Scripts and place them inside of Services that can’t be seen normally in the Roblox explorer.

  • Some services, such as the CSGDictionaryService, cannot be accessed by scripts, Plugins, or the Command Bar. Due to an oddity with how Roblox works, there are means to place things within these services but not get them out.

  • Due to this, and how Backpacks allow scripts to run, a vulnerability is created by putting a script in these services.

  • Christbru01’s plugin uses some more obscure methods to detect and remove these Instances. These include GetDescendant, pcall, and Insert.

Hopefully this better educates people on what’s going on here. I can absolutely vouch for Christbru01’s plugin. You can also do the trick Seranok suggested up at the top of the thread, as that’s a guaranteed method.
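The audit below is an added example written for this thread, not Christbru01’s plugin and not code from any post here. It is a plain Luau script meant to be run from a Studio plugin or the Command Bar; it walks every service it is allowed to reach and reports any Script or LocalScript that lives under a Backpack which is not parented to a Player, which is the condition the bullets above describe. The `SERVICE_NAMES` list, the `scan` function and the report format are assumptions of this example. Note the deliberate limitation: a protected service such as CSGDictionaryService fails the `pcall` and is only reported as unreachable, so this catches the easy cases and shows you where the hidden ones would be, without the tricks the detection plugin relies on.

```lua
-- Added example: defensive audit for scripts hidden under Backpacks.
-- Run from a Studio plugin or the Command Bar. Names below are assumptions.

-- Services worth probing by name, including one the thread says is
-- normally unreachable (the pcall around GetService is expected to fail).
local SERVICE_NAMES = {
    "Workspace", "ReplicatedStorage", "ReplicatedFirst", "ServerScriptService",
    "ServerStorage", "StarterGui", "StarterPack", "StarterPlayer", "Lighting",
    "Players", "CSGDictionaryService",
}

-- Wrap GetService so a protected or missing service yields nil plus the error.
local function tryGetService(name)
    local ok, result = pcall(function()
        return game:GetService(name)
    end)
    if ok then
        return result, nil
    end
    return nil, tostring(result)
end

local function isScript(inst)
    return inst:IsA("Script") or inst:IsA("LocalScript")
end

-- A Backpack under a Player is the normal case; anything else is suspicious.
local function suspiciousBackpackAncestor(inst)
    local parent = inst.Parent
    while parent do
        if parent:IsA("Backpack") and not (parent.Parent and parent.Parent:IsA("Player")) then
            return parent
        end
        parent = parent.Parent
    end
    return nil
end

-- Collect the roots to walk: everything visible as a child of game, plus any
-- named service we can reach, de-duplicated by instance.
local function collectRoots()
    local seen, roots, unreachable = {}, {}, {}
    for _, child in ipairs(game:GetChildren()) do
        if not seen[child] then
            seen[child] = true
            table.insert(roots, child)
        end
    end
    for _, name in ipairs(SERVICE_NAMES) do
        local svc, err = tryGetService(name)
        if svc then
            if not seen[svc] then
                seen[svc] = true
                table.insert(roots, svc)
            end
        else
            table.insert(unreachable, { name = name, reason = err })
        end
    end
    return roots, unreachable
end

local function scan()
    local findings = {}
    local roots, unreachable = collectRoots()
    for _, root in ipairs(roots) do
        -- GetDescendants can throw on some services; keep scanning the rest.
        local ok, descendants = pcall(function()
            return root:GetDescendants()
        end)
        if ok then
            for _, inst in ipairs(descendants) do
                if isScript(inst) then
                    local bp = suspiciousBackpackAncestor(inst)
                    if bp then
                        table.insert(findings, {
                            path = inst:GetFullName(),
                            backpack = bp:GetFullName(),
                            disabled = inst.Disabled,
                        })
                    end
                end
            end
        else
            table.insert(unreachable, { name = root.Name, reason = tostring(descendants) })
        end
    end
    return findings, unreachable
end

local findings, unreachable = scan()
for _, f in ipairs(findings) do
    warn(("script under non-Player Backpack: %s (backpack %s, disabled=%s)")
        :format(f.path, f.backpack, tostring(f.disabled)))
end
for _, u in ipairs(unreachable) do
    warn(("could not inspect %s: %s"):format(u.name, u.reason))
end
print(("audit done: %d finding(s), %d service(s) not inspectable"):format(#findings, #unreachable))
```

Every `could not inspect` line in the output is a place this script cannot see into; that is exactly the gap the detection plugin exists to cover, and it is why the Command Bar alone is not a complete check.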


#51

Specific to the injection done by the fake “Terrain Save and Load” plugin, scripts are also injected randomly in the Workspace, so make sure to check more than just scripts in Backpack objects.


#52

Just as a tip for anyone checking plugin source code: If the image for the plugin button (the one that shows up in the toolbar along the top of Studio) isn’t uploaded by the same person who uploaded the plugin that’s using it, that’s usually a pretty good indicator that the plugin you have isn’t the original/genuine version.


#53

This unfortunately cannot search scripts outside of normal locations. If a plugin injected a backdoor script into a protected service such as CSGDictionaryService, then nothing you can do in Studio or the Command Bar (save for a few very tricky and sorta hacky methods) will be able to obtain an instance memory pointer, much less be able to view the source or remove the infection. This is why I created the plugin: plugins have the highest execution authority, and using the tricky/hacky methods (see the reply above by @Dekkonot for a good explanation of what my plugin is doing) I am able to not only detect but also obtain the instance memory pointer and relocate or remove these hidden scripts or backdoors. They are otherwise nearly impossible to detect without going into a place XML save file and reading line for line for anything that looks out of place (which the exploiter has taken steps to make more tedious and irritating to do).

tl;dr: CTRL+Shift+F won’t find nor search the source of the majority of the plugin backdoors.


#57

Plugins insert scripts pretty frequently, perhaps a permissions system? When you install a plugin, it tells you exactly what the plugin will be allowed to do - insert scripts, edit instances in your game etc

Having said that, a good, well developed plugin shouldn’t have much need to insert scripts into the workspace unless it’s a very specific use case, so this could be very helpful in the case of most plugins.


#60

Backpacks shouldn’t run code. This kind of script-running was superseded by the PlayerScripts container. The only qualm I can foresee is that legacy games may break, but that’s no excuse for making a reasonable patch. Rather than checking for descendants, just have them stop running code altogether.

For those who are still using Backpacks as containers, stop. Use folders. They were added for a reason.


#61

Backpacks need to run code so that tools don’t break when they’re placed within them. There’s a good reason for it.

A better solution might just be to make it so you can’t create them anymore. I have no idea why you can actively create them, but it’s probably not a good idea.


#62

Unequipped tools don’t run code, unless I’m missing something. What reason would you have to keep the scripts of unequipped tools running? Doesn’t make sense to me.


#63

I’m not sure what you mean by this; unequipped tools in a Backpack do run code, both Scripts and LocalScripts, and I can think of a lot of reasons:

I’m sure there are a lot more usecases but these are the few I can come up with now anyway.


#64

Can Roblox not offer a way to cleanse infected places?

  1. I don’t know how to manually edit a published game.
  2. I tried the plugin mentioned, but one of my games is too large to be scanned by it.


#65

It will scan, just takes time. You can also lower the scan delay chance if you have a decent CPU. (It will increase lag the lower the delay chance gets)


#66

I’m sure I clarified what I meant when I said that. In either case, this answers my use case question. Disabling the creation of Backpack tools, as Dekkonot suggested, would probably be ideal then.


#68

Wish I would’ve known this technique earlier with the script; I had a malicious plugin once. It’s all good now, but one of my games was breached and I had to close it down. :wink:


#69

The button to show hidden services should only show them if you are searching for them or if the service has children. A fix could also be to potentially alert the user when a script is parented from a plugin to one of those services for the first time.


#71

Check all your plugins, and check their authors. If it’s some really reputable name (i.e. Quenty, Crazyman32, etc.), then keep it; else, check their profile. See if they have some kind of developer role in a group or are in the Dev Forum Community group.

Look up the names of the plugins from authors you’re not exactly sure of on the library, especially ones you got off the first few pages of the library. If there are duplicates, there may be a chance that you got an illegitimate copy that’s a duplicate of the original except with backdoor code injected into it. Remove those plugins and install the originals.

If you want to take a look at the source code yourself, check the Plugins folder, go up a folder on the file tree, then check InstalledPlugins. You can find every plugin you have installed and their source code in .rbxm format. You can import these into Studio to check the source code. It’d be smart to run Chris’s scanner on these or check for any script that looks suspicious and/or contains obfuscated or suspicious code. Uninstall these as well.

I was stuck with some backdoor prompting model purchases for a solid week until I read somewhere here that I should try inspecting plugin code by hand. You probably should too; you’d be surprised by how many times people (myself included) install malicious duplicates of popular plugins.


#72

This vulnerability is now patched. Scripts which were executing only because they were parented to a Backpack in some obscure location will no longer execute. The fix applies to both Studio and live games.


#73

Thank you for the speedy fix. I’ll be sure to update tonight.


#74

Can you mark this post as a solution to the OP?