Why FiveM Servers Are So Insecure

A deep dive into FiveM server security. This post aims to shed light on why these servers are insecure and how cheaters can exploit these insecurities.

Introduction

FiveM is a modification framework for Grand Theft Auto V, enabling you to play multiplayer on customized dedicated servers. Despite its popularity and extensive features, FiveM servers are often criticized for their security vulnerabilities.

Understanding the Threat Landscape

Before we can effectively secure our servers, we must first understand what we're up against. Hackers and cheaters are constantly finding new ways to exploit server vulnerabilities, and their methods are often as sophisticated as they are diverse.

Understanding Resources and Streaming

In a FiveM server, resources are the addons that allow you to customize your server. These resources can be scripts, maps, vehicles, etc. They are streamed to the player when they connect to the server and during their gameplay. This streaming process allows for a dynamic and immersive gaming experience. However, it also opens up potential security vulnerabilities.

Insecure Resources

What is an Insecure Resource?

To understand the concept of an insecure resource, we must delve into the possibilities a resource provides to a cheater. In an ideal scenario, a resource should validate the input it receives from clients at every step. However, in reality, many resources accept input without a second thought, sometimes even allowing the execution of arbitrary code on your server.

You might think: isn't executing code harmless? What harm could come from it? Well, let's consider an example. Here's a quick and easy way to stop a Linux-based server (the entire machine, not just the FiveM server!) if FXServer is run with administrative privileges:

TriggerServerEvent("RunCode:RunRemotelly", "os.execute('shutdown now')")

Yes, it's that simple. But remote code execution isn't the only thing a cheater can do. What if a cheater wants to do something seemingly harmless, like giving themselves money? Here's an example:

for i=1, 100 do
  TriggerServerEvent("esx_carsshop:sv:1", 5000, "cheated", "cheated")
end
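The loop above works only because the server-side handler trusts whatever price and model the client sends. The following is an added example, not code from the original post or from any real resource: a handler for the event name shown above, written the way many resources write it, beside a hardened handler under a hypothetical event name (carshop:buyVehicle) that takes the price from the server's own catalog, checks types, balance and a per-player rate limit, and logs rejections. The catalog, bank table and the five-line stand-in for RegisterNetEvent/AddEventHandler/source are constructed so the file runs with plain Lua 5.4 and no FXServer.

```lua
-- Constructed stand-in for the FiveM server runtime (NOT the real API):
-- handlers are kept per event name, and TriggerClientToServer() replays a
-- client's TriggerServerEvent call, setting the `source` global as FXServer does.
local handlers = {}
function RegisterNetEvent(name) handlers[name] = handlers[name] or {} end
function AddEventHandler(name, fn) handlers[name] = handlers[name] or {}; table.insert(handlers[name], fn) end
local function TriggerClientToServer(playerId, name, ...)
  source = playerId
  for _, fn in ipairs(handlers[name] or {}) do fn(...) end
end

-- Constructed server-side state: the only data the server should trust.
local catalog = { adder = 1000000, blista = 15000 }   -- authoritative prices
local bank    = { [1] = 20000 }                        -- player 1 has $20,000
local owned   = { [1] = {} }

-- VULNERABLE: the client dictates price, model and plate; nothing is checked.
-- 5000 for an adder is a 99.5% discount, a negative price is a deposit, and
-- "cheated" is stored as a vehicle model.
RegisterNetEvent("esx_carsshop:sv:1")
AddEventHandler("esx_carsshop:sv:1", function(price, model, plate)
  bank[source] = bank[source] - price
  table.insert(owned[source], model)
end)

-- HARDENED: validate every client-supplied value, price from the catalog only,
-- balance checked, and one purchase per player per 2 seconds.
local lastPurchase = {}
local function buyVehicle(src, model, plate)
  if type(model) ~= "string" or catalog[model] == nil then
    return false, "unknown model"
  end
  if type(plate) ~= "string" or #plate > 8 or not plate:match("^[A-Z0-9]+$") then
    return false, "invalid plate"
  end
  local now = os.time()
  if lastPurchase[src] and now - lastPurchase[src] < 2 then
    return false, "rate limited"          -- defeats the 100-iteration loop above
  end
  local price = catalog[model]            -- never the number the client sent
  if (bank[src] or 0) < price then
    return false, "insufficient funds"
  end
  bank[src] = bank[src] - price
  table.insert(owned[src], model)
  lastPurchase[src] = now
  return true
end

RegisterNetEvent("carshop:buyVehicle")   -- hypothetical event name
AddEventHandler("carshop:buyVehicle", function(model, plate)
  local src = source                      -- copy before anything asynchronous
  local ok, why = buyVehicle(src, model, plate)
  if not ok then
    -- Rejections are worth logging: a burst of them from one player is a cheat signal.
    print(("[carshop] rejected purchase from player %d: %s"):format(src, why))
  end
end)

-- Demo: replay the cheat loop against both handlers.
for _ = 1, 3 do TriggerClientToServer(1, "esx_carsshop:sv:1", 5000, "cheated", "cheated") end
print("vulnerable handler: balance", bank[1], "cars", #owned[1])  -- 5000, 3 fake cars

bank[1] = 20000; owned[1] = {}
for _ = 1, 3 do TriggerClientToServer(1, "carshop:buyVehicle", "blista", "ABC123") end
print("hardened handler: balance", bank[1], "cars", #owned[1])    -- 5000, 1 blista; 2 rejected
```

The key design choice is that the client's arguments are treated as a request, never as facts: the model is checked against a server-side list, the price is looked up rather than received, and the balance check and rate limit live on the server where a client cannot skip them.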

SQL Injections

SQL Injection in FiveM Servers

In my blog, I have talked about how to prevent SQL injections in your FiveM server.
In the context of FiveM servers, SQL injection can be particularly damaging, which is why developers and server owners must pay close attention to preventing it.

Understanding SQL Injection

SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information not intended to be displayed. This information may include sensitive company data, user lists, or private customer details. The impact SQL injection can have on a business is far-reaching.
A successful attack may result in unauthorized viewing of user lists, deletion of entire tables, and the attacker gaining administrative rights to a database in certain cases. All of these outcomes are highly detrimental to a business.

SQL injections typically fall under three categories: In-band SQLi (Classic), Inferential SQLi (Blind), and Out-of-band SQLi.

  • In-band SQLi: The attacker uses the same communication channel to launch their attacks and gather their results. It's one of the most common types of SQLi attack due to its simplicity and efficiency.

  • Inferential (Blind) SQLi: The attacker sends data payloads to the server and observes the response and behavior of the server to learn more about its structure. This method is called blind SQLi because the data is not transferred from the website database to the attacker, thus the attacker cannot see information about the attack in-band.

  • Out-of-band SQLi: The attacker can only carry out this form of attack when certain features are enabled on the database server used by the web application. This attack is primarily used as an alternative to the in-band and inferential SQLi techniques.

SQL injection can be used to manipulate a standard SQL query to exploit non-validated input vulnerabilities in a database.
For example, an attacker could alter a typical website's SQL database query by requesting http://www.website.com/items/items.asp?itemid=999 or 1=1. As a result, the corresponding SQL query would look like this:
SELECT ItemName, ItemDescription
FROM Items
WHERE ItemNumber = 999 OR 1=1

And since the statement 1 = 1 is always true, the query returns all of the product names and descriptions in the database, even those that you may not be eligible to access.
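In a FiveM resource the same mistake looks like a Lua string concatenation. The following is an added example, not code from the original post or from any database library: it builds the query from the text by concatenation, then shows the two steps that prevent it, validating the type of the value and passing it as a bound parameter. The MySQL.query(sql, params, cb) call shape is assumed to mirror the oxmysql resource's API, but the MySQL table here is a constructed stub that only records what it would send, so the file runs with plain Lua 5.4 and no database.

```lua
-- Constructed stub of a FiveM MySQL wrapper (NOT the real library). A real
-- driver sends `sql` and `params` to the server separately as a prepared
-- statement, so a parameter is data and is never parsed as SQL text.
local MySQL = {}
function MySQL.query(sql, params, cb)
  cb({ sql = sql, params = params })
end

-- The value the client controls: the itemid from the request shown above.
local hostile = "999 or 1=1"

-- VULNERABLE: concatenation. The payload becomes part of the SQL text, and the
-- database cannot tell the developer's SQL from the attacker's.
local function lookupItemUnsafe(itemid, cb)
  MySQL.query("SELECT ItemName, ItemDescription FROM Items WHERE ItemNumber = " .. itemid, {}, cb)
end

-- HARDENED, step 1: validate the type before the value goes anywhere.
-- Only a positive whole number is an item id; anything else is rejected.
local function parseItemId(raw)
  local n = tonumber(raw)
  if n == nil or n ~= math.floor(n) or n <= 0 then return nil end
  return n
end

-- HARDENED, step 2: bind the value as a parameter (`?` is the placeholder).
-- Even if validation were skipped, the database would see the SQL and the
-- value as two separate things.
local function lookupItemSafe(raw, cb)
  local id = parseItemId(raw)
  if not id then return cb(nil, "invalid item id") end
  MySQL.query("SELECT ItemName, ItemDescription FROM Items WHERE ItemNumber = ?", { id }, cb)
end

lookupItemUnsafe(hostile, function(sent)
  print("unsafe:", sent.sql)          -- ... WHERE ItemNumber = 999 or 1=1 (every row)
end)
lookupItemSafe(hostile, function(sent, err)
  print("safe:", err or sent.sql)     -- invalid item id (rejected before any query)
end)
lookupItemSafe("999", function(sent)
  print("safe:", sent.sql, sent.params[1])   -- ... WHERE ItemNumber = ?   999
end)
```

Validation and parameter binding are independent defenses: validation keeps garbage out of the application at all, and binding means that even a value which passes validation can never change the shape of the query.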

The RCON Exploit

Understanding the RCON Exploit

The RCON exploit revolves around the misuse of the RCON password, a password used to provide remote console access to a server. If this password is known or easily guessable, it can be used to gain unauthorized access to the server. This is particularly concerning if the server is running on an account with administrative privileges, as it allows for the execution of arbitrary commands on the server.

The exploit works by first gaining access to the RCON of the server. Once access is gained, the attacker can use the 'runcode' resource, a base FiveM resource found on almost every FiveM server, to execute code on the server, on a specific client, or all clients at once.

The attacker can then use the 'os.execute()' function to run commands on the server's command line, create temporary files to store the output of these commands, and then read these files to gain information about the server. This can be used to find out the current user account running the server, change the password of this account, or even create a new user account with administrative privileges.

The Potential Damage

The potential damage from this exploit is significant. An attacker could take over the entire machine, infect resources with malicious code, install keyloggers or trojans to log sensitive information, or even use the machine as part of a Distributed Denial of Service (DDoS) attack.

How to Build A Secure FiveM Server

Securing your resources is challenging, especially if you are unfamiliar with coding.
It is strongly recommended to bring someone who can code on board and have them audit your resources. There is no "one-check-finds-all" solution; every resource requires its own way of being secured against cheaters and hackers. However, simply refusing to accept arbitrary input, which many resources fail to do, ensures your server is free of cheaters.

Good examples of correctly using the built-in FiveM permission system are vMenu and EasyAdmin. These resources double-check each event against the ACE natives, ensuring that no one can do things they shouldn't be able to do.
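Here is what that double-check looks like in practice, as an added example that is neither vMenu's nor EasyAdmin's code: an admin-only server event (the hypothetical name admin:setWeather) that re-checks the caller's permission with IsPlayerAceAllowed on every call and validates the argument before acting. IsPlayerAceAllowed is a real FXServer native; the version below is a constructed stub fed by a constructed ACE table, so the file runs with plain Lua 5.4. On a real server the ACE data comes from server.cfg lines such as `add_ace group.admin command.setweather allow` and `add_principal identifier.fivem:1234 group.admin`.

```lua
-- Constructed ACE data standing in for server.cfg (identifiers are made up).
local identifiers = { [1] = "identifier.fivem:1234", [2] = "identifier.fivem:5678" }
local principals  = { ["identifier.fivem:1234"] = "group.admin" }            -- add_principal
local aces        = { ["group.admin"] = { ["command.setweather"] = true } }   -- add_ace

-- Stub of the FXServer native of the same name (NOT the real implementation).
function IsPlayerAceAllowed(src, ace)
  local group = principals[identifiers[src] or ""]
  return group ~= nil and aces[group] ~= nil and aces[group][ace] == true
end

-- Constructed stand-in for the event runtime, as in the earlier example.
local handlers = {}
function RegisterNetEvent(name) handlers[name] = handlers[name] or {} end
function AddEventHandler(name, fn) handlers[name] = handlers[name] or {}; table.insert(handlers[name], fn) end
local function TriggerClientToServer(src, name, ...)
  source = src
  for _, fn in ipairs(handlers[name] or {}) do fn(...) end
end

local ALLOWED_WEATHER = { CLEAR = true, RAIN = true, THUNDER = true }
local currentWeather = "CLEAR"

-- Any client can fire any net event by name, so hiding the menu button on the
-- client proves nothing; the server must check the ACE itself, every time.
RegisterNetEvent("admin:setWeather")
AddEventHandler("admin:setWeather", function(weather)
  local src = source
  if not IsPlayerAceAllowed(src, "command.setweather") then
    -- Log and drop. Unprivileged players triggering admin events is a strong cheat indicator.
    print(("[admin] player %d tried admin:setWeather without permission"):format(src))
    return
  end
  -- Permission is not a substitute for validation: admins' clients can be cheated too.
  if type(weather) ~= "string" or not ALLOWED_WEATHER[weather] then
    print(("[admin] player %d sent invalid weather %s"):format(src, tostring(weather)))
    return
  end
  currentWeather = weather
  print(("[admin] player %d set weather to %s"):format(src, weather))
end)

TriggerClientToServer(2, "admin:setWeather", "THUNDER")  -- rejected: no ACE
TriggerClientToServer(1, "admin:setWeather", "THUNDER")  -- accepted
TriggerClientToServer(1, "admin:setWeather", "LAVA")     -- rejected: bad value
print("weather is now", currentWeather)                  -- THUNDER
```

The check sits inside the handler rather than in a client-side menu because the event is the real boundary: the ACE lookup happens on the server, against data in server.cfg that no client can edit.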

On another note, employing Vault by HashiCorp to rotate secrets such as the RCON password is highly advisable. Regularly changing your RCON password is strongly recommended, and ensuring it is not easily guessable is essential. Disabling RCON altogether is also recommended as an additional security measure if feasible.

In addition to these measures, it's important to regularly audit your resources and ensure they are not accepting random input. This goes a long way in ensuring your server is free of cheaters and hackers.

FiveM servers offer a unique and customizable gaming experience, but they are not without security vulnerabilities. Server owners must understand these vulnerabilities and take the necessary steps to secure their servers.

So Why Are FiveM Servers So Insecure?

The primary concern lies with server owners who neglect proper security measures. Securing a FiveM server necessitates a proactive approach.
By comprehending potential vulnerabilities and implementing suitable security measures, server owners can safeguard their servers and establish a secure and equitable gaming environment for their players. Always remember, in cybersecurity, a potent offense is the best defense.