UPDATE Jan 15 09 - exploits actively abused
Well, we will see.
Typo: The LUA interpreter doesn't complain about this additional ;
Who knows... !blame
You are writing a lot of posts, but I get this feeling you 1. don't read the other things carefully or 2. you just don't get it.
Concerning this:
Code:
if cmd == "callvote" or cmd == "ref" or cmd == "sa" or cmd == "semiadmin" then
    local _, counts = string.gsub (args, "%s", "") -- count spaces
    if counts > 1 then
        msg = string.format("cpm \"Remove additional spaces!\n")
        et.trap_SendServerCommand(cno, msg)
        return 1
    end
    if string.find(args,"%\\") or string.find(args,"%;") then
        msg = string.format("cpm \"Invalid string!\n")
        et.trap_SendServerCommand(cno, msg)
        return 1
    end
    return 0
end
Code:
string.find(args,"%\\")
You are looking for the appearance of \, but why? We should take care of \r and \n. Carriage return and newline! They are C-like escape sequences.
Code:
string.find(args,"%;")
Why should one forbid the use of a ;?
[btw: actually it should be string.find(args,";").
%x (where x is any non-alphanumeric character) --- represents the character x. This is the standard way to escape the magic characters. The ; isn't needed here.]
This character is exchanged by a malicious client. IT WON'T REACH THE SERVER. On the other hand, assuming a standard client, this is my patented emo quit vote:
/callvote mute "Bennz;quit"
If it passes it will quit MY CLIENT!!! and NOT the server.
I'm sorry, it doesn't make any sense, but fortunately you were lucky enough to catch this vulnerability. Because when counting space characters, \r and \n are taken as space characters. So the other two conditions are useless/don't apply.
So long
Well, I saw it when you told me to get new glasses. If you had replied to me like now instead of flaming, I would say nothing or respect your comments. Now we will see if your comments are really worth it.
So long.....
------------------------------NEW UPDATE--------------------
bennz wrote: Typo: The LUA interpreter doesn't complain about this additional ;
Who knows... !blame
Yes, it doesn't, but I said the WHOLE bug fix for callvote doesn't work. Second of all, one typo ";" can change the signature of lua which is necessary to have a valid league cfg. Third of all, we should keep the standard of the lua language.
bennz wrote: You are writing a lot of posts, but I get this feeling you 1. don't read the other things carefully or 2. you just don't get it.
I'm writing a lot of posts because I want to help other people, not like you flaming them without reason. And sometimes I can make a mistake. Yes, is it really something new to people? I want to learn, man, and you are not helping me/others by posting shit about glasses...
bennz wrote: Code:
string.find(args,"%\\")
You are looking for the appearance of \, but why? We should take care of \r and \n. Carriage return and newline! They are C-like escape sequences.
Because as I said before the bugfix code doesn't work at all. And imo such chars shouldn't be allowed in callvotes (for what?). That's why I want to get rid of all problems (I don't care if it's \n or \r - yes, I know the meaning of them). But you are not 100% sure that there is no extra bug with \ (like everything in programming).
bennz wrote: Code:
string.find(args,"%;")
Why should one forbid the use of a ;?
[btw: actually it should be string.find(args,";").
%x (where x is any non-alphanumeric character) --- represents the character x. This is the standard way to escape the magic characters. The ; isn't needed here.]
This character is exchanged by a malicious client. IT WON'T REACH THE SERVER. On the other hand, assuming a standard client, this is my patented emo quit vote:
/callvote mute "Bennz;quit"
If it passes it will quit MY CLIENT!!! and NOT the server.
Yes, you are right. But did you test it? I guess not (same with combinedfixes by reyalp)... I want to forbid them because....... ET is already doing this! You didn't check it either... Also the char ; is mentioned on aluigi's board as a substitute for \n... You are not 100% sure either that with a hacked client it will work like you described...
So long.....
------------------------------NEW UPDATE--------------------
Download: http://acpro.wolfteam.pl//category.php?id=1
Code:
function et_ClientCommand(cno,cmd)
    local msg = ""
    cmd = string.lower(cmd)
    if cmd == "ws" then
        local n = tonumber(et.trap_Argv(1))
        if not n then
            et.G_LogPrint(string.format("wsfix: client %d bad ws not a number [%s]\n",cno,tostring(et.trap_Argv(1))))
            return 1
        end
        if n < 0 or n > 21 then
            et.G_LogPrint(string.format("wsfix: client %d bad ws %d\n",cno,n))
            return 1
        end
        return 0
    end
    if cmd == "callvote" or cmd == "ref" or cmd == "sa" or cmd == "semiadmin" then
        local args=et.ConcatArgs(1)
        -- et.G_LogPrint(string.format("combinedfixes: client %d %s [%s]\n",cno,cmd,args))
        if string.find(args,"%\\") or string.find(args,"%;") then
            et.G_LogPrint(string.format("combinedfixes: client %d bad %s [%s]\n",cno,cmd,args))
            msg = string.format("cpm \"Invalid string!\n")
            et.trap_SendServerCommand(cno, msg)
            return 1
        end
        return 0
    end
    return 0
end

-- prevent various borkage by invalid userinfo
-- version: 4
-- history:
-- 4 - check length and IP
-- 3 - check for name exploit against guidcheck
-- 2 - fix nil var ref if kicked in RunFrame
--     fix incorrect clientNum in log message for ClientConnect kick
-- 1 - initial release

-- names that can be used to exploit some log parsers
-- note: only console log parsers or print hooks should be affected,
-- game log parsers don't see these at the start of a line
-- "^etpro IAC" check is required for guid checking
-- comment/uncomment others as desired, or add your own
-- NOTE: these are patterns for string.find
badnames = {
    -- '^ShutdownGame',
    -- '^ClientBegin',
    -- '^ClientDisconnect',
    -- '^ExitLevel',
    -- '^Timelimit',
    -- '^EndRound',
    '^etpro IAC',
    '\\', -- we should kick such players on connect otherwise they cant be kicked in game due to callvote bugfix
    ';',
    '^^',
    -- '^etpro privmsg',
    -- "say" is relatively likely to have false positives
    -- but can potentially be used to exploit things that use etadmin_mod style !commands
    -- '^say',
    -- '^Callvote',
    -- '^broadcast'
}
wolFTeam.pl
I don't think we need a Who-rulez-teh-str33t contest; as well as you, I'm here to help. I can't help you if you do not listen to me.
Please tell me, why did you remove the only line of code that saved you from being exploited?
It is not necessary to catch that in a 'callvote' but of course you have to check:
Code:
if string.find(args,"%\\") or string.find(args,"%;") then
Code:
if string.find(args,"[\r\n]") then
Oh lord... otherwise you are going to be fucked :/
Just leave the combinedfixes code as it is, except the ;
I don't deny ReyalP's guilt, he will blame the booze
How does it happen that you say the callvote fix is not working & why are you sure I didn't test it?
Please note:
Code:
badnames = {
...
'^^',
...
You may not allow certain names or characters, ok. But if someone joins with the nick "^1Luke", he will get kicked, because he has a caret as first character. If you would like to kick a player with a caret followed by another caret somewhere in his name you may use '%^%^', or set the fourth argument of 'string.find' to true if you don't want to use patterns at all. (http://www.lua.org/manual/5.0/manual.html#5.3 --> A value of true as a fourth, optional argument plain turns off the pattern matching facilities, so the function does a plain "find substring" operation, with no characters in pattern being considered "magic".)
No offence
bennz wrote: I don't think we need a Who-rulez-teh-str33t contest; as well as you, I'm here to help. I can't help you if you do not listen to me.
Please tell me, why did you remove the only line of code that saved you from being exploited?
It is not necessary to catch that in a 'callvote' but of course you have to check:
Code:
if string.find(args,"%\\") or string.find(args,"%;") then
Code:
if string.find(args,"[\r\n]") then
Oh lord... otherwise you are going to be fucked :/
Just leave the combinedfixes code as it is, except the ;
I don't deny ReyalP's guilt, he will blame the booze
How does it happen that you say the callvote fix is not working & why are you sure I didn't test it?
I removed count spaces because otherwise gamers can't kick/mute a player with spaces in his nick. So we should take care of players' names too. The only way is to deny any parameter with \\. I tested Reyalp's code and it doesn't work with \r\n (there is no debug line in the log file). And how are you so sure that it's working?
bennz wrote: Please note:
Code:
badnames = { ... '^^', ...
You may not allow certain names or characters, ok. But if someone joins with the nick "^1Luke", he will get kicked, because he has a caret as first character. If you would like to kick a player with a caret followed by another caret somewhere in his name you may use '%^%^', or set the fourth argument of 'string.find' to true if you don't want to use patterns at all. (http://www.lua.org/manual/5.0/manual.html#5.3 --> A value of true as a fourth, optional argument plain turns off the pattern matching facilities, so the function does a plain "find substring" operation, with no characters in pattern being considered "magic".)
No offence
Nope, it will kick only players with ^^ or more carets. I tested it also and you probably not, as usual? No offence ;p
wolFTeam.pl
Anyway, here is a sample code to demonstrate the two patterns '^^' and '%^%^'.
I hope the link works: http://www.file-upload.net/download-149 ... e.lua.html
The output is:
Code:
----------------------------------------
badname '^1Luke' matching pattern '^^'
badname '^^Luke' matching pattern '^^'
badname '^^Luke' matching pattern '%^%^'
badname 'L^^uke' matching pattern '%^%^'
badname 'Luke^^' matching pattern '%^%^'
----------------------------------------
Your intentions are good, but it's the wrong pattern. Same for '$$$', it matches the name 'Luke$$' or 'Luke$$$'. It doesn't match 'Luke$$$asf', BECAUSE: (http://www.lua.org/manual/5.0/manual.html#5.3)
Patterns
A pattern is a sequence of pattern items. A `^´ at the beginning of a pattern anchors the match at the beginning of the subject string. A `$´ at the end of a pattern anchors the match at the end of the subject string. At other positions, `^´ and `$´ have no special meaning and represent themselves.
Your words:
Luk4ward wrote: Third of all we should keep the standard of lua language.
...
I tested it also and you probably not, as usual?
Mmm kay...
Enough is enough. You don't seem to listen, unconvincable luke. At first I thought you were just kidding... To make this come to an end: Someone joined the server ET.GamesNet.pl OBJ, changed the rconpassword and added the ip ban mask '4.3.2.1'.
(+ 'killserver' to restart the et server with original rconpw, nobody was hurt)
You encourage others to use a version of the fix that doesn't work. I hope you will realize that a mistake was made.
bennz wrote: Anyway, here is a sample code to demonstrate the two patterns '^^' and '%^%^'.
I hope the link works: http://www.file-upload.net/download-149 ... e.lua.html
The output is:
Code:
----------------------------------------
badname '^1Luke' matching pattern '^^'
badname '^^Luke' matching pattern '^^'
badname '^^Luke' matching pattern '%^%^'
badname 'L^^uke' matching pattern '%^%^'
badname 'Luke^^' matching pattern '%^%^'
----------------------------------------
Your intentions are good, but it's the wrong pattern. Same for '$$$', it matches the name 'Luke$$' or 'Luke$$$'. It doesn't match 'Luke$$$asf', BECAUSE: (http://www.lua.org/manual/5.0/manual.html#5.3)
Patterns
A pattern is a sequence of pattern items. A `^´ at the beginning of a pattern anchors the match at the beginning of the subject string. A `$´ at the end of a pattern anchors the match at the end of the subject string. At other positions, `^´ and `$´ have no special meaning and represent themselves.
ACpro:
Code:
----------------------------------------
badname '^1Luke' DOES NOT match pattern '^^'
badname '^^Luke' matching pattern '^^'
badname '^^Luke' matching pattern '^^'
badname 'L^^uke' matching pattern '^^'
badname 'Luke^^' matching pattern '^^'
----------------------------------------
bennz wrote: Your words:
Luk4ward wrote: Third of all we should keep the standard of lua language.
...
I tested it also and you probably not, as usual?
Mmm kay...
Enough is enough. You don't seem to listen, unconvincable luke. At first I thought you were just kidding... To make this come to an end: Someone joined the server ET.GamesNet.pl OBJ, changed the rconpassword and added the ip ban mask '4.3.2.1'.
(+ 'killserver' to restart the et server with original rconpw, nobody was hurt)
You don't read what I'm trying to say... Well... And nothing like that happened, if you want to know. If you try, I will report your IP.
bennz wrote: You encourage others to use a version of the fix that doesn't work. I hope you will realize that a mistake was made.
I'm not encouraging anyone. I just fixed the code and shared it with others. But I understand you don't get it, like the rest of what I said.
wolFTeam.pl
Luk4ward wrote: I heard that some ET server got hacked because of the vote exploit. So it's working, but with a hacked client. Btw I think I found a little typo in your code Reyalp:
Semicolon is optional in lua. Yes it's a mistake on my part, but it's not incorrect according to The Fine Manual:
The unit of execution of Lua is called a chunk. A chunk is simply a sequence of statements, which are executed sequentially. Each statement can be optionally followed by a semicolon
As bennz points out, searching for a \ will not correctly find CR or LF chars (which are represented by \r and \n). Actually, I should check for \0A and \0D, but the current code worked correctly in all my tests.
If you can actually trigger the exploit with the current code (edit: my current code; yours is horribly broken) in place, please send me your test case.
AFAIK, you cannot send a CR or LF char in a command without a hacked client. Sending a \r or \n sequence will not trigger the exploit.
I would strongly suggest that you make sure you have a firm understanding of the problem before posting "fixes" in this thread.
send lawyers, guns and money
ReyalP wrote:
Luk4ward wrote: I heard that some ET server got hacked because of the vote exploit. So it's working, but with a hacked client. Btw I think I found a little typo in your code Reyalp:
Semicolon is optional in lua. Yes it's a mistake on my part, but it's not incorrect according to The Fine Manual:
The unit of execution of Lua is called a chunk. A chunk is simply a sequence of statements, which are executed sequentially. Each statement can be optionally followed by a semicolon
yea, ok
ReyalP wrote: As bennz points out, searching for a \ will not correctly find CR or LF chars (which are represented by \r and \n). Actually, I should check for \0A and \0D, but the current code worked correctly in all my tests.
Why is it incorrect?
ReyalP wrote: If you can actually trigger the exploit with the current code (edit: my current code; yours is horribly broken) in place, please send me your test case.
AFAIK, you cannot send a CR or LF char in a command without a hacked client. Sending a \r or \n sequence will not trigger the exploit.
I would strongly suggest that you make sure you have a firm understanding of the problem before posting "fixes" in this thread.
Yes, I tested the exploit on a test server with a hacked client, but got kicked by the ET engine. Can I somehow test my and your code to be sure what's going on? I was just making tests with a normal client with /n and /r or any / command and only my modified code worked. I really understand the problem and the C code from aluigi's board.
wolFTeam.pl
That's what I'm talking about, since 3 posts. In addition it's useless to debate if everyone talks about his own, different code.
Short example from ac2pro.lua
Code:
1. local stripped_name = trim ( uncol ( name ) )
2. if string.find (name,"%^^") or etadmin_name_exploit == "^" then
3. string.gsub(string.gsub(arg, "%^[^%^]", ""), "%^", "") -- function uncol
4. local mstart,mend,cno = string.find(stripped_name,string.lower(badnamepat))
Line 1: That's a big difference to combinedfixes. In line 2 there is the right pattern, it kicks all names containing 2 or more ^. But when looking thru the badname patterns the names have been stripped of all ^. (--> Line 3: First every ^ followed by something except ^ is removed, after that every remaining ^ is removed.) That means it's useless to put '^^' in the badnames table as there are no ^ left!
Hint:
- Lowering the badname patterns isn't really necessary. Intended use: case sensitivity. It doesn't hurt in this case, but false positives...
- Put the combinedfixes as first to load in the chain. Merging security related checks is likely to cause trouble. (PEBCAK; Maintainability; Signatures you mentioned...)
We sure can discuss further checks in Enemy Territory -> ET Modding. Back to the most important bug:
You didn't understand the problem from aluigi's board, because
Code:
so theoretically if a client sends the command ' callvote map "mp_leo;quit" ' and the vote passes, quit will be executed after "map mp_leo".
to prevent this Cmd_CallVote_f does the following check:
if( strchr( arg1, ';' ) || strchr( arg2, ';' ) ) {
    trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
    return;
}
but ofc this isn't enough, since the other separators ('\r' and '\n') can also be sent in client commands.
sending such a callvote command from a game client isn't possible without a dll injection/hook/debugger afaik.
We don't have to care about ;! --> string.find(args,"%;") in function et_ClientCommand(cno, cmd) is useless.
We HAVE to check \n and \r. They include a backslash, but you can't find them with string.find(args,"%\\"). Escape sequence!
I'm helping to bring light into the darkness and you're speaking down to me? Never mind, I got used to it. I still recommend to fix your code.
ReyalP:
Am I blind and there is no \0A like hex escape? string.format instead :/
Code:
if string.find(args, string.format("%x", 010)) then -- new line
-- or both decimal (MUST have exactly 3 digits)
if string.find(args, "[\013\010]") then
but no, don't need to check it twice?
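An added example, covering both the '^^' / '%^%^' demonstration posted earlier and the uncol() point made just above. It is not bennz's demo script and not the ac2pro.lua or combinedfixes code: uncol() is reconstructed here as a function from the single line quoted from ac2pro.lua, the matches() helper and the fifth name "Luke" are the example's own, and it runs in plain Lua 5.1 or later without the et.* API. It shows that '^^' is an anchored "starts with a caret", that '%^%^' and a plain (fourth argument true) find match "^^" anywhere, and that after uncol() no caret pattern can match at all.

```lua
-- Added example, not code from the thread, ac2pro.lua or combinedfixes.
-- Plain Lua 5.1+; the plain-find fourth argument exists since Lua 5.0.

-- uncol() as quoted above from ac2pro.lua: drop "^x" colour codes, then any caret left.
local function uncol(name)
  return (string.gsub(string.gsub(name, "%^[^%^]", ""), "%^", ""))
end

-- plain = true turns off pattern magic (Lua manual 5.3, fourth argument of string.find).
local function matches(name, pat, plain)
  return string.find(name, pat, 1, plain) ~= nil
end

-- The same names bennz tested, plus one without carets (constructed).
local names = { "^1Luke", "^^Luke", "L^^uke", "Luke^^", "Luke" }

-- '^^'       : the leading caret is the anchor, so this means "starts with ^"
-- '%^%^'     : two escaped carets, i.e. "contains ^^ anywhere"
-- '^^' plain : the literal two-byte substring "^^"
local checks = {
  { pat = "^^",   plain = false },
  { pat = "%^%^", plain = false },
  { pat = "^^",   plain = true  },
}

for _, c in ipairs(checks) do
  for _, n in ipairs(names) do
    print(string.format("badname '%s'  pattern '%s' plain=%-5s  raw=%-5s  after uncol('%s')=%s",
      n, c.pat, tostring(c.plain), tostring(matches(n, c.pat, c.plain)),
      uncol(n), tostring(matches(uncol(n), c.pat, c.plain))))
  end
end

-- What the posts above claim, as assertions.
assert(matches("^1Luke", "^^"))            -- anchor + literal ^: a colour code is enough to match
assert(not matches("L^^uke", "^^"))        -- ... while two carets mid-name are not
assert(matches("L^^uke", "%^%^"))          -- escaped carets match anywhere
assert(matches("L^^uke", "^^", true))      -- plain find: no magic, same result
assert(not matches("Luke", "%^%^") and not matches("Luke", "^^", true))
for _, n in ipairs(names) do               -- uncol() strips every caret, so no caret
  assert(not string.find(uncol(n), "^", 1, true))   -- pattern in badnames can fire afterwards
  assert(not matches(uncol(n), "%^%^"))
end
```

Run it with any Lua interpreter (`lua example.lua`); it prints one line per name and pattern and exits silently if every assertion holds. Note that the uncol() line as quoted removes a caret together with the character after it, so "^^Luke" comes out as "uke", not "Luke"; the stripped names still contain no caret, which is the point of line 3 in the post above.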
Luk4ward wrote: Why is it incorrect?
Because the exploit doesn't involve the characters '\' and 'n'. I suggest you learn the difference between an escape sequence and the value it represents.
Luk4ward wrote: I was just making tests with a normal client with /n and /r or any / command and only my modified code worked.
But your code checks for the wrong thing.
Luk4ward wrote: I really understand the problem and the C code from aluigi's board.
This is demonstrably untrue.
@bennz
You are correct, lua appears to only accept decimal values.
send lawyers, guns and money
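To make the escape-sequence point concrete, here is an added example that is not code from the thread, ACpro or combinedfixes. It runs the four checks discussed in this thread, the combinedfixes "%\\" test, bennz's "[\r\n]" and "[\013\010]" tests, and the space count from the first ACpro post, against a few constructed vote strings: the two characters a normal client sends when you type \n, and the real 0x0A / 0x0D bytes that, per reyalp and the aluigi's board excerpt, only a hacked client can place in a command. It also covers bennz's first post: counting "%s" catches CR and LF, and "%;" is the same as ";". The function names and inputs are the example's own; it is plain Lua 5.1+ and does not use the et.* API.

```lua
-- Added example, not code from the thread, ACpro or combinedfixes.
-- Plain Lua 5.1+; the et.* API is not used. The input strings are constructed.

-- The checks as they appear in the posts above.
local function check_backslash(args)           -- combinedfixes: "%\\" is a literal '\'
  return string.find(args, "%\\") ~= nil
end

local function check_crlf(args)                -- bennz: the bytes 0x0D and 0x0A
  return string.find(args, "[\r\n]") ~= nil
end

local function check_crlf_decimal(args)        -- same set with decimal escapes (no \x in Lua 5.1)
  return string.find(args, "[\013\010]") ~= nil
end

local function count_spaces(args)              -- ACpro's removed "count spaces" check
  local _, n = string.gsub(args, "%s", "")     -- %s is whitespace, so CR and LF count too
  return n
end

-- "typed backslash-n" is what a normal client sends when you type \n in the
-- console: a backslash followed by the letter n. "real newline byte" carries
-- the actual 0x0A that only a hacked client can put into a command.
local inputs = {
  { name = "typed backslash-n", args = 'mute "Bennz\\nquit"' },
  { name = "real newline byte", args = 'mute "Bennz\nquit"'  },
  { name = "real CR byte",      args = 'mute "Bennz\rquit"'  },
  { name = "semicolon",         args = 'mute "Bennz;quit"'   },
  { name = "plain vote",        args = 'mute Bennz'          },
}

print(string.format("%-18s %-9s %-6s %-9s %s", "input", "backslash", "crlf", "crlf(dec)", "spaces"))
for _, t in ipairs(inputs) do
  print(string.format("%-18s %-9s %-6s %-9s %d", t.name,
    tostring(check_backslash(t.args)), tostring(check_crlf(t.args)),
    tostring(check_crlf_decimal(t.args)), count_spaces(t.args)))
end

-- The points made in the posts, as assertions.
local typed, real = inputs[1].args, inputs[2].args
assert(check_backslash(typed) and not check_crlf(typed))     -- "%\\" fires on a harmless vote ...
assert(not check_backslash(real) and check_crlf(real))       -- ... and misses the real byte
assert(check_crlf_decimal(real) and "\013\010" == "\r\n")    -- decimal escapes denote the same bytes
assert(count_spaces(real) == 2 and count_spaces(typed) == 1) -- the old space count did catch it
assert(string.find("a;b", "%;") == string.find("a;b", ";"))  -- "%;" is just ";"
```

The table it prints makes the disagreement above visible in one screen: the only row on which the "%\\" check fires is the harmless typed one, while the rows with a real CR or LF byte are caught only by the "[\r\n]" (or "[\013\010]") check and by the original space count. The semicolon row is caught by none of the Lua checks, which is consistent with bennz's remark that the engine's Cmd_CallVote_f already rejects ';' itself.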
Ok, thanks for the help m8s. Now I fully understand all. Next time I will contact Reyalp immediately and wait for the response.
@ bennz
I have nothing against you, really. If you had answered me like in the last posts I would have more respect for you. What about a fresh start?
p.s ACpro updated with Reyalp's first code.
wolFTeam.pl