Punkbuster GUID, cl_guid ...

nano
Posts: 5
Joined: Mon Sep 04, 2006 7:56 am

Punkbuster GUID, cl_guid ...

Post by nano »

Hi,

many LUA mods (including mine) make use of cl_guid to identify known players and to give them special rights. cl_guid does not contain the Punkbuster GUID and is spoofable (eth can do it). That means all mods using that method for identification are insecure and attackers may get advanced rights by faking cl_guid.

To fix that hole, coders should use the *real* Punkbuster GUID, but there isn't an api function to get that GUID. So the only way to get it would be dumping the output of pb_sv_plist and playing with some regex.

Or are there any other ways for authentication?
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Re: Punkbuster GUID, cl_guid ...

Post by ReyalP »

nano wrote:
> Hi,
>
> many LUA mods (including mine) make use of cl_guid to identify known players and to give them special rights. cl_guid does not contain the Punkbuster GUID

If it hasn't been tampered with it does.

> and is spoofable (eth can do it). That means all mods using that method for identification are insecure and attackers may get advanced rights by faking cl_guid.

Correct.

> To fix that hole, coders should use the *real* Punkbuster GUID, but there isn't an api function to get that GUID. So the only way to get it would be dumping the output of pb_sv_plist and playing with some regex.
>
> Or are there any other ways for authentication?

Note that the 'real' pb GUID can be spoofed as well.

You can avoid impersonation by not exposing full PB GUIDs. In general client commands only show some of the GUID. Of course, any server admin can leak your full GUID.

There is no effective authentication, and there isn't ever likely to be one for ET.
send lawyers, guns and money
Luk4ward
Posts: 236
Joined: Sun Jul 30, 2006 1:55 pm
Location: Poland

Re: Punkbuster GUID, cl_guid ...

Post by Luk4ward »

> Note that the 'real' pb GUID can be spoofed as well.

???!!!

P.S. I'm using the log (name/nick/cl_guid/guid/ip) Lua by McSteve, and it should be fixed soon because of spoofing cl_guids, so if you have some similar Luas (using a pb_ command instead of cl_guid), please share them with others :>

regards
wolFTeam.pl
Hadr0
Posts: 5
Joined: Thu Dec 15, 2005 11:25 pm
Location: shiven

Post by Hadr0 »

Hi, if cl_guid can be spoofed, I assume every part of the userinfo-string is unreliable. If so, then using et.Info_ValueForKey(et.trap_GetUserinfo(cno), "xxx"), where xxx can be ip, name, cl_guid,.. is totally unsafe.
Is this true?

If so, is et.gentity_get(cno, "pers.netname") a more robust way to get a client's name? Is there a way to reliably get a client's IP with Lua?
(without using et_Print(text) as a log-parsing tool ofc)

about config-strings,
Lua wiki: Configstrings are strings that are set on the server, and automatically sent to each client.
So this means they cannot be altered by clients to fool the server.. right?
My guess is the only 'safe' authentication are those where the client directly sends a password to the server via et_ClientCommand(cno, command) like \sal, \ref (?)

thank you
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Post by ReyalP »

Yes, any information in the infostring can be spoofed, including the IP. In 2.60 and above, the engine actually always tacks the correct IP on the end, but this can be hidden if the client puts another one on the front. 2.60 servers can also be tricked into getting the key/value pairs out of balance.

If you use lua string functions to get the IP:PORT off the end of the infostring, rather than using the infovalueforkey functions, that should always be right AFAIK.

I suspect you can't do anything interesting by spoofing name in the infostring, since the game keeps them in sync.

configstrings (which userinfo is NOT) are a server->client communication mechanism, so clients can't give them bogus values unless a particular config string gets its value from untrusted client information.
send lawyers, guns and money
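
ReyalP's suggestion above (read the IP:PORT off the end of the infostring with Lua string functions instead of a key lookup), as an added example that is not code from the thread or from ETPro. The userinfo strings are constructed samples, `first_value_for_key` and `trailing_ip_port` are hypothetical helper names, and it assumes, as the post says, that a 2.60+ engine appends the real `\ip\ADDR:PORT` pair last.

```lua
-- Constructed sample userinfo strings (not captured from a real server).
local honest   = "\\name\\player1\\cl_guid\\0123456789ABCDEF0123456789ABCDEF"
              .. "\\ip\\192.0.2.10:27960"
-- Same shape, but the client has put its own \ip\ pair on the front.
local shadowed = "\\ip\\203.0.113.5:27960\\name\\player2"
              .. "\\cl_guid\\FEDCBA9876543210FEDCBA9876543210\\ip\\192.0.2.77:27960"

-- Stand-in for a first-match key lookup (the behaviour the thread describes
-- for the infovalueforkey functions); not the engine's implementation.
local function first_value_for_key(info, key)
  local pos = 1
  while true do
    local s, e, k, v = string.find(info, "\\([^\\]*)\\([^\\]*)", pos)
    if not s then return nil end
    if k == key then return v end
    pos = e + 1
  end
end

-- Take only the pair anchored at the very end of the string ("$"), so an
-- earlier duplicate key or unbalanced pairs cannot shadow it.
-- Returns ip, port, or nil when the tail is not a well-formed ADDR:PORT
-- (for example a bot or a local client); callers should treat nil as unknown.
local function trailing_ip_port(info)
  local _, _, a, b, c, d, port = string.find(info,
    "\\ip\\(%d+)%.(%d+)%.(%d+)%.(%d+):(%d+)$")
  if not a then return nil end
  local octets = { a, b, c, d }
  for i = 1, 4 do
    if tonumber(octets[i]) > 255 then return nil end
  end
  if tonumber(port) > 65535 then return nil end
  return a .. "." .. b .. "." .. c .. "." .. d, tonumber(port)
end

-- In a mod, info would come from et.trap_GetUserinfo(cno).
for _, info in ipairs({ honest, shadowed }) do
  local ip, port = trailing_ip_port(info)
  print("first-match ip: " .. tostring(first_value_for_key(info, "ip")))
  print("trailing ip   : " .. tostring(ip) .. ":" .. tostring(port))
end
```

It uses only `string.find` with captures, so it does not depend on functions added in later Lua versions.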