banimod / etpro / ettv forums - Bani's Discussion Forums
UPDATE Jan 15 09 - exploits actively abused
Forum: ET Server Admins
ReyalP



Joined: 25 Jul 2003
Posts: 1663

Posted: Thu Apr 26, 2007 10:40 pm    Post subject: UPDATE Jan 15 09 - exploits actively abused

UPDATE July 23 2010
wwwdl drop all clients exploit. See http://bani.anime.net/banimod/forums/viewtopic.php?t=6777&start=60

UPDATE January 15 2009
Specially crafted vote and similar commands (using a hacked client) can be used to execute console commands on the server. http://aluigi.freeforums.org/quake3-engine-callvote-bug-t686.html

combinedfixes.lua updated.

UPDATE August 1 2008
etadmin_mod can be tricked into giving people with certain names admin access. See http://www.snl-clan.com/forum/viewtopic.php?f=9&t=9789 for a workaround.

ty SNL|Lucel|STA

UPDATE May 16 2008
Updated hash for combinedfixes.

UPDATE April 21 2008
Fixed
Code:

etpro: et_RunFrame error running lua script: [string "combinedfixes.lua"]:127: attempt to call field `match' (a nil value)

error.

combinedfixes.lua now uses string.find instead of string.match.

UPDATE April 1 2008
Individual modules retired, combined fixes is the only one being maintained from now on.

Updated to prevent some more userinfo abuse, which allowed players to bypass the fakeplayer prevention, among other things. Thanks again DoGoD

UPDATE Mar 23 2008
userinfocheck.lua and combinedfixes.lua updated to prevent an exploit in guidcheck.lua.

If you want to use the guidcheck fix, you MUST either update your combinedfixes.lua or run both userinfocheck.lua and guidcheck.lua

Note lua mod authors
The exploit relies on the fact that chat (or /m) with well chosen player names allows almost arbitrary strings to be sent to the et_Print function. Lua mod authors are urged to treat the text sent to et_Print with extreme caution.

Note to etadmin_mod users
Similar exploits likely exist against other log parsers such as etadmin_mod. The updated version of userinfocheck.lua may be used to prevent some abuse of this sort, but you must uncomment some lines in the file yourself. This is untested, and very likely does not eliminate all such exploits against etadmin_mod.

edit Mar 24 2008:
The name vulnerability should only apply to log parsers which read the game console or console log, not the game log.

Thanks to Hadr0 for bringing the guidcheck problem to my attention.

-- earlier post follows--
edit:
Updated Mar 2 2008
- fix nil var ref if kicked in RunFrame
- fix incorrect clientNum in log message for ClientConnect kick
thanks to DoGoD and benny.

--original post--
Several significant exploits against ET and ETPro have recently been brought to our attention.

  • the "ws" clientcommand can be used to crash servers, or with a modified client, obtain arbitrary information such as passwords from server memory. Since tvgame does not support lua, a fixed tvgame is available here: tvgame-update.zip. This should work with beta13. People who already have my ettv test builds don't need this, it's the same tvgame.
  • clients can send malformed userinfo which can confuse some game functions about their IP.
  • Cheats which spoof etpro guids can crash servers.
  • q3fill DOS program to fill up servers with bogus players.

All of these exploits have been observed in the wild. It is strongly recommended that you run combinedfixes.lua.

The ws and infostring exploits affect all ET versions and mods. The authors of noquarter, jaymod, and etpub have been informed. The guid exploit obviously only affects etpro.

To install lua modules:
copy the .lua file to your etpro directory and add
Code:
set lua_modules "somemodule.lua anothermodule.lua"

to your server cfg. lua_modules takes effect after a map change or map_restart. You can check whether your mod was loaded using the lua_status command, on either a client or the server console.

For leagues that wish to use these modules with their certified configs, you should also set lua_allowedmodules to the hash of the module you wish to use. You can obtain this hash with lua_status. Because of length limitations, you can only allow one module in a .config, so use of combinedfixes.lua or your own custom module is recommended. The hash of combinedfixes.lua is
Code:
1D864F1C022DD8E4F2103C5CCBF468FB9A84E39E


By default the combinedfixes.lua limits users to 3 connections per IP. You may want to adjust this using the cvar ip_max_clients if you expect a lot of players to connect from the same IP.

Thanks to McSteve and pants for bringing these to our attention. As always, we appreciate the help of the community in identifying this sort of thing.
_________________
send lawyers, guns and money


Last edited by ReyalP on Thu Aug 12, 2010 8:18 pm; edited 14 times in total
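Added example, not combinedfixes.lua or any other file from this thread: a minimal ETPro lua module that enforces a per-IP connection limit in the way the ip_max_clients default of 3 described above does, and refuses a connection whose userinfo ip value does not have the expected dotted-quad shape (the post notes that malformed userinfo can confuse game functions about a client's IP). The callback names (et_InitGame, et_ClientConnect, et_ClientDisconnect) and the et.* functions are assumed from the ETPro lua API rather than taken from this thread; only string.find is used, since the thread shows string.match is unavailable in the server's Lua.

```lua
-- ipcount.lua: added example, not part of this thread or of ETPro.
-- Assumed ETPro lua API (callbacks and et.* functions are assumptions):
--   et_ClientConnect(clientNum, firstTime, isBot) -> nil to accept,
--   or a string that is shown to the client as the rejection reason.
--   et.trap_GetUserinfo, et.Info_ValueForKey, et.trap_Cvar_Get,
--   et.G_Print, et.RegisterModname.
-- Written Lua 5.0 style (string.find, no '#' operator).

local DEFAULT_MAX = 3       -- same default the post gives for ip_max_clients
local ip_of_slot = {}       -- clientNum -> ip, so reconnects are not double counted
local count_for_ip = {}     -- ip -> number of occupied slots

-- The userinfo "ip" value is text the server attaches to the client's
-- infostring; accept only a dotted quad (drop any ":port" suffix) and
-- treat anything else as malformed.
local function clean_ip(raw)
    if not raw then return nil end
    local _, _, ip = string.find(raw, "^(%d+%.%d+%.%d+%.%d+)")
    return ip
end

local function max_clients()
    local v = tonumber(et.trap_Cvar_Get("ip_max_clients"))
    if v and v > 0 then return v end
    return DEFAULT_MAX
end

local function release_slot(clientNum)
    local ip = ip_of_slot[clientNum]
    if ip then
        count_for_ip[ip] = (count_for_ip[ip] or 1) - 1
        if count_for_ip[ip] <= 0 then count_for_ip[ip] = nil end
        ip_of_slot[clientNum] = nil
    end
end

function et_InitGame(levelTime, randomSeed, restart)
    et.RegisterModname("ipcount example")
end

function et_ClientConnect(clientNum, firstTime, isBot)
    if isBot == 1 then return nil end
    local userinfo = et.trap_GetUserinfo(clientNum)
    local ip = clean_ip(et.Info_ValueForKey(userinfo, "ip"))
    if not ip then
        et.G_Print(string.format("ipcount: refused client %d, malformed ip in userinfo\n", clientNum))
        return "malformed userinfo"
    end
    if ip_of_slot[clientNum] == ip then
        return nil   -- same slot reconnecting (map change): already counted
    end
    release_slot(clientNum)   -- slot reused by a different ip without a disconnect
    local n = count_for_ip[ip] or 0
    if n >= max_clients() then
        et.G_Print(string.format("ipcount: refused %s, %d clients already connected from that ip\n", ip, n))
        return "too many clients from your IP"
    end
    count_for_ip[ip] = n + 1
    ip_of_slot[clientNum] = ip
    return nil
end

function et_ClientDisconnect(clientNum)
    release_slot(clientNum)
end
```

Installed exactly as the post describes for any module (copy the file to the etpro directory, add it to lua_modules in the server cfg, wait for a map change, confirm with lua_status), it logs every refusal with the "ipcount:" prefix so the decisions can be audited in the console log.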
Nail



Joined: 02 Jan 2004
Posts: 425

Posted: Thu Apr 26, 2007 10:54 pm

Thank you very much
_________________
Improvise, Adapt, Overcome
nedd3h



Joined: 14 Jan 2005
Posts: 67
Location: Australia

Posted: Fri Apr 27, 2007 2:43 am

Thanks for this, I've added the combinedfixes script to my server.
Pantaloons



Joined: 17 Nov 2004
Posts: 6

Posted: Fri Apr 27, 2007 3:07 am

thanks for your time & effort reyal thumbs up
_________________
www.fatalpunishers.com

[fP]Demolition Centre Too

81.169.171.73:29960
Luk4ward



Joined: 30 Jul 2006
Posts: 236
Location: Poland

Posted: Fri Apr 27, 2007 1:43 pm

thx:), so all cheaters with spoofed etpro guids like 13333333337 are kicked out, nice. McSteve was working on such things, as on many g8 things:P. I wonder if u can add the cl_guid checking to this lua,

cheers
_________________
wolFTeam.pl
SoupDragon



Joined: 16 Feb 2005
Posts: 1

Posted: Fri Apr 27, 2007 1:50 pm

Nice to see, tvm

But why not a small increment and release of etpro instead? I feel the uptake of this fix will be slower.


Last edited by SoupDragon on Fri Apr 27, 2007 1:54 pm; edited 1 time in total
ReyalP



Joined: 25 Jul 2003
Posts: 1663

Posted: Fri Apr 27, 2007 1:52 pm

Luk4ward wrote:
thx:), so all cheaters with spoofed etpro guids like 13333333337 are kicked out, nice. McSteve was working on such things, as on many g8 things:P. I wonder if u can add the cl_guid checking to this lua,

cheers

This module does NOT make etpro GUIDs any more reliable than they were. They are still broken and can still be spoofed, and so should not be used for just about anything. All it does is prevent some obviously malformed ones (including particular ones that have bad side effects) from being used.

You could do similar checking on the cl_guid in userinfo, but I don't see the point.

Note that if you want to gather IPs of people who are ~100% sure trying to cheat, search your server log for guidcheck: messages.
_________________
send lawyers, guns and money
Luk4ward



Joined: 30 Jul 2006
Posts: 236
Location: Poland

Posted: Fri Apr 27, 2007 2:05 pm

ReyalP wrote:
Luk4ward wrote:
thx:), so all cheaters with spoofed etpro guids like 13333333337 are kicked out, nice. McSteve was working on such things, as on many g8 things:P. I wonder if u can add the cl_guid checking to this lua,

cheers

This module does NOT make etpro GUIDs any more reliable than they were. They are still broken and can still be spoofed, and so should not be used for just about anything. All it does is prevent some obviously malformed ones (including particular ones that have bad side effects) from being used.

You could do similar checking on the cl_guid in userinfo, but I don't see the point.

Note that if you want to gather IPs of people who are ~100% sure trying to cheat, search your server log for guidcheck: messages.


I understand and know about it, but about cl_guid: sometimes some pr0 cheaters have a spoofed cl_guid, not the etpro one, so the command !ban cheater can do nothing to them, but u will probably say that this is the problem of etadmin mod users ;p and the lua patch is only there to prevent crashing / exploiting the servers,

regards
_________________
wolFTeam.pl
Tron



Joined: 18 Apr 2005
Posts: 22

Posted: Sat Apr 28, 2007 12:10 pm

Speaking of exploits, I witnessed a particular one some weeks ago. I don't know if it's a well known one or not, but with my limited server setup knowledge I guess you could stop it with flood protection (?). What happened was that some guy very rapidly switched teams for some seconds until the server seemingly crashed. The console log looks like this:

[skipnotify]kajohahahahaa^7 entered the game
kajohahahahaa^7 has joined the Axis team^7!
kajohahahahaa^7 has joined the Spectators^7!
[skipnotify]kajohahahahaa^7 entered the game
kajohahahahaa^7 has joined the Axis team^7!
kajohahahahaa^7 has joined the Spectators^7!
[skipnotify]kajohahahahaa^7 entered the game
kajohahahahaa^7 has joined the Axis team^7!
kajohahahahaa^7 has joined the Spectators^7!
...

I have a demo if required.
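As an added example (not from the thread, and not an ETPro or etadmin_mod file), here is an offline Lua scan for the churn pattern in Tron's log above, written with the caution ReyalP's note to lua mod authors asks for: every console line is client-influenced text, so colour codes are stripped first, the patterns are anchored to the fixed message tail, and the result is a count for an admin to read rather than anything fed back into a server command. The log carries no timestamps, so the window and threshold are line-count assumptions, and the sample input is constructed from the quoted lines plus one ordinary player.

```lua
-- Added example, not part of the thread or of any ETPro file.
-- Flags a name that produces more than THRESHOLD team-join messages
-- inside any WINDOW consecutive console-log lines.

local WINDOW = 20      -- assumed: measured in lines, the sample log has no clock
local THRESHOLD = 6    -- assumed: joins per name inside the window before flagging

-- Remove the [skipnotify] prefix and Q3 colour codes ('^' plus one char).
local function normalise(line)
    line = string.gsub(line, "^%[skipnotify%]", "")
    line = string.gsub(line, "%^.", "")
    return line
end

-- Return the player name for a team-join message, nil for any other line.
-- The capture is non-greedy and the pattern is anchored at both ends, so a
-- name that itself contains " has joined the " yields the shortest prefix
-- instead of a bogus team; the name is only ever used as a table key.
local function join_event(line)
    local _, _, name = string.find(line, "^(.-) has joined the .-!$")
    return name
end

-- lines: array of raw console-log lines.
-- Returns name -> peak in-window join count for every name over the threshold.
function find_team_churn(lines, window, threshold)
    window = window or WINDOW
    threshold = threshold or THRESHOLD
    local recent = {}    -- name -> line numbers of that name's recent joins
    local flagged = {}
    for i, raw in ipairs(lines) do
        local name = join_event(normalise(raw))
        if name then
            local kept, n = {}, 0
            for _, ln in ipairs(recent[name] or {}) do
                if i - ln < window then     -- drop joins that fell out of the window
                    n = n + 1
                    kept[n] = ln
                end
            end
            n = n + 1
            kept[n] = i
            recent[name] = kept
            if n > threshold and (flagged[name] or 0) < n then
                flagged[name] = n
            end
        end
    end
    return flagged
end

-- Constructed sample: the lines quoted in the post, repeated four times,
-- plus a normal player who changes team once.
local sample = {}
for _ = 1, 4 do
    table.insert(sample, "[skipnotify]kajohahahahaa^7 entered the game")
    table.insert(sample, "kajohahahahaa^7 has joined the Axis team^7!")
    table.insert(sample, "kajohahahahaa^7 has joined the Spectators^7!")
end
table.insert(sample, "^1Ordinary^7Player^7 has joined the Allies team^7!")

for name, n in pairs(find_team_churn(sample)) do
    print(string.format("churn: %q joined %d times within %d lines", name, n, WINDOW))
end
```

On a real console log the loop over sample would be replaced by reading the file line by line with io.lines; the "entered the game" lines are deliberately ignored, since the join messages alone carry the churn signal.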
Gobbo



Joined: 02 Oct 2006
Posts: 4

Posted: Sat Apr 28, 2007 12:49 pm

brilliant work .. had the ws lua but not the others ... We just had 2 days of the server being crashed every few maps, and then today we had someone connect and bring in something like 5 bots with 0 ping, and when we looked closely they all had the same IP.
So I guess you have fixed all my problems ..
And all I was looking for was whether I had missed an sv_command like a max IP limit!

Really many thanks . Cool
ReyalP



Joined: 25 Jul 2003
Posts: 1663

Posted: Sat Apr 28, 2007 10:01 pm

Tron wrote:
Speaking of exploits, I witnessed a particular one some weeks ago. I don't know if it's a well known one or not, but with my limited server setup knowledge I guess you could stop it with flood protection (?). What happened was that some guy very rapidly switched teams for some seconds until the server seemingly crashed. The console log looks like this:

[skipnotify]kajohahahahaa^7 entered the game
kajohahahahaa^7 has joined the Axis team^7!
kajohahahahaa^7 has joined the Spectators^7!
[skipnotify]kajohahahahaa^7 entered the game
kajohahahahaa^7 has joined the Axis team^7!
kajohahahahaa^7 has joined the Spectators^7!
[skipnotify]kajohahahahaa^7 entered the game
kajohahahahaa^7 has joined the Axis team^7!
kajohahahahaa^7 has joined the Spectators^7!
...

I have a demo if required.

The floodkick stuff in 3.2.6 should prevent this. That is why it was implemented. Perhaps the server admin changed the default values?

@SoupDragon
These fixes will be in the next etpro release. These scripts allow us to address the issues right away, without the usual beta cycle that goes with a full release, or the delays that leagues usually have adopting updates. If admins decide not to use the workarounds provided, that is their choice and certainly not my problem.
_________________
send lawyers, guns and money
Tron



Joined: 18 Apr 2005
Posts: 22

Posted: Sun Apr 29, 2007 2:46 am

ReyalP wrote:
Perhaps the server admin changed the default values?


I guess b_floodMaxCommands is the cvar to be checked (?). '/pb_cvarval b_floodMaxCommands' on that server says '3' now, but I didn't check this when the server got crashed 4 weeks ago. :(
ReyalP



Joined: 25 Jul 2003
Posts: 1663

Posted: Sun Apr 29, 2007 11:54 am

see here:
http://bani.anime.net/banimod/forums/viewtopic.php?p=65298#65298
_________________
send lawyers, guns and money
h3ll



Joined: 13 Apr 2007
Posts: 3
Location: The Netherlands

Posted: Tue May 08, 2007 11:47 pm

nice, now let's see how long it takes for CB to update their configs
_________________
#GamesTV.org
Lagger



Joined: 29 Sep 2003
Posts: 333

Posted: Thu May 10, 2007 8:51 am

h3ll wrote:
nice, now let's see how long it takes for CB to update their configs
not very long, apparently
All times are GMT - 8 Hours