UPDATE Jan 15 09 - exploits actively abused

Discussion for Admins of ETPro/BayonET servers.
If you don't run a server, please don't post here...

Moderators: Forum moderators, developers

Luk4ward
Posts: 236
Joined: Sun Jul 30, 2006 1:55 pm
Location: Poland
Contact:

Post by Luk4ward »

Hi

I've got this combinedfixes.lua, and today on the server there was some guy who was asking players to lag the server?! After some rude response the server crashed, kicked players and a new campaign was executed. I'm an admin of a 2.60b server; info from the logs:

Code: Select all

map: Adlernest final
blabla...

voice: ^7'^0Gr^723^0chu^7' Negative ^0N^73^0gativ^73
********************
ERROR: G_Scripting: alertentity cannot find targetname "sidewall"

********************
----- Server Shutdown -----
Sending heartbeat to etmaster.idsoftware.com
Sending heartbeat to master.gamespy.com:27900
Sending heartbeat to master0.gamespy.com
==== ShutdownGame ====
ShutdownGame:
------------------------------------------------------------
etpro: Lua module [announcekillershealth.lua] [4D533E6C362EA88AEE893EA27CA7480120CD9035] unloaded.
---------------------------
^3PunkBuster Server: Lost Connection (slot #4) 80.54.134.1:27960 8d4b14edfcaf33e92c1f2a8c32abf5ee(?) ^7V^dn^7D^d' ( <- this guy)

WARNING: watchdog will trigger in 4 seconds
Idle Server with no map - triggering watchdog
------ Server Initialization ------
Server: oasis

etc....
What did he manage to do? I mean how... I thought I was running a server with the latest patches/fixes. Please help,

thx in advance
wolFTeam.pl
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Post by ReyalP »

ERROR: G_Scripting: alertentity cannot find targetname "sidewall"
This is a map script error. It is possible that some action in the map can trigger it, but the fault still lies with the map. I have a vague memory of a script fix for this map, but I'm not certain.
send lawyers, guns and money
jump3r
Posts: 159
Joined: Sun Apr 18, 2004 1:11 am

Post by jump3r »

ReyalP wrote:
ERROR: G_Scripting: alertentity cannot find targetname "sidewall"
This is a map script error. It is possible that some action in the map can trigger it, but the fault still lies with the map. I have a vague memory of a script fix for this map, but I'm not certain.
do you mean this one?
http://bani.anime.net/banimod/forums/vi ... 4926#64926
Luk4ward
Posts: 236
Joined: Sun Jul 30, 2006 1:55 pm
Location: Poland
Contact:

Post by Luk4ward »

thanks for the explanation and fast response :), I thought so but wasn't sure how it is possible,

hope the script will fix this, thanks again for the help :)
wolFTeam.pl
-neX-
Posts: 12
Joined: Fri Mar 11, 2005 1:49 pm

Post by -neX- »

much appreciated ReyalP!
Dersaidin
Posts: 197
Joined: Fri Aug 06, 2004 1:55 pm
Location: Australia

Post by Dersaidin »

Yeah, that script error was my mistake. :<

The wall which the tank blows at the start of the map (my pro cinematic intro) was able to be destroyed if allied players were fast enough to shoot a panzer or some explosives at it before the tank. Then when the tank tries to shoot it, the entity has already gone, and it can't find anything :/


There's a link to the fix (which gives the wall enough health to hold out until the tank shoots it) on the thread jump3r linked.
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Post by ReyalP »

I've corrected a couple of bugs in userinfocheck.lua (and the corresponding part of combinedfixes.lua).

Updated files at the original URLs.

Thanks to DoGoD and benny for bringing to my attention that the wrong var was used in the RunFrame userinfo check.

I also found and fixed a bug where the wrong client number was printed in the log messages for the clientconnect check.

Finally, I've added a check for newlines in userinfo. This has the potential to do very bad things to log parsers such as etadmin_mod (thanks benny for pointing this out.)

I would strongly suggest not using any log parser. If you must use a log parser, make sure that it safely handles any possible newlines malicious clients could inject into your log.

The check added to userinfocheck.lua does NOT make this safe, it merely kicks people for certain attempts to do bad things. This may not happen soon enough to protect your log parser, since the game and engine print various things themselves.
send lawyers, guns and money
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Post by ReyalP »

Another exploit, another bump. See first post.
send lawyers, guns and money
Luk4ward
Posts: 236
Joined: Sun Jul 30, 2006 1:55 pm
Location: Poland
Contact:

Post by Luk4ward »

Thanks for the further fixes and nice support. Btw can you explain, maybe by example, what those exploits with log parsers are all about?

It's something like this:

1) mod is looking for a 'shutdown' line
2) player connects with the nick 'shutdown'
3) mod thinks it's the end of the map

or maybe it's something worse? I'm asking about this to know how to defend or maybe help; as for priv abuse I'm using a modified chat system from kmod

@ Nick abusing

Nicks with extra "^" like:

Code: Select all

et^^7player
can be kicked (or whatever) only by PunkBuster. The game goes crazy, so every such player has to be filtered out by cleaning the name or maybe kicking; I'm using the code from Hadro (I just modified the rename function):
Code: Select all

-- Rename a client. newname is either a literal new name, or one of the
-- keywords "clean" (strip colour codes) / "cutnick" (shorten the name).
function RenameUser(clientNum, newname)

	local userinfo, bname, info, msg
	userinfo = et.trap_GetUserinfo(clientNum)
	bname = unfoVal(userinfo, "name")

	if (newname == "clean") then
		newname = uncol(bname)
		info = "Your nick has been cleaned ! ^1Use standard keys !"
		-- plain concatenation; the message needs its closing quote for cpm
		msg = "cpm \"" .. info .. "\"\n"
		et.trap_SendServerCommand(clientNum, msg)
	elseif (newname == "cutnick") then
		-- cut_nick comes from the rest of Hadro's code (not shown here)
		newname = cut_nick(bname)
		info = "Your nick has been cut ! ^1Use nick with normal length !"
		msg = "cpm \"" .. info .. "\"\n"
		et.trap_SendServerCommand(clientNum, msg)
	end

	userinfo = et.Info_SetValueForKey(userinfo, "name", newname)
	et.trap_SetUserinfo(clientNum, userinfo)
	et.ClientUserinfoChanged(clientNum)

end

function uncol(arg) -- this one leaves weird ascii, unlike et.Q_CleanStr
	-- drop every "^x" pair first, then any "^" left over (handles "^^7")
	return string.gsub(string.gsub(arg, "%^[^%^]", ""), "%^", "")
end

function unfoVal(unfo, key) -- more secure version gets value from the end of the info-string, thanks ReyalP
	-- keeps scanning so the LAST \key\value\ wins; a duplicated key cannot
	-- hide a later value. Returns "" when the key is absent.
	local index = 0
	local oldcap = ""
	local d, cap
	while 1 do
		index, d, cap = string.find(unfo, "\\"..key.."\\([^\\]+)", index+1)
		if not index then return oldcap end
		oldcap = cap
	end
end
Last edited by Luk4ward on Mon Mar 24, 2008 6:55 am, edited 2 times in total.
wolFTeam.pl
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Post by ReyalP »

Luk4ward wrote:Thanks for the further fixes and nice support. Btw can you explain, maybe by example, what those exploits with log parsers are all about?

It's something like this:

1) mod is looking for a 'shutdown' line
2) player connects with the nick 'shutdown'
3) mod thinks it's the end of the map
Exactly. Think about what happens if a log parser looks for !kick in chat (in lua, you can intercept the command instead of reading the prints, which is much safer.)

The basic problem is that if I do

Code: Select all

/say blah
in the client console, what shows up in the server console is:

Code: Select all

say: [NW]reyalP: blah
[NW]reyalP: blah
If your log parser is looking for the "say" line (for example), someone named "say" can do something on behalf of any other player.

Note that the second line goes to the console and console log (and goes through et_Print), but not the game log.

In the case of guidcheck, it was looking for message starting with etpro IAC and some other stuff that could be put in a name.

If you are using lua, I'd suggest avoiding using et_Print callbacks if at all possible. If you must use them, think very carefully about how players could manipulate it with creative naming.

I'm not sure about the ^^7 names, I thought all those issues were already dealt with, but I guess I'll have to look at that.
send lawyers, guns and money
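An added example, in Python rather than ETPro Lua so it runs stand-alone, and not code from this thread or from ETPro: it shows the forgery ReyalP describes above (a player named "say: [NW]reyalP" producing a console line that a naive parser attributes to [NW]reyalP), the newline trick from the userinfocheck.lua post earlier in the thread, and a userinfo check of the kind userinfocheck.lua performs. The two-line console format is a constructed model of the lines quoted above, the "connect:" echo line is constructed, the keyword list ("say", "shutdown") and the kick reasons are assumptions, and the IP pattern is the one Luk4ward posts later in the thread.

```python
import re

SEP = ": "  # separator the console puts between a name and a message


def console_lines_for_say(name, text):
    """Constructed model of the two console lines printed for '/say <text>'."""
    return ["say" + SEP + name + SEP + text, name + SEP + text]


SAY_RE = re.compile(r"^say: (?P<name>.+?): (?P<msg>.*)$")


def naive_parse_say(log_text):
    """A log parser that trusts every 'say: <name>: <msg>' line (the kind of
    parser that would watch chat for !kick). Returns a list of (name, msg)."""
    out = []
    for line in log_text.split("\n"):
        m = SAY_RE.match(line)
        if m:
            out.append((m.group("name"), m.group("msg")))
    return out


def forged_say_demo():
    """Attacker named 'say: [NW]reyalP' types '/say !kick victim'. The second
    console line is then indistinguishable from [NW]reyalP saying it."""
    attacker = "say" + SEP + "[NW]reyalP"
    log_text = "\n".join(console_lines_for_say(attacker, "!kick victim"))
    return naive_parse_say(log_text)


def newline_demo():
    """A newline inside a name splits any line that echoes the name in two;
    the tail is a complete forged say line. 'connect:' is a constructed format."""
    attacker = "Harmless\nsay: [NW]reyalP: !kick victim"
    log_text = "connect: " + attacker
    return naive_parse_say(log_text)


def userinfo_value(userinfo, key):
    """Value of key in a \\key\\value\\... string. The LAST occurrence wins, as
    in unfoVal above, so a duplicated key cannot hide a later value."""
    val = None
    for m in re.finditer(r"\\" + re.escape(key) + r"\\([^\\]*)", userinfo):
        val = m.group(1)
    return val


def strip_colors(s):
    """Same idea as uncol above: drop '^x' pairs, then any leftover '^'."""
    return re.sub(r"\^", "", re.sub(r"\^[^\^]", "", s))


IP_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+:\d+$")  # pattern from the thread
# Assumed keyword list: names that start with a log keyword as a whole word.
KEYWORD_RE = re.compile(r"^(say|shutdown)(?![a-z])", re.IGNORECASE)


def check_userinfo(userinfo):
    """Return None if the userinfo is acceptable, otherwise a kick reason.
    The policy is constructed for this example and modeled on the checks
    discussed in the thread; it is not copied from userinfocheck.lua."""
    if "\n" in userinfo or "\r" in userinfo:
        return "newline in userinfo"
    name = userinfo_value(userinfo, "name") or ""
    # Check the raw name and the colour-stripped one: a parser that cleans
    # colours before matching would see 's^7ay' as 'say'.
    for candidate in (name, strip_colors(name)):
        if SEP in candidate:
            return "log separator in name"
        if KEYWORD_RE.match(candidate):
            return "log keyword in name"
    ip = userinfo_value(userinfo, "ip")
    if ip is not None and not IP_RE.match(ip):
        return "malformed ip"
    return None


if __name__ == "__main__":
    print(forged_say_demo())
    print(newline_demo())
    print(check_userinfo("\\name\\say: [NW]reyalP\\ip\\80.54.134.1:27960"))
```

The point of the first two functions is that the parser cannot be fixed from the text alone: the forged second line is byte-for-byte what a real say line from [NW]reyalP looks like, which is why the advice above is to intercept the command in Lua rather than read the prints. The check only narrows the set of names that can produce such lines, and, as ReyalP notes, the kick may come after the engine has already printed the name.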
jump3r
Posts: 159
Joined: Sun Apr 18, 2004 1:11 am

Post by jump3r »

keep up the good work. :thumbs:

btw, does that "player's name log exploit" affect the game log in any way? I ask because I made my own server stats parser...
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Post by ReyalP »

jump3r wrote:keep up the good work. :thumbs:

btw, does that "player's name log exploit" affect the game log in any way? I ask because I made my own server stats parser...
No, all it does is kick users who attempt to use names that could trigger the exploit. This is NOT a general fix, it just prevents guidcheck from being exploited in that way.
send lawyers, guns and money
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Post by ReyalP »

Another day, another bump.
send lawyers, guns and money
crazyfrag
Posts: 105
Joined: Fri Oct 01, 2004 1:17 pm

Post by crazyfrag »

Code: Select all

etpro: et_RunFrame error running lua script: [string "combinedfixes.lua"]:127: attempt to call field `match' (a nil value)
Luk4ward
Posts: 236
Joined: Sun Jul 30, 2006 1:55 pm
Location: Poland
Contact:

Post by Luk4ward »

heh, while I was posting about the code for catching the IP you had already updated the code, many thanks! :D

edit:

one more piece of code should be changed imo:

Code: Select all

if not string.match(ip,"^%d+%.%d+%.%d+%.%d+:%d+$") then
	return "malformed ip"
end
to something like this

Code: Select all

if (string.find(ip,"^%d+%.%d+%.%d+%.%d+:%d+$") == nil) then
	return "malformed ip"
end
regards
wolFTeam.pl