banimod / etpro / ettv forums
Bani's Discussion Forums
 
UPDATE Jan 15 09 - exploits actively abused
bennz
Joined: 06 Feb 2007
Posts: 9
Posted: Fri Feb 20, 2009 10:33 am

Luk4ward, you need new glasses.
Luk4ward
Joined: 30 Jul 2006
Posts: 236
Location: Poland
Posted: Fri Feb 20, 2009 10:57 am

bennz wrote:
Luk4ward, you need new glasses.

and u need a new brain -.-'
_________________
wolFTeam.pl
bennz
Joined: 06 Feb 2007
Posts: 9
Posted: Wed Feb 25, 2009 11:38 am

Well, we will see.

Typo: The LUA interpreter doesn't complain about this additional ;
Who knows... !blame

You are writing a lot of posts, but I get this feeling you 1. don't read the other things carefully or 2. you just don't get it.

Concerning this:
Code:
  if cmd == "callvote" or cmd == "ref" or cmd == "sa" or cmd == "semiadmin" then
    local _, counts = string.gsub (args, "%s", "")  -- count spaces

    if counts > 1 then
      msg = string.format("cpm  \"Remove additional spaces!\n")
      et.trap_SendServerCommand(cno, msg)
      return 1
    end

    if string.find(args,"%\\") or string.find(args,"%;") then
      msg = string.format("cpm  \"Invalid string!\n")
      et.trap_SendServerCommand(cno, msg)
      return 1
    end

    return 0
  end


-->
Code:
  string.find(args,"%\\")

You are looking for the appearance of \, but why? We should take care of \r and \n. Carriage return and newline! They are C-like escape sequences.

Code:
  string.find(args,"%;")

Why should one forbid the use of a ;?
[btw: actually it should be string.find(args,";").
%x (where x is any non-alphanumeric character) --- represents the character x. This is the standard way to escape the magic! characters. The % isn't needed here.]
This character is exchanged by a malicious client. IT WON'T REACH THE SERVER. On the other hand, assuming a standard client, this is my patented emo quit vote> /callvote mute "Bennz;quit"
If it passes it will quit MY CLIENT!!! and NOT the server.



I'm sorry, it doesn't make any sense, but fortunately! you were lucky enough to catch this vulnerability. Because when counting space characters, \r and \n are taken as space characters. So the other two conditions are useless/don't apply.

So long
Luk4ward
Joined: 30 Jul 2006
Posts: 236
Location: Poland
Posted: Thu Feb 26, 2009 9:35 am

Well, i saw it when u said to me to get new glasses. If you had replied to me like now instead of flaming i would say nothing or respect your comments. Now, we will see if your comments are really worth it.

Quote:
Typo: The LUA interpreter doesn't complain about this additional ;
Who knows... !blame


yes, it doesn't but i said the WHOLE bug fix for callvote doesn't work. Second of all one typo ";" can change the signature of lua which is necessary to have a valid league cfg. Third of all we should keep the standard of lua language.

Quote:
You are writing a lot of posts, but I get this feeling you 1. don't read the other things carefully or 2. you just don't get it.


I'm writing a lot of posts coz i want to help other ppl, not as u flaming them without reason. And sometimes i can make a mistake. Yes, is it really something new to people? I want to learn man and u are not helping me/others by posting a shit about glasses...

Quote:
Code:
string.find(args,"%\\")

You are looking for the appearance of \, but why? We should take care of \r and \n. Carriage return and newline! They are C-like escape sequences.


coz as i said b4 the bugfix code doesn't work at all. And imo such chars shouldn't be allowed in callvotes (for what?). That's why i want to get rid of all problems (i dnt care if its \n or \r - yes i know the meaning of them). But u r not 100% sure if there is no extra bug with \ (like everything in programming)

Quote:
Code:
string.find(args,"%;")

Why should one forbid the use of a ;?
[btw: actually it should be string.find(args,";").
%x (where x is any non-alphanumeric character) --- represents the character x. This is the standard way to escape the magic! characters. The % isn't needed here.]
This character is exchanged by a malicious client. IT WON'T REACH THE SERVER. On the other hand, assuming a standard client, this is my patented emo quit vote> /callvote mute "Bennz;quit"
If it passes it will quit MY CLIENT!!! and NOT the server.


yes, u r right. But did u test it? I guess not (same with combinedfixes by reyalp)...I want to forbid them coz.......ET is already doing this! You didn't check it either...Also the char ; is mentioned on aluigi's board as a substitute for \n ...You are not 100% sure too that with a hacked client it will work like u described...

So long.....

------------------------------NEW UPDATE--------------------

Quote:
function et_ClientCommand(cno,cmd)
local msg = ""
cmd = string.lower(cmd)
if cmd == "ws" then
local n = tonumber(et.trap_Argv(1))
if not n then
et.G_LogPrint(string.format("wsfix: client %d bad ws not a number [%s]\n",cno,tostring(et.trap_Argv(1))))
return 1
end

if n < 0 or n > 21 then
et.G_LogPrint(string.format("wsfix: client %d bad ws %d\n",cno,n))
return 1
end
return 0
end
if cmd == "callvote" or cmd == "ref" or cmd == "sa" or cmd == "semiadmin" then
local args=et.ConcatArgs(1)
-- et.G_LogPrint(string.format("combinedfixes: client %d %s [%s]\n",cno,cmd,args))
if string.find(args,"%\\") or string.find(args,"%;") then
et.G_LogPrint(string.format("combinedfixes: client %d bad %s [%s]\n",cno,cmd,args))
msg = string.format("cpm \"Invalid string!\n")
et.trap_SendServerCommand(cno, msg)
return 1
end
return 0
end
return 0
end


-- prevent various borkage by invalid userinfo
-- version: 4
-- history:
-- 4 - check length and IP
-- 3 - check for name exploit against guidcheck
-- 2 - fix nil var ref if kicked in RunFrame
-- fix incorrect clientNum in log message for ClientConnect kick
-- 1 - initial release

-- names that can be used to exploit some log parsers
-- note: only console log parsers or print hooks should be affected,
-- game log parsers don't see these at the start of a line
-- "^etpro IAC" check is required for guid checking
-- comment/uncomment others as desired, or add your own
-- NOTE: these are patterns for string.find
badnames = {
-- '^ShutdownGame',
-- '^ClientBegin',
-- '^ClientDisconnect',
-- '^ExitLevel',
-- '^Timelimit',
-- '^EndRound',
'^etpro IAC',
'\\', -- we should kick such players on connect otherwise they cant be kicked in game due to callvote bugfix
';',
'^^',
-- '^etpro privmsg',
-- "say" is relatively likely to have false positives
-- but can potentially be used to exploit things that use etadmin_mod style !commands
-- '^say',
-- '^Callvote',
-- '^broadcast'
}


Download: http://acpro.wolfteam.pl//category.php?id=1
_________________
wolFTeam.pl
bennz
Joined: 06 Feb 2007
Posts: 9
Posted: Sat Feb 28, 2009 4:11 pm

I don't think we need a Who-rulez-teh-str33t-contest; as well as you, I'm here to help. I can't help you if you do not listen to me.

Please tell me, why did you remove the only line of code, that saved you from being exploited?

Code:
if string.find(args,"%\\") or string.find(args,"%;") then
It is not necessary to catch that in a 'callvote' but of course you have to check:
Code:
if string.find(args,"[\r\n]") then

Oh lord... otherwise you are going to be fucked :/
Just leave the combinedfixes code as it is, except the ;
I don't deny ReyalP's guilt, he will blame the booze

How does it happen that you say the callvote fix is not working & why are you sure I didn't test it?




Please note:
Code:
badnames = {
...
'^^',
...
You may not allow certain names or characters, ok. But if someone joins with the nick "^1Luke", he will get kicked, because he has a caret as first character. If you would like to kick a player with a caret followed by another caret somewhere in his name you may use> '%^%^',
or set the fourth argument of 'string.find' to true if you don't want to use patterns at all. (http://www.lua.org/manual/5.0/manual.html#5.3 --> A value of true as a fourth, optional argument plain turns off the pattern matching facilities, so the function does a plain "find substring" operation, with no characters in pattern being considered "magic".)


No offence
Luk4ward
Joined: 30 Jul 2006
Posts: 236
Location: Poland
Posted: Mon Mar 02, 2009 1:37 am

bennz wrote:
I don't think we need a Who-rulez-teh-str33t-contest; as well as you, I'm here to help. I can't help you if you do not listen to me.

Please tell me, why did you remove the only line of code, that saved you from being exploited?

Code:
if string.find(args,"%\\") or string.find(args,"%;") then
It is not necessary to catch that in a 'callvote' but of course you have to check:
Code:
if string.find(args,"[\r\n]") then

Oh lord... otherwise you are going to be fucked :/
Just leave the combinedfixes code as it is, except the ;
I don't deny ReyalP's guilt, he will blame the booze

How does it happen that you say the callvote fix is not working & why are you sure I didn't test it?


I removed count spaces because otherwise gamers can't kick/mute a player with spaces in the nick. So we should take care of players' names too. The only way is to deny any parameter with \\. I tested Reyalp's code and it doesn't work with \r\n (there is no debug line in the log file). And how r u so sure that it's working?


bennz wrote:

Please note:
Code:
badnames = {
...
'^^',
...
You may not allow certain names or characters, ok. But if someone joins with the nick "^1Luke", he will get kicked, because he has a caret as first character. If you would like to kick a player with a caret followed by another caret somewhere in his name you may use> '%^%^',
or set the fourth argument of 'string.find' to true if you don't want to use patterns at all. (http://www.lua.org/manual/5.0/manual.html#5.3 --> A value of true as a fourth, optional argument plain turns off the pattern matching facilities, so the function does a plain "find substring" operation, with no characters in pattern being considered "magic".)


No offence


Nope, it will kick only players with ^^ or more carets. I tested it also and u probably not as usual? No offence ;p
_________________
wolFTeam.pl
bennz
Joined: 06 Feb 2007
Posts: 9
Posted: Mon Mar 02, 2009 4:17 pm

Anyway, here is a sample code to demonstrate the two patterns '^^' and '%^%^'.
I hope the link works: http://www.file-upload.net/download-1495268/luke.lua.html

The output is>
Code:
----------------------------------------
badname '^1Luke' matching pattern '^^'
badname '^^Luke' matching pattern '^^'
badname '^^Luke' matching pattern '%^%^'
badname 'L^^uke' matching pattern '%^%^'
badname 'Luke^^' matching pattern '%^%^'
----------------------------------------

Your intentions are good, but it's the wrong pattern. Same for '$$$', it matches the name 'Luke$$' or 'Luke$$$'. It doesn't match 'Luke$$$asf', BECAUSE: (http://www.lua.org/manual/5.0/manual.html#5.3)

Patterns
A pattern is a sequence of pattern items. A `^´ at the beginning of a pattern anchors the match at the beginning of the subject string. A `$´ at the end of a pattern anchors the match at the end of the subject string. At other positions, `^´ and `$´ have no special meaning and represent themselves.


Your words:
Luk4ward wrote:
Third of all we should keep the standard of lua language.
...
I tested it also and u probably not as usual?

Mmm kay...


Enough is enough. You don't seem to listen, unconvincable luke. At first i thought you were just kidding... To make this come to an end> Someone joined the server ET.GamesNet.pl OBJ, changed the rconpassword and added the ip ban mask '4.3.2.1'.
(+ 'killserver' to restart the et server with original rconpw, nobody was hurt)

You encourage others to use a version of the fix that doesn't work. I hope you will realize that a mistake was made.

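The anchoring rule bennz quotes from the Lua manual, the plain-substring alternative he suggests, and the caret stripping (uncol) he later explains for ac2pro, worked through in one added example. This is not code from the thread, combinedfixes or ACpro; the names are constructed samples, and uncol here is the stripping expression quoted from ac2pro.lua wrapped in a function.

```lua
-- Added example, not code from the thread, combinedfixes or ACpro.
-- Lua 5.0/5.1. The names below are constructed samples.
local names = { "^1Luke", "^^Luke", "L^^uke", "Luke^^", "Luke$$", "Luke$$$asf" }

-- Prints every name that string.find accepts for the given pattern;
-- 'plain' is passed through as the 4th argument of string.find.
local function report(label, pat, plain)
  print(label)
  for _, n in ipairs(names) do
    if string.find(n, pat, 1, plain) then
      print("  badname '" .. n .. "' matches")
    end
  end
end

-- '^' is an anchor only at the START of a pattern, so '^^' means
-- "begins with one caret": it hits every colour-coded name like '^1Luke'.
report("pattern '^^' (anchored):", "^^")

-- '%^' escapes the caret, so '%^%^' means two literal carets anywhere.
report("pattern '%^%^' (escaped):", "%^%^")

-- '$' is an anchor only at the END of a pattern, so '$$$' means
-- "ends with two dollar signs"; 'Luke$$$asf' is not matched.
report("pattern '$$$' (end-anchored):", "$$$")

-- true as the 4th argument turns pattern matching off: the entry is a
-- plain substring, so '^^' now really means two carets in a row.
report("plain substring '^^':", "^^", true)

-- ac2pro strips colour codes before its badnames check (the uncol step
-- quoted in the thread: drop every '^' followed by a non-caret, then
-- drop any caret that is left).
local function uncol(s)
  return (string.gsub(string.gsub(s, "%^[^%^]", ""), "%^", ""))
end
for _, n in ipairs(names) do
  print("uncol('" .. n .. "') = '" .. uncol(n) .. "'")
end
-- No caret survives uncol, so a '^^' entry in badnames can never match there.
```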
Luk4ward
Joined: 30 Jul 2006
Posts: 236
Location: Poland
Posted: Tue Mar 03, 2009 10:45 am

bennz wrote:
Anyway, here is a sample code to demonstrate the two patterns '^^' and '%^%^'.
I hope the link works: http://www.file-upload.net/download-1495268/luke.lua.html

The output is>
Code:
----------------------------------------
badname '^1Luke' matching pattern '^^'
badname '^^Luke' matching pattern '^^'
badname '^^Luke' matching pattern '%^%^'
badname 'L^^uke' matching pattern '%^%^'
badname 'Luke^^' matching pattern '%^%^'
----------------------------------------

Your intentions are good, but it's the wrong pattern. Same for '$$$', it matches the name 'Luke$$' or 'Luke$$$'. It doesn't match 'Luke$$$asf', BECAUSE: (http://www.lua.org/manual/5.0/manual.html#5.3)

Patterns
A pattern is a sequence of pattern items. A `^´ at the beginning of a pattern anchors the match at the beginning of the subject string. A `$´ at the end of a pattern anchors the match at the end of the subject string. At other positions, `^´ and `$´ have no special meaning and represent themselves.


ACpro:

Code:
----------------------------------------
badname '^1Luke' DOES NOT match pattern '^^'
badname '^^Luke' matching pattern '^^'
badname '^^Luke' matching pattern '^^'
badname 'L^^uke' matching pattern '^^'
badname 'Luke^^' matching pattern '^^'
----------------------------------------


You are wrong again.

Quote:

Your words:
Luk4ward wrote:
Third of all we should keep the standard of lua language.
...
I tested it also and u probably not as usual?

Mmm kay...


Enough is enough. You don't seem to listen, unconvincable luke. At first i thought you were just kidding... To make this come to an end> Someone joined the server ET.GamesNet.pl OBJ, changed the rconpassword and added the ip ban mask '4.3.2.1'.
(+ 'killserver' to restart the et server with original rconpw, nobody was hurt)


You don't read what I'm trying to say...Well...And nothing like that happened if u want to know. If You try i will report your IP.

Quote:

You encourage others to use a version of the fix that doesn't work. I hope you will realize that a mistake was made.


I'm not encouraging anyone. I just fixed the code and shared it with others. But i understand u dnt get it like the rest of what i said.

_________________
wolFTeam.pl
ReyalP
Joined: 25 Jul 2003
Posts: 1663
Posted: Tue Mar 03, 2009 8:53 pm

Luk4ward wrote:
I heard that some ET server got hacked because of the vote exploit. So it's working, but with a hacked client. Btw i think i found a little typo in your code Reyalp:


Semicolon is optional in lua. Yes it's a mistake on my part, but it's not incorrect according to The Fine Manual
Quote:

The unit of execution of Lua is called a chunk. A chunk is simply a sequence of statements, which are executed sequentially. Each statement can be optionally followed by a semicolon


as bennz points out searching for a \ will not correctly find CR or LF chars (which are represented by \r and \n). Actually, I should check for \0A and \0D, but the current code worked correctly in all my tests.

If you can actually trigger the exploit with the current code (edit my current code, yours is horribly broken) in place, please send me your test case.

AFAIK, you cannot send a CR or LF char in a command without a hacked client. Sending a \r or \n sequence will not trigger the exploit.

I would strongly suggest that you make sure you have a firm understanding of the problem before posting "fixes" in this thread.
_________________
send lawyers, guns and money
Luk4ward
Joined: 30 Jul 2006
Posts: 236
Location: Poland
Posted: Wed Mar 04, 2009 3:12 am

ReyalP wrote:
Luk4ward wrote:
I heard that some ET server got hacked because of the vote exploit. So it's working, but with a hacked client. Btw i think i found a little typo in your code Reyalp:


Semicolon is optional in lua. Yes it's a mistake on my part, but it's not incorrect according to The Fine Manual
Quote:

The unit of execution of Lua is called a chunk. A chunk is simply a sequence of statements, which are executed sequentially. Each statement can be optionally followed by a semicolon


yea, ok

Quote:

as bennz points out searching for a \ will not correctly find CR or LF chars (which are represented by \r and \n). Actually, I should check for \0A and \0D, but the current code worked correctly in all my tests.


Why is it incorrect?

Quote:

If you can actually trigger the exploit with the current code (edit my current code, yours is horribly broken) in place, please send me your test case.

AFAIK, you cannot send a CR or LF char in a command without a hacked client. Sending a \r or \n sequence will not trigger the exploit.

I would strongly suggest that you make sure you have a firm understanding of the problem before posting "fixes" in this thread.


Yes i tested the exploit on a test server with a hacked client, but got kicked by the ET engine. Can I somehow test my and your code to be sure what's going on? I was just making tests with a normal client with /n and /r or any / command and only my modified code worked. I really understand the problem and the C code from aluigi's board.
_________________
wolFTeam.pl
bennz
Joined: 06 Feb 2007
Posts: 9
Posted: Wed Mar 04, 2009 11:36 am

That's what I've been talking about for 3 posts. In addition it's useless to debate if everyone talks about his own, different code.

Short example from ac2pro.lua
Code:
1. local stripped_name = trim ( uncol ( name ) )
2. if string.find (name,"%^^") or etadmin_name_exploit == "^" then
3. string.gsub(string.gsub(arg, "%^[^%^]", ""), "%^", "")     -- function uncol
4. local mstart,mend,cno = string.find(stripped_name,string.lower(badnamepat))
Line 1: That's a big difference to combinedfixes. In line 2 there is the right pattern, it kicks all names containing 2 or more ^. But when looking through the badname patterns the names have been stripped of all ^. (--> Line 3: First every ^ followed by something except ^ is removed, after that every remaining ^ is removed) That means it's useless to put '^^' in the badnames table as there are no ^ left!


Hint:
- Lowering the badname patterns isn't really necessary. Intended use: case sensitivity. It doesn't hurt in this case, but false positives...
- Put the combinedfixes as first to load in the chain. Merging security related checks is likely to cause trouble. (PEBCAK; Maintainability; Signatures you mentioned...)



We sure can discuss further checks in Enemy Territory -> ET Modding. Back to the most important bug:

You didn't understand the problem from aluigi's board, because
Code:
so theoretically if a client sends the command ' callvote map "mp_leo;quit" ' and the vote passes, quit will be executed after "map mp_leo".
to prevent this Cmd_CallVote_f does the following check:
  if( strchr( arg1, ';' ) || strchr( arg2, ';' ) ) {
     trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
     return;
  }
but ofc this isn't enough, since the other separators ('\r' and '\n') can also be sent in client commands.
sending such a callvote command from a game client isn't possible without a dll injection/hook/debugger afaik.


We don't have to care about ;! --> string.find(args,"%;") in function et_ClientCommand(cno, cmd) is useless.
We HAVE to check \n and \r. They include a backslash, but you can't find them with string.find(args,"%\\"). Escape sequence!


I'm helping to bring light into the darkness and you're speaking down to me? Never mind, I got used to it. I still recommend fixing your code.




ReyalP:

Am i blind and there is no \0A like hex escape? string.format instead :/
Code:
if string.find(args, string.format("%x", 010)) then -- new line
-- or both decimal (MUST have exactly 3 digits)
if string.find(args, "[\013\010]") then

but no need to check it twice?
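ReyalP's and bennz's point in one added example: the two characters backslash and 'n' that a normal client can type are not the line-feed byte, so a check for a literal backslash and a check for the CR/LF bytes reject different inputs. This is not code from the thread, combinedfixes or ACpro; both argument strings are constructed, and the decimal-escape form is the one bennz shows with the three-digit rule ReyalP confirmed.

```lua
-- Added example, not code from the thread, combinedfixes or ACpro.
-- Lua 5.0/5.1. Both argument strings below are constructed samples.

-- What a normal client can type: the two characters '\' and 'n'.
local typed   = 'mute "Bennz\\nquit"'
-- What only a modified client can send: the single byte 0x0A (LF).
local rawbyte = 'mute "Bennz' .. string.char(10) .. 'quit"'

local checks = {
  -- the check under debate: finds a literal backslash character
  { name = "literal backslash  %\\",         pat = "%\\" },
  -- the check that matters: the CR / LF bytes themselves
  { name = "CR/LF bytes        [\\r\\n]",    pat = "[\r\n]" },
  -- the same byte set written with Lua's decimal escapes (exactly 3 digits)
  { name = "decimal escapes    [\\013\\010]", pat = "[\013\010]" },
}

-- Runs every check against one argument string and prints the verdict.
local function verdicts(label, args)
  print(label)
  for _, c in ipairs(checks) do
    local hit = string.find(args, c.pat) and "REJECT" or "accept"
    print("  " .. c.name .. " -> " .. hit)
  end
end

verdicts("typed escape text, harmless:", typed)
verdicts("raw line-feed byte, the real separator:", rawbyte)
-- The ';' separator is not in this list: Cmd_CallVote_f in the game
-- code (quoted above) already refuses it before any Lua check is needed.
```

Only the backslash check rejects the typed text, and only the two byte checks reject the raw line feed, which is why the backslash check alone leaves the hole open.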
ReyalP
Joined: 25 Jul 2003
Posts: 1663
Posted: Wed Mar 04, 2009 8:06 pm

Luk4ward wrote:

Why is it incorrect?

Because the exploit doesn't involve the characters '\' and 'n'. I suggest you learn the difference between an escape sequence and the value it represents.

Quote:

I was just making tests with normal client with /n and /r or any / command and only my modified code worked.

But your code checks for the wrong thing.

Quote:
I really understand the problem and C code from aluigi's board.

This is demonstrably untrue.

@bennz
You are correct, lua appears to only accept decimal values.
_________________
send lawyers, guns and money
Luk4ward
Joined: 30 Jul 2006
Posts: 236
Location: Poland
Posted: Fri Mar 06, 2009 12:33 pm

Ok, thanks for the help m8s. Now i fully understand all. Next time i will contact Reyalp immediately and w8 for the response.

@ bennz

I have nothing against You really. If You had answered me like in the last posts i would have more respect for You. What about a fresh start?

p.s ACpro updated with first Reyalp's code.
_________________
wolFTeam.pl
bennz
Joined: 06 Feb 2007
Posts: 9
Posted: Sat Mar 07, 2009 10:10 am

Sure
mortis
Joined: 06 Jul 2004
Posts: 360
Location: at the center of the e-universe
Posted: Tue Apr 07, 2009 8:43 am

reyalp pwns all, as usual...
_________________
http://forums.quakewarsterritory.com/