UPDATE Jan 15 09 - exploits actively abused

Discussion for Admins of ETPro/BayonET servers.
If you don't run a server, please don't post here...

Moderators: Forum moderators, developers

bennz
Posts: 9
Joined: Tue Feb 06, 2007 10:24 am

Post by bennz »

Luk4ward, you need new glasses. :?
Luk4ward
Posts: 236
Joined: Sun Jul 30, 2006 1:55 pm
Location: Poland

Post by Luk4ward »

bennz wrote:Luk4ward, you need new glasses. :?
and you need a new brain -.-'
wolFTeam.pl
bennz
Posts: 9
Joined: Tue Feb 06, 2007 10:24 am

Post by bennz »

Well, we will see.

Typo: The LUA interpreter doesn't complain about this additional ;
Who knows... !blame

You are writing a lot of posts, but I get this feeling you 1. Don't read the other things carefully or 2. You just don't get it.

Concerning this:

Code:

  if cmd == "callvote" or cmd == "ref" or cmd == "sa" or cmd == "semiadmin" then
    local _, counts = string.gsub(args, "%s", "")  -- count whitespace (%s also matches \r and \n)

    if counts > 1 then
      msg = string.format("cpm \"Remove additional spaces!\n")
      et.trap_SendServerCommand(cno, msg)
      return 1
    end

    if string.find(args, "%\\") or string.find(args, "%;") then
      msg = string.format("cpm \"Invalid string!\n")
      et.trap_SendServerCommand(cno, msg)
      return 1
    end

    return 0
  end
-->

Code:

  string.find(args,"%\\")
You are looking for the appearance of \, but why? We should take care of \r and \n. Carriage return and newline! They are C-like escape sequences.

Code:

  string.find(args,"%;")
Why should one forbid the use of a ;?
[btw: actually it should be string.find(args,";").
%x (where x is any non-alphanumeric character) --- represents the character x. This is the standard way to escape the magic! characters. The % isn't needed here for ;.]
This character is exchanged by a malicious client. IT WON'T REACH THE SERVER. On the other hand, assuming a standard client, this is my patented emo quit vote> /callvote mute "Bennz;quit"
If it passes it will quit MY CLIENT!!! and NOT the server.



I'm sorry, it doesn't make any sense, but fortunately! you were lucky enough to catch this vulnerability. Because when counting space characters, \r and \n are taken as space characters. So the other two conditions are useless/don't apply.

So long
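The escape-sequence point made in the post above, as an added example that is not code from combinedfixes, ACpro or ETPro: a plain-Lua script (no et.* calls, so it runs under a stock lua interpreter) that feeds constructed vote arguments through the three checks discussed in this thread and shows which one actually catches a real CR/LF byte. The input strings, labels and helper names are my own.

```lua
-- Added example for this thread (not code from combinedfixes, ACpro or ETPro):
-- why the vote-argument check must look for the CR/LF *bytes* (10 and 13) and
-- not for a backslash. No et.* calls, so it runs under a stock `lua` binary.

-- The two separator bytes the engine treats like ';'. "[\013\010]" is the same
-- pattern written with Lua's decimal escapes (Lua has no \xNN hex escape here).
local SEP_PATTERN = "[\r\n]"

-- The three checks proposed in this thread; each returns true when it would
-- reject the argument string.
local function check_backslash(args)           -- string.find(args, "%\\")
  return string.find(args, "%\\") ~= nil
end

local function check_crlf(args)                -- string.find(args, "[\r\n]")
  return string.find(args, SEP_PATTERN) ~= nil
end

local function count_whitespace(args)          -- string.gsub(args, "%s", "")
  local _, n = string.gsub(args, "%s", "")
  return n
end

-- Constructed inputs (my own, not captured traffic). Inside a Lua string
-- literal "\n" IS the LF byte, while "\\n" is the two characters '\' and 'n',
-- which is what a stock client sends when a user types \n in the console.
local inputs = {
  { label = "normal vote",                        args = "map mp_leo" },
  { label = "typed \\n (backslash + n)",          args = "map mp_leo\\nquit" },
  { label = "real LF byte (needs hacked client)", args = "map mp_leo\nquit" },
  { label = "real CR byte (needs hacked client)", args = "map mp_leo\rquit" },
  { label = "semicolon (Cmd_CallVote_f rejects)", args = "map \"mp_leo;quit\"" },
}

for _, t in ipairs(inputs) do
  print(string.format("%-40s backslash=%-5s crlf=%-5s whitespace=%d",
    t.label,
    tostring(check_backslash(t.args)),
    tostring(check_crlf(t.args)),
    count_whitespace(t.args)))
end

-- What the thread established:
assert(string.find("a\nb", "[\013\010]") == 2)        -- decimal escapes == [\r\n]
assert(check_backslash("map mp_leo\\nquit"))          -- "%\\" only sees typed text
assert(not check_backslash("map mp_leo\nquit"))       -- ... and misses the real LF
assert(check_crlf("map mp_leo\nquit"))                -- "[\r\n]" catches it
assert(count_whitespace("map mp_leo\nquit") == 2)     -- %s counts the LF as a space
```

Run it with any Lua 5.x interpreter; the table printed for the "real LF byte" row shows the backslash check passing the exploit string while the CR/LF check rejects it, and the whitespace counter rising to 2 because %s already covers the separator bytes.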
Luk4ward
Posts: 236
Joined: Sun Jul 30, 2006 1:55 pm
Location: Poland

Post by Luk4ward »

Well, I saw it when you told me to get new glasses. If you had replied to me like this instead of flaming, I would have said nothing or respected your comments. Now we will see if your comments are really worth anything.
Typo: The LUA interpreter doesn't complain about this additional ;
Who knows... !blame
Yes, it doesn't, but I said the WHOLE bug fix for callvote doesn't work. Second of all, one typo ";" can change the signature of the Lua file, which is necessary to have a valid league cfg. Third of all, we should keep to the standard of the Lua language.
You are writing a lot of post, but I get this feeling you 1. Don't read the other things carefully or 2. You just dont' get it.
I'm writing a lot of posts because I want to help other people, not flame them without reason like you. And sometimes I can make a mistake. Yes, is it really something new to people? I want to learn, man, and you are not helping me/others by posting shit about glasses...
Code:
string.find(args,"%\\")

You are looking for the appearance of \, but why? We should take care of \r and \n. Carriage return and newline! They are C-like escape sequences.
Because, as I said before, the bugfix code doesn't work at all. And IMO such chars shouldn't be allowed in callvotes (for what?). That's why I want to get rid of all problems (I don't care if it's \n or \r - yes, I know the meaning of them). But you are not 100% sure there isn't some extra bug with \ (like everything in programming).
Code:
string.find(args,"%;")

Why should one forbid the use of a ;?
[btw: actually it should be string.find(args,";").
%x (where x is any non-alphanumeric character) --- represents the character x. This is the standard way to escape the magic! characters. The ; isn't needed here.]
This character is exchanged by a malicious client. IT WON'T REACH THE SERVER. On the other hand, assuming a standard client, this is my patented emo quit vote> /callvote mute "Bennz;quit"
If it passes it will quit MY CLIENT!!! and NOT the server.
Yes, you are right. But did you test it? I guess not (same with combinedfixes by ReyalP)... I want to forbid them because....... ET is already doing this! You didn't check it either... Also the char ; is mentioned on aluigi's board as a substitute for \n... You are not 100% sure either that with a hacked client it will work like you described...

So long.....

------------------------------NEW UPDATE--------------------
function et_ClientCommand(cno, cmd)
  local msg = ""
  cmd = string.lower(cmd)
  if cmd == "ws" then
    local n = tonumber(et.trap_Argv(1))
    if not n then
      et.G_LogPrint(string.format("wsfix: client %d bad ws not a number [%s]\n", cno, tostring(et.trap_Argv(1))))
      return 1
    end

    if n < 0 or n > 21 then
      et.G_LogPrint(string.format("wsfix: client %d bad ws %d\n", cno, n))
      return 1
    end
    return 0
  end
  if cmd == "callvote" or cmd == "ref" or cmd == "sa" or cmd == "semiadmin" then
    local args = et.ConcatArgs(1)
    -- et.G_LogPrint(string.format("combinedfixes: client %d %s [%s]\n", cno, cmd, args))
    if string.find(args, "%\\") or string.find(args, "%;") then
      et.G_LogPrint(string.format("combinedfixes: client %d bad %s [%s]\n", cno, cmd, args))
      msg = string.format("cpm \"Invalid string!\n")
      et.trap_SendServerCommand(cno, msg)
      return 1
    end
    return 0
  end
  return 0
end


-- prevent various borkage by invalid userinfo
-- version: 4
-- history:
-- 4 - check length and IP
-- 3 - check for name exploit against guidcheck
-- 2 - fix nil var ref if kicked in RunFrame
-- fix incorrect clientNum in log message for ClientConnect kick
-- 1 - initial release

-- names that can be used to exploit some log parsers
-- note: only console log parsers or print hooks should be affected,
-- game log parsers don't see these at the start of a line
-- "^etpro IAC" check is required for guid checking
-- comment/uncomment others as desired, or add your own
-- NOTE: these are patterns for string.find
badnames = {
-- '^ShutdownGame',
-- '^ClientBegin',
-- '^ClientDisconnect',
-- '^ExitLevel',
-- '^Timelimit',
-- '^EndRound',
'^etpro IAC',
'\\', -- we should kick such players on connect, otherwise they can't be kicked in game due to the callvote bugfix
';',
'^^',
-- '^etpro privmsg',
-- "say" is relatively likely to have false positives
-- but can potentially be used to exploit things that use etadmin_mod style !commands
-- '^say',
-- '^Callvote',
-- '^broadcast'
}
Download: http://acpro.wolfteam.pl//category.php?id=1
wolFTeam.pl
bennz
Posts: 9
Joined: Tue Feb 06, 2007 10:24 am

Post by bennz »

I don't think we need a Who-rulez-teh-str33t contest; like you, I'm here to help. I can't help you if you do not listen to me.

Please tell me, why did you remove the only line of code, that saved you from being exploited?

Code:

if string.find(args,"%\\") or string.find(args,"%;") then
It is not necessary to catch that in a 'callvote' but of course you have to check:

Code:

if string.find(args,"[\r\n]") then

Oh lord... otherwise you are going to be fucked :/
Just leave the combinedfixes code as it is, except the ;
I don't deny ReyalP's guilt, he will blame the booze :lol:

How does it happen that you say the callvote fix is not working & why are you sure I didn't test it?




Please note:

Code:

badnames = {
...
'^^',
...
You may not allow certain names or characters, ok. But if someone joins with the nick "^1Luke", he will get kicked, because he has a caret as first character. If you would like to kick a player with a caret followed by another caret somewhere in his name you may use> '%^%^',
or set the fourth argument of 'string.find' to true if you don't want to use patterns at all. (http://www.lua.org/manual/5.0/manual.html#5.3 --> A value of true as a fourth, optional argument plain turns off the pattern matching facilities, so the function does a plain "find substring" operation, with no characters in pattern being considered "magic".)


No offence 8)
Luk4ward
Posts: 236
Joined: Sun Jul 30, 2006 1:55 pm
Location: Poland

Post by Luk4ward »

bennz wrote:I don't think we need a Who-rulez-teh-str33t contest; like you, I'm here to help. I can't help you if you do not listen to me.

Please tell me, why did you remove the only line of code, that saved you from being exploited?

Code:

if string.find(args,"%\\") or string.find(args,"%;") then
It is not necessary to catch that in a 'callvote' but of course you have to check:

Code:

if string.find(args,"[\r\n]") then

Oh lord... otherwise you are going to be fucked :/
Just leave the combinedfixes code as it is, except the ;
I don't deny ReyalP's guilt, he will blame the booze :lol:

How does it happen that you say the callvote fix is not working & why are you sure I didn't test it?
I removed count spaces because otherwise gamers can't kick/mute a player with spaces in their nick. So we should take care of players' names too. The only way is to deny any parameter with \\. I tested ReyalP's code and it doesn't work with \r\n (there is no debug line in the log file). And how are you so sure that it's working?

bennz wrote: Please note:

Code:

badnames = {
...
'^^',
...
You may not allow certain names or characters, ok. But if someone joins with the nick "^1Luke", he will get kicked, because he has a caret as first character. If you would like to kick a player with a caret followed by another caret somewhere in his name you may use> '%^%^',
or set the fourth argument of 'string.find' to true if you don't want to use patterns at all. (http://www.lua.org/manual/5.0/manual.html#5.3 --> A value of true as a fourth, optional argument plain turns off the pattern matching facilities, so the function does a plain "find substring" operation, with no characters in pattern being considered "magic".)


No offence 8)
Nope, it will kick only players with ^^ or more carets. I tested it also and you probably did not, as usual? No offence ;p
wolFTeam.pl
bennz
Posts: 9
Joined: Tue Feb 06, 2007 10:24 am

Post by bennz »

Anyway, here is a sample code to demonstrate the two patterns '^^' and '%^%^'.
I hope the link works: http://www.file-upload.net/download-149 ... e.lua.html

The output is>

Code:

----------------------------------------
badname '^1Luke' matching pattern '^^'
badname '^^Luke' matching pattern '^^'
badname '^^Luke' matching pattern '%^%^'
badname 'L^^uke' matching pattern '%^%^'
badname 'Luke^^' matching pattern '%^%^'
----------------------------------------
Your intentions are good, but it's the wrong pattern. Same for '$$$', it matches the name 'Luke$$' or 'Luke$$$'. It doesn't match 'Luke$$$asf', BECAUSE: (http://www.lua.org/manual/5.0/manual.html#5.3)

Patterns
A pattern is a sequence of pattern items. A `^´ at the beginning of a pattern anchors the match at the beginning of the subject string. A `$´ at the end of a pattern anchors the match at the end of the subject string. At other positions, `^´ and `$´ have no special meaning and represent themselves.


Your words:
Luk4ward wrote:Third of all we should keep the standard of lua language.
...
I tested it also and u propably not as usual?
Mmm kay...


Enough is enough. You don't seem to listen, unconvincable luke. At first i thought you were just kidding... To make this come to an end> Someone joined the server ET.GamesNet.pl OBJ, changed the rconpassword and added the ip ban mask '4.3.2.1'.
(+ 'killserver' to restart the et server with original rconpw, nobody was hurt)

You encourage others to use a version of the fix that doesn't work. I hope you will realize that a mistake was made.

:whip:
Luk4ward
Posts: 236
Joined: Sun Jul 30, 2006 1:55 pm
Location: Poland

Post by Luk4ward »

bennz wrote:Anyway, here is a sample code to demonstrate the two patterns '^^' and '%^%^'.
I hope the link works: http://www.file-upload.net/download-149 ... e.lua.html

The output is>

Code:

----------------------------------------
badname '^1Luke' matching pattern '^^'
badname '^^Luke' matching pattern '^^'
badname '^^Luke' matching pattern '%^%^'
badname 'L^^uke' matching pattern '%^%^'
badname 'Luke^^' matching pattern '%^%^'
----------------------------------------
Your intentions are good, but it's the wrong pattern. Same for '$$$', it matches the name 'Luke$$' or 'Luke$$$'. It doesn't match 'Luke$$$asf', BECAUSE: (http://www.lua.org/manual/5.0/manual.html#5.3)

Patterns
A pattern is a sequence of pattern items. A `^´ at the beginning of a pattern anchors the match at the beginning of the subject string. A `$´ at the end of a pattern anchors the match at the end of the subject string. At other positions, `^´ and `$´ have no special meaning and represent themselves.
ACpro:

Code:

----------------------------------------
badname '^1Luke' DOES NOT match pattern '^^'
badname '^^Luke' matching pattern '^^'
badname '^^Luke' matching pattern '^^'
badname 'L^^uke' matching pattern '^^'
badname 'Luke^^' matching pattern '^^'
----------------------------------------
You are wrong again.
Your words:
Luk4ward wrote:Third of all we should keep the standard of lua language.
...
I tested it also and u propably not as usual?
Mmm kay...


Enough is enough. You don't seem to listen, unconvincable luke. At first i thought you were just kidding... To make this come to an end> Someone joined the server ET.GamesNet.pl OBJ, changed the rconpassword and added the ip ban mask '4.3.2.1'.
(+ 'killserver' to restart the et server with original rconpw, nobody was hurt)
You don't read what I'm trying to say... Well... And nothing like that happened, if you want to know. If you try, I will report your IP.
You encourage others to use a version of the fix that doesn't work. I hope you will realize that a mistake was made.
I'm not encouraging anyone. I just fixed the code and shared it with others. But I understand you don't get it, like the rest of what I said.

:whip:
wolFTeam.pl
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Post by ReyalP »

Luk4ward wrote:I heard that some ET server got hacked because of the vote exploit. So its working, but with hacked client. Btw i think i found a little typo in your code Reyalp :):
Semicolon is optional in Lua. Yes it's a mistake on my part, but it's not incorrect according to The Fine Manual
The unit of execution of Lua is called a chunk. A chunk is simply a sequence of statements, which are executed sequentially. Each statement can be optionally followed by a semicolon
As bennz points out, searching for a \ will not correctly find CR or LF chars (which are represented by \r and \n). Actually, I should check for \0A and \0D, but the current code worked correctly in all my tests.

If you can actually trigger the exploit with the current code (edit my current code, yours is horribly broken) in place, please send me your test case.

AFAIK, you cannot send a CR or LF char in a command without a hacked client. Sending a \r or \n sequence will not trigger the exploit.

I would strongly suggest that you make sure you have a firm understanding of the problem before posting "fixes" in this thread.
send lawyers, guns and money
Luk4ward
Posts: 236
Joined: Sun Jul 30, 2006 1:55 pm
Location: Poland

Post by Luk4ward »

ReyalP wrote:
Luk4ward wrote:I heard that some ET server got hacked because of the vote exploit. So its working, but with hacked client. Btw i think i found a little typo in your code Reyalp :):
Semicolon is optional in Lua. Yes it's a mistake on my part, but it's not incorrect according to The Fine Manual
The unit of execution of Lua is called a chunk. A chunk is simply a sequence of statements, which are executed sequentially. Each statement can be optionally followed by a semicolon
yea, ok
As bennz points out, searching for a \ will not correctly find CR or LF chars (which are represented by \r and \n). Actually, I should check for \0A and \0D, but the current code worked correctly in all my tests.
Why is it incorrect?
If you can actually trigger the exploit with the current code (edit my current code, yours is horribly broken) in place, please send me your test case.

AFAIK, you cannot send a CR or LF char in a command without a hacked client. Sending a \r or \n sequence will not trigger the exploit.

I would strongly suggest that you make sure you have a firm understanding of the problem before posting "fixes" in this thread.
Yes, I tested the exploit on a test server with a hacked client, but got kicked by the ET engine. Can I somehow test my and your code to be sure what's going on? I was just making tests with a normal client with /n and /r or any / command and only my modified code worked. I really understand the problem and the C code from aluigi's board.
wolFTeam.pl
bennz
Posts: 9
Joined: Tue Feb 06, 2007 10:24 am

Post by bennz »

That's what I've been talking about for 3 posts. In addition, it's useless to debate if everyone talks about his own, different code.

Short example from ac2pro.lua

Code:

1. local stripped_name = trim( uncol( name ) )
2. if string.find(name, "%^^") or etadmin_name_exploit == "^" then
3. string.gsub(string.gsub(arg, "%^[^%^]", ""), "%^", "")     -- function uncol
4. local mstart, mend, cno = string.find(stripped_name, string.lower(badnamepat))
Line 1: That's a big difference to combinedfixes. In line 2 there is the right pattern, it kicks all names containing 2 or more ^. But when looking through the badname patterns the names have been stripped of all ^. (--> Line 3: First every ^ followed by something except ^ is removed, after that every remaining ^ is removed.) That means it's useless to put '^^' in the badnames table as there are no ^ left!


Hint:
- Lowering the badname patterns isn't really necessary. Intended use: case sensitivity. It doesn't hurt in this case, but false positives...
- Put the combinedfixes as first to load in the chain. Merging security related checks is likely to cause trouble. (PEBCAK; Maintainability; Signatures you mentioned...)



We sure can discuss further checks in Enemy Territory -> ET Modding. Back to the most important bug:

You didn't understand the problem from aluigi's board, because

Code:

so theoretically if a client sends the command ' callvote map "mp_leo;quit" ' and the vote passes, quit will be executed after "map mp_leo".
to prevent this Cmd_CallVote_f does the following check:
  if( strchr( arg1, ';' ) || strchr( arg2, ';' ) ) {
     trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
     return;
  }
but ofc this isn't enough, since the other separators ('\r' and '\n') can also be sent in client commands.
sending such a callvote command from a game client isn't possible without a dll injection/hook/debugger afaik.
We don't have to care about ;! --> string.find(args,"%;") in function et_ClientCommand(cno, cmd) is useless.
We HAVE to check \n and \r. They include a backslash, but you can't find them with string.find(args,"%\\"). Escape sequence!


I'm helping to bring light into the darkness and you're speaking down to me? Never mind, I got used to it. I still recommend fixing your code.




ReyalP:

Am i blind and there is no \0A like hex escape? string.format instead :/

Code:

if string.find(args, string.format("%c", 10)) then -- new line (%c gives the character with that code; %x would format 10 as the hex digit "a")
-- or both decimal (MUST have exactly 3 digits)
if string.find(args, "[\013\010]") then
but there's no need to check it twice?
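Added example covering both the '^^' versus '%^%^' point raised earlier in this thread and the uncol() ordering point just above; it is not ACpro, combinedfixes or ETPro code. The uncol and trim bodies are reconstructed from the single ac2pro.lua line quoted above and are my assumption about ACpro, and the name list is constructed. The script runs under a stock lua interpreter and prints, for each name, whether each pattern matches the raw name and the stripped name.

```lua
-- Added example (not ACpro, combinedfixes or ETPro code): Lua pattern anchoring
-- and why a '^^' entry in badnames never fires once the name has been through
-- uncol(). uncol/trim below are reconstructed from the quoted ac2pro.lua line
-- (assumption), not copied from ACpro.

-- Strip ET colour codes: first every ^ followed by a non-^ char, then any ^ left.
local function uncol(name)
  local s = string.gsub(name, "%^[^%^]", "")
  s = string.gsub(s, "%^", "")
  return s
end

local function trim(s)
  return (string.gsub(s, "^%s*(.-)%s*$", "%1"))
end

-- Pattern semantics (Lua manual, section 5.3):
--   '^^'   : '^' at the start anchors, the second '^' is literal -> names BEGINNING with ^
--   '%^%^' : two literal carets anywhere in the name
--   plain  : string.find(name, "^^", 1, true) -> substring "^^" anywhere, no magic
local patterns = {
  { pat = "^^",   plain = false },
  { pat = "%^%^", plain = false },
  { pat = "^^",   plain = true  },
}

-- Constructed names (my own): a normal coloured nick, and carets at the start,
-- in the middle and at the end.
local names = { "^1Luke", "^^Luke", "L^^uke", "Luke^^", "Luke" }

local function matches(name, p)
  return string.find(name, p.pat, 1, p.plain) ~= nil
end

for _, name in ipairs(names) do
  local stripped = trim(uncol(name))
  for _, p in ipairs(patterns) do
    print(string.format("name %-9s stripped %-7s pattern %-7s plain=%-5s raw=%-5s stripped=%s",
      "'" .. name .. "'", "'" .. stripped .. "'", "'" .. p.pat .. "'",
      tostring(p.plain), tostring(matches(name, p)), tostring(matches(stripped, p))))
  end
end

-- What the thread established:
assert(matches("^1Luke", patterns[1]))              -- '^^' kicks an ordinary coloured name
assert(not matches("L^^uke", patterns[1]))          -- ... and misses a double caret inside
assert(matches("L^^uke", patterns[2]))              -- '%^%^' is the intended check
assert(matches("L^^uke", patterns[3]))              -- plain find of "^^" works too
assert(not string.find(uncol("L^^uke"), "^", 1, true)) -- uncol leaves no ^ at all,
assert(not matches(uncol("L^^uke"), patterns[2]))   -- so a caret badname on the stripped
                                                    -- name is dead code; test the raw name
```

The useful takeaway for a badnames table: run caret checks against the raw name before uncol(), and write them as '%^%^' or as a plain find, never as '^^'.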
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Post by ReyalP »

Luk4ward wrote: Why its incorrect?
Because the exploit doesn't involve the characters '\' and 'n'. I suggest you learn the difference between an escape sequence and the value it represents.
I was just making tests with normal client with /n and /r or any / command and only my modified code worked.
But your code checks for the wrong thing.
I really understand the problem and C code from aluigi's board.
This is demonstrably untrue.

@bennz
You are correct, lua appears to only accepts decimal values.
send lawyers, guns and money
Luk4ward
Posts: 236
Joined: Sun Jul 30, 2006 1:55 pm
Location: Poland

Post by Luk4ward »

Ok, thanks for the help, m8s. Now I fully understand all. Next time I will contact ReyalP immediately and wait for the response.

@ bennz

I have nothing against you, really. If you had answered me like in the last posts I would have more respect for you. What about a fresh start? ;)

p.s ACpro updated with first Reyalp's code.
wolFTeam.pl
bennz
Posts: 9
Joined: Tue Feb 06, 2007 10:24 am

Post by bennz »

Sure :thumbs:
mortis
Posts: 360
Joined: Tue Jul 06, 2004 11:57 pm
Location: at the center of the e-universe

Post by mortis »

reyalp pwns all, as usual... ;)