Punkbuster GUID, cl_guid ...

Posted: Sun Apr 01, 2007 8:19 am
by nano
Hi,

many LUA mods (including mine) make use of cl_guid to identify known players and to give them special rights. cl_guid does not contain the Punkbuster GUID and is spoofable (eth can do it). That means all mods using that method for identification are insecure and attackers may get advanced rights by faking cl_guid.

To fix that hole, coders should use the *real* Punkbuster GUID, but there isn't an api function to get that GUID. So the only way to get it would be dumping the output of pb_sv_plist and playing with some regex.

Or are there any other ways for authentication?

Re: Punkbuster GUID, cl_guid ...

Posted: Sun Apr 01, 2007 1:00 pm
by ReyalP
nano wrote: Hi,

many LUA mods (including mine) make use of cl_guid to identify known players and to give them special rights. cl_guid does not contain the Punkbuster GUID
If it hasn't been tampered with it does.
and is spoofable (eth can do it). That means all mods using that method for identification are insecure and attackers may get advanced rights by faking cl_guid.
Correct.
To fix that hole, coders should use the *real* Punkbuster GUID, but there isn't an api function to get that GUID. So the only way to get it would be dumping the output of pb_sv_plist and playing with some regex.

Or are there any other ways for authentication?
Note that the 'real' pb GUID can be spoofed as well.

You can avoid impersonation by not exposing full PB GUIDs. In general client commands only show some of the GUID. Of course, any server admin can leak your full GUID.

There is no effective authentication, and there isn't ever likely to be one for ET.

Re: Punkbuster GUID, cl_guid ...

Posted: Sun Apr 01, 2007 5:21 pm
by Luk4ward
Note that the 'real' pb GUID can be spoofed as well.
???!!!

P.S. I'm using the log (name/nick/cl_guid/guid/ip) lua by McSteve and it should be fixed soon because of spoofing cl_guids, so if you have some similar luas (using a pb_ command instead of cl_guid) please share them with others :>

regards

Posted: Sun Apr 08, 2007 4:10 pm
by Hadr0
Hi, if cl_guid can be spoofed, I assume every part of the userinfo string is unreliable. If so, then using et.Info_ValueForKey(et.trap_GetUserinfo(cno), "xxx"), where xxx can be ip, name, cl_guid, ... is totally unsafe.
Is this true?

If so, is et.gentity_get(cno, "pers.netname") a more robust way to get a client's name? Is there a way to reliably get a client's IP with Lua?
(without using et_Print(text) as a log-parsing tool ofc)

about config-strings,
Lua wiki: Configstrings are strings that are set on the server, and automatically sent to each client.
So this means they cannot be altered by clients to fool the server.. right?
My guess is the only 'safe' authentication are those where the client directly sends a password to the server via et_ClientCommand(cno, command) like \sal, \ref (?)

thank you

Posted: Sun Apr 08, 2007 7:32 pm
by ReyalP
Yes, any information in the infostring can be spoofed, including the IP. In 2.60 and above, the engine actually always tacks the correct IP on the end, but this can be hidden if the client puts another one on the front. 2.60 servers can also be tricked into getting the key/value pairs out of balance.

If you use lua string functions to get the IP:PORT of the end of the infostring, rather than using the infovalueforkey functions, that should always be right AFAIK.

I suspect you can't do anything interesting by spoofing name in the infostring, since the game keeps them in sync.

configstrings (which userinfo is NOT) are a server->client communication mechanism, so clients can't give them bogus values unless a particular config string gets its value from untrusted client information.
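Added example, not from the thread and not from any ET mod: the difference between looking the IP up by key and taking it from the end of the userinfo string, as ReyalP suggests. Since et.Info_ValueForKey only exists inside the server, the block carries a small stand-in that mimics its first-match-wins lookup so it runs offline; the userinfo string is constructed for the example, and the "localhost" handling for listen-server clients is an assumption. In a real mod you would pass the result of et.trap_GetUserinfo(cno) to userinfo_real_ip instead of the sample.

```lua
-- Stand-in for et.Info_ValueForKey (assumed behaviour: scan \key\value
-- pairs from the start, return the first value whose key matches).
-- This is the lookup a client can fool by prepending its own "ip" key.
local function info_value_for_key(info, wanted)
  local pos = 1
  while true do
    local s, e, key, value = string.find(info, "^\\([^\\]*)\\([^\\]*)", pos)
    if not s then return "" end
    if key == wanted then return value end
    pos = e + 1
  end
end

-- The engine appends the real address as the last \key\value pair, so the
-- last backslash-delimited token is the one to trust.  Returns ip, port for
-- an IPv4 address, "localhost" with no port for a local client (assumed),
-- or nil when the tail does not look like an address at all.
local function userinfo_real_ip(info)
  local tail = string.match(info, "\\([^\\]*)$")
  if not tail then return nil end
  if tail == "localhost" then return "localhost", nil end
  local ip, port = string.match(tail, "^(%d+%.%d+%.%d+%.%d+):(%d+)$")
  if not ip then return nil end
  return ip, tonumber(port)
end

-- Constructed sample (not captured from a server): the client-controlled
-- part already carries an "ip" key, and the engine's IP:PORT sits last.
local SAMPLE = "\\ip\\10.0.0.1:27960\\name\\Player\\cl_guid\\"
            .. string.rep("A", 32)
            .. "\\ip\\203.0.113.7:27960"

-- Key lookup returns the client's value; the tail parse returns the engine's.
print("by key: " .. info_value_for_key(SAMPLE, "ip"))
local ip, port = userinfo_real_ip(SAMPLE)
print("from tail: " .. tostring(ip) .. " port " .. tostring(port))
```

The tail parser is deliberately strict: if a client manages to unbalance the pairs so that the last token is not an address, it returns nil rather than a guess, and the mod can refuse to grant anything to that client.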