Hello friends and haters,
this time I’m being completely serious.
I want to help you save what you worked hard for and what you are still working on.
Today I found an exploit that allows a normal player to execute arbitrary server-side actions, and on vulnerable servers even reach database-related impact.
This is extremely dangerous because:
- someone can spawn items endlessly and cheat, destroying the server and its economy
- someone can damage or wipe critical data, meaning players lose all their progress and you lose all your work too
And yes, this exploit also affected me before, multiple times.
Back then I had no clear clue how they were doing it.
Today one of my old friends contacted me and told me he had seen +200 cards on other servers, and that the same guy can do this on at least several other servers too.
Well, I also heard he is selling these hacks for big money, so I’m not going to let some greedy bastard make money while destroying this already half-dead community.
So welcome guys — here I am.
What today’s bug is about
As we all know, with DLL injection into the client, or by replacing the client with your own tool that speaks the game protocol, you are able to modify the messages sent to the server on the fly.
That part is nothing new.
But what apparently not everyone knew is that the game server does not properly validate every script / packet that comes from the client.
Because of that, the attacker is able to append his own Lua code to a message that is supposed to be safe.
You will probably ask: how does that work?
When you talk to an NPC, every dialog option you can click is tied to a Lua command that the client sends back to the server when you choose it.
Of course, normally we should not be able to execute arbitrary privileged Lua, because we do not have permission 100, right?
But if that was enforced blindly, no NPC would work at all.
So what the server does is simple: while you are inside that NPC dialog, it adds the commands defined in that NPC's script to a whitelist for your session, and because of that you are temporarily allowed to execute exactly those dialog actions.
Up to this point, everything sounds logical and consistent.
BUT HERE IS THE CATCH.
The server does not verify that the command the player sends is exactly the same string as the one in the whitelist.
Instead, on vulnerable implementations, it only checks loosely, for example whether the whitelisted command appears as a prefix or substring of what the client sent, so the attacker can send the legitimate NPC command with extra Lua code appended after it.
The whole string is then handed to the Lua interpreter, so both parts run with the same rights as the NPC script, and from that point the attacker can escalate privileges (give himself GM rights), cheat on the server, and even permanently damage it.
For obvious reasons I am not posting the exact payload publicly.
If I do that, I’m basically handing a loaded gun to every clown who wants to ruin a server.
Fix
The fix is relatively simple, at least as a quick emergency patch.
- validate NPC dialog commands using exact matching
- do not allow partial / substring checks
- reject any extra appended code
- review all places where the server trusts client-provided script-related input
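To make the loose check from the section above and the exact-match fix from the list concrete, here is an added example. It is not the post's code and not any server's real source: the post does not say what language the server is written in or what the functions are called, so this is plain Python with made-up command names (npc.open_shop, pc.give_item, pc.set_gm_level) standing in for the NPC script's Lua, and the script runner only records what it would execute instead of running Lua.

```python
import re

# Constructed example: the commands a hypothetical NPC script registers while a
# player is inside its dialog. These names are assumptions for illustration,
# not commands taken from the post or from any real server.
NPC_DIALOG_WHITELIST = (
    "npc.open_shop(1)",
    "pc.give_item(27001, 1)",
)


def run_script(script):
    """Stand-in for the server's script runner. It never executes anything; it
    only returns the statements it *would* hand to the Lua interpreter, split
    the way Lua separates statements (newline or semicolon)."""
    return [s.strip() for s in re.split(r"[;\n]", script) if s.strip()]


def is_allowed_loose(command, whitelist):
    """Vulnerable check: passes as soon as a whitelisted command is a prefix
    of what the client sent. Anything appended after it rides along."""
    return any(command.startswith(entry) for entry in whitelist)


def is_allowed_exact(command, whitelist):
    """Fixed check: the client string must be identical to one whitelist entry.
    No stripping or normalising first; even a trailing ';' is a reject."""
    return command in whitelist


class DialogSession:
    """Per-player whitelist that only exists while the NPC dialog is open."""

    def __init__(self, check):
        self.check = check          # which validator this server uses
        self.whitelist = frozenset()

    def open_dialog(self, npc_commands):
        self.whitelist = frozenset(npc_commands)

    def close_dialog(self):
        self.whitelist = frozenset()

    def choose(self, command):
        """Return the statements the server would execute for this choice."""
        if not self.check(command, self.whitelist):
            return []               # rejected: nothing reaches the interpreter
        return run_script(command)


# Constructed inputs: the legitimate dialog command, and the same command with
# an attacker's Lua appended. pc.set_gm_level is a placeholder name.
LEGIT = "npc.open_shop(1)"
INJECTED = "npc.open_shop(1); pc.set_gm_level(100)"


def demo(check):
    """Run both inputs through one dialog session using the given validator."""
    session = DialogSession(check)
    session.open_dialog(NPC_DIALOG_WHITELIST)
    result = {
        "legit": session.choose(LEGIT),
        "injected": session.choose(INJECTED),
    }
    session.close_dialog()
    # Once the dialog is closed even the legitimate command must be rejected.
    result["after_close"] = session.choose(LEGIT)
    return result


if __name__ == "__main__":
    for name, check in (("loose", is_allowed_loose), ("exact", is_allowed_exact)):
        print(name, demo(check))
```

With the loose validator the injected string passes and the runner gets two statements, the shop command and the appended one; with the exact validator it is rejected and nothing is executed. The two things to check in your own server are that the comparison covers the whole client string against the whole whitelist entry, and that the whitelist is per player and emptied when the dialog closes.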
I still think more needs to be done, and I’m going to dig deeper into this topic, but this quick fix already closes the main hole I found today.
The fix is free for every server, because instead of destroying competition, I would rather see happy players being able to play on the servers they actually like, not on whichever server survived only because somebody dirty-killed the others.
I’m showing the fix in the screenshot below.
Thank you for your attention.
Patch this as fast as possible.
Regards,
YoSiem
PS:
Please take it seriously, I tested it on 4 big servers and everywhere I had GM rights :)