[Release]Security Fixes

Old   #1
 
elite*gold: 3003
Join Date: Mar 2014
Posts: 515
Received Thanks: 104
Dear Elitepvpers,
I decided to release some exploits before anyone uses them against any servers.
Most of them are not public as far as I know, and most of them need a bit of advanced knowledge to exploit:

SQL-Injection Guild [Function: CDPSrvr::OnQuerySetGuildName]:
In this case there are 2 bugs which make this attack possible at all on most servers.
Problem 1:
    There is no check if the item that is used is the "Change Guild-Name" item.
Problem 2:
    The developers validate the string that contains the name ("lpszGuild"), but even if this check fails they forgot to return.
Solution [define for both fixes is __GUILD_RENAME_FAKE]:

SQL-Injection Name [Function: CDPSrvr::OnQuerySetPlayerName]:
This is similar to the one above.
Problem:
    The developers validate the string that contains the name ("lpszPlayer"), but even if this check fails they forgot to return.
Solution [define for the fix is __CHAR_RENAME_INVALID]:

Buffer Overflow [Function: CProject::IsInvalidName]:
This is a critical bug, but most of the "flyff hackers" would not be able to abuse this other than just crashing the server.
Problem:
    The critical line of this is
        strcpy( pszName, szName );
    "pszName" is a local buffer of size 64, but szName can be up to 100 characters long.
    If szName exceeds the limit of 64, the stack canary is overwritten and therefore an error will be raised, resulting in a server crash. There are 2 ways to fix this: either increasing the buffer size up to 100 or preventing the buffer from overflowing.
Solution [define for the fix is __BUFFEROVERDLOW_NAMECHECK]:

Array out of bounds [Function: CItemUpgrade::RemovePetVisItem]:
This can result in a server crash or even stat hacks and more.
Problem:
    I will keep this simple. There is no check of the value of "nPosition", so we can easily get out of bounds.
Solution [define for the fix is __PET_PIERCING_BOUNDS]:

UPDATE 1 (15.05.2016)
Array out of bounds [Function: CExchange::ResultExchange]:
This can result in a server crash or even dupes and more.
Problem:
    Similar to the one above. There is no check of the value of "nListNum", so we can easily get out of bounds, as if "nListNum < 0" it will pass all checks.
Solution [define for the fix is __EXCHANGE_NEGATIVE]:

UPDATE 2 (02.04.2018)
Null pointer [Function: CDPSrvr::OnTransformItem]:
This results in a server crash.
Problem:
    ITransformer::Transformer only returns a valid object if the argument is 0, which is for EggTransformation, and otherwise NULL, which leads to dereferencing a null pointer (if you actively use assertions you might want to add a check in the Transformer function itself).
Solution [define for the fix is __INVALID_TRANSFORM]:

I will only be releasing bugs that affect the availability of the server. I won't be releasing fixes for anything that is not causing a DoS.

If your server gets crashed by someone and the fix is not public, please don't hesitate to contact me; I'm happy to help.

Zerux



Thanks: 28 Users
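The two name bugs in the post share one root: a name check that runs but is not acted on, and a name copy that trusts the input length. The block below is an added example written for this page, not Zerux's fix and not Flyff source: `IsInvalidName` keeps the page's function name but has a hypothetical body, the 64-byte limit is the one the post states, the item id `kItemGuildRename`, the `RenameRequest` struct and the `UPDATE GUILD ...` query text are all assumed for illustration. The "vulnerable" handler reproduces the falls-through-after-validation shape the post describes; the "fixed" one checks the item and returns on a bad name.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Assumed limit of the server's local name buffer (the post says 64).
const size_t kMaxNameLen = 64;

// Bounded stand-in for CProject::IsInvalidName (hypothetical body).
// Returns true when the name must be rejected. The copy can never exceed the
// local buffer, so a 100-character name is refused instead of overwriting the stack.
bool IsInvalidName(const char* szName) {
    if (szName == nullptr) return true;

    // Measure without reading past kMaxNameLen bytes.
    size_t len = 0;
    while (len < kMaxNameLen && szName[len] != '\0') ++len;
    if (len == 0 || len >= kMaxNameLen) return true;   // empty, or no room for the NUL

    char pszName[kMaxNameLen];
    memcpy(pszName, szName, len);        // bounded: len < kMaxNameLen
    pszName[len] = '\0';

    // Allow-list: letters, digits, underscore. Quotes, semicolons, backslashes
    // and control bytes are exactly what an injected name needs, so refuse them.
    for (size_t i = 0; i < len; ++i) {
        char c = pszName[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_';
        if (!ok) return true;
    }
    return false;
}

// Hypothetical id of the "Change Guild-Name" item; the real value is not on the page.
const int kItemGuildRename = 1;

struct RenameRequest {
    int itemKind;           // item the client claims to have used
    const char* lpszGuild;  // requested guild name, client-controlled
};

// Vulnerable shape the post describes: validation runs, but nothing returns,
// and the item kind is never checked. `query` receives what would go to SQL.
bool OnQuerySetGuildName_Vulnerable(const RenameRequest& req, std::string& query) {
    if (IsInvalidName(req.lpszGuild)) {
        // missing: return false;
    }
    query = std::string("UPDATE GUILD SET name='") + req.lpszGuild + "'";
    return true;
}

// Fixed shape: check the item (Problem 1) and stop on a bad name (Problem 2).
bool OnQuerySetGuildName_Fixed(const RenameRequest& req, std::string& query) {
    if (req.itemKind != kItemGuildRename) return false;
    if (IsInvalidName(req.lpszGuild)) return false;
    query = std::string("UPDATE GUILD SET name='") + req.lpszGuild + "'";
    return true;
}
```

The same handler shape applies to OnQuerySetPlayerName with `lpszPlayer`. The allow-list is what the post's fix relies on; passing the name as a bound parameter instead of concatenating it into the query would remove the injection class entirely, and the length check is what removes the overflow regardless of what characters are allowed.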
Old 05/15/2016, 13:55   #2
Added another fix which I forgot in the initial thread:
    UPDATE 1 (15.05.2016)
    Array out of bounds [Function: CExchange::ResultExchange]

Zerux
Thanks: 1 User
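Both out-of-bounds bugs in the thread (RemovePetVisItem's `nPosition` and ResultExchange's `nListNum`) are the same mistake: a client-supplied signed index used without a lower bound, so a negative value either passes an upper-bound-only check or is never checked at all. The block below is an added example for this page, not Flyff code: the slot counts `kPetPierceSlots` and `kExchangeSlots`, the `PetPierceItems` and `ExchangeList` structs and the function bodies are all assumed, only the parameter names come from the post. `NaiveInRange` shows the check that lets -1 through; `InRange` is the check the fixes need.

```cpp
// Assumed sizes; the real array lengths are not on the page.
const int kPetPierceSlots = 4;      // CItemUpgrade pet piercing slots
const int kExchangeSlots = 25;      // CExchange trade window slots

// Upper bound only, on a signed int: -1 passes and indexes memory before the array.
bool NaiveInRange(int n, int count) { return n < count; }

// Both bounds, checked on the signed value before it is used as an index.
bool InRange(int n, int count) { return n >= 0 && n < count; }

struct PetPierceItems { int slot[kPetPierceSlots]; };

// Stand-in for CItemUpgrade::RemovePetVisItem. Returns the removed item id,
// or -1 when nPosition is rejected; never touches memory outside `slot`.
int RemovePetVisItem(PetPierceItems& pet, int nPosition) {
    if (!InRange(nPosition, kPetPierceSlots)) return -1;
    int removed = pet.slot[nPosition];
    pet.slot[nPosition] = 0;
    return removed;
}

struct ExchangeList {
    int itemId[kExchangeSlots];
    int count;   // slots actually in use, maintained by the server
};

// Stand-in for the lookup inside CExchange::ResultExchange. nListNum comes from
// the client; anything outside [0, count) is refused rather than indexed.
int ExchangeItemAt(const ExchangeList& list, int nListNum) {
    if (list.count < 0 || list.count > kExchangeSlots) return -1;  // corrupt state
    if (!InRange(nListNum, list.count)) return -1;
    return list.itemId[nListNum];
}
```

A single unsigned comparison, `(unsigned)n < (unsigned)count`, is an equivalent idiom: a negative `int` becomes a very large unsigned value and fails the test. Either way the check has to happen before the first use of the index, including uses in other checks that the post says a negative value "passes".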
Old 04/02/2018, 13:08   #3
Another bug I came across after I was asked to check a specific part of the code:
    UPDATE 2 (02.04.2018)
    Null pointer [Function: CDPSrvr::OnTransformItem]
Zerux
Thanks: 3 Users
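The null-pointer crash in Update 2 comes from a factory that returns a valid object for one argument and NULL for everything else, with a caller that never looks at the result. The block below is an added example for this page, not Flyff code: `ITransformer`, `EggTransformer`, the `Transform` method and the item-id arithmetic are assumed; only the names `ITransformer::Transformer`, `OnTransformItem` and the fact that argument 0 is the egg case come from the post. The handler rejects any kind the factory cannot serve instead of dereferencing the null return.

```cpp
#include <memory>

// Assumed numbering; the post only states that 0 is the egg transformation.
const int kTransformEgg = 0;

struct ITransformer {
    virtual ~ITransformer() {}
    virtual bool Transform(int& itemId) = 0;
};

// Stand-in for the egg transformation; the real logic is not on the page.
struct EggTransformer : ITransformer {
    bool Transform(int& itemId) override { itemId += 1000; return true; }
};

// Factory as the post describes it: a valid object for argument 0, NULL otherwise.
ITransformer* Transformer(int kind) {
    if (kind == kTransformEgg) return new EggTransformer();
    return nullptr;
}

// Handler: check the factory result before using it. Returns false and leaves
// itemId untouched for any kind the factory rejects, instead of crashing.
bool OnTransformItem(int kind, int& itemId) {
    std::unique_ptr<ITransformer> t(Transformer(kind));
    if (!t) return false;            // the missing check from the post
    return t->Transform(itemId);
}
```

An assertion inside `Transformer`, as the post suggests for builds that use them, only fires in debug builds; in a release server it compiles away, so the null check in the handler is what actually prevents the crash from a client-chosen kind.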
All times are GMT +2.