Server Help

ASSS Questions - CRITICAL DDOS possibility in newest asss version

Dragony - Sun Mar 01, 2009 11:02 pm
Post subject: CRITICAL DDOS possibility in newest asss version
This problem appears if someone uses the nice tcp based billing protocol. The problem is that values are not masked, thus, if a player logs in, the player can render the server useless and in worst case modify or overwrite data. In every case this should make the billing server crash.

PLOGIN:pid:flag:name:pw:ip:macid:contid

So if a user chooses a password containing a ":", the server does not block it.

PLOGIN:123:0:hack0r:hack:ed:100.222.33.44:blabla:bleh

Since the password is "hack:ed", a server splitting the string for : will get additional values. The worst case is that the IP is now "ed" and if the server inserts the IP in a database without checking the values, you can use sql-injecting here etc.

Solutions:

Easy fix: Block passwords having ":" in them
Not-so-easy fix: Mask the password html-style
Best fix: server encodes password to md5 before transmitting it to the billing server.
JoWie - Mon Mar 02, 2009 5:07 am
Post subject:
An easier solution would be to make the password the last field.

While it is a bug, you probably shouldn't be able to login because the contid would be cut off
Doc Flabby - Mon Mar 02, 2009 8:04 am
Post subject:
Does anyone actually use the TCP billing protocol?

I did attempt to write a TCP billing server a while back but gave up lol, I don't think there is one in existence

A better solution would be to redesign the protocol...it appears to have some flaws
JoWie - Mon Mar 02, 2009 9:05 am
Post subject:
CypherJF made a biller in java which uses TCP billing:
http://cypherjf.sscentral.com/accede/
Dragony - Mon Mar 02, 2009 10:00 am
Post subject:
I have written a biller for it. That's why I have found the issue. Anyway.... I now wonder if the tcp specifications are completed at all? For example, isn't the job of the biller to calculate the kills etc. as well? I don't find any kill-communication in the protocol at all....
CypherJF - Mon Mar 02, 2009 9:33 pm
Post subject:
Well, I'd hope any developer would try and catch this type of scenario - boot any connection trying to flood it with invalid packets. The biller should expect 8 parameters to be provided, anything more should be analyzed w/ scrutiny, any less should be rejected.

The TCP biller protocol, aka "user database protocol", isn't intended to keep track of player statistics (eg. kills, deaths, etc.), but only communication and user-store information (who's who, chat channels, squads, banners, etc.). grelminar believed scores should belong to the specific game server and not a central location.
Bak - Wed Mar 04, 2009 5:53 am
Post subject:
reread what he wrote cypher... it's not quite a ddos attack
D1st0rt - Wed Mar 04, 2009 11:40 am
Post subject:
^PLOGIN:(?P<pid>[\d]+):(?P<flag>[\d]+):(?P<name>[^:]+):(?P<password>.*):(?P<ip>([\d]{1,3}\.){3}([\d]{1,3})):(?P<macid>.*):(?P<contid>.*)$

problem solved, check it yourself. If you're not implementing it in Python or PCRE you'll have to change the named capture group syntax but it should be fine otherwise.
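To make the three parsing approaches in this thread concrete (the positional split that Dragony's first post shows being shifted by a colon in the password, the eight-field count that CypherJF suggests, and D1st0rt's anchored regex), here is an added example in Python. It is not code from the thread, from ASSS or from Accede; the regex is copied from D1st0rt's post, while the sample PLOGIN lines, the IPv4 validation step and the parameterised sqlite insert are constructed additions for illustration.

```python
"""Parsing the PLOGIN line of the ASSS TCP billing ("user database") protocol.

Added example, not code from the thread, ASSS or Accede. The regex is the one
posted by D1st0rt; the sample lines, the IPv4 check and the sqlite insert are
constructed additions.
"""
import ipaddress
import re
import sqlite3

# Field layout from the first post: PLOGIN:pid:flag:name:pw:ip:macid:contid
FIELDS = ("tag", "pid", "flag", "name", "password", "ip", "macid", "contid")

# Constructed sample lines. COLON_LINE is the case from the first post
# (password "hack:ed"); BAD_IP_LINE has an ip field that the regex accepts
# but that is not a valid IPv4 address.
NORMAL_LINE = "PLOGIN:123:0:alice:secret:100.222.33.44:blabla:bleh"
COLON_LINE = "PLOGIN:123:0:hack0r:hack:ed:100.222.33.44:blabla:bleh"
BAD_IP_LINE = "PLOGIN:123:0:bob:pw:999.1.1.1:blabla:bleh"

# D1st0rt's pattern, verbatim. Python's re module supports (?P<name>...).
PLOGIN_RE = re.compile(
    r"^PLOGIN:(?P<pid>[\d]+):(?P<flag>[\d]+):(?P<name>[^:]+):(?P<password>.*)"
    r":(?P<ip>([\d]{1,3}\.){3}([\d]{1,3})):(?P<macid>.*):(?P<contid>.*)$"
)


def naive_parse(line):
    """Positional split on ':' -- the behaviour the first post describes.

    A colon inside the password shifts every later field by one, so the
    billing server reads "ed" as the client's IP address."""
    return dict(zip(FIELDS, line.split(":")))


def strict_count_parse(line):
    """Field-count check from CypherJF's post: a PLOGIN line must carry
    exactly eight fields. Anything else is rejected (None) instead of being
    silently shifted into the wrong columns."""
    parts = line.split(":")
    if parts[0] != "PLOGIN" or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def regex_parse(line):
    """Anchored parse with D1st0rt's regex: the password may contain colons
    because the ip group after it has to look like a dotted quad.

    Extra check not in the thread: [\\d]{1,3} also matches octets above 255,
    so the ip is validated with the ipaddress module before it is trusted."""
    m = PLOGIN_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    try:
        ipaddress.IPv4Address(fields["ip"])
    except ipaddress.AddressValueError:
        return None
    return fields


def store_login(line, conn=None):
    """Parse a line and store it with a parameterised INSERT, so whatever
    characters the fields hold (colons, quotes) are treated as data, not SQL.
    Returns the stored (name, ip) row, or None if the line was rejected."""
    fields = regex_parse(line)
    if fields is None:
        return None
    if conn is None:
        conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS logins "
        "(pid INTEGER, name TEXT, ip TEXT, macid TEXT, contid TEXT)"
    )
    conn.execute(
        "INSERT INTO logins (pid, name, ip, macid, contid) VALUES (?, ?, ?, ?, ?)",
        (int(fields["pid"]), fields["name"], fields["ip"],
         fields["macid"], fields["contid"]),
    )
    return conn.execute(
        "SELECT name, ip FROM logins ORDER BY rowid DESC LIMIT 1"
    ).fetchone()


if __name__ == "__main__":
    for label, line in (("normal", NORMAL_LINE), ("colon pw", COLON_LINE),
                        ("bad ip", BAD_IP_LINE)):
        print(label, "| naive ip:", naive_parse(line)["ip"],
              "| strict ok:", strict_count_parse(line) is not None,
              "| regex:", regex_parse(line))
```

Running the script shows the shift from the first post (the naive parser reports "ed" as the IP of the colon-password line), the count check rejecting that same line outright, and the regex recovering "hack:ed" as the password with the IP in the right place. The ipaddress step is worth keeping even with the regex, since `[\d]{1,3}` alone lets a value like 999.1.1.1 through to the database.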