Dragony Newbie
Joined: Mar 01 2009 Posts: 4 Offline
Posted: Sun Mar 01, 2009 11:02 pm Post subject: CRITICAL DDOS possibility in newest asss version
This problem appears if someone uses the nice TCP-based billing protocol. The problem is that values are not masked, thus, if a player logs in, the player can render the server useless and in the worst case modify or overwrite data. In every case this should make the billing server crash.
PLOGIN:pid:flag:name:pw:ip:macid:contid
So if a user chooses a password containing a ":", the server does not block it.
PLOGIN:123:0:hack0r:hack:ed:100.222.33.44:blabla:bleh
Since the password is "hack:ed", a server splitting the string on ":" will get additional values. The worst case is that the IP is now "ed", and if the server inserts the IP into a database without checking the values, you can use SQL injection here etc.
Solutions:
Easy fix: Block passwords having ":" in them
Not-so-easy fix: Mask the password HTML-style
Best fix: server encodes the password to MD5 before transmitting it to the billing server.
JoWie Server Help Squatter
Joined: Feb 25 2004 Posts: 215 Offline
Posted: Mon Mar 02, 2009 5:07 am Post subject:
An easier solution would be to make the password the last field.
While it is a bug, you probably shouldn't be able to log in, because the contid would be cut off.
Doc Flabby Server Help Squatter
Joined: Feb 26 2006 Posts: 636 Offline
Posted: Mon Mar 02, 2009 8:04 am Post subject:
Does anyone actually use the TCP billing protocol?
I did attempt to write a TCP billing server a while back but gave up lol, I don't think there is one in existence.
A better solution would be to redesign the protocol... it appears to have some flaws.
_________________
Rediscover online gaming. Get Subspace | STF The future... perhaps
Dragony Newbie
Joined: Mar 01 2009 Posts: 4 Offline
Posted: Mon Mar 02, 2009 10:00 am Post subject:
I have written a biller for it. That's why I have found the issue. Anyway... I now wonder if the TCP specifications are completed at all? For example, isn't it the job of the biller to calculate the kills etc. as well? I don't find any kill communication in the protocol at all...
CypherJF I gargle nitroglycerin
Joined: Aug 14 2003 Posts: 2582 Location: USA Offline
Posted: Mon Mar 02, 2009 9:33 pm Post subject:
Well, I'd hope any developer would try and catch this type of scenario - boot any connection trying to flood it with invalid packets. The biller should expect 8 parameters to be provided; anything more should be analyzed with scrutiny, any less should be rejected.
The TCP biller protocol, aka the "user database protocol", isn't intended to keep track of player statistics (e.g. kills, deaths, etc.), but only communication and user-store information (who's who, chat channels, squads, banners, etc.). grelminar believed scores should belong to the specific game server and not a central location.
_________________
Performance is often the art of cheating carefully. - James Gosling
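The field-count check suggested above, plus the "password last" reordering from earlier in the thread, as an added Python example that is not part of any post or of the asss/biller code. It assumes the PLOGIN layout quoted in the first post, treats the reordered layout as hypothetical, and uses the thread's own sample line as constructed input; the parameterised insert shows how a validated record reaches a database without the password ever being spliced into SQL text.

```python
import ipaddress
import sqlite3
from typing import Optional

# Field layout quoted in the thread: PLOGIN:pid:flag:name:pw:ip:macid:contid
PLOGIN_FIELDS = ("tag", "pid", "flag", "name", "pw", "ip", "macid", "contid")

def parse_plogin_strict(line: str) -> Optional[dict]:
    """Accept a PLOGIN line only if it has exactly the expected number of
    ':'-separated fields and each field validates; return None to reject.
    A ':' inside the password adds a field, so the count check alone keeps
    the later fields (ip, macid, contid) from being shifted."""
    fields = line.rstrip("\r\n").split(":")
    if len(fields) != len(PLOGIN_FIELDS):      # too few or too many: reject
        return None
    rec = dict(zip(PLOGIN_FIELDS, fields))
    if rec["tag"] != "PLOGIN":
        return None
    if not (rec["pid"].isdigit() and rec["flag"].isdigit()):
        return None
    try:
        ipaddress.ip_address(rec["ip"])        # "ed" is not an address
    except ValueError:
        return None
    rec["pid"], rec["flag"] = int(rec["pid"]), int(rec["flag"])
    return rec

def parse_plogin_pw_last(line: str) -> Optional[dict]:
    """Hypothetical reordered layout with the password as the last field:
    PLOGIN:pid:flag:name:ip:macid:contid:pw. A bounded split leaves any ':'
    inside the password where it belongs instead of creating new fields."""
    order = ("tag", "pid", "flag", "name", "ip", "macid", "contid", "pw")
    fields = line.rstrip("\r\n").split(":", len(order) - 1)
    if len(fields) != len(order) or fields[0] != "PLOGIN":
        return None
    return dict(zip(order, fields))

def store_login(rec: dict, conn: Optional[sqlite3.Connection] = None) -> int:
    """Insert a validated record with a parameterised query, so field
    contents (a quote or ':' in the password included) are data, never SQL.
    Uses an in-memory database when none is given; returns the row count."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS logins(pid INTEGER, name TEXT, "
                 "pw TEXT, ip TEXT, macid TEXT, contid TEXT)")
    conn.execute("INSERT INTO logins VALUES (?, ?, ?, ?, ?, ?)",
                 (rec["pid"], rec["name"], rec["pw"], rec["ip"],
                  rec["macid"], rec["contid"]))
    return conn.execute("SELECT COUNT(*) FROM logins").fetchone()[0]
```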