[Fix] Minor item shop security issue

Discussion on [Fix] Minor item shop security issue within the Metin2 PServer Guides & Strategies forum part of the Metin2 Private Server category.

#1 Mi4uric3 (joined Dec 2007)

Hi,

while looking through the server's source code I received in 2013, I found a minor security issue regarding the item shop. An attacker is able to temporarily delete items bought in the item shop from the game, so the buyer is unable to receive them. All deleted items are restored after the server restarts though, as they are only removed from the database's cache, not from the database itself. Also, the attacker can only remove the item from the cache if the user didn't log in after buying it (player.item_award.taken_time != NULL).

PoC application which attacks my local test server:

To fix it you need to delete the following lines:

Server/common/tables.h:
Code:
HEADER_GD_DELETE_AWARDID	= 138,	// delete gift notify icon
Server/common/tables.h:
Code:
// packet info for the gift-notification delete feature
typedef struct tDeleteAwardID
{
	DWORD dwID;
} TPacketDeleteAwardID;
Server/db/src/ClientManager.cpp:
Code:
//delete gift notify icon

case HEADER_GD_DELETE_AWARDID:
	DeleteAwardId((TPacketDeleteAwardID*) data);
	break;
Server/db/src/ClientManager.cpp:
Code:
// delete gift notify icon
void CClientManager::DeleteAwardId(TPacketDeleteAwardID *data)
{
	//sys_log(0,"data from game server arrived %d",data->dwID);
	std::map<DWORD, TItemAward *>::iterator it;
	it = ItemAwardManager::Instance().GetMapAward().find(data->dwID);
	if ( it != ItemAwardManager::Instance().GetMapAward().end() )
	{
		std::set<TItemAward *> & kSet = ItemAwardManager::Instance().GetMapkSetAwardByLogin()[it->second->szLogin];
		if(kSet.erase(it->second))
			sys_log(0,"erase ItemAward id: %d from cache", data->dwID);
		ItemAwardManager::Instance().GetMapAward().erase(data->dwID);
	}
	else
	{
		sys_log(0,"DELETE_AWARDID : could not find the id: %d", data->dwID);
	}
}
Server/db/src/ClientManager.h:
Code:
//delete gift notify icon
void DeleteAwardId(TPacketDeleteAwardID* data);
Server/game/src/input.cpp:
Code:
//gift notify delete command
else if (!stBuf.compare(0,15,"DELETE_AWARDID "))
{
	char szTmp[64];
	std::string msg = stBuf.substr(15,26);	// id range of item_award?

	TPacketDeleteAwardID p;
	p.dwID = (DWORD)(atoi(msg.c_str()));
	snprintf(szTmp,sizeof(szTmp),"Sent to DB cache to delete ItemAward, id: %d",p.dwID);
	//sys_log(0,"%d",p.dwID);
	// strlcpy(p.login, msg.c_str(), sizeof(p.login));
	db_clientdesc->DBPacket(HEADER_GD_DELETE_AWARDID, 0, &p, sizeof(p));
	stResult += szTmp;
}
#2 lollo_9_1 (joined Jun 2009), 03/23/2016, 12:11
Well, even though DELETE_AWARDID is exploitable by everyone, some other options have a similar troublesome issue: they don't delete rows somewhere, but generate a .txt any time they are called; if you flood such a process, you can freeze the machine quite easily.

The easiest way to solve such an issue would be checking if the admin page is empty, and if your IP is also in the allowed list soon after if (bHeader == HEADER_CG_TEXT).
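The attack path in post #1 (any client sends a `DELETE_AWARDID <id>` text command, the game server forwards it to the DB cache unchecked) and the allowlist gate lollo_9_1 suggests in post #2, as an added example that is not the Metin2 server's own code. `TextCommandPolicy`, `MakePolicy`, `IsTextCommandAllowed` and `HandleDeleteAwardCommand` are hypothetical names; the allowlist is assumed to hold peer IPs as strings, and an empty allowlist is treated like an unconfigured admin page and refuses every command. The handler only reports what it would do and never touches a cache.

```cpp
// Added example, not Metin2 source: gate HEADER_CG_TEXT commands such as
// "DELETE_AWARDID <id>" behind an IP allowlist before they reach the DB cache.
#include <cstdlib>
#include <set>
#include <string>

// Hypothetical stand-in for the server's admin-page / allowed-IP setting.
struct TextCommandPolicy
{
	std::set<std::string> allowed_ips;   // empty == no admin page configured
};

TextCommandPolicy MakePolicy(const std::set<std::string>& ips)
{
	TextCommandPolicy p;
	p.allowed_ips = ips;
	return p;
}

// A text command may be processed only from a listed peer; with nothing
// configured, refuse everything instead of falling open.
bool IsTextCommandAllowed(const TextCommandPolicy& policy, const std::string& remote_ip)
{
	if (policy.allowed_ips.empty())
		return false;
	return policy.allowed_ips.count(remote_ip) > 0;
}

// Mirrors the original input.cpp branch, but checks the peer first and
// validates the id strictly (digits only, non-zero, fits a DWORD) instead
// of trusting atoi(). Returns a result string like the original stResult.
std::string HandleDeleteAwardCommand(const TextCommandPolicy& policy,
                                     const std::string& remote_ip,
                                     const std::string& stBuf)
{
	if (!IsTextCommandAllowed(policy, remote_ip))
		return "denied";                                   // log and drop
	if (stBuf.compare(0, 15, "DELETE_AWARDID ") != 0)
		return "not a DELETE_AWARDID command";
	const std::string arg = stBuf.substr(15);
	if (arg.empty() || arg.find_first_not_of("0123456789") != std::string::npos)
		return "bad id";                                   // rejects "-1", "", "42x"
	const unsigned long long id = std::strtoull(arg.c_str(), nullptr, 10);
	if (id == 0 || id > 0xFFFFFFFFull)
		return "bad id";                                   // must fit DWORD dwID
	return "would delete " + std::to_string(id);           // here the DB packet would go
}
```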

Tags: bug, delete_awardid, exploit, fix, itemshop