Significant server exploit
#1

It came to my attention today of an exploit that occurred. It would appear that it is possible to connect multiple players on the same playerid, which means accounts could potentially be compromised if the name they connect with is a registered user.

Here is a log file of what happened (unrelated data has been trimmed):

Code:
[11:51:10] [join] Khartman has joined the server (125:179.135.151.211)
[11:51:10] JOIN: Khartman, 179.135.151.211, 904D54CC0C84E4548F48ADF4DA5480089CCECEC8
[11:51:25] Player Logged In
[11:51:52] [join] [uL]Kanada42O has joined the server (125:179.135.151.211)
[11:51:52] JOIN: [uL]Kanada42O, 179.135.151.211, 904D54CC0C84E4548F48ADF4DA5480089CCECEC8
[11:51:53] Player was moving alive killed Player Name: [uL]Kanada42O
As you can see, playerid 125 never disconnected but connected again with a spoofed name.

The last output means they basically force spawned themselves at this point, but the system sees that they shouldn't be alive, so it kills them automatically.

Here is my patch. Make sure this is included after <a_samp> to ensure it is always called first. No, I have not had time to fully test it against a real attack.

Simply use the OnPlayerSpoofName() callback to do any banning, and please note: use ReturnName() to get their real name, or you might inadvertently ban the wrong name.

pawn Code:
// Marks a playerid as a valid connection
static bool:ValidConnections[MAX_PLAYERS] = { false, ... };

// Keep track of names at login
new PlayerNames[MAX_PLAYERS][MAX_PLAYER_NAME];

// Return name will always return name at login
#define ReturnName(%0) PlayerNames[%0]

// Called when a spoofed name is detected
forward OnPlayerSpoofName(playerid);

// Player connects
public OnPlayerConnect(playerid)
{
    // Is that player already connected?
    if(ValidConnections[playerid])
    {
        // Spoofing names
        CallLocalFunction("OnPlayerSpoofName", "i", playerid);
        return 1;
    }
    // Player was not connected
    else
    {
        // Save name mark as valid connection
        GetPlayerName(playerid, PlayerNames[playerid], MAX_PLAYER_NAME);
        ValidConnections[playerid] = true;
    }

    // Continue callback hooking
    if (funcidx("AntiSpoof_OnPlayerConnect") != -1)
    {
        return CallLocalFunction("AntiSpoof_OnPlayerConnect", "i", playerid);
    }
    return 1;
}

// Player disconnects
public OnPlayerDisconnect(playerid, reason)
{
    ValidConnections[playerid] = false;

    // Continue callback hooking
    if (funcidx("AntiSpoof_OnPlayerDisconnect") != -1)
    {
        return CallLocalFunction("AntiSpoof_OnPlayerDisconnect", "ii", playerid, reason);
    }
    return 1;
}


#if defined _ALS_OnPlayerConnect
    #undef OnPlayerConnect
#else
    #define _ALS_OnPlayerConnect
#endif
#define OnPlayerConnect AntiSpoof_OnPlayerConnect

forward AntiSpoof_OnPlayerConnect(playerid);

#if defined _ALS_OnPlayerDisconnect
    #undef OnPlayerDisconnect
#else
    #define _ALS_OnPlayerDisconnect
#endif
#define OnPlayerDisconnect AntiSpoof_OnPlayerDisconnect

forward AntiSpoof_OnPlayerDisconnect(playerid, reason);
#2

I don't understand, playing as 2 users under 1 process?! Or... I am surely thinking that the Kanada name must've been logged with one of those programs where you cannot play, but can chat with your friends. Something like IRC, but you completely see the in-game chat. I don't know its name, nor am I allowed to release the name, but I'm sure it must be that software. Once, I tried using that and it attempted to force spawn itself in Crazybobs CnR (a test IP I fetched) just to chat, but since the whole software sends a bot to fetch/send from/to the software user, the script thinks the bot is a normal user and sends the registration dialogs and such. But I don't know how it has successfully force spawned itself; I believe that if the script doesn't have any force spawn code, then the SA-MP server either kills (judging by your chat logs) or kicks the player.

I can tell you, moreover, that it's not an exploit, because it's impossible to play under 2 usernames in 1 SA-MP process, unless the user has another piece of software for chatting/other purposes to get in game using a bot.

EDIT: Ignore this crap, click me for the better and explained version
#3

I do admit that it never made sense, but I never said anything about using exploit software, and I clearly said that it doesn't harm the SA-MP client, server or its players, plus I didn't advertise. Let me re-explain what I said.

Many months ago, my GTA:SA got fucked and I seriously wanted to chat with my friends instead of playing with them. Yeah, it's my fault for looking through sites which have tools which damage the server data, but I found a software (like I said, it doesn't harm the server, client or the players) which allows me to connect to a server as a normal player (but as an invisible bot) and chat with my friends without playing on the server itself. When I first used it, it did attempt to force spawn itself but eventually failed. I don't know how this software is related to this exploit, or say bug, but by looking at your logs I remembered this period of my past, so I decided to share this with you.

I mostly think that the user must have 2 computers or a virtual machine within his computer, so he/she can run a process on both machines; thus it is possible to have 2 usernames on the same IP address, logged in at the same time.

Possibilities, eh?
#4

Hmm...
https://sampforum.blast.hk/showthread.php?tid=474358

It shouldn't be possible to occupy 2 players inside a single player slot, so the only way to describe this is to say that a player can call OnPlayerConnect without calling OnPlayerDisconnect before.
#5

Quote:
Originally Posted by BigETI
Hmm...
https://sampforum.blast.hk/showthread.php?tid=474358

It shouldn't be possible to occupy 2 players inside a single player slot, so the only way to describe this is to say that a player can call OnPlayerConnect without calling OnPlayerDisconnect before.

Possible solution:
Editing...
It basically spoofs OnPlayerConnect() and the player slot. I was in fact able to replicate these conditions myself, but I won't explain how that is done; it was a bit different from what was originally experienced, but it still demonstrates the same kind of exploit.

Code:
[21:05:37] Incoming connection: 192.168.2.2:54827
[21:05:37] [npc:join] [uL]Kanada42O_432 has joined the server (41:192.168.2.2)
[21:06:37] [npc:join] [uL]Kanada42O_412395 has joined the server (41:192.168.2.2)
[21:06:38] IP 192.168.2.2 has been banned.
Peppe was certainly not bullshitting at all, this really needs to get patched ASAP.
#6

Possible solution:
http://pastebin.com/XfQiAtQv

pawn Code:
#include <ce_fix>
//...
public OnPlayerDisconnect(playerid, reason)
{
    // ce_fix passes reason 3 (its custom reason) when a second
    // OnPlayerConnect arrives on a slot that never disconnected
    if(reason == 3)
    {
        // Punish, or do whatever you like
    }
    return 1;
}
#7

Quote:
Originally Posted by BigETI
Possible solution:
http://pastebin.com/XfQiAtQv

pawn Code:
#include <ce_fix>
//...
public OnPlayerDisconnect(playerid, reason)
{
    if(reason == 3)
    {
        // Punish, or do whatever you like
    }
}
You should also save the name, as it will change and it could be a valid admin name which you wouldn't want getting banned in your system. There is another problem with that solution as well: there could be many OnPlayerDisconnect()s hooked before this callback, and they might get called, which isn't good because the player has not disconnected; they've only spoofed an OnPlayerConnect().

Another potential issue, if I'm reading this correctly:

if(ce_fix[playerid]) OnPlayerDisconnect(playerid, 3);
else ce_fix[playerid] = true;
#if defined CE_OnPlayerConnect
return CE_OnPlayerConnect(playerid);

If I'm not mistaken, that will allow the spoofed OnPlayerConnect() to always hook; that is not desirable, as it's not a real connection.

Last point: I'm pretty sure calling OnPlayerDisconnect() doesn't delete any per-player stuff. Now, this shouldn't matter, but it could be an issue.

Just clarify things for me if I got anything wrong or am overlooking anything, thanks.
#8

Quote:
Originally Posted by [uL]Pottus
You should also save the name, as it will change and it could be a valid admin name which you wouldn't want getting banned in your system. There is another problem with that solution as well: there could be many OnPlayerDisconnect()s hooked before this callback, and they might get called, which isn't good because the player has not disconnected; they've only spoofed an OnPlayerConnect().

Another potential issue, if I'm reading this correctly:

if(ce_fix[playerid]) OnPlayerDisconnect(playerid, 3);
else ce_fix[playerid] = true;
#if defined CE_OnPlayerConnect
return CE_OnPlayerConnect(playerid);

If I'm not mistaken, that will allow the spoofed OnPlayerConnect() to always hook; that is not desirable, as it's not a real connection.

Last point: I'm pretty sure calling OnPlayerDisconnect() doesn't delete any per-player stuff. Now, this shouldn't matter, but it could be an issue.

Just clarify things for me if I got anything wrong or am overlooking anything, thanks.
Normally the player/bot will be able to call OnPlayerConnect() without calling OnPlayerDisconnect() before, so this include basically calls OnPlayerDisconnect() itself, claims that the user has not properly disconnected, and makes "reason" return 3 (custom reason). Now it should be possible for you to re-design your script to prevent issues within OnPlayerConnect and OnPlayerDisconnect. It's a simple and probably efficient solution for now.
#9

My argument isn't that it wouldn't work; it's that there was never a disconnect, so why call that callback? It makes no sense, the same as allowing OnPlayerConnect() to continue processing when there was not a connection. But anyway, thanks for posting another possible method for people to try.
#10

What should I do? I ban via IP, not name, so how do I get the spoofing user's IP rather than the wrong one?
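An added example, written for this thread and not code from any of its posters or from the ce_fix include: it extends the "save the name at login" idea from post #1 to the IP address, so that a ban can act on the address recorded when the slot was legitimately connected, rather than on whatever the second OnPlayerConnect() presents. Only a_samp natives are used (GetPlayerName, GetPlayerIp, CallLocalFunction, printf, SendRconCommand); the callback name OnPlayerSpoofDetected, the AS_ prefix and the ALS hook names are choices made for this example. As with the patch in post #1, it has to be included after <a_samp> and before the gamemode's own callbacks so that its OnPlayerConnect runs first.

```pawn
// Added example, not code from the thread: records the name and IP of the
// first (legitimate) connection per slot, and hands both the recorded and
// the newly presented identity to a callback when a second OnPlayerConnect
// arrives on a slot that never passed through OnPlayerDisconnect.
// Only a_samp natives are used; OnPlayerSpoofDetected, AS_OnPlayerConnect
// and AS_OnPlayerDisconnect are names chosen for this example.
#include <a_samp>

#define AS_IP_LEN 16   // "255.255.255.255" plus the terminating NUL

static bool:AS_SlotInUse[MAX_PLAYERS];
static AS_SlotName[MAX_PLAYERS][MAX_PLAYER_NAME];
static AS_SlotIp[MAX_PLAYERS][AS_IP_LEN];

// Fired instead of the gamemode's OnPlayerConnect when a live slot is re-connected.
forward OnPlayerSpoofDetected(playerid, const origName[], const origIp[], const newName[], const newIp[]);

// Copies the IP recorded at the legitimate connect; returns 0 if the slot is free.
stock AS_GetOriginalIp(playerid, ip[], len)
{
    if (!AS_SlotInUse[playerid])
    {
        ip[0] = '\0';
        return 0;
    }
    format(ip, len, "%s", AS_SlotIp[playerid]);
    return 1;
}

public OnPlayerConnect(playerid)
{
    new name[MAX_PLAYER_NAME], ip[AS_IP_LEN];
    GetPlayerName(playerid, name, sizeof name);
    GetPlayerIp(playerid, ip, sizeof ip);

    if (AS_SlotInUse[playerid])
    {
        // Slot is still live: this connect is not a real one, so the new
        // name must not be trusted and the gamemode must not see the event.
        printf("[antispoof] slot %d held by %s (%s) re-connected as %s (%s)",
            playerid, AS_SlotName[playerid], AS_SlotIp[playerid], name, ip);
        CallLocalFunction("OnPlayerSpoofDetected", "issss", playerid,
            AS_SlotName[playerid], AS_SlotIp[playerid], name, ip);
        return 1;
    }

    // First connect on this slot: remember who actually owns it
    AS_SlotInUse[playerid] = true;
    format(AS_SlotName[playerid], MAX_PLAYER_NAME, "%s", name);
    format(AS_SlotIp[playerid], AS_IP_LEN, "%s", ip);

    #if defined AS_OnPlayerConnect
        return AS_OnPlayerConnect(playerid);
    #else
        return 1;
    #endif
}

public OnPlayerDisconnect(playerid, reason)
{
    // Only a real disconnect frees the slot
    AS_SlotInUse[playerid] = false;
    AS_SlotName[playerid][0] = '\0';
    AS_SlotIp[playerid][0] = '\0';

    #if defined AS_OnPlayerDisconnect
        return AS_OnPlayerDisconnect(playerid, reason);
    #else
        return 1;
    #endif
}

#if defined _ALS_OnPlayerConnect
    #undef OnPlayerConnect
#else
    #define _ALS_OnPlayerConnect
#endif
#define OnPlayerConnect AS_OnPlayerConnect
#if defined AS_OnPlayerConnect
    forward AS_OnPlayerConnect(playerid);
#endif

#if defined _ALS_OnPlayerDisconnect
    #undef OnPlayerDisconnect
#else
    #define _ALS_OnPlayerDisconnect
#endif
#define OnPlayerDisconnect AS_OnPlayerDisconnect
#if defined AS_OnPlayerDisconnect
    forward AS_OnPlayerDisconnect(playerid, reason);
#endif

// Gamemode-side handler: act on the address recorded at the legitimate
// connect, never on the name the spoofed connect presented.
public OnPlayerSpoofDetected(playerid, const origName[], const origIp[], const newName[], const newIp[])
{
    new cmd[AS_IP_LEN + 8];
    format(cmd, sizeof cmd, "banip %s", origIp);
    SendRconCommand(cmd);
    return 1;
}
```

Because the spoofed connect never reaches the gamemode's OnPlayerConnect, login dialogs and per-player state are not re-run for the faked name, which also avoids the "wrong name gets banned" problem raised in post #7. The handler above bans the recorded address; a server that bans by account instead can use origName the same way, and AS_GetOriginalIp() is there for code that needs the recorded address outside the callback.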

