

Popular Content

Showing content with the highest reputation on 03/23/16 in all areas

  1. Hi, while looking through the server's source code I received in 2013, I found a minor security issue regarding the item shop. An attacker is able to temporarily delete items bought in the item shop from the game, so the buyer is unable to receive them. All deleted items are restored after the server restarts, though, as they are only removed from the database's cache, not from the database itself. Also, the attacker can only remove the item from the cache if the user didn't log in after buying it (player.item_award.taken_time != NULL).

     PoC application which attacks my local test server: Minor item shop security issue

     To fix it you need to delete the following lines:

     Server/common/tables.h:

     ```cpp
     HEADER_GD_DELETE_AWARDID = 138, // delete gift notify icon
     ```

     Server/common/tables.h:

     ```cpp
     // 선물 알림 기능 삭제용 패킷 정보
     typedef struct tDeleteAwardID
     {
         DWORD dwID;
     } TPacketDeleteAwardID;
     ```

     Server/db/src/ClientManager.cpp:

     ```cpp
     //delete gift notify icon
     case HEADER_GD_DELETE_AWARDID:
         DeleteAwardId((TPacketDeleteAwardID*) data);
         break;
     ```

     Server/db/src/ClientManager.cpp:

     ```cpp
     // delete gift notify icon
     void CClientManager::DeleteAwardId(TPacketDeleteAwardID *data)
     {
         //sys_log(0,"data from game server arrived %d",data->dwID);
         std::map<DWORD, TItemAward *>::iterator it;
         it = ItemAwardManager::Instance().GetMapAward().find(data->dwID);
         if ( it != ItemAwardManager::Instance().GetMapAward().end() )
         {
             std::set<TItemAward *> & kSet = ItemAwardManager::Instance().GetMapkSetAwardByLogin()[it->second->szLogin];
             if(kSet.erase(it->second))
                 sys_log(0,"erase ItemAward id: %d from cache", data->dwID);
             ItemAwardManager::Instance().GetMapAward().erase(data->dwID);
         }
         else
         {
             sys_log(0,"DELETE_AWARDID : could not find the id: %d", data->dwID);
         }
     }
     ```

     Server/db/src/ClientManager.h:

     ```cpp
     //delete gift notify icon
     void DeleteAwardId(TPacketDeleteAwardID* data);
     ```

     Server/game/src/input.cpp:

     ```cpp
     //gift notify delete command
     else if (!stBuf.compare(0,15,"DELETE_AWARDID "))
     {
         char szTmp[64];
         std::string msg = stBuf.substr(15,26); // item_award의 id범위?
         TPacketDeleteAwardID p;
         p.dwID = (DWORD)(atoi(msg.c_str()));
         snprintf(szTmp,sizeof(szTmp),"Sent to DB cache to delete ItemAward, id: %d",p.dwID);
         //sys_log(0,"%d",p.dwID);
         // strlcpy(p.login, msg.c_str(), sizeof(p.login));
         db_clientdesc->DBPacket(HEADER_GD_DELETE_AWARDID, 0, &p, sizeof(p));
         stResult += szTmp;
     }
     ```

     In the input.cpp lines above, the id is parsed from the command text with atoi() and forwarded to the DB cache as-is; nothing in the lines shown checks who sent the command or which account the award belongs to. The change touches Server/common, Server/db and Server/game, so both the db and the game binaries have to be rebuilt. On a server that has not been patched yet, the db log lines "erase ItemAward id: ... from cache" and "DELETE_AWARDID : could not find the id: ..." show when this command was used.
  -- Quest "ride": mounts the player when one of the listed mount items is used,
  -- and re-applies the mount on login.
  -- NOTE(review): this is quest-script syntax (quest/state/when ... begin ... end,
  -- and the != operator), not plain Lua; presumably it is pre-processed by the
  -- quest compiler -- confirm before running it through a stock Lua parser.
  quest ride begin
      state start begin
          -- Mounts the player according to the ride_info row for `vnum`.
          --   vnum        : item vnum, used as the key into ride_info
          --   remain_time : only used when the row's field [2] is 0; it is then
          --                 multiplied by 60 and passed as the duration
          function Ride( vnum, remain_time )
              -- Row layout as read by the code below:
              --   [1] first argument to pc.mount
              --   [2] second argument to pc.mount / third argument to pc.mount_bonus
              --   [3], [4] first and second argument to pc.mount_bonus
              --   [5] compared against pc.level
              --   [6] when true, one item `vnum` is removed after mounting
              --   [7], [8] are not read anywhere in this quest (52xxx rows have no [8])
              -- NOTE(review): ride_info is assigned without `local`, so in plain Lua it
              -- would be a global that is rebuilt on every call -- confirm this is intended.
              -- NOTE(review): item.get_socket(2) is evaluated while the table is built,
              -- i.e. on every call, including the call from the login handler below where
              -- no item use is visible -- confirm what it returns in that context.
              ride_info = {
                  [71114] = { 20110, 60*60, apply.DEF_GRADE_BONUS, 75, 1, true, false, false},
                  [71115] = { 20110, 60*60, apply.DEF_GRADE_BONUS, 100, 1, false, false, false },
                  [71116] = { 20111, 60*60, apply.DEF_GRADE_BONUS, 100, 1, true, false, false },
                  [71117] = { 20111, 60*60, apply.DEF_GRADE_BONUS, 150, 1, false, false, false },
                  [71118] = { 20112, 60*60, apply.DEF_GRADE_BONUS, 125, 1, true, false, false },
                  [71119] = { 20112, 60*60, apply.DEF_GRADE_BONUS, 200, 1, false, false, false },
                  [71120] = { 20113, 60*60, apply.ATT_GRADE_BONUS, 200, 1, true, false, false },
                  [71121] = { 20113, item.get_socket(2)*60, apply.ATT_GRADE_BONUS, 300, 1, false, false, false },
                  -- new mount
                  [71124] = { 20114, item.get_socket(2)*60, apply.ATTBONUS_MONSTER, 20, 1, false, false, false },
                  [71125] = { 20115, item.get_socket(2)*60, apply.ATTBONUS_MONSTER, 20, 1, false, false, false},
                  [71126] = { 20116, item.get_socket(2)*60, apply.ATTBONUS_MONSTER, 20, 1, false, false, false},
                  [71127] = { 20117, item.get_socket(2)*60, apply.ATTBONUS_MONSTER, 20, 1, false, false, false},
                  [71128] = { 20118, item.get_socket(2)*60, apply.ATTBONUS_MONSTER, 20, 1, false, false, false},
                  [71131] = { 20119, item.get_socket(2)*60, apply.MAX_HP, 500, 1, false, false, false},
                  [71132] = { 20119, item.get_socket(2)*60, apply.MAX_HP, 1000, 1, false, false, false},
                  [71133] = { 20119, item.get_socket(2)*60, apply.MAX_HP, 1500, 1, false, false, false},
                  [71134] = { 20119, item.get_socket(2)*60, apply.MAX_HP, 2000, 1, false, false, false},
                  [71161] = { 20159, item.get_socket(2)*60, apply.MOV_SPEED, 60, 1, false, false, false},
                  [52001] = { 20201, 60*60*24*365, apply.ATTBONUS_MONSTER, 0, 0, false, true },
                  [52002] = { 20201, 60*60*24*365, apply.MALL_EXPBONUS, 0, 0, false, true },
                  [52003] = { 20201, 60*60*24*365, apply.MAX_HP, 0, 0, false, true },
                  [52004] = { 20201, 60*60*24*365, apply.DEF_GRADE_BONUS, 0, 0, false, true },
                  [52005] = { 20201, 60*60*24*365, apply.ATT_GRADE_BONUS, 0, 0, false, true },
                  [52006] = { 20205, 60*60*24*365, apply.ATTBONUS_MONSTER, 3, 0, false, true },
                  [52007] = { 20205, 60*60*24*365, apply.MALL_EXPBONUS, 3, 0, false, true },
                  [52008] = { 20205, 60*60*24*365, apply.MAX_HP, 250, 0, false, true },
                  [52009] = { 20205, 60*60*24*365, apply.DEF_GRADE_BONUS, 50, 0, false, true },
                  [52010] = { 20205, 60*60*24*365, apply.ATT_GRADE_BONUS, 30, 0, false, true },
                  [52011] = { 20209, 60*60*24*365, apply.ATTBONUS_MONSTER, 5, 0, false, true },
                  [52012] = { 20209, 60*60*24*365, apply.MALL_EXPBONUS, 5, 0, false, true },
                  [52013] = { 20209, 60*60*24*365, apply.MAX_HP, 500, 0, false, true },
                  [52014] = { 20209, 60*60*24*365, apply.DEF_GRADE_BONUS, 150, 0, false, true },
                  [52015] = { 20209, 60*60*24*365, apply.ATT_GRADE_BONUS, 100, 0, false, true },
                  [52016] = { 20202, 60*60*24*365, apply.ATTBONUS_MONSTER, 0, 0, false, true },
                  [52017] = { 20202, 60*60*24*365, apply.MALL_EXPBONUS, 0, 0, false, true },
                  [52018] = { 20202, 60*60*24*365, apply.MAX_HP, 0, 0, false, true },
                  [52019] = { 20202, 60*60*24*365, apply.DEF_GRADE_BONUS, 0, 0, false, true },
                  [52020] = { 20202, 60*60*24*365, apply.ATT_GRADE_BONUS, 0, 0, false, true },
                  [52021] = { 20206, 60*60*24*365, apply.ATTBONUS_MONSTER, 3 , 0, false, true },
                  [52022] = { 20206, 60*60*24*365, apply.MALL_EXPBONUS, 3 , 0, false, true },
                  [52023] = { 20206, 60*60*24*365, apply.MAX_HP, 250, 0, false, true },
                  [52024] = { 20206, 60*60*24*365, apply.DEF_GRADE_BONUS, 50, 0, false, true },
                  [52025] = { 20206, 60*60*24*365, apply.ATT_GRADE_BONUS, 30, 0, false, true },
                  [52026] = { 20210, 60*60*24*365, apply.ATTBONUS_MONSTER, 5 , 0, false, true },
                  [52027] = { 20210, 60*60*24*365, apply.MALL_EXPBONUS, 5 , 0, false, true },
                  [52028] = { 20210, 60*60*24*365, apply.MAX_HP, 500, 0, false, true },
                  [52029] = { 20210, 60*60*24*365, apply.DEF_GRADE_BONUS, 150, 0, false, true },
                  [52030] = { 20210, 60*60*24*365, apply.ATT_GRADE_BONUS, 100, 0, false, true },
                  [52031]= { 20204, 60*60*24*365, apply.ATTBONUS_MONSTER, 0, 0, false, true },
                  [52032]= { 20204, 60*60*24*365, apply.MALL_EXPBONUS, 0, 0, false, true },
                  [52033]= { 20204, 60*60*24*365, apply.MAX_HP, 0, 0, false, true },
                  [52034]= { 20204, 60*60*24*365, apply.DEF_GRADE_BONUS, 0, 0, false, true },
                  [52035]= { 20204, 60*60*24*365, apply.ATT_GRADE_BONUS, 0, 0, false, true },
                  [52036]= { 20208, 60*60*24*365, apply.ATTBONUS_MONSTER, 3 , 0, false, true },
                  [52037]= { 20208, 60*60*24*365, apply.MALL_EXPBONUS, 3 , 0, false, true },
                  [52038]= { 20208, 60*60*24*365, apply.MAX_HP, 250, 0, false, true },
                  [52039]= { 20208, 60*60*24*365, apply.DEF_GRADE_BONUS, 50, 0, false, true },
                  [52040]= { 20208, 60*60*24*365, apply.ATT_GRADE_BONUS, 30, 0, false, true },
                  [52041]= { 20212, 60*60*24*365, apply.ATTBONUS_MONSTER, 5 , 0, false, true },
                  [52042]= { 20212, 60*60*24*365, apply.MALL_EXPBONUS, 5 , 0, false, true },
                  [52043]= { 20212, 60*60*24*365, apply.MAX_HP, 500, 0, false, true },
                  [52044]= { 20212, 60*60*24*365, apply.DEF_GRADE_BONUS, 150, 0, false, true },
                  [52045]= { 20212, 60*60*24*365, apply.ATT_GRADE_BONUS, 100, 0, false, true },
                  [52046]= { 20203, 60*60*24*365, apply.ATTBONUS_MONSTER, 0, 0, false, true },
                  [52047]= { 20203, 60*60*24*365, apply.MALL_EXPBONUS, 0, 0, false, true },
                  [52048]= { 20203, 60*60*24*365, apply.MAX_HP, 0, 0, false, true },
                  [52049]= { 20203, 60*60*24*365, apply.DEF_GRADE_BONUS, 0, 0, false, true },
                  [52050]= { 20203, 60*60*24*365, apply.ATT_GRADE_BONUS, 0, 0, false, true },
                  [52051]= { 20207, 60*60*24*365, apply.ATTBONUS_MONSTER, 3 , 0, false, true },
                  [52052]= { 20207, 60*60*24*365, apply.MALL_EXPBONUS, 3 , 0, false, true },
                  [52053]= { 20207, 60*60*24*365, apply.MAX_HP, 250, 0, false, true },
                  [52054]= { 20207, 60*60*24*365, apply.DEF_GRADE_BONUS, 50, 0, false, true },
                  [52055]= { 20207, 60*60*24*365, apply.ATT_GRADE_BONUS, 30, 0, false, true },
                  [52056]= { 20211, 60*60*24*365, apply.ATTBONUS_MONSTER, 5 , 0, false, true },
                  [52057]= { 20211, 60*60*24*365, apply.MALL_EXPBONUS, 5 , 0, false, true },
                  [52058]= { 20211, 60*60*24*365, apply.MAX_HP, 500, 0, false, true },
                  [52059]= { 20211, 60*60*24*365, apply.DEF_GRADE_BONUS, 150, 0, false, true },
                  [52060]= { 20211, 60*60*24*365, apply.ATT_GRADE_BONUS, 100, 0, false, true },
                  [52061]= { 20213, 60*60*24*365, apply.ATTBONUS_MONSTER, 0, 0, false, true },
                  [52062]= { 20213, 60*60*24*365, apply.MALL_EXPBONUS, 0, 0, false, true },
                  [52063]= { 20213, 60*60*24*365, apply.MAX_HP, 0, 0, false, true },
                  [52064]= { 20213, 60*60*24*365, apply.DEF_GRADE_BONUS, 0, 0, false, true },
                  [52065]= { 20213, 60*60*24*365, apply.ATT_GRADE_BONUS, 0, 0, false, true },
                  [52066]= { 20214, 60*60*24*365, apply.ATTBONUS_MONSTER, 3 , 0, false, true },
                  [52067]= { 20214, 60*60*24*365, apply.MALL_EXPBONUS, 3 , 0, false, true },
                  [52068]= { 20214, 60*60*24*365, apply.MAX_HP, 250, 0, false, true },
                  [52069]= { 20214, 60*60*24*365, apply.DEF_GRADE_BONUS, 50, 0, false, true },
                  [52070]= { 20214, 60*60*24*365, apply.ATT_GRADE_BONUS, 30, 0, false, true },
                  [52071]= { 20215, 60*60*24*365, apply.ATTBONUS_MONSTER, 5 , 0, false, true },
                  [52072]= { 20215, 60*60*24*365, apply.MALL_EXPBONUS, 5 , 0, false, true },
                  [52073]= { 20215, 60*60*24*365, apply.MAX_HP, 500, 0, false, true },
                  [52074]= { 20215, 60*60*24*365, apply.DEF_GRADE_BONUS, 150, 0, false, true },
                  [52075]= { 20215, 60*60*24*365, apply.ATT_GRADE_BONUS, 100, 0, false, true },
                  -- (section comment is mis-encoded on the page; presumably a Korean mount name)
                  [52076]= { 20216, 60*60*24*365, apply.ATTBONUS_MONSTER, 0, 0, false, true },
                  [52077]= { 20216, 60*60*24*365, apply.MALL_EXPBONUS, 0, 0, false, true },
                  [52078]= { 20216, 60*60*24*365, apply.MAX_HP, 0, 0, false, true },
                  [52079]= { 20216, 60*60*24*365, apply.DEF_GRADE_BONUS, 0, 0, false, true },
                  [52080]= { 20216, 60*60*24*365, apply.ATT_GRADE_BONUS, 0, 0, false, true },
                  [52081]= { 20217, 60*60*24*365, apply.ATTBONUS_MONSTER, 3 , 0, false, true },
                  [52082]= { 20217, 60*60*24*365, apply.MALL_EXPBONUS, 3 , 0, false, true },
                  [52083]= { 20217, 60*60*24*365, apply.MAX_HP, 250, 0, false, true },
                  [52084]= { 20217, 60*60*24*365, apply.DEF_GRADE_BONUS, 50, 0, false, true },
                  [52085]= { 20217, 60*60*24*365, apply.ATT_GRADE_BONUS, 30, 0, false, true },
                  [52086]= { 20218, 60*60*24*365, apply.ATTBONUS_MONSTER, 5 , 0, false, true },
                  [52087]= { 20218, 60*60*24*365, apply.MALL_EXPBONUS, 5 , 0, false, true },
                  [52088]= { 20218, 60*60*24*365, apply.MAX_HP, 500, 0, false, true },
                  [52089]= { 20218, 60*60*24*365, apply.DEF_GRADE_BONUS, 150, 0, false, true },
                  [52090]= { 20218, 60*60*24*365, apply.ATT_GRADE_BONUS, 100, 0, false, true },
                  -- Dragor
                  [52091]= { 20223, 60*60*24*365, apply.ATTBONUS_MONSTER, 0, 1, false, true },
                  [52092]= { 20223, 60*60*24*365, apply.MALL_EXPBONUS, 0, 1, false, true },
                  [52093]= { 20223, 60*60*24*365, apply.MAX_HP, 0, 1, false, true },
                  [52094]= { 20223, 60*60*24*365, apply.DEF_GRADE_BONUS, 0, 1, false, true },
                  [52095]= { 20223, 60*60*24*365, apply.ATT_GRADE_BONUS, 0, 1, false, true },
                  [52096]= { 20224, 60*60*24*365, apply.ATTBONUS_MONSTER, 3 , 1, false, true },
                  [52097]= { 20224, 60*60*24*365, apply.MALL_EXPBONUS, 3 , 1, false, true },
                  [52098]= { 20224, 60*60*24*365, apply.MAX_HP, 250, 1, false, true },
                  [52099]= { 20224, 60*60*24*365, apply.DEF_GRADE_BONUS, 50, 1, false, true },
                  [52100]= { 20224, 60*60*24*365, apply.ATT_GRADE_BONUS, 30, 1, false, true },
                  [52101]= { 20225, 60*60*24*365, apply.ATTBONUS_MONSTER, 5 , 1, false, true },
                  [52102]= { 20225, 60*60*24*365, apply.MALL_EXPBONUS, 5 , 1, false, true },
                  [52103]= { 20225, 60*60*24*365, apply.MAX_HP, 500, 1, false, true },
                  [52104]= { 20225, 60*60*24*365, apply.DEF_GRADE_BONUS, 150, 1, false, true },
                  [52105]= { 20225, 60*60*24*365, apply.ATT_GRADE_BONUS, 100, 1, false, true },
                  -- Moa
                  [52106]= { 20228, 60*60*24*365, apply.ATTBONUS_MONSTER, 0, 1, false, true },
                  [52107]= { 20228, 60*60*24*365, apply.MALL_EXPBONUS, 0, 1, false, true },
                  [52108]= { 20228, 60*60*24*365, apply.MAX_HP, 0, 1, false, true },
                  [52109]= { 20228, 60*60*24*365, apply.DEF_GRADE_BONUS, 0, 1, false, true },
                  [52110]= { 20228, 60*60*24*365, apply.ATT_GRADE_BONUS, 0, 1, false, true },
                  [52111]= { 20229, 60*60*24*365, apply.ATTBONUS_MONSTER, 3 , 1, false, true },
                  [52112]= { 20229, 60*60*24*365, apply.MALL_EXPBONUS, 3 , 1, false, true },
                  [52113]= { 20229, 60*60*24*365, apply.MAX_HP, 250, 1, false, true },
                  [52114]= { 20229, 60*60*24*365, apply.DEF_GRADE_BONUS, 50, 1, false, true },
                  [52115]= { 20229, 60*60*24*365, apply.ATT_GRADE_BONUS, 30, 1, false, true },
                  [52116]= { 20230, 60*60*24*365, apply.ATTBONUS_MONSTER, 5 , 1, false, true },
                  [52117]= { 20230, 60*60*24*365, apply.MALL_EXPBONUS, 5 , 1, false, true },
                  [52118]= { 20230, 60*60*24*365, apply.MAX_HP, 500, 1, false, true },
                  [52119]= { 20230, 60*60*24*365, apply.DEF_GRADE_BONUS, 150, 1, false, true },
                  [52120]= { 20230, 60*60*24*365, apply.ATT_GRADE_BONUS, 100, 1, false, true },
                  -- Christmas reindeer, polar bear and panda mounts
                  [71164]= { 20220, item.get_socket(2)*60, apply.MOV_SPEED, 60, 1, false, false, false},
                  [71165]= { 20221, item.get_socket(2)*60, apply.MOV_SPEED, 60, 1, false, false, false},
                  [71166]= { 20222, item.get_socket(2)*60, apply.MOV_SPEED, 60, 1, false, false, false},
                  -- royal tiger
                  [71137]= { 20120, item.get_socket(2)*60, apply.MALL_EXPBONUS, 20, 1, false, false, false},
                  [71138]= { 20121, item.get_socket(2)*60, apply.MALL_EXPBONUS, 20, 1, false, false, false},
                  [71139]= { 20122, item.get_socket(2)*60, apply.MALL_EXPBONUS, 20, 1, false, false, false},
                  [71140]= { 20123, item.get_socket(2)*60, apply.MALL_EXPBONUS, 20, 1, false, false, false},
                  [71141]= { 20124, item.get_socket(2)*60, apply.MALL_EXPBONUS, 20, 1, false, false, false},
                  [71142]= { 20125, item.get_socket(2)*60, apply.MALL_EXPBONUS, 20, 1, false, false, false},
                  -- Dragor test, and fire / ice unicorn
                  [71180] = { 20180, item.get_socket(2)*60, apply.DEF_GRADE_BONUS, 150, 1, false, false, false},
                  [71181] = { 20220, item.get_socket(2)*60, apply.DEF_GRADE_BONUS, 175, 1, false, false, false},
                  [71182] = { 20221, item.get_socket(2)*60, apply.DEF_GRADE_BONUS, 200, 1, false, false, false},
                  [71183] = { 20184, item.get_socket(2)*60, apply.ATT_GRADE_BONUS, 100, 1, false, false, false},
                  [71184] = { 20183, item.get_socket(2)*60, apply.ATT_GRADE_BONUS, 100, 1, false, false, false},
              }
              -- NOTE(review): ride_info[vnum] is indexed without checking that vnum is a
              -- key of the table; for a vnum that is not listed above this indexes nil.
              -- The login handler passes whatever pc.get_special_ride_vnum() returns.
              if pc.level < ride_info[vnum][5] then
                  -- Level requirement (field [5]) not met: only a chat message is shown.
                  syschat("Még nincs meg a szinted.")
              else
                  if ride_info[vnum][2] == 0 and remain_time != 0 then
                      -- Row duration is 0: fall back to the caller-supplied remaining time.
                      pc.mount( ride_info[vnum][1], remain_time*60 )
                      pc.mount_bonus( ride_info[vnum][3], ride_info[vnum][4], remain_time*60 )
                  else
                      pc.mount( ride_info[vnum][1], ride_info[vnum][2] )
                      pc.mount_bonus( ride_info[vnum][3], ride_info[vnum][4], ride_info[vnum][2] )
                  end
                  -- Field [6] marks rows whose item is removed once the mount is applied.
                  if true == ride_info[vnum][6] then
                      pc.remove_item(vnum, 1)
                  end
              end
          end

          -- On login, re-apply the mount if pc.get_special_ride_vnum() reports one
          -- (a vnum of 0 is treated as "none").
          when login begin
              local vnum, remain_time = pc.get_special_ride_vnum()
              if 0 != vnum then
                  ride.Ride(vnum, remain_time)
              end
          end

          -- Item-use trigger for the mount items. This list is maintained separately
          -- from the ride_info keys above, so the two have to be kept in sync by hand.
          when 71114.use or 71115.use or 71116.use or 71117.use or 71118.use or 71119.use or 71120.use or 71121.use or
               71124.use or 71125.use or 71126.use or 71127.use or 71128.use or 71161.use or
               52001.use or 52002.use or 52003.use or 52004.use or 52005.use or 52006.use or 52007.use or 52008.use or 52009.use or 52010.use or
               52011.use or 52012.use or 52013.use or 52014.use or 52015.use or 52016.use or 52017.use or 52018.use or 52019.use or 52020.use or
               52021.use or 52022.use or 52023.use or 52024.use or 52025.use or 52026.use or 52027.use or 52028.use or 52029.use or 52030.use or
               52031.use or 52032.use or 52033.use or 52034.use or 52035.use or 52036.use or 52037.use or 52038.use or 52039.use or 52040.use or
               52041.use or 52042.use or 52043.use or 52044.use or 52045.use or 52046.use or 52047.use or 52048.use or 52049.use or 52050.use or
               52051.use or 52052.use or 52053.use or 52054.use or 52055.use or 52056.use or 52057.use or 52058.use or 52059.use or 52060.use or
               52061.use or 52062.use or 52063.use or 52064.use or 52065.use or 52066.use or 52067.use or 52068.use or 52069.use or 52070.use or
               52071.use or 52072.use or 52073.use or 52074.use or 52075.use or 52076.use or 52077.use or 52078.use or 52079.use or 52080.use or
               52081.use or 52082.use or 52083.use or 52084.use or 52085.use or 52086.use or 52087.use or 52088.use or 52089.use or 52090.use or
               71164.use or 71180.use or 71181.use or 71182.use or 71183.use or 71184.use or 71165.use or 71166.use or
               71137.use or 71138.use or 71139.use or 71140.use or 71141.use or 71142.use or
               71131.use or 71132.use or 71133.use or 71134.use or
               52091.use or 52092.use or 52093.use or 52094.use or 52095.use or 52096.use or 52097.use or 52098.use or 52099.use or 52100.use or
               52101.use or 52102.use or 52103.use or 52104.use or 52105.use or 52106.use or 52107.use or 52108.use or 52109.use or 52110.use or
               52111.use or 52112.use or 52113.use or 52114.use or 52115.use or 52116.use or 52117.use or 52118.use or 52119.use or 52120.use begin
              if pc.is_polymorphed() then
                  -- Mounting is refused while the player is polymorphed.
                  syschat("Próbáld újra ha nem vagy átváltoztva.")
              elseif false == pc.is_riding() then
                  -- Not riding yet: dismiss a summoned horse first, then mount.
                  if true == horse.is_summon() then
                      horse.unsummon()
                  end
                  -- (disabled; the original comment is mis-encoded Korean and appears to
                  --  read "set to unlimited (60 years)")
                  -- item.set_socket(2, 60*24*365*60)
                  ride.Ride(item.vnum, 0)
              else
                  -- Already riding: using the item again dismounts.
                  pc.unmount()
                  -- (disabled say() calls; the message text is mis-encoded Korean and
                  --  appears to read "you are already using a mount")
                  --say("")
              end
          end
      end
  end
  3. Correct the file in gdb and post it again.
  4. Can someone post metin2_patch_pc3 and metin2_patch_pc3m? (They have been updated in winter 2015)
  6. Can you try to compile cryptopp lib on 2013_XP and client,too?
  8. TOOOOOOOO HARD ? A fucking search. [Hidden Content]
  9. This problem is in libthecore. You can edit signal.c in libthecore. Best Regards Ellie
