Fix Core Crash (unused serverside packet)



Hey guys,

I noticed a core crash "exploit" someone is currently using with HEADER_CG_TEXT.

It's a simple buffer overflow in the HEADER_CG_TEXT packet.
Because the packet is not used, you can just remove it.
In marty's files it's already fixed, because only localhost has access, as far as I remember.

packet.h

    HEADER_CG_TEXT                    = 64,

 

packet_info.cpp

Set(HEADER_CG_TEXT, sizeof(TPacketCGText), "Text", false);

 

input.cpp

if (bHeader == HEADER_CG_TEXT)
{
[...]
}

 

Edited by .colossus.

#ifdef ENABLE_PORT_SECURITY
        if (IsEmptyAdminPage() || !IsAdminPage(inet_ntoa(d->GetAddr().sin_addr))) // block if adminpage is not set or if not admin
        {
            sys_log(0, "SOCKET_CMD: BLOCK FROM(%s)", d->GetHostName());
            return -1;
        }
#endif

 

Can I remove everything from #ifdef ENABLE_PORT_SECURITY? That deletes #ifdef ENABLE_PORT_SECURITY, why? 😞

6 minutes ago, MLens said:

Can I remove everything from #ifdef ENABLE_PORT_SECURITY? That deletes #ifdef ENABLE_PORT_SECURITY, why? 😞

Read my thread again 🙂

--> In marty's files it's already fixed, because only localhost has access, as far as I remember.

So you just need to enable ENABLE_PORT_SECURITY, or delete everything, because it's not used.

Edited by .colossus.

2 minutes ago, .colossus. said:

Read my thread again 🙂

--> In marty's files it's already fixed, because only localhost has access, as far as I remember.

if (bHeader == HEADER_CG_TEXT) { [...] }

In HEADER_CG_TEXT I have #ifdef ENABLE_PORT_SECURITY. If I delete if (bHeader == HEADER_CG_TEXT) { [...] }, do I delete this #ifdef ENABLE_PORT_SECURITY too? Will I uninstall #ifdef ENABLE_PORT_SECURITY? I have HEADER_CG_TEXT normal in my files.


The issue is that the buffer is not cleared even if the packet is wrong. It will keep growing until you run out of memory.

It's not just adminpage (@) that is vulnerable to this, but it's the simplest to exploit.

Edited by martysama0134
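The following is an added example, not the game core's own code, that models what this thread describes: a per-connection input buffer and a newline-terminated text packet whose handler, given a stream that never contains '\n', keeps the bytes and waits for more (the growth martysama0134 points to), beside a hardened handler that applies the ENABLE_PORT_SECURITY-style source-address gate from .colossus.'s reply and bounds the pending data. Everything here is an assumption for illustration (Conn, take_line, kMaxTextLine, the 127.0.0.1 allow-list, the flood of 'A' bytes); only the header value 64 comes from the thread.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical names for this example; 64 is the header value quoted in the thread.
static const uint8_t kHeaderCGText = 64;
static const size_t  kMaxTextLine  = 256;   // assumed cap, not a project constant

enum class Verdict { NeedMore, Consumed, Disconnect };

struct Conn {
    std::string remote_ip;   // stands in for inet_ntoa(d->GetAddr().sin_addr)
    std::string inbuf;       // received bytes not yet consumed
};

// Shared line extraction: header byte, then text up to '\n' (optional '\r' before it).
static bool take_line(Conn& c, std::string& line_out) {
    size_t nl = c.inbuf.find('\n', 1);
    if (nl == std::string::npos) return false;
    size_t end = nl;
    if (end > 1 && c.inbuf[end - 1] == '\r') --end;
    line_out = c.inbuf.substr(1, end - 1);
    c.inbuf.erase(0, nl + 1);
    return true;
}

// Vulnerable shape: with no newline yet, report "need more" and keep everything.
// A peer that never sends '\n' makes inbuf grow for as long as it keeps sending.
Verdict text_packet_vulnerable(Conn& c, std::string& line_out) {
    if (c.inbuf.empty() || (uint8_t)c.inbuf[0] != kHeaderCGText) return Verdict::Disconnect;
    return take_line(c, line_out) ? Verdict::Consumed : Verdict::NeedMore;
}

// Hardened shape, combining both fixes discussed in the thread:
//  1. ENABLE_PORT_SECURITY semantics: no admin address configured, or the peer
//     is not one of them -> drop the connection before touching the payload.
//  2. Bound the unterminated data: past kMaxTextLine payload bytes with no '\n',
//     disconnect and discard the buffer instead of waiting for more.
Verdict text_packet_hardened(Conn& c, const std::vector<std::string>& admin_pages,
                             std::string& line_out) {
    if (c.inbuf.empty() || (uint8_t)c.inbuf[0] != kHeaderCGText) return Verdict::Disconnect;
    bool admin = std::find(admin_pages.begin(), admin_pages.end(), c.remote_ip) != admin_pages.end();
    if (admin_pages.empty() || !admin) {
        c.inbuf.clear();
        return Verdict::Disconnect;
    }
    if (take_line(c, line_out)) return Verdict::Consumed;
    if (c.inbuf.size() - 1 > kMaxTextLine) {   // payload bytes, excluding the header
        c.inbuf.clear();
        return Verdict::Disconnect;
    }
    return Verdict::NeedMore;
}

// Simulates a peer at `ip` sending `chunks` chunks of `chunk_len` 'A' bytes after
// the header and never a newline (constructed input). Returns the bytes still
// buffered and whether the connection survived.
struct Outcome { size_t pending; bool alive; };

Outcome flood(bool hardened, const std::string& ip, size_t chunks, size_t chunk_len) {
    const std::vector<std::string> admin_pages = {"127.0.0.1"};   // constructed allow-list
    Conn c{ip, std::string(1, (char)kHeaderCGText)};
    std::string line;
    for (size_t i = 0; i < chunks; ++i) {
        c.inbuf.append(chunk_len, 'A');
        Verdict v = hardened ? text_packet_hardened(c, admin_pages, line)
                             : text_packet_vulnerable(c, line);
        if (v == Verdict::Disconnect) return {c.inbuf.size(), false};
    }
    return {c.inbuf.size(), true};
}

// A well-formed command from the allowed address still works in the hardened path.
std::string hardened_line(const std::string& ip, const std::string& payload) {
    const std::vector<std::string> admin_pages = {"127.0.0.1"};
    Conn c{ip, std::string(1, (char)kHeaderCGText) + payload};
    std::string line;
    Verdict v = text_packet_hardened(c, admin_pages, line);
    if (v == Verdict::Consumed) return line;
    return std::string("<") + (v == Verdict::NeedMore ? "needmore" : "disconnect") + ">";
}

int main() {
    Outcome a = flood(false, "203.0.113.5", 1000, 1024);
    Outcome b = flood(true,  "203.0.113.5", 1000, 1024);
    Outcome c = flood(true,  "127.0.0.1",   1000, 1024);
    std::printf("vulnerable: pending=%zu alive=%d\n", a.pending, (int)a.alive);
    std::printf("hardened, foreign ip: pending=%zu alive=%d\n", b.pending, (int)b.alive);
    std::printf("hardened, admin ip: pending=%zu alive=%d\n", c.pending, (int)c.alive);
    std::printf("hardened, valid line: %s\n", hardened_line("127.0.0.1", "@ping\r\n").c_str());
    return 0;
}
```

In the vulnerable path a megabyte of header-less text sits in the buffer with the connection still open, and nothing stops the next megabyte; the hardened path either refuses the peer outright or drops the buffer with the connection once the cap is hit, which is the "cleared even if the packet is wrong" behaviour the reply above asks for. If you take the thread's advice and remove the header from packet_info.cpp instead, the bytes never reach a text handler at all, because an unregistered header already ends the connection.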

On 6/18/2021 at 6:23 PM, .colossus. said:


Remove this line in packet.h 😄 

typedef struct command_text
{
    BYTE    bHeader;
} TPacketCGText;
