fix How To Fix Minor Item Shop Security Issue

[Mi4uric3 4]

Hi,

while looking through the servers source code I received in 2013 I found a minor security issue regarding the item shop. An attacker is able to temporarily delete items bought in the item shop from the game, so the buyer is unable to receive it. All deleted items are restored after the server restarts though, as they are only removed from the databases cache, not from the database itself. Also the attacker can only remove the item from the cache if the user didn't login after buying it (player.item_award.taken_time != NULL).

PoC application which attacks my local test server: Minor item shop security issue

To fix it you need to delete the following lines:

Server/common/tables.h:

HEADER_GD_DELETE_AWARDID    = 138,    // delete gift notify icon

Server/common/tables.h:

// 선물 알림 기능 삭제용 패킷 정보
typedef struct tDeleteAwardID
{
    DWORD dwID;
} TPacketDeleteAwardID;

Server/db/src/ClientManager.cpp:

//delete gift notify icon

case HEADER_GD_DELETE_AWARDID:
    DeleteAwardId((TPacketDeleteAwardID*) data);
    break;

Server/db/src/ClientManager.cpp:

// delete gift notify icon
void CClientManager::DeleteAwardId(TPacketDeleteAwardID *data)
{
	//sys_log(0,"data from game server arrived %d",data->dwID);
	std::map<DWORD, TItemAward *>::iterator it;
	it = ItemAwardManager::Instance().GetMapAward().find(data->dwID);
	if ( it != ItemAwardManager::Instance().GetMapAward().end() )
	{
		std::set<TItemAward *> & kSet = ItemAwardManager::Instance().GetMapkSetAwardByLogin()[it->second->szLogin];
		if(kSet.erase(it->second))
			sys_log(0,"erase ItemAward id: %d from cache", data->dwID);
		ItemAwardManager::Instance().GetMapAward().erase(data->dwID);
	}
	else
	{
		sys_log(0,"DELETE_AWARDID : could not find the id: %d", data->dwID);
	}
}

Server/db/src/ClientManager.h:

//delete gift notify icon
void DeleteAwardId(TPacketDeleteAwardID* data);

Server/game/src/input.cpp:

//gift notify delete command
else if (!stBuf.compare(0,15,"DELETE_AWARDID "))
{
	char szTmp[64];
	std::string msg = stBuf.substr(15,26);	// item_award의 id범위?

	TPacketDeleteAwardID p;
	p.dwID = (DWORD)(atoi(msg.c_str()));
	snprintf(szTmp,sizeof(szTmp),"Sent to DB cache to delete ItemAward, id: %d",p.dwID);
	//sys_log(0,"%d",p.dwID);
	// strlcpy(p.login, msg.c_str(), sizeof(p.login));
	db_clientdesc->DBPacket(HEADER_GD_DELETE_AWARDID, 0, &p, sizeof(p));
	stResult += szTmp;
}

 

 

[ds_aim 239]

Thanks

Isn't better to add a return intro  void CClientManager::ItemAward(CPeer * peer,char* login)  and a check intro ItemAwardManager  if (false && row[col])