[EXPLOIT] Metin2 Chat Link Exploit

[Abel(Tiger) 1141]

Hello,

As the title says, there is a significant exploit in the chat link system. Given that many servers utilize this system, I believe most private servers are affected by this exploit.

Essentially, someone can execute any CMD command they want on a player's computer by instructing them to click on an item.

How does it work?

This is the hidden content, please

• Sign In
• or
• Sign Up

He sends this through whisper or public chat, and the player clicks on the item. The command opens notepad.exe.

How can you fix it?

Firstly, STOP using os.system to open links. There are special libraries for that, such as the one I will use to implement this fix.

Please note that this is a straightforward fix and may not be 100% foolproof because malicious links can still be sent to open in the browser. I recommend using a link validation technique on the server side and allowing only specific links.

This is the hidden content, please

• Sign In
• or
• Sign Up

Edited January 24 by Abel(Tiger)
add hide tag

[WeedHex 627]

Better to create also a list of allowed link roots inside the game.

Edited February 11 by WeedHex

[Deliris 395]

This issue has been fixed back in 2022, check the following link:

 

[Kidro 135]

Hey, if you receive error

 

'0122 23:42:20675 :: Invalid url start https://www.youtube.com/watch?v=fy-cEY1JBao^&t=1118s'

 

replace the whole function with:

 

    def MakeHyperlinkTooltip(self, hyperlink):
        tokens = hyperlink.split(":")
        if tokens and len(tokens):
            type = tokens[0]
            if "item" == type:
                self.hyperlinkItemTooltip.SetHyperlinkItem(tokens)
            elif "msg" == type and str(tokens[1]) != player.GetMainCharacterName():
                self.OpenWhisperDialog(str(tokens[1]))                
            elif "web" == type and (tokens[1].startswith("httpXxX") or tokens[1].startswith("httpsXxX")):
                link = tokens[1].replace("XxX", "://")
                OpenLinkQuestionDialog = uiCommon.QuestionDialog2()
                OpenLinkQuestionDialog.SetText1(localeInfo.CHAT_OPEN_LINK_DANGER)
                OpenLinkQuestionDialog.SetText2(localeInfo.CHAT_OPEN_LINK)
                OpenLinkQuestionDialog.SetAcceptEvent(lambda arg=TRUE: self.AnswerOpenLink(arg))
                OpenLinkQuestionDialog.SetCancelEvent(lambda arg=FALSE: self.AnswerOpenLink(arg))
                constInfo.link = link
                OpenLinkQuestionDialog.Open()
                self.OpenLinkQuestionDialog = OpenLinkQuestionDialog
            elif "sysweb" == type:
                open_url_in_browser(tokens[1].replace("XxX", "://"))
            elif "Kidro" == type or "msg" == type and str(tokens[1]) != player.GetMainCharacterName():
                self.OpenWhisperDialog(str(tokens[1]))    

 

 

The problem is from:

constInfo.link = "start " + tokens[1].replace("XxX", "://").replace("&","^&")
 

Here's what seems to be happening:

The URL is being prefixed with "start ", which is not part of a valid URL.
The ampersand (&) is being replaced with ^&, which is also not standard in URLs and likely causing the issue.
 

Edited January 22 by Kidro