WTS a massive critical error bug or fix

[BruT]

as the title says this bug causes massive critical errors to everyone online, no clue will be given here, can be used to boot top servers.

i can guarantee that no server has protection for it yet.

also offering a protection(fix) against it.

Edited September 26, 2017 by BruT

[eressea]

Is it for l2off or l2j or both?

[BruT]

when i am rdy ill try it on l2off pack too

[Lokus]

++ info?

[BruT]

1 hour ago, Lokus said:

++ info?

mass critical error

[Setekh]

Is it the same with the old chat exploit? There were scripts for l2net and phx tho people just forgot about it and some servers fixed it.

[Fyyre]

Guild crest exploit.  Sending of malformed image, cause critical error for other players.

Edited September 27, 2017 by Fyyre

[Szakalaka]

It means it has to be doable from client side, right? The set crest packet (as far as i remember) is just a byte array of constant size. What can go wrong here?

Actaully it is just a unbound byte array both for clan and ally, just checked.

A video proof would be fun to watch :)

Edited September 28, 2017 by Szakalaka

[GLO]

41 minutes ago, Szakalaka said:

It means it has to be doable from client side, right? The set crest packet (as far as i remember) is just a byte array of constant size. What can go wrong here?

Actaully it is just a unbound byte array both for clan and ally, just checked.

A video proof would be fun to watch :)

i tried it by changing _data = new byte[_length]; to   _data = "testtests".getBytes();  in clientpacket>RequestSetPledgeCrest 

when uploading crest it just doesnt appear instad of crashing

i prob missing something but if i were to test if this exploit works or not is this the correct approach or (if it works by changing packet on server side it would work if i change it on client?)

[Setekh]

8 hours ago, Fyyre said:

Guild crest exploit.  Sending of malformed image, cause critical error for other players.

But a guild crest exploit cannot be broadcast-ed to the world, only to it's known list of players. Also as i heard it affects servers with global chat, and there was a l2net script that allowed the crash on shout range.

 

MXC Share: 

 

l2Net ref: 

 

 

Hmmm wat? when did i fix that?

 

Edited September 28, 2017 by Setekh

[Szakalaka]

And its not fixed since 2009? Can't believe..

[eressea]

Can be fixed in client by writing single jmp on the right place (d3ddrv.dll)

EDIT: BTW does anyone have link and/or more info for that chat message crash? (link in the topic points to rapidshare which doesn't exist anymore)

Edited September 28, 2017 by eressea

[Fyyre]

Validate the DDS header for Crest on server side.

[eressea]

2 hours ago, Fyyre said:

Validate the DDS header for Crest on server side.

Best practise would be fixing both server and client side, that way you can give players fix without server restart and later apply server fix during regular restart :)

[AlmostGood]

author said "massive" = effect is not always triggered right away

and "to everyone online" = affects everyone

that's lot of info to narrow search to just few possible packets

 

crest seems reasonable, but it could be anything else, client is full of hardcoded constrains :P