Jump to content
MaxCheaters Official Group on Discord
Top.MaxCheaters.com is now OPEN – Lineage 2 Top Listing

LoginPacket - Critical security bug (all chronicles)

eressea
 Share

Recommended Posts

eressea Newbie

eressea

Posted
Posted

Hello everyone,

 

I'd like to inform you about critical security bug that's present in all widely known NCsoft l2server.exe binaries. If you're using Vanganth, you're definitely vulnerable to this one. If you're using MyExt64, update your server immediately (it's fixed in commit c52b36e).

 

Quote

 

"Someone has been using my builder account!"

-- Papa Bear, NCsoft and the Three Bears

 

 

When a player tries to log in, client sends LoginPacket with account ID and session ID. L2server should search for given account ID in std::map<int, int>, compare result with session ID and decide whether it's the correct account and session. However, some programmer at NCsoft made a terrible mistake. Instead of searching in the map like 

std::map<int, int>::const_iterator i = map.find(accountId);
if (i == map.end() || i->second != sessionId) return true; // disconnect user

they ended up searching the map this way: 

if (map[accountId] != sessionId) return true; // disconnect user

As you can see, if you supply arbitrary accountId and sessionId of 0, l2server will let you in (because it will add std::pair<int, int>(accountId, 0) to the map and then return 0). In reality you can't use any account ID as it's also searched in another std::map, so it works only for accounts that have been logged in since server start - but this is the only limitation.

 

This bug is really critical, if a player is able to guess account ID of some character with builder that has been logged in since server start, nasty things are going to happen...

 

I suggest everyone to fix it as soon as possible - you can see the fix in this commit https://bitbucket.org/l2shrine/extender-public/commits/c52b36e8aad518a094774aca49f2b78da7da390b (for Gracia Final, for other chronicles you'll have to find correct addresses)

xxdem Newbie

xxdem

Posted
Posted

You don't know if the guy who wrote this was idiot, probably he is better than all of us since he was given such a critical task, the fact is, that IF this bug exists is either a backdoor or something that slipped away from them for all those reasons that make C++ shit

eressea Newbie

eressea

Posted
  • Author
Posted (edited)
1 hour ago, xxdem said:

A good reason on why they should stick with C on such case, this can't happen in C

 

If they wrote it in C, there would be many more problems than this one (much more code to write).

 

As for map [] operator - all good C++ programmers KNOW that it inserts element if it's not already present. Operator overloading is good feature - if used sanely - I definitely like writing s == "abc" more than writing s.isEqual("abc") or strcmp(s, "abc") == 0.

 

Generally speaking, I see C++ bit safer, but you have to use it well. You can write bad code in any language.

Edited by eressea
xxdem Newbie

xxdem

Posted
Posted
21 hours ago, eressea said:

 

If they wrote it in C, there would be many more problems than this one (much more code to write).

 

As for map [] operator - all good C++ programmers KNOW that it inserts element if it's not already present. Operator overloading is good feature - if used sanely - I definitely like writing s == "abc" more than writing s.isEqual("abc") or strcmp(s, "abc") == 0.

 

Generally speaking, I see C++ bit safer, but you have to use it well. You can write bad code in any language.

 

That's not quite true about C, it would just be done on a more plain way, you don't really need a complex data structure to do this job, imho.

 

I love that you immediately noticed that on this specific case I was talking about operator overloading ([] more specifically) I didn't become too specific because there are lots of noobs here that wouldn't understand my point but you are smart enough to understand of what exactly I didn't like about the code :)

xxdem Newbie

xxdem

Posted
Posted (edited)

PS: with all the respect I have towards you, you get a big fuck you for overloading == into strcmp, the word to describe what it feals like is "sacrilege" in my country :p

 

Makes low level programming feel like frontend script code, and you also loose lots of functionality like inability to know and compare by address

Edited by xxdem
eressea Newbie

eressea

Posted
  • Author
Posted
4 hours ago, xxdem said:

That's not quite true about C, it would just be done on a more plain way, you don't really need a complex data structure to do this job, imho.

 

Writing red-black tree or hashmap in C is really pain in the ass unless you use macros (which I’m trying to avoid/minimize).

It can be done in asm, it can be done in C and it also can be done in C++ - with no or really little performance impact. I find maintaing clean C++ codebase easier than in C or asm - but it’s up to you to pick language you prefer. If written correctly, the result will be almost identical. But it will probably take twice time in asm vs C and twice time in C than in C++. All languages have pros and cons.

xxdem Newbie

xxdem

Posted
Posted
1 minute ago, eressea said:

 

Writing red-black tree or hashmap in C is really pain in the ass unless you use macros (which I’m trying to avoid/minimize).

It can be done in asm, it can be done in C and it also can be done in C++ - with no or really little performance impact. I find maintaing clean C++ codebase easier than in C or asm - but it’s up to you to pick language you prefer. If written correctly, the result will be almost identical. But it will probably take twice time in asm vs C and twice time in C than in C++. All languages have pros and cons.

 

My point was that it can be done without a hash map, I didn't meant "implement a C hashmap" that would be stupid, hash maps have a shitload of features you don't need on this case, (one of these features made this bug)

eressea Newbie

eressea

Posted
  • Author
Posted
2 hours ago, xxdem said:

 

My point was that it can be done without a hash map, I didn't meant "implement a C hashmap" that would be stupid, hash maps have a shitload of features you don't need on this case, (one of these features made this bug)

 

Well, you need to map one ID to another - and as those IDs are sparse, you can't just allocate few megabyte array and store it there. You need some associative container - either red-black map or hashmap... Of course it still can be some sorted (or unsorted) array or something like that, but it will be harder to manage, especially in case there won't be enough allocated memory to store all elements; you would have to reallocate and copy; also insert and delete function would be far from O(log n), however search operation would be O(log n) via binary search if it's sorted.

 

I don't say C is bad - but std::map is really much more convenient and when used well, it's perfectly safe.

xxdem Newbie

xxdem

Posted
Posted

imho I would just go O(n) with an array of struct{int accountId, int sessionId} and perform a search or something similar, it doesn't seem that the n will ever be huge on this case, I could be wrong

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing


  • Posts

    • L2Dexter
      L2Dexter-x200

      By L2Dexter · Posted

    • Silvin
      [Share] SuperPointEditor

      By Silvin · Posted

      ## SuperPoint Editor   SuperPoint Editor is a practical visual editor for Lineage II PTS 'SuperPoint.bin' files. It is built for people who need to inspect, fix, rebuild, and draw server routes without digging through binary data by hand.   ### What You Can Do   - Open and edit 'SuperPoint.bin' files. - Export BIN data into a readable TXT format. - Save edited data back into a valid BIN file. - Validate routes before saving. - Work with SuperPoint routes, points, directed connections, and path records in tables. - Add, duplicate, delete, and reorder points. - Create direct and reverse connections between route points. - Automatically generate connections between neighboring points. - Edit raw point coordinates: 'X', 'Y', 'Z', 'Index', and 'Delay'. - Keep route names and internal route data organized. - Use either English or Ukrainian interface language.   ### C4 Server Support   Some C4 servers have 'SuperPoint.bin', but do not have 'superpointinfo.txt' in scripts. The editor supports this case directly. When 'superpointinfo.txt' is not found near the BIN file, the editor can open the BIN in C4 mode. In this mode, 'Fstring ID' is disabled because that value belongs to 'superpointinfo.txt', not to the BIN itself. The editor will not generate or modify 'superpointinfo.txt' while working in this mode. This keeps C4 data clean and avoids creating script files that the server does not actually use.   ### superpointinfo.txt Support   For chronicles that do use 'superpointinfo.txt', the editor can load and synchronize it together with the BIN data. When saving, the editor updates route nodes and coordinates while preserving existing metadata such as: - 'npc_name' - 'move_type' - 'fstring_index' - 'social_number' - 'delay' New nodes are generated with safe default values, so existing script metadata is not accidentally wiped.   ### Geodata Tools   The editor can also open converted geodata '.dat' files and display them as a map. This makes route editing much more visual. You can: - Load geodata and inspect the terrain by layer. - Zoom and pan around the map. - Create a new SuperPoint directly from a map cell. - Draw a route by clicking on the geodata. - Drag existing points to new positions. - Automatically snap 'X/Y' to the selected geo cell. - Use the selected geodata layer to fill the point 'Z'. - See all routes on the map or focus only on the selected one. This is especially useful when building new NPC movement paths or correcting bad route coordinates.   ### Connections and Paths   SuperPoint connections are directional. A connection from point '3' to point '2' is not the same as a connection from point '2' to point '3'. The editor makes this explicit by separating: - route points, - directed connections, - and the actual path records used by each connection. For simple cases, it can create direct path records automatically. For more complex movement, you can edit the path points manually. ### Built for Safe Editing The editor includes validation before saving, so common structural problems can be caught before a broken BIN is produced. It also verifies rebuilt BIN files through the converter engine. The goal is simple: edit quickly, but do not silently damage server data.   ### Unknown Field   This small 'Unknown' field is part of the original BIN structure. Most official-looking files keep it as '0', and for regular route editing there is usually no reason to change it. The editor exposes it so nothing from the BIN is hidden or lost. If you do not know exactly what your server uses it for, keep it at '0'. Download
    • adm.l2pvpbrasil
      Npc_Teleport Interlude+Eff

      By adm.l2pvpbrasil · Posted

      NpcGrp não salva no interlúdio e da crítico quando coloca ele no cliente, já testei ele antes.
    • VPSLab
      — VPSLAB — Fast & Private RDP/VPS | 100% Instant Setup

      By VPSLab · Posted

      Active & Taking orders!
    • adm.l2pvpbrasil
      Raid Boss with effect

      By adm.l2pvpbrasil · Posted

      Obrigado mano pela moral .

  • Topics

×
×
  • Create New...

Important Information

This community uses essential cookies to function properly. Non-essential cookies and third-party services are used only with your consent. Read our Privacy Policy and We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue..