Jump to content
MaxCheaters Official Group on X
MaxCheaters Official Group on Discord
--> Place your ad text here <--

LoginPacket - Critical security bug (all chronicles)

eressea
 Share

Recommended Posts

eressea Newbie

eressea

Posted
Posted

Hello everyone,

 

I'd like to inform you about critical security bug that's present in all widely known NCsoft l2server.exe binaries. If you're using Vanganth, you're definitely vulnerable to this one. If you're using MyExt64, update your server immediately (it's fixed in commit c52b36e).

 

Quote

 

"Someone has been using my builder account!"

-- Papa Bear, NCsoft and the Three Bears

 

 

When a player tries to log in, client sends LoginPacket with account ID and session ID. L2server should search for given account ID in std::map<int, int>, compare result with session ID and decide whether it's the correct account and session. However, some programmer at NCsoft made a terrible mistake. Instead of searching in the map like 

std::map<int, int>::const_iterator i = map.find(accountId);
if (i == map.end() || i->second != sessionId) return true; // disconnect user

they ended up searching the map this way: 

if (map[accountId] != sessionId) return true; // disconnect user

As you can see, if you supply arbitrary accountId and sessionId of 0, l2server will let you in (because it will add std::pair<int, int>(accountId, 0) to the map and then return 0). In reality you can't use any account ID as it's also searched in another std::map, so it works only for accounts that have been logged in since server start - but this is the only limitation.

 

This bug is really critical, if a player is able to guess account ID of some character with builder that has been logged in since server start, nasty things are going to happen...

 

I suggest everyone to fix it as soon as possible - you can see the fix in this commit https://bitbucket.org/l2shrine/extender-public/commits/c52b36e8aad518a094774aca49f2b78da7da390b (for Gracia Final, for other chronicles you'll have to find correct addresses)

  • Like 1
  • Thanks 1
  • Upvote 2
xxdem Newbie

xxdem

Posted
Posted

You don't know if the guy who wrote this was idiot, probably he is better than all of us since he was given such a critical task, the fact is, that IF this bug exists is either a backdoor or something that slipped away from them for all those reasons that make C++ shit

eressea Newbie

eressea

Posted
  • Author
Posted (edited)
1 hour ago, xxdem said:

A good reason on why they should stick with C on such case, this can't happen in C

 

If they wrote it in C, there would be many more problems than this one (much more code to write).

 

As for map [] operator - all good C++ programmers KNOW that it inserts element if it's not already present. Operator overloading is good feature - if used sanely - I definitely like writing s == "abc" more than writing s.isEqual("abc") or strcmp(s, "abc") == 0.

 

Generally speaking, I see C++ bit safer, but you have to use it well. You can write bad code in any language.

Edited by eressea
  • Like 1
xxdem Newbie

xxdem

Posted
Posted
21 hours ago, eressea said:

 

If they wrote it in C, there would be many more problems than this one (much more code to write).

 

As for map [] operator - all good C++ programmers KNOW that it inserts element if it's not already present. Operator overloading is good feature - if used sanely - I definitely like writing s == "abc" more than writing s.isEqual("abc") or strcmp(s, "abc") == 0.

 

Generally speaking, I see C++ bit safer, but you have to use it well. You can write bad code in any language.

 

That's not quite true about C, it would just be done on a more plain way, you don't really need a complex data structure to do this job, imho.

 

I love that you immediately noticed that on this specific case I was talking about operator overloading ([] more specifically) I didn't become too specific because there are lots of noobs here that wouldn't understand my point but you are smart enough to understand of what exactly I didn't like about the code :)

xxdem Newbie

xxdem

Posted
Posted (edited)

PS: with all the respect I have towards you, you get a big fuck you for overloading == into strcmp, the word to describe what it feals like is "sacrilege" in my country :p

 

Makes low level programming feel like frontend script code, and you also loose lots of functionality like inability to know and compare by address

Edited by xxdem
eressea Newbie

eressea

Posted
  • Author
Posted
4 hours ago, xxdem said:

That's not quite true about C, it would just be done on a more plain way, you don't really need a complex data structure to do this job, imho.

 

Writing red-black tree or hashmap in C is really pain in the ass unless you use macros (which I’m trying to avoid/minimize).

It can be done in asm, it can be done in C and it also can be done in C++ - with no or really little performance impact. I find maintaing clean C++ codebase easier than in C or asm - but it’s up to you to pick language you prefer. If written correctly, the result will be almost identical. But it will probably take twice time in asm vs C and twice time in C than in C++. All languages have pros and cons.

xxdem Newbie

xxdem

Posted
Posted
1 minute ago, eressea said:

 

Writing red-black tree or hashmap in C is really pain in the ass unless you use macros (which I’m trying to avoid/minimize).

It can be done in asm, it can be done in C and it also can be done in C++ - with no or really little performance impact. I find maintaing clean C++ codebase easier than in C or asm - but it’s up to you to pick language you prefer. If written correctly, the result will be almost identical. But it will probably take twice time in asm vs C and twice time in C than in C++. All languages have pros and cons.

 

My point was that it can be done without a hash map, I didn't meant "implement a C hashmap" that would be stupid, hash maps have a shitload of features you don't need on this case, (one of these features made this bug)

eressea Newbie

eressea

Posted
  • Author
Posted
2 hours ago, xxdem said:

 

My point was that it can be done without a hash map, I didn't meant "implement a C hashmap" that would be stupid, hash maps have a shitload of features you don't need on this case, (one of these features made this bug)

 

Well, you need to map one ID to another - and as those IDs are sparse, you can't just allocate few megabyte array and store it there. You need some associative container - either red-black map or hashmap... Of course it still can be some sorted (or unsorted) array or something like that, but it will be harder to manage, especially in case there won't be enough allocated memory to store all elements; you would have to reallocate and copy; also insert and delete function would be far from O(log n), however search operation would be O(log n) via binary search if it's sorted.

 

I don't say C is bad - but std::map is really much more convenient and when used well, it's perfectly safe.

xxdem Newbie

xxdem

Posted
Posted

imho I would just go O(n) with an array of struct{int accountId, int sessionId} and perform a search or something similar, it doesn't seem that the n will ever be huge on this case, I could be wrong

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing


  • Posts

    • SmurfsZone
      SmurfsZone: Your Best Source for League of Legend

      By SmurfsZone · Posted

      This is a  bump
    • reacheap
      wtt harbor 1x for l2reborn 10x new

      By reacheap · Posted

      hello, i want to wtt my charracter in l2elmorelab 1x harbor for 1.5kkk adena in l2reborn 10x new. Or if you interested tell me your offer. :)) Clean Mail 30 lvl Cleric Naked   Updated.
    • Starfire868686
      Multi route walker npc HELP

      By Starfire868686 · Posted

      package ai.npc.NFWalker; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Random; import l2r.gameserver.enums.CtrlIntention; import l2r.gameserver.model.Location; import l2r.gameserver.model.actor.L2Npc; import l2r.gameserver.model.quest.Quest; import l2r.gameserver.network.clientpackets.Say2; import l2r.gameserver.network.serverpackets.NpcSay; public class NFWalkerAI extends Quest { private static final int WALKER_NPC_ID = 20116; private final Map<String, Route> routes = new HashMap<>(); private final Map<Integer, Integer> npcIndexes = new HashMap<>(); private final Map<Integer, Boolean> npcReverse = new HashMap<>(); private final Map<Integer, String> npcCurrentRoute = new HashMap<>(); public NFWalkerAI() { super(-1, NFWalkerAI.class.getSimpleName(), "ai/npc/NFWalker"); loadRoutes(); addSpawnId(WALKER_NPC_ID); } private void loadRoutes() { // Route 1 Data Route route1 = new Route("route1"); route1.addPoint(new RoutePoint(0, 149363, 172341, -941, 0, false, "")); route1.addPoint(new RoutePoint(1, 148568, 172328, -980, 5, true, "Puff")); route1.addPoint(new RoutePoint(2, 148536, 172792, -980, 0, false, "")); // Route 2 Data Route route2 = new Route("route2"); route2.addPoint(new RoutePoint(0, 149363, 172341, -941, 0, false, "")); route2.addPoint(new RoutePoint(1, 150248, 172328, -980, 5, true, "Rise my children! Bring me the servants of the god! Let them be offered to our god Bifrons!")); route2.addPoint(new RoutePoint(2, 150248, 172776, -980, 0, false, "")); // Add routes to the map routes.put("route1", route1); routes.put("route2", route2); } @Override public String onSpawn(L2Npc npc) { if (npc.getId() == WALKER_NPC_ID) { selectInitialRouteForNpc(npc); } return super.onSpawn(npc); } @Override public String onAdvEvent(String event, L2Npc npc, l2r.gameserver.model.actor.instance.L2PcInstance player) { if (event.equalsIgnoreCase("move")) { moveNpc(npc); } else if (event.equalsIgnoreCase("check_reached")) { checkIfReached(npc); } return null; } private void moveNpc(L2Npc npc) { String routeName = npcCurrentRoute.get(npc.getObjectId()); Route route = routes.get(routeName); Integer pointIndex = npcIndexes.get(npc.getObjectId()); if (route != null && pointIndex != null) { RoutePoint point = route.getPoints().get(pointIndex); if (point.isRun()) { npc.setRunning(); } else { npc.setWalking(); } if (!point.getChat().isEmpty()) { npc.broadcastPacket(new NpcSay(npc.getObjectId(), Say2.NPC_ALL, npc.getId(), point.getChat())); } npc.getAI().setIntention(CtrlIntention.AI_INTENTION_MOVE_TO, new Location(point.getX(), point.getY(), point.getZ())); // Log movement intention System.out.println("NPC " + npc.getObjectId() + " moving to " + point.getX() + ", " + point.getY() + ", " + point.getZ()); // Schedule a check to see if the NPC has reached its destination startQuestTimer("check_reached", 1000, npc, null); } } private void checkIfReached(L2Npc npc) { String routeName = npcCurrentRoute.get(npc.getObjectId()); Route route = routes.get(routeName); Integer pointIndex = npcIndexes.get(npc.getObjectId()); if (route != null && pointIndex != null) { RoutePoint point = route.getPoints().get(pointIndex); Location currentLocation = npc.getLocation(); Location targetLocation = new Location(point.getX(), point.getY(), point.getZ()); // Check if the NPC has reached the target location if (currentLocation.equals(targetLocation)) { // Log that the NPC has reached the target System.out.println("NPC " + npc.getObjectId() + " reached target " + targetLocation); // Schedule the next movement startQuestTimer("move", point.getDelay() * 1000, npc, null); if (!npcReverse.get(npc.getObjectId())) { pointIndex++; if (pointIndex >= route.getPoints().size()) { npcReverse.put(npc.getObjectId(), true); pointIndex = route.getPoints().size() - 1; } } else { pointIndex--; if (pointIndex < 0) { npcReverse.put(npc.getObjectId(), false); pointIndex = 0; // Choose a new route after completing the current one in both directions switchRouteForNpc(npc); return; } } npcIndexes.put(npc.getObjectId(), pointIndex); } else { // Check again after 1 second startQuestTimer("check_reached", 1000, npc, null); } } } private void selectInitialRouteForNpc(L2Npc npc) { // Randomly select either route1 or route2 String selectedRouteName = "route" + (new Random().nextInt(2) + 1); npcCurrentRoute.put(npc.getObjectId(), selectedRouteName); npcIndexes.put(npc.getObjectId(), 0); npcReverse.put(npc.getObjectId(), false); startQuestTimer("move", 5000, npc, null); // Log initial route selection System.out.println("NPC " + npc.getObjectId() + " selected initial route " + selectedRouteName); } private void switchRouteForNpc(L2Npc npc) { String currentRoute = npcCurrentRoute.get(npc.getObjectId()); String newRoute = currentRoute.equals("route1") ? "route2" : "route1"; npcCurrentRoute.put(npc.getObjectId(), newRoute); npcIndexes.put(npc.getObjectId(), 0); npcReverse.put(npc.getObjectId(), false); startQuestTimer("move", 5000, npc, null); // Log route switching System.out.println("NPC " + npc.getObjectId() + " switched to route " + newRoute); } private static class Route { private List<RoutePoint> points = new ArrayList<>(); public Route(String name) { } public void addPoint(RoutePoint point) { points.add(point); } public List<RoutePoint> getPoints() { return points; } } private static class RoutePoint { private int id; private int x, y, z, delay; private boolean run; private String chat; public RoutePoint(int id, int x, int y, int z, int delay, boolean run, String chat) { this.id = id; this.x = x; this.y = y; this.z = z; this.delay = delay; this.run = run; this.chat = chat; } public int getId() { return id; } public int getX() { return x; } public int getY() { return y; } public int getZ() { return z; } public int getDelay() { return delay; } public boolean isRun() { return run; } public String getChat() { return chat; } } } I looking for help, with this, the npc not start to move. Im trying to create, an NPC wich have multiple walk routes basic logic is  random pick a route complite the route  like Route 1 start form zero (0 -> 1 -> 2(or more) -> 1 -> 0) When the npc return to 0, the script should pic the other route and start again.  And if there is a message like point 1 here     "route1.addPoint(new RoutePoint(1, 148568, 172328, -980, 5, true, "Puff"));" The npc should display the chat message. Currently my problem is the npc not moving, but if I manage it to start moving its randomly move between the route 1 and 2 set of coordinates. Currently for me its  a nightmare. I hope anyone can help somhow.
    • SXorg
      Proxy Market SX.ORG for any task | Buy and sell IP quickly

      By SXorg · Posted

      We are certainly not an ambulance, but we will definitely cure you of blacklists and empty pockets. Live freely with SX! Each of you will receive a trial version of SX to familiarize yourself with the product, all you have to do is post in this thread
    • arnonvitor
      L2J Developer Services and Bug-fixing for Server Owners

      By arnonvitor · Posted

      qual e o valor pra atualizar o java da soucer ?

  • Topics

×
×
  • Create New...