Wulvarik

You woul _ _ _ _ _POO_


I don't expect this one-off issue to be solved. I just thought it was particularly special.

It eventually hard-crashed.

[screenshot: dUiqPe.jpg]

And since logs are super-important for troubleshooting these things:

[screenshot: OKlWjG.jpg]


....I can haz 10 hour sleep bonus?


Woah there, cowboy.

Buy me dinner first and we'll see where things take us.

It's just a standard error when communication between client and server goes bad

Nothing special and nothing new, just have to relog

9 hours ago, MrGARY said:

It's just a standard error when communication between client and server goes bad

Nothing special and nothing new, just have to relog

Geez, random memory corruption is a common thing? And nobody's looked into it?

Pointers are pointing at random things.

Pointers, man.

Ebil hackers pay good money for the ability to make pointers point at random things.

WU remote code execution servers?

I mean, let's take this to the extreme here.

The log file name was a random chunk of memory. The log file contents were a random chunk of memory.

What if, instead of random, the log file name was "..\..\..\autoexec.bat", and instead of gibberish, the contents were "taskkill /f /im explorer.exe  \n del explorer.exe"?

Text strings which could easily be inserted into memory by server messages.

It's not memory corruption and you're not seeing a random chunk of memory. It's the client trying to decipher what the server is telling it, but an issue causes it to severely misunderstand it.

For example, imagine the client receives a packet that says "Drain your stamina bar by 10%". But something goes wrong and your client incorrectly deciphers this message. Now it interprets this as "Put something in your events tab" and the text it should insert is seemingly random binary data that gets converted to text. Eventually one of these misinterpreted packets will ask it to do something impossible and it would crash.

The "damage" of this problem is limited to what the client allows packets to do. As far as I know, the client doesn't allow the server to execute arbitrary code on the client (that would be pretty crazy) or anything else that's as dangerous, so it can't create a bat file or whatever.

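
The misframing mechanism the post above describes, as an added example that is not part of this thread and not the game client's code. The wire format (one-byte opcode, one-byte payload length, payload) and the sample traffic are constructed assumptions; nothing on this page documents the real protocol. Decoded from the correct frame boundary, the stream yields a stamina change and ordinary events; decoded one byte late, the "drain stamina by 10%" frame becomes an "add event text" frame whose tab name is 246 bytes of neighbouring packets rendered as text, and the frame after that cannot be satisfied, which is the crash.

```python
import struct

# Added illustration, not the game's code. The wire format below is a
# constructed assumption: frame = opcode (1 byte) | payload length (1 byte) | payload.
OP_STAMINA = 0x01     # payload: int16 big-endian percentage change
OP_EVENT_TEXT = 0x02  # payload: uint8 tab_len | tab name | event text (rest of payload)


class ProtocolError(Exception):
    """The 'impossible' frame: the point at which a real client would hard-crash."""


def stamina_frame(delta: int) -> bytes:
    return struct.pack(">BBh", OP_STAMINA, 2, delta)


def event_frame(tab: str, text: str) -> bytes:
    payload = bytes([len(tab)]) + tab.encode("ascii") + text.encode("ascii")
    return struct.pack(">BB", OP_EVENT_TEXT, len(payload)) + payload


def decode_stream(data: bytes, offset: int = 0):
    """Yield the actions a client would take, decoding frames from `offset`.

    `offset` models a desync: the decoder believes a frame boundary is there.
    """
    while offset < len(data):
        if len(data) - offset < 2:
            raise ProtocolError("truncated frame header")
        opcode, length = data[offset], data[offset + 1]
        offset += 2
        payload = data[offset:offset + length]
        if len(payload) != length:
            raise ProtocolError(f"frame claims {length} payload bytes, only {len(payload)} left")
        offset += length
        if opcode == OP_STAMINA:
            if length < 2:
                raise ProtocolError("stamina frame too short")
            (delta,) = struct.unpack(">h", payload[:2])
            yield ("stamina", delta)
        elif opcode == OP_EVENT_TEXT:
            if length < 1:
                raise ProtocolError("event frame too short")
            tab_len = payload[0]
            # latin-1 maps every byte to a character, so misframed binary is shown as 'text'
            tab = payload[1:1 + tab_len].decode("latin-1")
            text = payload[1 + tab_len:].decode("latin-1")
            yield ("event", tab, text)
        else:
            raise ProtocolError(f"unknown opcode 0x{opcode:02x}")


def run_client(data: bytes, offset: int = 0):
    """Return (actions taken before any crash, crash message or None)."""
    actions = []
    try:
        for action in decode_stream(data, offset):
            actions.append(action)
    except ProtocolError as err:
        return actions, str(err)
    return actions, None


def build_sample_stream() -> bytes:
    """Constructed sample traffic: a 10% stamina drain, then combat events with ticks."""
    stream = stamina_frame(-10)
    for _ in range(12):
        stream += event_frame("Combat", "You hit the rat.") + stamina_frame(1)
    return stream


SAMPLE_STREAM = build_sample_stream()

if __name__ == "__main__":
    good, crash = run_client(SAMPLE_STREAM)            # correct framing
    print(good[:2], "... crash:", crash)
    bad, crash = run_client(SAMPLE_STREAM, offset=1)   # decoder one byte off
    kind, tab, text = bad[0]
    print(kind, "tab=", repr(tab[:12]), f"({len(tab)} chars)", "text=", repr(text))
    print("crash:", crash)
```

The crash here is a clean exception because the decoder checks every length field before slicing. A native client that trusted the length byte and copied into a fixed buffer would not stop so gracefully, and that difference is what separates "relog and carry on" from a memory-safety bug worth reporting.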

Look at the file name of the log.

If it's not random memory, but instead the contents of a packet, then that's even worse.

The server could send it a packet containing a carefully crafted path (which the event logging code will happily create), along with code to place in that file.

If the client is not doing proper error checking on its packets then that is a huge issue.

If anybody's bored, go hack some server code. Tell me what happens if you get a server message in a tab titled "..\..\..\test".

Where does it create that file?

And that's just the easy test, using ascii.

What happens if you send a packet with java bytecode then get the client to jump to it?

I was having graphical corruption and a hardcrash, so it's obviously not limited to the tabs.

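
One way to answer "where does it create that file?" on the defending side, as an added example rather than anything from the client: a tab title that arrived in a server packet is attacker-controlled, so the log file name derived from it is built from an allow-list of characters and the resolved path is then re-checked against the log directory. Directory, function and file names here are assumptions. Both "..\..\..\test" and "../../../test" end up as test.log inside the log directory, while the naive join escapes it.

```python
import re
import tempfile
from pathlib import Path

# Added illustration, not the game client's code. The tab title arrives in a
# server packet, so it is attacker-controlled input and must not become a path
# component as-is. Directory and function names here are assumptions.

_UNSAFE = re.compile(r"[^A-Za-z0-9 _-]+")   # allow-list: everything else is dropped
_MAX_STEM = 64


def sanitize_tab_title(title: str) -> str:
    """Reduce an untrusted title to a filename stem using an allow-list.

    Dots, slashes, backslashes, control bytes and non-ASCII are all removed,
    so '..\\..\\..\\test' and '../../../test' both collapse to 'test'.
    """
    stem = _UNSAFE.sub("", title).strip()
    return (stem or "unnamed")[:_MAX_STEM]


def naive_log_path(base_dir, title: str) -> Path:
    """What a careless client might do: join the raw title onto the log directory."""
    return Path(base_dir) / f"{title}.log"


def safe_log_path(base_dir, title: str) -> Path:
    """Log path built from the sanitized stem only."""
    return Path(base_dir) / f"{sanitize_tab_title(title)}.log"


def is_confined(base_dir, candidate) -> bool:
    """Second line of defence: after '..' and symlinks are resolved, the target
    must still sit under base_dir (resolve() does not require the path to exist)."""
    base = Path(base_dir).resolve()
    target = Path(candidate).resolve()
    return base in target.parents


def write_event_log(base_dir, title: str, payload: bytes) -> Path:
    """Write server-supplied event text under a name derived from the tab title."""
    path = safe_log_path(base_dir, title)
    if not is_confined(base_dir, path):          # belt and braces; should never trigger
        raise ValueError(f"refusing to write outside {base_dir}: {path}")
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(payload)
    return path


if __name__ == "__main__":
    hostile = "..\\..\\..\\test"
    with tempfile.TemporaryDirectory() as tmp:
        logs = Path(tmp) / "client" / "logs"
        print("naive :", naive_log_path(logs, "../../../test").resolve())
        written = write_event_log(logs, hostile, b"\x02\x17\x06Combat garbage")
        print("safe  :", written, "confined:", is_confined(logs, written))
```

Two checks rather than one on purpose: the allow-list shapes the name, and the resolve() check catches anything the allow-list might later be loosened to permit, including symlinks already sitting in the directory. Windows device names such as CON or NUL pass the allow-list and are not handled here; a client on Windows would need to reject those stems as well.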

Just to get this out of the way:

[screenshot: 9adf25c3e9.png]

Quote

If it's not random memory, but instead the contents of a packet, then that's even worse.

For all intents and purposes, it's random data. You're arguing here that random data can exploit the client. Or else if the server intentionally crafts a malicious packet, it could exploit the client (which is irrelevant to the main issue). You're not wrong, but you're describing a very general problem here, as this is the case for every single client/server application.

The idea is that the client can deal with irresponsible actions requested by the server. If it can't, then that is an issue. However, this deduction on its own is not helpful. It's like saying "Chrome could be exploited", but how can it be exploited? If you can figure that out, I'm sure the devs would be more than happy to fix the problem.

If you can make the client run arbitrary code, I'm sure the dev team would be very interested too.

Quote

I was having graphical corruption and a hardcrash, so it's obviously not limited to the tabs.

That's because the client can be requested to show you graphical things or load certain map data (that might end up being corrupt), leading to visual glitches.

Thanks for spending the time to actually test that.

Knowing that you can't just dump files anywhere in the system that you'd like makes this much less sinister.

I'd still be concerned about the rest, but turning that into an attack would be a project of its own to see what exactly the client can be told to do and how random that data really is.
