Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 13:58

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 42 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: Rtcw Nukeproof server
PostPosted: 29 Jan 2008 13:27 

Joined: 29 Jan 2008 02:00
Posts: 6
Hey guys,

I host a server @ demo of Wolfenstein. But a guy is now nuking all the servers without getting inside it.

Anyway i patched it with the lame patcher etc and server wasn't nuked for months. Only now one guy is nuking all the server all the time without getting in it.

It's a infostring nuke. Anyway i think he is nuking trough Dos. How can i solve this? There is not 1 server on Demo because of that *sshole. All servers get nuked in some seconds or minutes. He rapes the game for every-one.

Can you help me?
Thnx,
Greetz
Tr00ps


Top
 Profile  
 
 
 Post subject:
PostPosted: 30 Jan 2008 13:25 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
if the attack is from outside (so not in-game) you should recheck your server with q3infoboom using the following parameters:

q3infoboom -f 100 127.0.0.1 27960
q3infoboom -f 100 -q getstatus 127.0.0.1 27960

if your server doesn't crash means there is another vulnerability he exploits


Top
 Profile  
 
 Post subject:
PostPosted: 30 Jan 2008 14:44 

Joined: 29 Jan 2008 02:00
Posts: 6
anyway i patched the server with all patches there are but i dont undestand what u mean with this;

parameters:
q3infoboom -f 100 127.0.0.1 27960
q3infoboom -f 100 -q getstatus 127.0.0.1 27960


Top
 Profile  
 
 Post subject:
PostPosted: 30 Jan 2008 15:08 

Joined: 30 Jan 2008 15:02
Posts: 7
I've identified it as the infostring nuke, but I tried to replicate it using your infostring check. However I haven't tried the -f parameter, what does this do ?
Do you know a way to log all sent packets of a single port ?

with kind regards,

Dutchmeat


Top
 Profile  
 
 Post subject:
PostPosted: 30 Jan 2008 18:25 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
do you want to log the packets sent from your computer (on known port) ?


Top
 Profile  
 
 Post subject:
PostPosted: 30 Jan 2008 18:44 

Joined: 30 Jan 2008 15:02
Posts: 7
Sethioz wrote:
do you want to log the packets sent from your computer (on known port) ?

No, we want to log what packets are recieved on a known port.

EDIT:

The -f parameter is the FROM parameter, however does examples you suggested doesn't crash the server.


Top
 Profile  
 
 Post subject:
PostPosted: 30 Jan 2008 22:56 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
a way to log packets to a known port is just using Wireshark or WPE, but in both the cases there is too much data to handle.
Anyway if none of the above q3infoboom examples crash your server means that it's not the infoboom bug.


Top
 Profile  
 
 Post subject:
PostPosted: 30 Jan 2008 22:57 

Joined: 30 Jan 2008 15:02
Posts: 7
aluigi wrote:
a way to log packets to a known port is just using Wireshark or WPE, but in both the cases there is too much data to handle.
Anyway if none of the above q3infoboom examples crash your server means that it's not the infoboom bug.


I'll be more clear, cause this seems like a infoboom crash:

Quote:
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
********************
ERROR: Info_SetValueForKey: oversize infostring
********************
----- Server Shutdown -----


Top
 Profile  
 
 Post subject:
PostPosted: 30 Jan 2008 23:00 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
yeah seems a classical infoboom attack, but I don't understand why you can't crash your same server using q3infoboom, it's strange


Top
 Profile  
 
 Post subject:
PostPosted: 30 Jan 2008 23:04 

Joined: 30 Jan 2008 15:02
Posts: 7
What I do know is that the connect package(if they are using one) isn't arriving to the server intime to log it. So that means they are proberly not using any big strings in the userinfo string, I could be wrong though. One thing that you should keep in mind that those servers were running s4ndmod(2.1.2).
But the thing is that I can't tell if the G_Error is being called from the the server side or the server mod(maybe you could clear things up?)


Top
 Profile  
 
 Post subject:
PostPosted: 31 Jan 2008 02:30 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
dutchmeat wrote:
One thing that you should keep in mind that those servers were running s4ndmod(2.1.2).

mod wouldn't effect it...
Quote:
ERROR: Info_SetValueForKey: oversize infostring
if the server.exe (i dont play wolfenstien idk what the name of the .exe or if it even has 1 is called so ill just go with server.exe) has an official error like that it is never a modification's fault... from my experience u usually can't fix an official error through a mod only by the server.exe itself...
basically the mod wouldn't effect it, it's inside the "server side" and not "server mod" :), that clear it up? ;p


Top
 Profile  
 
 Post subject:
PostPosted: 31 Jan 2008 08:18 

Joined: 30 Jan 2008 15:02
Posts: 7
evan1715 wrote:
dutchmeat wrote:
One thing that you should keep in mind that those servers were running s4ndmod(2.1.2).

mod wouldn't effect it...


Actually it could, since Info_SetValueForKey is also a 'server side' function instead of the built in one.
RTCW basicly is the client and the server in just one exe, wolfmp.exe.
And since the server-side, or 'game' also calls Info_SetValueForKey, it could be that the mod is causing the crash.

I'll just Hex the wolfmp.exe to show a different error string then.


Top
 Profile  
 
 Post subject:
PostPosted: 31 Jan 2008 20:12 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
I still doubt it's the mod ^_^


Top
 Profile  
 
 Post subject:
PostPosted: 02 Feb 2008 16:30 

Joined: 29 Jan 2008 02:00
Posts: 6
Hosting the server without the S4ndmod, you get the same nuke..

Anyway i could try to host with a other mod, maybe the nuke doesn't work then..


Top
 Profile  
 
 Post subject:
PostPosted: 02 Feb 2008 16:38 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
u can try of course...

but i still think it isn't the mod :)


Top
 Profile  
 
 Post subject:
PostPosted: 02 Feb 2008 20:09 

Joined: 29 Jan 2008 02:00
Posts: 6
ok i'll try when i have time for it..

Anyway normally nukes destroy the netport, not visible on masterlist anymore if you start up server again with same netport.

But this nuke doesn't brake the netport. I don't know if this is usefull info, but maybe it is... :P


Top
 Profile  
 
 Post subject:
PostPosted: 03 Feb 2008 10:29 

Joined: 03 Feb 2008 09:54
Posts: 2
I have tcpdump logs, from when this started a couple days ago. I went to reboot the nuked server then, but it didn't come back up on the network. It is headless so I need to attach a monitor to see where it is getting stuck while booting. The tcpdump log should still be there unless the attacker got shell access on my machine and erased it, but from what I've read this exploit shouldn't have allowed that, err, right?

I copied one line from the tcpdump log before rebooting the server, to get the ip information so I could add a drop rule on my firewall. Below is that info, w/ the attacker's ip address -

03:07:34.876926 XX:XX:XX:16:8a:03 (oui Unknown) > XX:XX:XX:de:9b:d8 (oui Unknown), IPv4, length 555: dhcp-077-251-138-189.chello.nl.1664 > myserver.home.27960: UDP, length 513

I remember seeing a couple bad packets with the string, "getstatus xxxxxxxxxxxxxxxxxxxxxx..." Couldn't those with linux firewalls add a string matching rule to their iptables config that looks for this exploit and auto bans the address?


Hopefully I will be able to post the full log tommorow.


Top
 Profile  
 
 Post subject:
PostPosted: 03 Feb 2008 12:43 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
well it's just the usual q3infoboom attack.

The following iptables rules should do the job also without my work-around or in case mine isn't enough on ET/Linux:

iptables -A INPUT -p udp --dport 27015 -m string --string "\xff\xff\xff\xffgetinfo" -m length --length 64:inf -j DROP
iptables -A INPUT -p udp --dport 27015 -m string --string "\xff\xff\xff\xffgetstatus" -m length --length 64:inf -j DROP


Top
 Profile  
 
 Post subject:
PostPosted: 03 Feb 2008 19:55 

Joined: 30 Jan 2008 15:02
Posts: 7
I've managed to replicate the crash on troopers server, however, when I try it on my own server, it doesn't crash.
Although this might be a s4ndmod problem, cause when I try to crash it on my server using s4ndmod, it shows the 'info string exceeded' warning. But when I use my own mod(New Generation Mod) I don't see the 'info string exceeded' warning.

What I think we changed in newgeneration mod, is this:

q_shared.h:
Code:
#define   MAX_INFO_STRING      512 //1024  INFOBOOM FIX


In the original source code the max_info_string was defined as 1024, we changed it to 512.

Is there a way to edit a game mod, s4ndmod in this case, to change that MAX_INFO_STRING define?


Top
 Profile  
 
 Post subject:
PostPosted: 04 Feb 2008 01:47 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
3 options
hex edit
assembly
or recompile original source code

wolfeinsten use .dll's or .qvm?


Top
 Profile  
 
 Post subject:
PostPosted: 04 Feb 2008 02:03 

Joined: 03 Feb 2008 09:54
Posts: 2
I was running a stock demo server when it crashed.


Top
 Profile  
 
 Post subject:
PostPosted: 04 Feb 2008 02:19 

Joined: 04 Feb 2008 02:06
Posts: 2
Rtcw use dll's. And the source for the mod and game is closed.

Fluffatar wrote:
The tcpdump log should still be there unless the attacker got shell access on my machine and erased it, but from what I've read this exploit shouldn't have allowed that, err, right?

AFIK it's not possible, it simply stops the game when the string is too long.

I think the best way is to fix it by assembly in the Info_SetValueForKey method, or perhaps a detour-injecton.


Top
 Profile  
 
 Post subject:
PostPosted: 04 Feb 2008 13:30 

Joined: 30 Jan 2008 15:02
Posts: 7
Hey Fluffatar,

You might want to test New Generation Mod Plus, if the server doesn't crash we know what fixes the exploit(both executable and game mod).

New Generation Mod Plus:
http://home.deds.nl/~dutchmeat/ngmplus/

Regards,

Dutchmeat


Top
 Profile  
 
 Post subject:
PostPosted: 04 Feb 2008 20:09 

Joined: 29 Jan 2008 02:00
Posts: 6
we tested the NGM plus mod and still got nuked, this isn't the solution :(


Top
 Profile  
 
 Post subject:
PostPosted: 04 Feb 2008 22:18 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
Pingu wrote:
the source for the mod and game is closed.
Now if there are mods, I highly doubt that the game source code does not exist to the public. Find it and try and patch it, if you still believe the fix can be done in a mod.


Top
 Profile  
 
 Post subject:
PostPosted: 04 Feb 2008 23:30 

Joined: 04 Feb 2008 02:06
Posts: 2
There has been released a modsource, so that ppl can do changes to it. These are compiled to dll's.

The source for the executable, is still closed. And the error does, as far as I know, occur there.


Top
 Profile  
 
 Post subject:
PostPosted: 05 Feb 2008 19:14 

Joined: 29 Jan 2008 02:00
Posts: 6
I tried some things;

- Server get's nuked even when all ip's are banned 0.*.*.* till 255.*.*.*.
-> Even when server has privatepass and all ip's banned
- When all ip's are banned, he will see, "You're banned from this server", when he connects.
- Server get's nuked when nuker only tries to connect, so he doesn't even get inside server to nuked it.

Isn't he nuking with a special made name or something like that? Or does send on some kind of way the nuke to the server itself before he get's refused by server.


Top
 Profile  
 
 Post subject:
PostPosted: 06 Feb 2008 02:26 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
Pingu wrote:
There has been released a modsource, so that ppl can do changes to it. These are compiled to dll's.

The source for the executable, is still closed. And the error does, as far as I know, occur there.
oh i though u ment that there was no source code for anything, not even to make the mods :D

It's an outside crash, of course :)
I, again, highly doubt it is because of a connect bug. If they are banned and try to connect, the only thing that is being used & is happening is there is a client trying to connect, don't load anything till approved the connection... if approved then start the loading on 57 different things... otherwise keep the load on 2 things... staying connected and approval/denial of connection... that's where the fake players are and haven't been passed anything else

it's probably just an option for infoboom and the patch isn't working or something


Top
 Profile  
 
 Post subject:
PostPosted: 04 Jun 2008 12:54 

Joined: 04 Jun 2008 12:49
Posts: 1
i have a solution

i edit this wolfmpdemo.exe

and saw some strings i removed that one and now the server is not crashing

EDITED: blah blah blah senseless words


Top
 Profile  
 
 Post subject:
PostPosted: 04 Jun 2008 19:14 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
uh... ok.
personal issues eh lol


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 42 posts ]  Go to page 1, 2  Next

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for: