This patch supposedly prevents various types of attacks on JKA servers. The attacks in question are Denial Of Service, buffer overflow, "fake players". As a bonus, the patch also corrects the inherent terrible-ness of JKA's built-in logging system with various enhancements to server logs.
Sounds good, doesn't it? Well, I'm going to keep this short, because otherwise I might end up circumventing FileFront's Acceptable Use Policy, and being fired and possibly sued is never a good thing.
Let me just say that I found one inherent flaw with this. It only tends to work against these attacks when they are generated by the various utilities scattered around the internet.
When using such a utility (which the author kindly - albeit unintentionally - provided me with for testing purposes), the patch worked like a dream on blocking Denial Of Service attacks. It was only semi-successful with the fake players - I managed to flood JA+, Lugormod and Makermod servers to the point of them having hardware crashes, yet JAE was tight as a button. (I didn't try ClanMod, so if anyone would like to test it for me and post the results in the comments, it would be appreciated - just let your server provider know that you're going to attempt a flood attack first so that they don't cut your service!)
(I've never had a buffer overflow error in my life, and wouldn't know how to replicate it even if I tried, since baseJKA automatically caps off command strings at a reasonable limit below the crash-point level.)
However, when not using a utility - i.e. carrying out manual attacks - there was really no change in the effects between when this patch was installed and when it wasn't. I still managed to thrash the servers* the same way I could have if the patch hadn't been installed, but I believe that's probably because, unlike a program, humans are dynamic - we don't follow a pre-set subroutine and therefore we're less predictable. The patch can't really block us because it doesn't know what to expect, and since it doesn't know what to expect, it doesn't know how to react.
So, as a general rule, against someone who really knows what they're doing, the effects of this security fix will be limited. However, since that kind of "hacker" is generally working at security software companies earning a six-figure salary rather than sitting at home crashing game servers, all you have to worry about are the little Matrix-era haxor kiddies who make up stories about "hackin' mainframes and shizzle" when they tell their friends about how they downloaded an Eminem MP3 - and against that kind of person, this patch will do a very nice job of securing your server.
Server owners, this patch may just do you a few favours, so it's a very useful add-on to have in your defensive arsenal.
Oh, and as a side note, if any of you are one of the haxor kiddies I described above, then please do society a favour, and take the blue pill. >_>
* I would just like to add as a postscript, that I would never do such a thing for any reasons other than purely scientific or technological ones.
There are various changes in this 1.1 update, and rather than speculating on them despite having little knowledge in this department, I'll just list them for server enthusiasts to mull over themselves:
- The help page is now automatically displayed only on the very first connection, as opposed to connections when you are carried over from a previous map, or at the end of a duel turn.
- Names such as "**Spamzor" are automatically converted to "*Spamzor", so a display bug, causing chat lines from such a player to be displayed in both the chat box and the server broadcast line, cannot be exploited anymore.
- Fixed a false positive in my bot detection scheme: bots were detected as a fake player attack; although this had no real consequence, it was a source of confusion in the logs.
- Logs now differentiate connections from bots and from real players.
- Messages from the dedicated server have been made slightly more visible: the tag is now [SERVER], with colors. I would have liked to do the same with the /svsay command, but it can't be altered, as it is hard coded into jampded instead of jampgame. Go figure...
- The IP is now logged each time somebody changes their names.
- Added the /(t)ime client command, displaying the local time of the server.
- Added cvar ga_doNotAllowDualKataSpin, default 0, preventing anyone in a dual kata from spinning like a madman. (slightly buggy, as the screen seems to vibrate when moving the mouse, but it works.)
- Added cvar ga_nameLengthLimit: names will be truncated not to exceed that length. Note that color escape sequences, such as ^1, are not counted.
- Some ga_* cvars are now marked as serverinfo (external tools can read them).
- Added the /info client command and ga_serverInfo cvar. /info displays the contents of the cvar. Admins can put rules, etc in there, and any player can read it anytime.
- Anti model/color change spam/lag: any player can now freely change their info only 50 times per map (unless they reconnect of course). After that, they need to wait for three full seconds between each change. This should not inconvenience any legitimate player, and protects everyone on the server from the lag which can be created by fast and furious sustained userinfo change.
- Added another log file, ga_ConnectLog.txt, listing every connection and full userinfo, and nothing but that, which is now created by the server.
- The logs now use real time.
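As an added example (not the mod's code), one way to implement the name rules from this changelog in C: truncation to ga_nameLengthLimit that does not count ^N color escapes, the "**Spamzor" to "*Spamzor" collapse, and the case- and separator-insensitive ga_nameBlackList match described further down in the readme. Function names are mine, and dropping color escapes before the blacklist comparison is my addition, not something the readme states.

```c
#include <ctype.h>
#include <string.h>

/* Added example, not the mod's source: a model of the name rules in the
 * changelog and readme (ga_nameLengthLimit not counting ^N color escapes,
 * the "**" collapse, ga_nameBlackList folding). Function names are mine. */

/* A color escape is '^' plus a digit, e.g. "^1"; it takes no visible width. */
static int is_color(const char *p) { return p[0] == '^' && isdigit((unsigned char)p[1]); }

/* Copy src to dst keeping at most `limit` visible characters (color escapes
 * are copied but not counted) after collapsing a leading "**..." to "*". */
void sanitize_name(const char *src, char *dst, size_t dstsz, int limit)
{
    size_t o = 0;
    int visible = 0;
    if (src[0] == '*')
        while (src[1] == '*') src++;            /* "**Spamzor" -> "*Spamzor" */
    while (*src) {
        if (is_color(src)) {
            if (o + 3 > dstsz) break;           /* keep room for 2 bytes + NUL */
            dst[o++] = *src++; dst[o++] = *src++;
        } else {
            if (visible >= limit || o + 2 > dstsz) break;
            dst[o++] = *src++; visible++;
        }
    }
    dst[o] = '\0';
}

/* Fold a name for blacklist comparison: lower-case and drop spaces, '_' and
 * '-' as the readme states; color escapes are dropped too (my addition). */
static void fold_name(const char *src, char *dst, size_t dstsz)
{
    size_t o = 0;
    while (*src && o + 1 < dstsz) {
        if (is_color(src)) { src += 2; continue; }
        if (*src != ' ' && *src != '_' && *src != '-')
            dst[o++] = (char)tolower((unsigned char)*src);
        src++;
    }
    dst[o] = '\0';
}

/* Return 1 if the folded name equals any ';'-separated blacklist entry, so
 * "p_a-d a w a n" is caught by the default list "Padawan;otherunacceptablename". */
int name_blacklisted(const char *name, const char *blacklist)
{
    char folded[64], raw[64], entry[64];
    fold_name(name, folded, sizeof folded);
    while (*blacklist) {
        size_t span = strcspn(blacklist, ";"), len = span;
        if (len >= sizeof raw) len = sizeof raw - 1;
        memcpy(raw, blacklist, len); raw[len] = '\0';
        fold_name(raw, entry, sizeof entry);
        if (entry[0] && strcmp(folded, entry) == 0) return 1;
        blacklist += span;
        if (*blacklist == ';') blacklist++;
    }
    return 0;
}
```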
Make sure to check out the rest of the read-me for more features and more details on these updates. Also keep in mind that this mod is meant to be used with baseJA and does not promise protection with other server-side mods.
This also includes source code for those interested!
*****************************************************************
**                  JEDI KNIGHT: Jedi Academy                  **
*****************************************************************

#-----------------------------------------------------------#
# TITLE            : BaseJKA Security Fix + SOURCE          #
# VERSION          : 1.1                                    #
# AUTHOR           : Gamall Wednesday Ida                   #
# E-MAIL           : firstname.lastname@example.org         #
# WEBSITE          : http://gamall-ida.com                  #
#                                                           #
# FILENAME Windows : basejka_Gamalls_fix_11.pk3             #
# FILENAME Linux   : jampgamei386.so                        #
# FILESIZE         : ~ 4 Mo                                 #
# DATE RELEASED    : October 2007                           #
#-----------------------------------------------------------#

+ INSTALLATION INSTRUCTIONS:
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +

Just put the relevant file in your server's base folder.

+ DESCRIPTION
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +

(version 1.0e, see below for changelog to final 1.1)

This patch (technically it is a mod, so do not expect it to be compatible with JA+ or anything else) corrects the three Denial of Service vulnerabilities I am aware of affecting basejka, and makes the logs more useful to an experienced admin, without attempting to alter the gameplay or admin etc. in any way. Some random fixes and features were also added at the request of users.

IMPORTANT: My patch only affects the component "jampgame". In order to completely protect a server, you must also use a patched "jampded". Here is one link to ready-to-use jampdeds:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://jediknight2.filefront.com/file/UNOFFICIAL_Patch_for_JA_101_Dedicated_Servers;41652
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note that it seems that Windows servers are still vulnerable to targeted attacks on jampded. I won't say more since this is out of the scope of this mod.

+ CHANGELOG v1.0e -> v1.1
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +

> The help page is now automatically displayed only on the very first connection, as opposed to connections when you are carried over from a previous map, or at the end of a duel turn.
> Names such as "**Spamzor" are automatically converted to "* Spamzor", so a display bug, causing chat lines from such a player to be displayed in both the chat box and the server broadcast line, cannot be exploited anymore.
> Fixed a false positive in my bot detection scheme: bots were detected as a fake player attack; although this had no real consequence, it was a source of confusion in the logs.
> Logs now differentiate connections from bots and from real players.
> Messages from the dedicated server have been made slightly more visible: the tag is now [SERVER], with colors. I would have liked to do the same with the /svsay command, but it can't be altered, as it is hard coded into jampded instead of jampgame. Go figure...
> The IP is now logged each time somebody changes their names.
> Added the /(t)ime client command, displaying the local time of the server:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
]\time
# Server time: Sun Sep 09 13:37:03 2007
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> Added cvar ga_doNotAllowDualKataSpin, default 0, preventing anyone in a dual kata from spinning like a madman. (slightly buggy, as the screen seems to vibrate when moving the mouse, but it works.)
> Added cvar ga_nameLengthLimit: names will be truncated not to exceed that length. Note that color escape sequences, such as ^1, are not counted.
> Some ga_* cvars are now marked as serverinfo (external tools can read them).
> Added the /info client command and ga_serverInfo cvar. /info displays the contents of the cvar. Admins can put rules, etc. in there, and any player can read it anytime.
> Anti model/color change spam/lag: any player can now freely change their info only 50 times per map (unless they reconnect, of course). After that, they need to wait for three full seconds between each change. This should not inconvenience any legitimate player, and protects everyone on the server from the lag which can be created by fast and furious sustained userinfo change.
> Added another log file, ga_ConnectLog.txt, listing every connection and full userinfo, and nothing but that, which is now created by the server. For instance:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[Sun Sep 16 20:23:02 2007] [========================== SERVER START ==========================]
[Sun Sep 16 20:23:11 2007] Connect :: name(num) = [^5G^7amall ^5W^7ednesday ^5I^7da]( 2) :: ip = [ 127.0.0.1] :: userinfo = [COMPLETE USERINFO STRING LOGGED HERE]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> The logs now use real time:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[Sun Sep 16 20:24:03 2007] Kill: 2 1 3: ^5G^7amall ^5W^7ednesday ^5I^7da killed Desann by MOD_SABER
[Sun Sep 16 20:24:07 2007] say: (1)Desann: Impressive, most impressive... but you are not a Jedi yet!
[Sun Sep 16 20:24:11 2007] Kill: 2 4 3: ^5G^7amall ^5W^7ednesday ^5I^7da killed Imperial Saboteur by MOD_SABER
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ SUMMARY OF THE CHANGES in v1.0e:
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +

- Client disconnect buffer overflow: fixed trap_SendServerCommand().
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -

The possibility to cause a DoS disconnecting all clients by sending overlong strings to the server has been fixed. Incorrect commands are just ignored.

- Ingame buffer overflow (say/tell): fixed Cmd_Say_f() and Cmd_Tell_f().
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -

The possibility to crash the server by using say or tell to pass overlong strings to the server has been removed. Incorrect calls are truncated to a decent length (150).

- Fake Players Attack: heavily secured, customisable ClientConnect().
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -

The possibility to lag and even crash the server by sending a great number of fake connection requests using a third party program such as q3fill has been removed. See below for more information.

- Improvement of the log file/server messages.
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -

Each time a client connects, the complete userinfo string is logged, even if the connection is denied. This includes the IP, port, qport, name of the client and much more. If the connection is denied, a message explaining why is displayed by the server, and relevant information is written down in the log file. Since those messages could be used to spam the screen in case of a fake players attack, and in case you just don't want to know about that, you can deactivate the public messages: just set those cvars to 0 (default = 1):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_showBadPassClient | 0 or 1 : -> display a message when a client connects with a bad password.
ga_showBannedClient  | 0 or 1 : -> display a message when a banned client connects.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The "Infostring length exceeded" console error message has been made a tad more explicit. I noticed a bug which would cause it to be sent each frame. It is hard to debug if you don't know what caused it ;)

Each time a user changes name, it is written down in the log file. When a client disconnects, their name is logged. Each time a client says/tells something, their client number is logged along with their name.

- Random unimportant fixes/improvements.
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -

The annoying timelimit when changing name has been dulled down from five seconds to 0.7 seconds.

The ^0 (black) colour now works properly. If you don't want to see black in names, you can deactivate this by setting the following cvar to 0:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_allowBlackInNames | 0 or 1 (default = 1)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When a player's name is incorrect, it is set to "Padawan" in basejka, which is annoying, since you end up with many "Padawan"s. You can now decide what it will be, and if you so choose, you can add the player's client number to their name by typing "%i" in the name.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_defaultName | (default = "^4P^7adawan ^5(^7%i^5)")
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For instance, with the default setting, client 9 will be renamed to "Padawan (9)". Note that I put many spaces between the name and number: normal players can't use more than three spaces in a row, so nobody will be able to imitate the default name with the number of someone else and trick you into kicking that other player instead of them... If you don't like that, you can just change it back to "Padawan".

Insignificant names, such as "Padawan", can be black-listed, which will result in them being replaced by the default name.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_nameBlackList | default = "Padawan;otherunacceptablename"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note that the black list is case insensitive, and that spaces, underscores and dashes are ignored. So do not put any "_" etc. in ga_nameBlackList.

Admins can now close the server and display a message to connecting clients explaining why the server is closed, instead of putting a password.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_closeServer      | 0 or 1 or 2
ga_closedServerMsg; | default = "^1The server is closed at the moment\n^2Please come back later"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As you have undoubtedly noticed, you can use colors and line breaks in the message. Try and keep it short though. If ga_closeServer is set to 0, the server is open (normal behaviour). If set to 1, the server is closed, and you are notified each time somebody connects to the server. If set to 2, the server is closed, and you won't be notified of connecting clients.

Every client can use the /list (or /l) function, displaying information on the connected clients, which is useful in order to know who is who. (The server status function is useless as it doesn't always yield the correct client number...) There is also the /help (/h) command, displaying a small help text.

+ PROTECTION AGAINST THE FAKE PLAYERS:
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +

There are three different protections against the q3fill attack. When a client connects, three protection layers activate:

- Clever Fake Detection
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -

The connection string is checked for a value specific to JKA players, of which the bots are devoid by default. If no such value is found, then the connection is denied, and the IP can be automatically added to the banlist. This aspect is controlled by the following cvars:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_cleverFakeDetection | default = "model"
ga_cleverfakeAutoBan   | default = "1"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This first protection alone will get rid of 99.99 % of all attacks. If the attacker knows what he is doing, he can easily fool that by altering the attack. Most script-kiddies do not have that kind of know-how though. You can deactivate this feature by setting ga_cleverFakeDetection "none".

- Hard-Coded Fake Detection
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -

Check for a value specific to bots, that does not appear in legitimate players. This is a viewpoint completely opposed to the first layer, but works exactly the same way.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_hardFakeDetection | default = "cl_guid"
ga_hardFakeAutoBan   | default = "1"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To fool this layer is tricky, as the target value is hard-coded into q3fill. The attacker would need to alter q3fill's source code in an appropriate way without breaking anything and recompile it... definitely not something your average dumb server crasher can do :D You can deactivate this feature by setting ga_hardFakeDetection "none".

- Connect Flood Detection
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -

If the first two layers fail (or are deactivated), then there is no way to tell a genuine player and a bot apart. So we must detect them by the speed at which they connect from the same IP.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_sameIpNumber   | default = "5"
ga_sameIpTime     | default = "30"
ga_sameIpAutoBan  | default = "1"
ga_sameIpAutoKick | default = "1"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With the default settings, the connection of more than 5 players from the same IP in less than 30 seconds will be deemed a fake players attack. As usual, the connection will be denied, and the IP can be banned, depending on the admin's choice. The bots that got in can also be kicked automatically. Setting ga_sameIpNumber to 0 will deactivate this third layer.

NOTE: Be very careful when playing with ga_hardFakeDetection and ga_cleverFakeDetection. Putting incorrect values there may prevent ANY player from entering the game, or in the best case scenario render the protection useless. The default values are good. Don't alter them unless you know what you are doing.
+ TECHNICALITIES:
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +

This patch has been compiled with the following compilers:

- On Windows:
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -

Visual C++ 2005 (8); it is the same compiler Raven Software used to compile the original jampgame (albeit they used version 7), and the very same compilation parameters. So there is NO reason at all that the damages/blocks should be altered in any way.

- On Linux:
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -

GCC 2.96 on a Red Hat Linux release 7.2 (Enigma); GCC is a very good compiler, but Raven used ICC, which is a commercial product I don't have. So the damages might in theory be slightly altered, although I personally can't tell the difference. This would come from the way each compiler handles the computation of float variables.

+ SOURCE CODE:
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +

I won't be working on that mod anymore, unless a 'real' (as opposed to 'alleged', you know ;) ) security exploit is brought to my attention, so I chose to make it completely open-source, under the GPL. That way anyone can add or remove features as they please, or use some of my tricks in their own mod if they want to. A copy of the source code has been shipped with this package.

My modifications to Raven's source code are released under the GNU General Public License (GPL), which means (roughly) that you are free to use the code as you please, so long as you release your own work under the GPL. A copy of the GPL has been shipped with this package. You must read and understand it if you intend to use the source code.

In addition, I would appreciate it if anyone using any part of my code took the time to post a link to their own project on the fix's thread:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://gamall-ida.com/f/viewtopic.php?f=3&t=120
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CONTACT / SUPPORT
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +

If you need help or have suggestions, comments, insults, praise or, in general, anything to say about this program that you expect me to read and answer, please post on the program's topic on my website:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://gamall-ida.com/f/viewtopic.php?f=3&t=120
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CREDITS:
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +

Kudos to Trimbo for his linux-ready version of the vanilla SDK.
Warm regards to Luigi Auriemma for his work on JKA and the q3 engine.

THIS MODIFICATION IS NOT MADE, DISTRIBUTED, OR SUPPORTED BY ACTIVISION, RAVEN, OR LUCASARTS ENTERTAINMENT COMPANY LLC. ELEMENTS TM & © LUCASARTS ENTERTAINMENT COMPANY LLC AND/OR ITS LICENSORS.

+-----------------------------+
| File generated with 'GaTeX',|
| an ASCII typesetting system |
| by Gamall Wednesday Ida.    |
| http://gamall-ida.com       |
+-----------------------------+
Build: Sun Oct 21 12:32:47 2007
File : f:readme.GaTeX.source