Welcome back after a long holiday! We've all gotten our rest and relaxation, but it's time to get back to work. Gamall, who has brought us various security fixes for JK3 servers before, now brings us an exploit fix that will work for both JK2 and JK3. Now I'm a dunce in this department, so I'm pleased that Gamall included a very detailed read-me regarding the exploit.
Apparently if a user inputs an improper force value, he or she can manage to crash a server when the changes are applied. This utility should fix this problem by some means that are beyond my comprehension. But they should be fixed, which is the important bit. The source code is also included for those that may want to consider implementing this crash fix into their own mods.
For those interested this is also technically an update for his BaseJKA Security Fix. This utility is basically an updated version of that with the crash fix implemented into it. A separate read-me for that is included inside the archive. Be sure to check it out!
~Inyri
*************************************************************
**                JEDI KNIGHT: Jedi Academy                **
*************************************************************

#-----------------------------------------------------------#
# TITLE        : JK2 & JK3 Forcestring server crash Fix     #
#                                                           #
# VERSION      : 1.1a [BaseJKA Security Fix v1.1a]          #
# AUTHOR       : Gamall Wednesday Ida                       #
# E-MAIL       : [email protected]                          #
# WEBSITE      : http://gamall-ida.com                      #
#                                                           #
# LICENSE      : All code released under the                #
#                GNU General Public License                 #
#                                                           #
# FILESIZE     : ~ 4 MB                                     #
# RELEASE DATE : December 2007                              #
#-----------------------------------------------------------#

+ READ ME! (CONTACT) +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o
+
  Should you want to contact me, do NOT jump on my email, you won't
  get an answer. Read the "CONTACT" section near the end of this file
  instead ;-).

+ ABOUT THIS FILE +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o
+
  There are two parts to this file. The most important one is the
  readme you are presently reading, which describes the vulnerability
  and the fix for both JK2 and JK3. The second part is an update to my
  mod "BaseJKA Security Fix", which uses said fix. The update provides
  both Linux and Windows binaries and updated source-code files. See
  the mod's topic for more information:

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  http://gamall-ida.com/f/viewtopic.php?f=3&t=120
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ DESCRIPTION OF THE VULNERABILITY +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o
+
  This is a very old crash, which has been around since JK2. Oddly
  enough, though it has been patched in several mods, there doesn't
  seem to be anything relevant on the net describing the bug and the
  ways to patch it. I didn't even hear of it until very recently.
  Here is a full description of the bug and a fix for it, intended for
  any modder who has not fixed it in their mod yet.

  BUG:

  In both JK2 and JKA, in source file game/w_force.c, the procedure

      void WP_InitForcePowers( gentity_t *ent )

  fails to perform proper sanity checks on the "forcepowers" userinfo
  value and may crash when attempting to parse an incorrect force
  powers string. The value is set by the client, so any connected
  player controls it. [A mod compiled in DEBUG mode doesn't seem to be
  vulnerable, but that's not really a good way to fix it ;-) ]

  EXPLOIT:

  Any player can crash the server by setting his forcepowers to an
  incorrect value. For instance, /kill, then

      /set forcepowers 1337; wait 1 ; forcechanged

  will result in a server crash when joining the game again.

  FIX:

  Write the missing sanity check. The fix I have written should work
  on both JK2 and JKA, but I have only tested it on the latter. It is
  integrated in my mod "BaseJKA Security Fix", in version 1.1a.

+ THE FIX +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o
+
  The check accepts only a string of exactly 22 characters in which
  every character lies between the corresponding characters of
  gaFORCE_LOWER and gaFORCE_UPPER, i.e. "R-S-" followed by 18 level
  digits, with rank R in 0..7, side S in 1..2 and each level in 0..3.
  Anything else is replaced by gaGENERIC_FORCE before the string is
  parsed. Note that this constrains only the shape of the string; it
  does not decide whether the chosen levels are affordable at that
  rank.

  FILE: w_force.c

  FIND LINE:
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  void WP_InitForcePowers( gentity_t *ent )
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  BEFORE, ADD:
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  /*
   * Gamall Wednesday Ida
   * Workaround Force crash
   * License GPL.
   */

  // if the force string is incorrect, this one will be used
  char *gaGENERIC_FORCE = "7-1-033330000000000333";

  // masks: no values outside these boundaries will be accepted
  // (position by position: rank 0-7, '-', side 1-2, '-', 18 levels 0-3)
  char *gaFORCE_LOWER   = "0-1-000000000000000000";
  char *gaFORCE_UPPER   = "7-2-333333333333333333";

  // Returns s itself if it is acceptable, gaGENERIC_FORCE otherwise,
  // so the caller can detect a substitution by comparing pointers.
  char* gaCheckForceString(char* s) {
      char *p = s, *pu = gaFORCE_UPPER, *pl = gaFORCE_LOWER;
      if (!s || strlen(s) != 22) return gaGENERIC_FORCE;
      while (*p) {
          if (*p > *pu || *p < *pl) return gaGENERIC_FORCE;
          p++; pu++; pl++;
      }
      return s;
  }
  // GWI: End Force Crash workaround.
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  FIND LINE: [end of declaration block of WP_InitForcePowers()]
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  qboolean didEvent = qfalse;
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  AFTER, ADD:
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  // GWI: force crash
  char* temp;
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  FIND LINE:
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Q_strncpyz( forcePowers, Info_ValueForKey (userinfo, "forcepowers"), sizeof( forcePowers ) );
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  AFTER, ADD:
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  // GWI: Force crash
  // Validate the client-supplied string before anything below parses it.
  temp = gaCheckForceString(forcePowers);
  if (temp != forcePowers) {
      trap_SendServerCommand(ent->client->pers.clientNum,
          va("print \"^1Incorrect force string '%s'. Replaced by default.\n\"", forcePowers));
      G_LogPrintf("FORCE CRASH: Client num %d tried to take incorrect forcestring '%s'.\n",
          ent->client->pers.clientNum, forcePowers);
      Q_strncpyz( forcePowers, temp, sizeof( forcePowers ) );
  }
  // End force crash workaround
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CONTACT / SUPPORT +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o
+
  If you need help or have suggestions, comments, insults, praise or,
  in general, anything to say about this program that you expect me to
  read and answer, please post on the program's topic on my website:

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  http://gamall-ida.com/f/viewtopic.php?f=3&t=356
  OR (BaseJKA Security Fix's topic)
  http://gamall-ida.com/f/viewtopic.php?f=3&t=120
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  The only circumstance in which my personal email is the proper way
  to contact me is when my website is down for maintenance for a long
  time, which is very infrequent.
+ CREDITS +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o
+
  Thanks to evan1715 for bringing the crash to my attention (though he
  drives me mad :D). A snippet of old code from MasterHex and Ensiform
  helped me locate the problem. Thanks to them.

  THIS MODIFICATION IS NOT MADE, DISTRIBUTED, OR SUPPORTED BY ACTIVISION,
  RAVEN, OR LUCASARTS ENTERTAINMENT COMPANY LLC. ELEMENTS TM & ©
  LUCASARTS ENTERTAINMENT COMPANY LLC AND/OR ITS LICENSORS.

  +-----------------------------+
  | File generated with 'GaTeX',|
  | an ASCII typesetting system |
  | by Gamall Wednesday Ida.    |
  | http://gamall-ida.com       |
  +-----------------------------+
  Build: Fri Dec 21 18:35:53 2007
  File : F:readme.GaTeX.source
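Editor's addendum: the following is an added worked example, written for this page; it is neither Gamall's fix nor code from the Raven SDK. It is a stand-alone C program that enforces the same format rule the fix's mask strings describe (22 characters, "R-S-" plus 18 level digits, rank 0..7, side 1..2, levels 0..3), parses a good string into a struct, and runs the readme's "1337" payload and several other malformed shapes through the validator. The default string and field ranges are taken from the fix; the function and type names, the sample inputs and the struct layout are the example's own assumptions.

```c
/*
 * Stand-alone validator for the JK2/JKA "forcepowers" userinfo string.
 * Added example: not code from the game SDK and not Gamall's fix.
 *
 * Assumed layout (22 characters, taken from the bounds used in the fix):
 *   "R-S-LLLLLLLLLLLLLLLLLL"
 *   R  force rank, '0'..'7'
 *   S  side, '1' (light) or '2' (dark)
 *   L  eighteen per-power levels, each '0'..'3'
 */
#include <stdio.h>
#include <string.h>

#define FORCE_STRING_LEN 22
#define NUM_POWERS       18

/* Same replacement value the fix falls back to. */
static const char DEFAULT_FORCE[] = "7-1-033330000000000333";

typedef struct {
    int rank;
    int side;
    int level[NUM_POWERS];
} force_spec_t;

/*
 * Parse s into *out. Returns 1 if s is well-formed, 0 otherwise;
 * *out is untouched on failure. Reads at most s[0..FORCE_STRING_LEN],
 * so it never scans an over-long string to its end.
 */
int parse_force_string(const char *s, force_spec_t *out)
{
    force_spec_t tmp;
    size_t i;

    if (s == NULL)
        return 0;

    /* Length must be exactly 22: look for the NUL within 23 bytes. */
    for (i = 0; i <= FORCE_STRING_LEN; i++)
        if (s[i] == '\0')
            break;
    if (i != FORCE_STRING_LEN)
        return 0;

    /* Fixed separators, then each field against its own range. */
    if (s[1] != '-' || s[3] != '-')
        return 0;
    if (s[0] < '0' || s[0] > '7')
        return 0;
    if (s[2] != '1' && s[2] != '2')
        return 0;

    tmp.rank = s[0] - '0';
    tmp.side = s[2] - '0';
    for (i = 0; i < NUM_POWERS; i++) {
        char c = s[4 + i];
        if (c < '0' || c > '3')
            return 0;
        tmp.level[i] = c - '0';
    }
    *out = tmp;
    return 1;
}

/*
 * Policy used by the fix: keep a well-formed string, otherwise substitute
 * the default. Returns s itself on success, so a caller can detect the
 * substitution by pointer comparison, as the fix does.
 */
const char *sanitize_force_string(const char *s)
{
    force_spec_t unused;
    return parse_force_string(s, &unused) ? s : DEFAULT_FORCE;
}

/* Constructed inputs: the readme's "1337" payload plus other malformed shapes. */
static const char *const SAMPLES[] = {
    "7-1-033330000000000333",   /* valid: the default itself */
    "3-2-300003000000000030",   /* valid: low rank, dark side */
    "1337",                     /* too short: the exploit value from the readme */
    "",                         /* empty */
    "8-1-033330000000000333",   /* rank out of range */
    "7-3-033330000000000333",   /* side out of range */
    "7-1-033330000000000334",   /* level out of range */
    "7-1-0333300000000003333",  /* one byte too long */
    "7-1-03333000000000033-",   /* separator where a digit belongs */
    "7x1-033330000000000333",   /* missing separator */
};
#define NUM_SAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Runs every sample through the validator; returns how many were rejected. */
int count_rejected(void)
{
    int rejected = 0;
    size_t i;
    for (i = 0; i < NUM_SAMPLES; i++) {
        force_spec_t f;
        int ok = parse_force_string(SAMPLES[i], &f);
        if (ok)
            printf("accept  %-24s rank=%d side=%d level[0]=%d\n",
                   SAMPLES[i], f.rank, f.side, f.level[0]);
        else
            printf("reject  \"%s\" -> \"%s\"\n",
                   SAMPLES[i], sanitize_force_string(SAMPLES[i]));
        rejected += !ok;
    }
    return rejected;
}

int main(void)
{
    int rejected = count_rejected();
    printf("%d of %d samples rejected\n", rejected, (int)NUM_SAMPLES);
    return 0;
}
```

Build with `cc -Wall -o forcecheck forcecheck.c && ./forcecheck`. The per-field checks are written out explicitly rather than as two mask strings, which makes it obvious which position carries which meaning and makes the bounded length scan easy to see; like the fix, the validator only decides whether the string is well-formed, not whether the levels fit the rank's point budget.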