Possible Hack



Dream Weaver
01-23-2007, 05:10 AM
I would suggest you guys check for a possible weakness in your script. I think there are players cheating by using a simple worm type hack. I suspect they are worming into the server and syphoning off burial points from all the players in the game and adding it to their own accounts. That allows them to accumulate large amounts of points in comparison to other players without having to use any special strategy.

If you find a possible weakness, I would suggest a solution. Have a cookie designed specially for the game. The cookie would record the IP address it was initially loaded onto the machine with and use that as a unique identifier. Then, whenever there is any activity with the computer and the server, that cookie would be talking to the server in the background identifying every activity. So, if someone is doing that, the cookie would rat them out.

File Sponge
01-25-2007, 04:28 AM
I think there are players cheating by using a simple worm type hack. I suspect they are worming into the server and syphoning off burial points from all the players in the game and adding it to their own accounts. That allows them to accumulate large amounts of points in comparison to other players without having to use any special strategy.


Interesting!! Seth, it would really make my day if you provided your thoughts on this theory. :)

jjohn
01-26-2007, 05:59 PM
I suspect they are worming into the server and syphoning off burial points from all the players in the game and adding it to their own accounts. That allows them to accumulate large amounts of points in comparison to other players without having to use any special strategy.


I don't know how this could be accomplished. There is no call in the scripting API like "transfer burial points from this player to this player." I don't know how you can execute the script API from the Flash client REST-like protocol anyway. I guess you'd have to inject a script onto the server and find a way to execute it. I don't see how files could be created through the FQ Server, but I haven't looked that hard.

Perhaps there is something in the FQ logs that could illustrate this technique?

You could simply add burial points to one account and deduct it from another,
but that seems pointless.

Then again, cheating at a free game seems pretty pointless to me.



If you find a possible weakness, I would suggest a solution. Have a cookie designed specially for the game. The cookie would record the IP address it was initially loaded onto the machine with and use that as a unique identifier.


That's not a good solution. First of all, cookies can be faked easily. It's trivial to write HTTP headers. Second, IP addresses from some providers, like AOL, can change during a session. I know that sounds insane, but it appears to be true. Third, FQ already knows what the IP address of the client connection is as this is part of the basic TCP/IP socket API. There is already a session associated with a player, although I don't know the details of how that is implemented.

I think better logging in FQ is needed. There is already a when players log in and often what they are doing. I think the server log even tells which scripts are run. However, a transaction log that shows when the player records are changed would be helpful for tracking down suspicious behavior. A real example of this exploitation is also needed. Once the mechanism of exploitation is known, the FQ bug can be addressed.

FQ is a great game and I'd love to see more development on it. However, it's not a big money maker for RT Soft and Seth has a family to feed. :)

Dream Weaver
01-27-2007, 03:52 AM
Thanks.

But, there are players on certain servers running away by 10s of thousands of bps in a matter of a couple of days. There is no strategy in FQ that would account for that. Nothing but about 300 gold tags could give a person a single day score of more than 30k bp, unless they are using saved turns. However, when a player is in the top ranks and suddenly surges ahead by thousands, something is wrong. Look at File Sponge's game. Players are running away with the top uncontrolled. There is more than strategy.

A one day high run is believable, but to sustain it for several days when already at the top of the ranking just isn't possible.

And, I agree, FQ is an awesome game. Cheating is silly, but some people think win at all costs is fun, rather than winning by playing the best game. And, sometimes, it is just the fun of getting a hack to work and thinking no one else is on to them. So, if Seth has a spare moment, I would hope he would take a look just for the sake of all his fans out there. Otherwise, he makes great programs and I hope he continues.:p

Seth
01-28-2007, 01:35 AM
Well, security is very important and I will surely fix any reported holes/hacks.

The weakest link to security is the player editor and any installed/modified scripts.

However, the idea of "syphoning burial points" is pretty easy to prove/disprove, just check to see if your burial points went down during a period where you were NOT attacked by another player. (When a player beats you, you lose burial points to him.)

There is a "debug mode" that admins can check that will log more than usual.

If you suspect something is fishy on one server, feel free to try another or start your own and see if you can find any holes.
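The check Seth describes, combined with the transaction log jjohn asks for earlier in the thread, can be run mechanically. The following is an added example, not part of any post and not FQ code: the snapshot and combat line formats, the player names and all values are constructed assumptions, and it assumes the loser of any fight is the one who loses burial points.

```python
from datetime import datetime

# Constructed sample data; these formats are assumptions, not FQ's real logs.
SNAPSHOTS = """\
2007-01-26T00:00 alice 5200
2007-01-26T06:00 alice 5350
2007-01-26T12:00 alice 5100
2007-01-26T18:00 alice 4700
2007-01-26T00:00 bob 8000
2007-01-26T06:00 bob 7900
2007-01-26T12:00 bob 8150
"""
COMBAT = """\
2007-01-26T05:00 attacker=alice defender=bob winner=alice
2007-01-26T09:30 attacker=bob defender=alice winner=bob
"""

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M")

def load_losses(combat_text):
    """Map each player to the times at which that player lost a fight."""
    losses = {}
    for line in combat_text.splitlines():
        stamp, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        loser = f["defender"] if f["winner"] == f["attacker"] else f["attacker"]
        losses.setdefault(loser, []).append(parse_time(stamp))
    return losses

def unexplained_drops(snapshot_text, combat_text):
    """Return (player, from, to, delta) for every BP decrease between two
    snapshots during which the player lost no fight."""
    losses = load_losses(combat_text)
    history = {}
    for line in snapshot_text.splitlines():
        stamp, player, bp = line.split()
        history.setdefault(player, []).append((parse_time(stamp), int(bp)))
    findings = []
    for player, points in history.items():
        points.sort()
        for (t0, bp0), (t1, bp1) in zip(points, points[1:]):
            lost = any(t0 < t <= t1 for t in losses.get(player, []))
            if bp1 < bp0 and not lost:
                findings.append((player, t0.isoformat(), t1.isoformat(), bp1 - bp0))
    return findings

if __name__ == "__main__":
    for finding in unexplained_drops(SNAPSHOTS, COMBAT):
        print("unexplained burial point drop:", finding)
```

It only flags drops with no lost fight in the interval; a drop larger than a single loss should cost would need the game's actual point rules.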

Ivan256
04-16-2007, 12:18 AM
For fun, I am writing my own Funeral Quest server to change-up the gameplay a bit, since the original has lost my interest.

In the process, I've found a few security bugs with the official server. I don't want to post any details in this forum, as I don't want to ruin the game for people, but there are exploits which can occur if you know the IP address of the other players (I have addressed this in my server using a cookie UUID, I'm not modifying the client), and another which allows any player to win any combat every time. The latter could be fixed trivially on the server side, as long as the code knows to check for it.

What should I do with this info in order to get the official server fixed?

Seth
04-16-2007, 01:21 AM
Hi, please send me any info on how to recreate a bug and I'll fix it ASAP.

The client is "not trusted" in all circumstances, but I'd be very happy to be proven wrong, as it's always possible to accidentally leave something open to exploitation.

Btw, cookies should never be trusted.

Ivan256
04-16-2007, 02:16 AM
I don't trust the data from the cookie. I send the client a 64 byte UUID, and require that the client return the same UUID in the cookie before trusting anything else coming back from the client. The user can change the cookie if they'd like, but all it will accomplish is getting them booted from the game. Spoofing the cookie is cryptographically hard due to the UUID generation algorithm. If all you use as a trusted key is the IP address, a user on the same NAT, or a user who spoofs their IP can do whatever they'd like to any logged in account, including chat commands, etc...

I'll send you details about the combat exploit in a PM, because it's something anybody can do, and I don't want anybody doing it. Conveniently enough, you don't need to be proven wrong for it to work.
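The difference between keying a session on the source IP and requiring a server-issued random token back in the cookie, as discussed in the post above, shown as an added example. It is not Ivan256's server code or FQ code: the class names are hypothetical, Python's `secrets` module stands in for the UUID generation algorithm the post does not describe, and the IP is a documentation address.

```python
import hashlib
import secrets

class IpKeyedSessions:
    """Weak form: the source IP alone identifies the logged-in player."""
    def __init__(self):
        self.by_ip = {}

    def login(self, ip, player):
        self.by_ip[ip] = player

    def whoami(self, ip, cookie=None):
        return self.by_ip.get(ip)          # any client behind this IP matches

class TokenSessions:
    """The server issues 64 random bytes and trusts nothing until the client
    sends the same value back; only a digest of the token is stored."""
    def __init__(self):
        self.by_digest = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, ip, player):
        token = secrets.token_hex(64)      # 64 bytes from the OS CSPRNG
        self.by_digest[self._digest(token)] = player
        return token                       # sent to the client as its cookie

    def whoami(self, ip, cookie=None):
        if not cookie:
            return None                    # caller boots the connection
        return self.by_digest.get(self._digest(cookie))

def demo():
    nat_ip = "203.0.113.7"                 # constructed: two clients share this NAT
    weak, strong = IpKeyedSessions(), TokenSessions()
    weak.login(nat_ip, "alice")
    alice_cookie = strong.login(nat_ip, "alice")
    return {
        "weak_second_client_same_nat": weak.whoami(nat_ip),
        "strong_no_cookie": strong.whoami(nat_ip),
        "strong_forged_cookie": strong.whoami(nat_ip, "0" * 128),
        "strong_valid_cookie": strong.whoami(nat_ip, alice_cookie),
    }

if __name__ == "__main__":
    for case, player in demo().items():
        print(case, "->", player)
```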

Seth
04-16-2007, 09:27 AM
Thanks very much for the PM'ed info, I will check it out and fix it, it sounds very plausible...


The user can change the cookie if they'd like, but all it will accomplish is getting them booted from the game.


Yes I agree. And I only use IP address to remember the player. If two (or more) people play from the same IP, the worst thing that happens is they boot each other off.

Seth
04-20-2007, 04:09 AM
I've verified Ivan256's bug report, he's correct, there is a way to exploit battles to always win with a hacked client/packet sender.

I'd recommend everyone upgrade to 0.97.

I've put the new version up here (http://www.rtsoft.com/fq/fqserver.htm). This version patches the exploit and will log any detected hack attempts to the error.txt file.

I had to repackage the installer, so please let me know if anybody has any problems/issues with it...

Anyway, thanks Ivan256, if you run across anything else please drop me a note! :o

File Sponge
04-23-2007, 12:14 AM
I'd recommend everyone upgrade to 0.97.
I had to repackage the installer, so please let me know if anybody has any problems/issues with it...


0.97 didn't work with my init.c file (which had a lot of left over guns mod stuff in it -- I stopped using guns mod a long time ago but never totally cleaned up init.c). When I fired up 0.97 the first time, it just terminated without doing anything.

After I deleted all the lines in init.c pertaining to guns mod, and did some cleanup on the maint_player.c and maint.c files to take out all the guns mod stuff that caused errors due to the new init.c, everything is working great. I managed to generate a little over 18000 errors in the error log before I figured it out, though. :-)

Thanks for the update!!