Insurance exploit
Posted: Thu Feb 12, 2009 6:18 pm
For those not aware there is an exploit involving insurance. This is a result of the bans as well as the lock down of new accounts. I am unsure if this is linked to our previous incident involving DDoS threats, but it really does not matter, we are handling it as a separate case for now.
This flaw somehow enables an attacker to make insured items drop. The cause is still a theory at this point but from what I've been told is it has to do with sending malformed font to the server. I have not yet checked but I am pretty sure text such as speech, as well as char names upon registration, are sent as UTF-16, which means 1 char - 2 bytes. This leaves tons of room to put junk that could potentially cause weird issues.
My theory is that there is a buffer underrun vulnerability in the server, so sending these malformed strings is manipulating other memory such as disabling insurance on items. I will be reviewing up to 5GB of raw packet logs to confirm this, though it could take weeks to sift through all that. I stopped the packet logger not too long ago and have begun transferring the logs off the server.
As a result of this we'll most likely implement some stricter text handling as far as names and speech goes. This may potentially disable Chinese characters and other stuff of that sort.
Once we gather more details on this exploit we may open up speech capabilities more once the exploit has been fixed in the proper code. Fixing the text is only a workaround and I do not really consider it a true fix, but it may at least stop the exploit from working.
And I can't stress this enough, anyone caught using this exploit or any other on our production server without reporting it asap will be instantly banned, and linked accounts/friends could even be banned too. This is a very serious offense and is taken just as seriously as other types of hacking such as DDoS or brute forcing admin security etc.
Archived topic from AOV, old topic ID:4260, old post ID:27246
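Added example, not code from the original post or from the AOV server: a bounds-checked validator for a length-prefixed UTF-16LE text field of the kind the post describes for speech and character names. It is one form the "stricter text handling" mentioned above could take, rejecting odd byte counts, declared lengths larger than the packet, unpaired surrogates and control characters without ever reading past the buffer. The field layout (uint16 byte length followed by UTF-16LE units), the 64-unit limit and the status codes are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed policy: at most 64 UTF-16 code units per name or speech field. */
#define MAX_TEXT_UNITS 64

typedef enum { TEXT_OK = 0, TEXT_TRUNCATED, TEXT_ODD_BYTES, TEXT_TOO_LONG,
               TEXT_BAD_SURROGATE, TEXT_CONTROL_CHAR } text_status;

/* Read one little-endian 16-bit unit at byte offset i (caller checks bounds). */
static uint16_t le16(const uint8_t *p, size_t i) { return (uint16_t)(p[i] | (p[i + 1] << 8)); }

/* Validate a field laid out as uint16 byte_len (LE) + byte_len bytes of UTF-16LE
 * (assumed layout). Every index is checked against len, so a declared length
 * larger than the packet cannot drive reads outside buf. */
text_status validate_utf16_field(const uint8_t *buf, size_t len, size_t *consumed)
{
    if (len < 2) return TEXT_TRUNCATED;
    size_t byte_len = le16(buf, 0);
    if (byte_len & 1) return TEXT_ODD_BYTES;               /* half a code unit */
    if (byte_len > 2 * MAX_TEXT_UNITS) return TEXT_TOO_LONG;
    if (byte_len > len - 2) return TEXT_TRUNCATED;         /* claims more than we have */
    const uint8_t *p = buf + 2;
    size_t units = byte_len / 2;
    for (size_t i = 0; i < units; i++) {
        uint16_t u = le16(p, 2 * i);
        if (u < 0x20 || (u >= 0x7F && u <= 0x9F)) return TEXT_CONTROL_CHAR;
        if (u >= 0xD800 && u <= 0xDBFF) {                  /* high surrogate needs a low one */
            if (i + 1 >= units) return TEXT_BAD_SURROGATE;
            uint16_t lo = le16(p, 2 * (i + 1));
            if (lo < 0xDC00 || lo > 0xDFFF) return TEXT_BAD_SURROGATE;
            i++;
        } else if (u >= 0xDC00 && u <= 0xDFFF) {           /* lone low surrogate */
            return TEXT_BAD_SURROGATE;
        }
    }
    if (consumed) *consumed = 2 + byte_len;
    return TEXT_OK;
}

/* Constructed sample fields (not captured traffic). */
static const uint8_t SAMPLE_OK[]   = {0x04,0x00, 'H',0x00, 'i',0x00};    /* "Hi" */
static const uint8_t SAMPLE_PAIR[] = {0x04,0x00, 0x3D,0xD8, 0x00,0xDE};  /* U+1F600 as a pair */
static const uint8_t SAMPLE_ODD[]  = {0x03,0x00, 'H',0x00, 'i'};         /* odd byte count */
static const uint8_t SAMPLE_LIE[]  = {0x40,0x00, 'H',0x00};              /* claims 64 bytes, has 2 */
static const uint8_t SAMPLE_LONG[] = {0x82,0x00, 'H',0x00};              /* claims 130 > 128 bytes */
static const uint8_t SAMPLE_LONE[] = {0x02,0x00, 0x00,0xD8};             /* unpaired high surrogate */
static const uint8_t SAMPLE_CTRL[] = {0x02,0x00, 0x1B,0x00};             /* ESC control character */
```

A server that drops the whole packet on any status other than TEXT_OK never lets a malformed string reach the code that copies it into fixed-size storage.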