BaseJKA Security Fix
Posted: Mon Mar 26, 2007 3:08 pm
FINAL OPEN-SOURCE VERSION
Download:
Note: Update to version 1.1a available here.
Adds fix for forcestring crash.
See on Filefront
*****************************************************************
** JEDI KNIGHT: Jedi Academy **
*****************************************************************
#-----------------------------------------------------------#
# TITLE : BaseJKA Security Fix + SOURCE #
# VERSION : 1.1 #
# AUTHOR : Gamall Wednesday Ida #
# E-MAIL : gamall.ida@gmail.com #
# WEBSITE : http://gamall-ida.com #
# #
# FILENAME Windows : basejka_Gamalls_fix_11.pk3 #
# FILENAME Linux : jampgamei386.so #
# FILESIZE : ~ 4 MB #
# DATE RELEASED : October 2007 #
#-----------------------------------------------------------#
+ INSTALLATION INSTRUCTIONS:
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
Just put the relevant file in your server's base folder.
+ DESCRIPTION
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
(version 1.0e, see below for changelog to final 1.1)
This patch (technically it is a mod, so do not expect it to be
compatible with JA+ or anything else) corrects the three Denial
of Service vulnerabilities I am aware of affecting basejka, and
makes the logs more useful to an experienced admin, without
attempting to alter the gameplay or admin etc in any way. Some
random fixes and features were also added at the request of
users.
IMPORTANT: My patch only affects the component "jampgame". In
order to completely protect a server, you must also use a
patched "jampded". Here is one link to ready-to-use jampdeds:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://jediknight2.filefront.com/file/
UNOFFICIAL_Patch_for_JA_101_Dedicated_Servers;41652
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Note that it seems that Windows servers are still vulnerable to
targeted attacks on jampded. I won't say more since this is out
of the scope of this mod.
+ CHANGELOG v1.0e -> v1.1
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
> The help page is now automatically displayed only on the very
first connection, as opposed to connections when you are
carried over from a previous map, or at the end of a duel turn.
> Names such as "**Spamzor" are automatically converted to
"* Spamzor", so a display bug, causing chat lines from such a
player to be displayed in both the chat box and the server
broadcast line, cannot be exploited anymore.
> Fixed a false positive in my bot detection scheme: bots were
detected as a fake player attack; although this had no real
consequence, it was a source of confusion in the logs.
> Logs now differentiate connections from bots and from real
players.
> Messages from the dedicated server have been made slightly
more visible: the tag is now [SERVER], with colors. I would
have liked to do the same with the /svsay command, but it can't
be altered, as it is hard coded into jampded instead of
jampgame. Go figure...
> The IP is now logged each time somebody changes their names.
> Added the /(t)ime client command, displaying the local time
of the server:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
]\time
# Server time:
Sun Sep 09 13:37:03 2007
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Added cvar ga_doNotAllowDualKataSpin, default 0, preventing
anyone in a dual kata from spinning like a madman. (slightly
buggy, as the screen seems to vibrate when moving the mouse,
but it works.)
> Added cvar ga_nameLengthLimit: names will be truncated not to
exceed that length. Note that color escape sequences, such as
^1, are not counted.
> Some ga_* cvars are now marked as serverinfo (external tools
can read them).
> Added the /info client command and ga_serverInfo cvar. /info
displays the contents of the cvar. Admins can put rules, etc in
there, and any player can read it anytime.
> Anti model/color change spam/lag: any player can now freely
change their info only 50 times per map (unless they reconnect
of course). After that, they need to wait for three full
seconds between each change. This should not inconvenience any
legitimate player, and protects everyone on the server from the
lag which can be created by fast and furious sustained userinfo
change.
> Added another log file, ga_ConnectLog.txt, listing every
connection and full userinfo, and nothing but that, which is
now created by the server: for instance
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[Sun Sep 16 20:23:02 2007] [========================== SERVER START ==========================]
[Sun Sep 16 20:23:11 2007] Connect :: name(num) = [^5G^7amall ^5W^7ednesday ^5I^7da]( 2) :: ip = [ 127.0.0.1] :: userinfo = [COMPLETE USERINFO STRING LOGGED HERE]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> The logs now use real time:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[Sun Sep 16 20:24:03 2007] Kill: 2 1 3: ^5G^7amall ^5W^7ednesday ^5I^7da killed Desann by MOD_SABER
[Sun Sep 16 20:24:07 2007] say: (1)Desann: Impressive, most impressive... but you are not a Jedi yet!
[Sun Sep 16 20:24:11 2007] Kill: 2 4 3: ^5G^7amall ^5W^7ednesday ^5I^7da killed Imperial Saboteur by MOD_SABER
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
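The userinfo change throttle from the changelog (50 free changes per map, then three full seconds between changes), as an added example that is not taken from the mod's source; the per-client table, the millisecond server clock, the helper names and the choice of not counting rejected changes are assumptions of mine.

```c
#include <string.h>
#define MAX_CLIENTS 32              /* Q3 client slot count (assumption for the demo) */
#define GA_FREE_CHANGES 50          /* changes allowed per map before the throttle applies */
#define GA_CHANGE_DELAY_MS 3000     /* minimum gap between changes once over budget */

typedef struct {
    int changes;        /* userinfo changes accepted this map */
    int lastChangeMs;   /* server time of the last accepted change */
} throttle_t;
static throttle_t clients[MAX_CLIENTS];

/* Call on connect and on map change: the budget starts over ("per map, unless they
 * reconnect" in the changelog). Returns 1 for a valid slot, 0 otherwise. */
int throttle_reset(int clientNum) {
    if (clientNum < 0 || clientNum >= MAX_CLIENTS) return 0;
    memset(&clients[clientNum], 0, sizeof clients[clientNum]);
    return 1;
}

/* Returns 1 if the change may be applied (and records it), 0 if it must be ignored.
 * Rejected changes are not counted and do not restart the 3 s delay (my choice). */
int throttle_allow_change(int clientNum, int nowMs) {
    throttle_t *c;
    if (clientNum < 0 || clientNum >= MAX_CLIENTS) return 0;
    c = &clients[clientNum];
    if (c->changes >= GA_FREE_CHANGES && nowMs - c->lastChangeMs < GA_CHANGE_DELAY_MS)
        return 0;
    c->changes++;
    c->lastChangeMs = nowMs;
    return 1;
}

/* Demo helper: submits n changes 10 ms apart and returns how many were accepted. */
int throttle_burst(int clientNum, int n, int startMs) {
    int i, accepted = 0;
    for (i = 0; i < n; i++) accepted += throttle_allow_change(clientNum, startMs + 10 * i);
    return accepted;
}
```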
+ SUMMARY OF THE CHANGES in v1.0e:
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
- Client disconnect buffer overflow: fixed
- trap_SendServerCommand().
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -
The possibility to cause a DoS disconnecting all clients by
sending overlong strings to the server has been fixed.
Incorrect commands are just ignored.
- Ingame buffer overflow (say/tell): fixed Cmd_Say_f()
- and Cmd_Tell_f().
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -
The possibility to crash the server by using say or tell to
pass overlong strings to the server has been removed.
Incorrect calls are truncated to a decent length (150).
- Fake Players Attack: heavily secured, customisable
- ClientConnect().
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -
The possibility to lag and even crash the server by sending
a great number of fake connection requests using a third
party program such as q3fill has been removed. See below for
more information.
- Improvement of the log file/server messages.
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -
Each time a client connects, the complete userinfo string is
logged, even if the connection is denied. This includes the
IP, port, qport, name of the client and much more.
If the connection is denied, a message explaining why is
displayed by the server, and relevant information is written
down in the log file. Since those messages could be used to
spam the screen in case of a fake players attack, and in the
case you just don't want to know about that, you can
deactivate the public messages: just set those cvars to 0
(default = 1):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_showBadPassClient | 0 or 1 :
-> display a message when a client connects with a bad password.
ga_showBannedClient | 0 or 1 :
-> display a message when a banned client connects.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The "Infostring length exceeded" console error message has
been made a tad more explicit. I noticed a bug which would
cause it to be sent each frame. It is hard to debug if you
don't know what caused it ;)
Each time a user changes name, it is written down in the log
file.
When a client disconnects, their name is logged.
Each time a client says/tells something, their client number
is logged along with their name.
- Random unimportant fixes/improvements.
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -
The annoying time limit when changing names has been toned
down from five seconds to 0.7 seconds.
The ^0 (black) colour now works properly. If you don't want
to see black in names, you can deactivate this by setting
the following cvar to 0:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_allowBlackInNames
| 0 or 1 (default = 1)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When a player's name is incorrect, it is set to "Padawan" in
basejka, which is annoying, since you end up with many
"Padawan"s. You can now decide what it will be, and if you
so choose, you can add the player's client number to their
name by typing "%i" in the name.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_defaultName
| (default = "^4P^7adawan ^5(^7%i^5)")
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For instance, with the default setting, the client 9 will be
renamed to "Padawan (9)". Note that I put many spaces
between the name and number: normal players can't use more
than three spaces in a row, so nobody will be able to
imitate the default name with the number of someone else,
and trick you into kicking that other player instead of
them...
If you don't like that, you can just change it back to
"Padawan".
Insignificant names, such as "Padawan", can be black-listed,
which will result in them being replaced by the default
name.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_nameBlackList
| default = "Padawan;otherunacceptablename"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Note that the black list is case insensitive, and that
spaces, underscores and dashes are ignored. So do not put
any "_" etc in ga_nameBlackList.
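The name rules from this section and from the changelog (the "**" conversion and ga_nameLengthLimit not counting colour codes), as one added example in C that is not code from the mod: the folding helper, buffer sizes and function names are my assumptions, the length limit of 20 is a value picked for the demo, and colour codes are recognised the usual Q3 way (a "^" followed by any character other than "^").

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_NETNAME 36   /* size of a Q3 client name buffer (assumption) */
/* Mirrors of the readme's cvars with the documented defaults; the length limit is a demo value. */
static const char *ga_nameBlackList = "Padawan;otherunacceptablename";
static const char *ga_defaultName   = "^4P^7adawan ^5(^7%i^5)";
static int ga_nameLengthLimit = 20;   /* visible characters; "^N" colour codes are not counted */
/* Fold a name for blacklist comparison: lower case, with spaces, '_' and '-' dropped. */
static void fold_name(const char *in, size_t inlen, char *out, size_t outlen) {
    size_t n = 0;
    for (; inlen-- && *in && n + 1 < outlen; in++)
        if (*in != ' ' && *in != '_' && *in != '-') out[n++] = (char)tolower((unsigned char)*in);
    out[n] = '\0';
}
/* 1 if the folded name equals any ';'-separated (and likewise folded) blacklist entry. */
int name_is_blacklisted(const char *name) {
    char folded[MAX_NETNAME], entry[MAX_NETNAME];
    const char *p = ga_nameBlackList;
    fold_name(name, strlen(name), folded, sizeof folded);
    while (*p) {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        fold_name(p, len, entry, sizeof entry);
        if (strcmp(entry, folded) == 0) return 1;
        p = end ? end + 1 : p + len;
    }
    return 0;
}

/* "**" -> "* "; empty or blacklisted -> ga_defaultName with %i replaced by the client number;
 * then cut to ga_nameLengthLimit visible characters. Returns a static buffer (demo only). */
const char *clean_name(const char *in, int clientNum) {
    static char out[MAX_NETNAME];
    char tmp[MAX_NETNAME * 2]; size_t i = 0, o = 0, visible = 0;
    snprintf(tmp, sizeof tmp, "%s", in);
    if (tmp[0] == '*' && tmp[1] == '*') tmp[1] = ' ';   /* defuses the double-display chat bug */
    if (tmp[0] == '\0' || name_is_blacklisted(tmp)) {
        const char *pct = strstr(ga_defaultName, "%i");
        if (pct) snprintf(tmp, sizeof tmp, "%.*s%d%s", (int)(pct - ga_defaultName), ga_defaultName, clientNum, pct + 2);
        else snprintf(tmp, sizeof tmp, "%s", ga_defaultName);
    }
    while (tmp[i]) {
        int color = tmp[i] == '^' && tmp[i + 1] && tmp[i + 1] != '^';   /* colour code: kept, not counted */
        if (o + (color ? 2 : 1) >= sizeof out || (!color && visible >= (size_t)ga_nameLengthLimit)) break;
        out[o++] = tmp[i++];
        if (color) out[o++] = tmp[i++]; else visible++;
    }
    out[o] = '\0'; return out;
}
```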
Admins can now close the server and display a message to
connecting clients explaining why the server is closed,
instead of putting a password.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_closeServer
| 0 or 1 or 2
ga_closedServerMsg
| default = "^1The server is closed at the moment\n^2Please come back later"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As you have undoubtedly noticed, you can use colors and line
breaks in the message. Try and keep it short though.
If ga_closeServer is set to 0, the server is open (normal
behaviour). If set to 1, the server is closed, and you are
notified each time somebody connects to the server. If set
to 2, the server is closed, and you won't be notified of
connecting clients.
Every client can use the /list (or /l) function, displaying
information on the connected clients, which is useful in
order to know who is who. (the server status function is
useless as it doesn't always yield the correct client
number...)
There is also the /help (/h) command, displaying a small
help text.
+ PROTECTION AGAINST THE FAKE PLAYERS :
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
There are three different protections against the q3fill attack:
when a client connects, three protection layers activate:
- Clever Fake Detection
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -
The connection string is checked for a value specific to JKA
players, of which the bots are devoid by default. If no such
value is found, then the connection is denied, and the IP
can be automatically added to the banlist.
This aspect is controlled by the following cvars:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_cleverFakeDetection | default = "model"
ga_cleverfakeAutoBan | default = "1"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This first protection alone will get rid of 99.99 % of all
attacks.
If the attacker knows what he is doing, he can easily fool
that by altering the attack. Most script-kiddies do not have
that kind of know-how though.
You can deactivate this feature by setting
ga_cleverFakeDetection "none".
- Hard-Coded Fake Detection
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -
Check for a value specific to bots, that does not appear in
legitimate players. This is a viewpoint completely opposed
to the first layer, but works exactly the same way.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_hardFakeDetection | default = "cl_guid"
ga_hardFakeAutoBan | default = "1"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To fool this layer is tricky, as the target value is
hard-coded into q3fill. The attacker would need to alter
q3fill's source code in an appropriate way without breaking
anything and recompile it... definitely not something your
average dumb server crasher can do :D
You can deactivate this feature by setting
ga_hardFakeDetection "none".
- Connect Flood Detection
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -
If the two first layers fail (or are deactivated), then
there is no way to tell a genuine player and a bot apart. So
we must detect them by the speed at which they connect from
the same IP.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ga_sameIpNumber
| default = "5"
ga_sameIpTime
| default = "30"
ga_sameIpAutoBan
| default = "1"
ga_sameIpAutoKick
| default = "1"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
With the default settings, the connection of more than 5
players from the same ip in less than 30 seconds will be
deemed a fake players attack. As usual, the connection will
be denied, and the IP can be banned, depending on the
admin's choice. The bots that got in can also be kicked
automatically.
Setting ga_sameIpNumber to 0 will deactivate this third
layer.
NOTE: Be very careful when playing with ga_hardFakeDetection
and ga_cleverFakeDetection. Putting incorrect values there
may prevent ANY player from entering the game, or in the
best case scenario render the protection useless. The
default values are good. Don't alter them unless you know
what you are doing.
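The three layers above, as an added example in C written for this page and not the mod's own code: a userinfo string in the engine's \key\value format goes through the clever check, the hard check and the same-IP window in the readme's order, with the documented default cvar values. The infostring parser, the verdict codes and the fixed-size IP table are my own assumptions, and the auto-ban and auto-kick the mod performs on a denied connection are left out.

```c
#include <stdio.h>
#include <string.h>
/* Mirrors of the readme's cvars, with the documented defaults. */
static const char *ga_cleverFakeDetection = "model";   /* key genuine clients always send */
static const char *ga_hardFakeDetection   = "cl_guid"; /* key only the flood bots send */
static int ga_sameIpNumber = 5, ga_sameIpTime = 30;    /* more than 5 in under 30 s is a flood */
enum verdict { ALLOW = 0, DENY_NO_CLIENT_KEY, DENY_BOT_KEY, DENY_CONNECT_FLOOD };
/* Look up key in a "\k\v\k\v" infostring (own parser, not the engine's); returns 1 and
 * copies the value into out when the key is present, truncating rather than overflowing. */
static int info_value(const char *info, const char *key, char *out, size_t outlen) {
    const char *p = info;
    while (*p == '\\') {
        const char *k = p + 1, *kend = strchr(k, '\\');
        if (!kend) return 0;
        const char *v = kend + 1, *vend = strchr(v, '\\');
        size_t vlen = vend ? (size_t)(vend - v) : strlen(v);
        if ((size_t)(kend - k) == strlen(key) && strncmp(k, key, strlen(key)) == 0) {
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, v, vlen); out[vlen] = '\0';
            return 1;
        }
        if (!vend) return 0;
        p = vend;
    }
    return 0;
}
/* Per-IP window: time of the first connect in the window and the connects seen since. */
#define MAX_TRACKED_IPS 64
static struct { char ip[32]; int first, count; } track[MAX_TRACKED_IPS];
static int same_ip_flood(const char *ip, int now) {
    int i, slot = -1;
    for (i = 0; i < MAX_TRACKED_IPS && slot < 0; i++)   /* entries are never freed, so a */
        if (!track[i].ip[0] || strcmp(track[i].ip, ip) == 0) slot = i;   /* match precedes any free slot */
    if (slot < 0) return 0;   /* table full: this layer cannot judge (assumption) */
    if (strcmp(track[slot].ip, ip) != 0 || now - track[slot].first >= ga_sameIpTime) {
        snprintf(track[slot].ip, sizeof track[slot].ip, "%s", ip);   /* open a new window */
        track[slot].first = now; track[slot].count = 0;
    }
    return ++track[slot].count > ga_sameIpNumber;
}
/* The three layers in the readme's order; a detection cvar set to "none" skips its layer. */
int check_connect(const char *userinfo, int now) {
    char val[64], ip[32];
    if (strcmp(ga_cleverFakeDetection, "none") != 0 && !info_value(userinfo, ga_cleverFakeDetection, val, sizeof val))
        return DENY_NO_CLIENT_KEY;
    if (strcmp(ga_hardFakeDetection, "none") != 0 && info_value(userinfo, ga_hardFakeDetection, val, sizeof val))
        return DENY_BOT_KEY;
    if (!info_value(userinfo, "ip", ip, sizeof ip)) return ALLOW;   /* the engine sets ip before ClientConnect */
    return same_ip_flood(ip, now) ? DENY_CONNECT_FLOOD : ALLOW;
}
```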
+ TECHNICALITIES:
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
This patch has been compiled with the following compilers:
- On Windows:
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -
Visual C++ 2005 (8);
It is the same compiler Raven Software used to compile the
original jampgame (albeit they used version 7), and the very
same compilation parameters. So there is NO reason at all
that the damages/blocks should be altered in any way.
- On Linux:
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o -
GCC 2.96 on a Red Hat Linux release 7.2 (Enigma);
GCC is a very good compiler, but Raven used ICC, which is a
commercial product I don't have. So the damages might in
theory be slightly altered, although I personally can't tell
the difference.
This would come from the way each compiler handles the
computation of float variables.
+ SOURCE CODE:
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
I won't be working on that mod anymore, unless a 'real' (as
opposed to 'alleged', you know ;) ) security exploit is
brought to my attention, so I chose to make it
completely open-source, under the GPL. That way anyone can add
or remove features as they please, or use some of my tricks in
their own mod if they want to.
A copy of the source code has been shipped with this package.
My modifications to Raven's source code are released under the
GNU General Public License (GPL), which means (roughly) that
you are free to use the code as you please, so long as you
release your own work under the GPL.
A copy of the GPL has been shipped with this package. You must
read and understand it if you intend to use the source code.
In addition, I would appreciate it if anyone using any part of
my code took the time to post a link to their own project on
the fix's thread:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://gamall-ida.com/f/viewtopic.php?f=3&t=120
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CONTACT / SUPPORT
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
If you need help or have suggestions, comments, insults, praise
or in general, anything to say about this program that you
expect me to read and answer to, please post on the program's
topic on my website:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://gamall-ida.com/f/viewtopic.php?f=3&t=120
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CREDITS:
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
Kudos to Trimbo for his linux-ready version of the vanilla SDK.
Warm regards to Luigi Auriemma for his work on JKA and the q3
engine.
THIS MODIFICATION IS NOT MADE, DISTRIBUTED, OR SUPPORTED BY
ACTIVISION, RAVEN, OR LUCASARTS ENTERTAINMENT COMPANY LLC.
ELEMENTS TM & © LUCASARTS ENTERTAINMENT COMPANY LLC AND/OR ITS
LICENSORS.
+-----------------------------+
| File generated with 'GaTeX',|
| an ASCII typesetting system |
| by Gamall Wednesday Ida. |
| http://gamall-ida.com |
+-----------------------------+
Build: Sun Oct 21 12:32:47 2007
File : f:readme.GaTeX.source