r1ch.net forums
Author Topic: Technical details of the connectionless vulnerabilities  (Read 1923 times)
R1CH
Administrator, Member
Posts: 2625

« on: November 16, 2006, 04:37:20 pm »

A few connectionless packet problems were discovered in R1Q2 and other Q2 clients. Here are the tech details.

Problem 1:
The client connectionless "challenge" command does not check whether the client is actually connecting before parsing the packet. Thus, a packet sent mid-game would still be parsed.

Problem 2:
The "echo" connectionless packet just replies to the source IP with the data contained within the packet. Combined with the above vulnerability, if an "echo getchallenge" packet is sent with the source IP of the Q2 server, the client will reply to the server with the "getchallenge" and will receive back a legitimate "challenge" request, which it will then parse and restart the connection process.

Fix 1:
You should check the client is still in the ca_connecting state before parsing this packet, otherwise ignore it.

Fix 2:
Remove the "echo" connectionless packet from the client, it does not appear to serve any useful purpose beyond allowing "reflection" style attacks.

R1Q2 b6908 client contains a fix for these issues, users of other clients should check with the client author or direct the author to this page for more information.
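The following is an added example, not R1Q2's or any other client's actual code: a simplified model of a Quake 2 style client connectionless packet dispatcher, with the pre-fix handlers for "challenge" and "echo" next to a version that applies Fix 1 (only accept "challenge" in ca_connecting) and Fix 2 (no "echo" handler). The state names follow the Quake 2 client enum; everything else (the struct, the action codes, the packet strings and the challenge numbers) is constructed for this example. replay_chain() walks the sequence described in the post against an in-game client and returns the state it ends up in.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Client connection states, named after the Quake 2 client's own enum
   (ca_connecting is the state the post refers to); the rest of this
   model is simplified and assumed, not R1Q2's actual code. */
typedef enum { ca_disconnected, ca_connecting, ca_connected, ca_active } connstate_t;

/* What the dispatcher decided to do with one connectionless packet. */
typedef enum { ACT_IGNORE, ACT_SEND_CONNECT, ACT_REPLY_ECHO } action_t;

typedef struct {
    connstate_t state;
    int challenge;          /* challenge number accepted from the server */
    char echo_reply[64];    /* text an "echo" handler would send back */
} client_t;

typedef action_t (*dispatch_fn)(client_t *, const char *);

/* Pre-fix behaviour (Problems 1 and 2): "challenge" is parsed in any
   state, and "echo" reflects the payload to whatever source address the
   packet claims to come from. */
static action_t CL_ConnectionlessPacket_old(client_t *cl, const char *msg)
{
    if (strncmp(msg, "challenge ", 10) == 0) {
        cl->challenge = atoi(msg + 10);
        cl->state = ca_connecting;      /* handshake restarts even mid-game */
        return ACT_SEND_CONNECT;
    }
    if (strncmp(msg, "echo ", 5) == 0) {
        snprintf(cl->echo_reply, sizeof cl->echo_reply, "%s", msg + 5);
        return ACT_REPLY_ECHO;
    }
    return ACT_IGNORE;
}

/* Post-fix behaviour: Fix 1 drops "challenge" unless the client is in
   ca_connecting; Fix 2 removes the "echo" handler entirely. */
static action_t CL_ConnectionlessPacket_fixed(client_t *cl, const char *msg)
{
    if (strncmp(msg, "challenge ", 10) == 0) {
        if (cl->state != ca_connecting)
            return ACT_IGNORE;          /* Fix 1: ignore when not connecting */
        cl->challenge = atoi(msg + 10);
        return ACT_SEND_CONNECT;
    }
    return ACT_IGNORE;                  /* Fix 2: no echo, nothing to reflect */
}

/* Replays the chain from the post against an in-game client: a spoofed
   "echo getchallenge" arrives; if the client reflects it, the (modelled)
   server answers with a fresh "challenge", which the client then handles.
   Returns the client's state afterwards. */
static connstate_t replay_chain(dispatch_fn dispatch)
{
    client_t cl = { ca_active, 0, "" };
    const char *spoofed = "echo getchallenge";     /* constructed sample packet */

    if (dispatch(&cl, spoofed) == ACT_REPLY_ECHO &&
        strcmp(cl.echo_reply, "getchallenge") == 0) {
        /* the server's reply to a real getchallenge; 31337 is a constructed value */
        dispatch(&cl, "challenge 31337");
    }
    return cl.state;
}

/* A legitimate handshake must still work after the fix. */
static bool handshake_still_works(dispatch_fn dispatch)
{
    client_t cl = { ca_connecting, 0, "" };
    return dispatch(&cl, "challenge 4242") == ACT_SEND_CONNECT && cl.challenge == 4242;
}

int main(void)
{
    printf("old client after spoofed echo: state=%d (1 = ca_connecting)\n",
           replay_chain(CL_ConnectionlessPacket_old));
    printf("fixed client after spoofed echo: state=%d (3 = ca_active)\n",
           replay_chain(CL_ConnectionlessPacket_fixed));
    printf("fixed client legitimate handshake ok: %d\n",
           handshake_still_works(CL_ConnectionlessPacket_fixed));
    return 0;
}
```

The state check alone (Fix 1) already stops the mid-game restart, and removing "echo" (Fix 2) removes the reflection primitive regardless of what other commands exist, which is why the post recommends both.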