Fix arbitrary network data sending exploit via malformed userinfo #1074
Conversation
gj sir

confirm changes please!
Now this exploit is detected by https://github.com/UnrealKaraulov/UnrealDemoScanner

Here is the attack traffic recorded on the demo:

Where can I download the artifact build of this fix?
A hotfix can be made using RH_SV_ConnectClient from reapi, looking at Karaulov's code.

I think so, but how do I get the player's complete setinfo connection string? get_user_info only allows you to get by keys. I hope the fix comes out directly in rehlds soon.
This is a new exploit that was first mentioned in this issue - #1073

By using invalid utf8 chars in userinfo, an attacker can interrupt the reading of the string in `svc_updateuserinfo` for all connected clients, which will likely cause them to disconnect from the server due to incorrect reading of the rest of the packet. However, in addition to simply disconnecting clients, an attacker can append arbitrary network traffic to his userinfo, which connected clients can process. For example, in the PoC video below, an attacker compromises the `svc_stufftext` message, which executes some commands/cvars in the console of other clients: https://www.youtube.com/watch?v=BIG7I859_aI

The thing is that when processing userinfo via the `setinfo` command, the server already has a check in the code for invalid utf8 chars, it is located in the `Info_SetValueForStarKey` func:

But there is no such check for userinfo sent via `C2S_CONNECTION` message, so I suggest adding it to `Info_IsValid` func. So this PR fixes this vulnerability.
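The check the PR describes, as an added stand-alone illustration that is not the PR's or rehlds' own code: a C validator for a `\key\value` userinfo string that, besides the usual structural rules, rejects any string that is not well-formed UTF-8, so a connect-time userinfo like the one in the PoC is refused before the server ever relays it to other clients in `svc_updateuserinfo`. The names `utf8_validate`, `userinfo_is_valid` and `INFO_MAX_LEN`, the 256-byte cap and all sample strings are assumptions constructed for this example; the structural rules are modeled on the engine's infostring format, not copied from `Info_IsValid`.

```c
/* Added example, not rehlds code: validate a GoldSrc-style userinfo string
 * ("\key\value\key\value") and reject invalid UTF-8 in keys and values.
 * utf8_validate, userinfo_is_valid and INFO_MAX_LEN are assumed names. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INFO_MAX_LEN 256 /* assumed cap on the whole infostring */

/* True if the len bytes at s are well-formed UTF-8: no stray continuation
 * bytes, no 0xF8..0xFF lead bytes, no overlong encodings, no surrogates,
 * no code points above U+10FFFF and no sequence truncated by end of string. */
static bool utf8_validate(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i];
        size_t n;          /* continuation bytes expected after the lead byte */
        uint32_t cp, min;  /* decoded code point and the smallest one this length may encode */
        if (c < 0x80) { i++; continue; }
        if ((c & 0xE0) == 0xC0)      { n = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { n = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { n = 3; cp = c & 0x07; min = 0x10000; }
        else return false;                 /* 0x80..0xBF or 0xF8..0xFF as lead byte */
        if (i + n >= len) return false;    /* sequence runs past the end of the string */
        for (size_t k = 1; k <= n; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return false;
        i += n + 1;
    }
    return true;
}

/* Structural rules modeled on the engine's infostring format: leading '\',
 * alternating key/value fields separated by '\', no '"' or ';' in a field,
 * no empty key, every key paired with a value, total length under the cap.
 * The UTF-8 check is the one the PR adds for connect-time userinfo. */
bool userinfo_is_valid(const char *info)
{
    size_t len = strlen(info);
    if (len == 0 || len >= INFO_MAX_LEN || info[0] != '\\')
        return false;
    if (!utf8_validate((const unsigned char *)info, len))
        return false;

    const char *p = info + 1;
    int field = 0; /* even index = key, odd index = value */
    while (*p) {
        const char *start = p;
        while (*p && *p != '\\') {
            if (*p == '"' || *p == ';')
                return false;
            p++;
        }
        if ((field % 2) == 0 && p == start)
            return false; /* empty key */
        field++;
        if (*p == '\\')
            p++;
    }
    return (field % 2) == 0; /* a trailing key with no value is rejected */
}

int main(void)
{
    /* Constructed samples. The second mimics the PoC: a lone 0xFF byte cuts the
     * string short for a naive reader, and the bytes after it stand in for the
     * payload the attacker wants other clients to parse as the next message. */
    const char *samples[] = {
        "\\name\\Player\\model\\gordon",
        "\\name\\Pl\xFF" "ayer\\model\\gordon",
        "\\name\\Jos\xC3\xA9\\model\\gordon",
        "\\name\\\xC0\xAF\\model\\gordon",
        "\\name\\x\\model",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i,
               userinfo_is_valid(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

Running the check on the whole string before splitting fields is deliberate: a truncated multi-byte sequence right before a `\` separator would otherwise be split across a value and the next key, and the per-field check would miss it.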