From 91502f14999f46c6e4179ad5e0b5abd47326564f Mon Sep 17 00:00:00 2001 From: James R Date: Mon, 15 Jul 2019 15:39:58 -0700 Subject: [PATCH 1/4] Don't send login final hashes to everyone Someone thought it was a good fucking idea to make logins NetXCmds. NetXCmds are sent to everyone however. Thankfully logins are two passes. And the second pass uses a salt based on the playernum. Therefore, in order to actually make use of the final hash, you'd have to be the same playernum as who originally sent it. Still a stupid exploit. P.S. The netcode is LOL XD by VincyTM -Telos --- src/d_clisrv.c | 58 +++++++++++++++++++++++++++++++++++++++ src/d_clisrv.h | 9 +++++++ src/d_netcmd.c | 73 ++++---------------------------------------------- src/d_netcmd.h | 4 +-- 4 files changed, 74 insertions(+), 70 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 274fe398aa..64d3ee6da5 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -44,6 +44,7 @@ #include "lzf.h" #include "lua_script.h" #include "lua_hook.h" +#include "md5.h" #ifdef CLIENT_LOADINGSCREEN // cl loading screen @@ -116,6 +117,9 @@ static UINT8 resynch_local_inprogress = false; // WE are desynched and getting p static UINT8 player_joining = false; UINT8 hu_resynching = 0; +UINT8 adminpassmd5[MD5_LEN]; +boolean adminpasswordset = false; + // Client specific static ticcmd_t localcmds; static ticcmd_t localcmds2; @@ -3760,6 +3764,7 @@ static void HandlePacketFromPlayer(SINT8 node) XBOXSTATIC INT32 netconsole; XBOXSTATIC tic_t realend, realstart; XBOXSTATIC UINT8 *pak, *txtpak, numtxtpak; + XBOXSTATIC UINT8 finalmd5[MD5_LEN];/* Well, it's the cool thing to do? */ FILESTAMP txtpak = NULL; 
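Review bot: `adminpassmd5` and `adminpasswordset` are defined here with external linkage (the d_netcmd.c hunk removes their `static` definitions), so the admin credential digest and its flag are now writable from any translation unit and nothing says who owns them; a comment above the pair would settle that, `// Admin password digest and whether one is set; presumably written only by D_SetPassword (d_netcmd.c), read by the PT_LOGIN case in HandlePacketFromPlayer.` The single writer cannot be confirmed from the hunks shown, hence the hedge, and a `static` definition behind two small accessors would avoid exporting the buffer at all, but that is more than this move intends. The `finalmd5` scratch added in the @@ -3760 hunk is `XBOXSTATIC`, which presumably expands to `static` on those builds and so leaves a derived hash in a file-scope buffer after the comparison; if that platform still matters, clearing it once compared is cheap.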
@@ -3958,6 +3963,33 @@ FILESTAMP
 textcmd[0] += (UINT8)netbuffer->u.textcmd[0];
 }
 break;
+ case PT_LOGIN:
+ CONS_Printf("I received LOGIN\n");
+ if (client)
+ break;
+
+#ifndef NOMD5
+ if (doomcom->datalength < MD5_LEN)/* ignore partial sends */
+ break;
+
+ if (!adminpasswordset)
+ {
+ CONS_Printf(M_GetText("Password from %s failed (no password set).\n"), player_names[netconsole]);
+ break;
+ }
+
+ // Do the final pass to compare with the sent md5
+ D_MD5PasswordPass(adminpassmd5, MD5_LEN, va("PNUM%02d", netconsole), &finalmd5);
+
+ if (!memcmp(netbuffer->u.md5sum, finalmd5, MD5_LEN))
+ {
+ CONS_Printf(M_GetText("%s passed authentication.\n"), player_names[netconsole]);
+ COM_BufInsertText(va("promote %d\n", netconsole)); // do this immediately
+ }
+ else
+ CONS_Printf(M_GetText("Password from %s failed.\n"), player_names[netconsole]);
+#endif
+ break;
 case PT_NODETIMEOUT:
 case PT_CLIENTQUIT:
 if (client)
@@ -4841,3 +4873,29 @@ tic_t GetLag(INT32 node)
 {
 return gametic - nettics[node];
 }
+
+void D_MD5PasswordPass(const UINT8 *buffer, size_t len, const char *salt, void *dest)
+{
+#ifdef NOMD5
+ (void)buffer;
+ (void)len;
+ (void)salt;
+ memset(dest, 0, 16);
+#else
+ XBOXSTATIC char tmpbuf[256];
+ const size_t sl = strlen(salt);
+
+ if (len > 256-sl)
+ len = 256-sl;
+
+ memcpy(tmpbuf, buffer, len);
+ memmove(&tmpbuf[len], salt, sl);
+ //strcpy(&tmpbuf[len], salt);
+ len += strlen(salt);
+ if (len < 256)
+ memset(&tmpbuf[len],0,256-len);
+
+ // Yes, we intentionally md5 the ENTIRE buffer regardless of size...
+ md5_buffer(tmpbuf, 256, dest);
+#endif
+}
diff --git a/src/d_clisrv.h b/src/d_clisrv.h
index 8443b3fc0e..96591ed932 100644
--- a/src/d_clisrv.h
+++ b/src/d_clisrv.h
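Review bot: `memcmp(netbuffer->u.md5sum, finalmd5, MD5_LEN)` stops at the first differing byte, so the time between a PT_LOGIN packet and the server's reply varies with how much of the guess matched; an authentication check should fold every byte into one accumulator and test it once, as in the rewrite below. Nothing in the hunk bounds the number of attempts a node can make and `Password from %s failed.` is their only trace, so a per-node counter or delay before the comparison is worth adding for a token that is a single MD5 of a short password, and that log line should stay at a level operators actually see. The token also depends only on the password and the slot (`va("PNUM%02d", netconsole)`), so a token observed once stays valid for that slot; a server-chosen nonce in the salt would make it single-use, with the matching client change in Command_Login_f (d_netcmd.c hunk). HandlePacketFromPlayer begins and ends outside this hunk.
```c
/* … unchanged: PT_LOGIN length and adminpasswordset checks … */
			D_MD5PasswordPass(adminpassmd5, MD5_LEN, va("PNUM%02d", netconsole), &finalmd5);

			// Compare every byte so response timing does not depend on where a guess diverges
			{
				UINT8 diff = 0;
				size_t i;
				for (i = 0; i < MD5_LEN; i++)
					diff |= (UINT8)(netbuffer->u.md5sum[i] ^ finalmd5[i]);

				if (diff == 0)
				{
					CONS_Printf(M_GetText("%s passed authentication.\n"), player_names[netconsole]);
					COM_BufInsertText(va("promote %d\n", netconsole)); // do this immediately
				}
				else
					CONS_Printf(M_GetText("Password from %s failed.\n"), player_names[netconsole]);
			}
```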
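Review bot: `if (len > 256-sl)` cannot clamp anything once `sl` exceeds 256, because the `size_t` subtraction wraps, and the following `memmove(&tmpbuf[len], salt, sl)` then writes past `tmpbuf`; both callers visible in this patch pass short literal salts, so the bug is latent, but the function is now exported through d_clisrv.h and nothing records that precondition. Either state it, `/* salt must be shorter than sizeof tmpbuf; all callers pass fixed literals */`, or clamp it first, `const size_t sl = strlen(salt) > 256 ? 256 : strlen(salt);`. `len += strlen(salt);` recomputes the length already held in `sl` and can be `len += sl;`. A one-line comment that two fixed-salt MD5 passes are not a slow password hash would also help, so that `adminpassmd5` is treated as sensitive wherever it is stored or logged.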
@@ -70,6 +70,9 @@ typedef enum PT_NODETIMEOUT, // Packet sent to self if the connection times out. PT_RESYNCHING, // Packet sent to resync players. // Blocks game advance until synched. + + PT_LOGIN, // Login attempt from the client. + #ifdef NEWPING PT_PING, // Packet sent to tell clients the other client's latency to server. #endif @@ -398,6 +401,7 @@ typedef struct UINT8 textcmd[MAXTEXTCMD+1]; // 66049 bytes (wut??? 64k??? More like 257 bytes...) filetx_pak filetxpak; // 139 bytes clientconfig_pak clientcfg; // 136 bytes + UINT8 md5sum[MD5_LEN]; serverinfo_pak serverinfo; // 1024 bytes serverrefuse_pak serverrefuse; // 65025 bytes (somehow I feel like those values are garbage...) askinfo_pak askinfo; // 61 bytes @@ -526,5 +530,10 @@ void D_ResetTiccmds(void); tic_t GetLag(INT32 node); UINT8 GetFreeXCmdSize(void); +void D_MD5PasswordPass(const UINT8 *buffer, size_t len, const char *salt, void *dest); + extern UINT8 hu_resynching; + +extern UINT8 adminpassmd5[MD5_LEN]; +extern boolean adminpasswordset; #endif diff --git a/src/d_netcmd.c b/src/d_netcmd.c index 998eef05d1..1c2d380c10 100644 --- a/src/d_netcmd.c +++ b/src/d_netcmd.c @@ -34,13 +34,13 @@ #include "p_spec.h" #include "m_cheat.h" #include "d_clisrv.h" +#include "d_net.h" #include "v_video.h" #include "d_main.h" #include "m_random.h" #include "f_finale.h" #include "filesrch.h" #include "mserv.h" -#include "md5.h" #include "z_zone.h" #include "lua_script.h" #include "lua_hook.h" @@ -143,7 +143,6 @@ static void Command_Clearscores_f(void); // Remote Administration static void Command_Changepassword_f(void); static void Command_Login_f(void); -static void Got_Login(UINT8 **cp, INT32 playernum); static void Got_Verification(UINT8 **cp, INT32 playernum); static void Got_Removal(UINT8 **cp, INT32 playernum); static void Command_Verify_f(void); 
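Review bot: `PT_LOGIN` is added in the middle of the packettype enum, ahead of `PT_PING`, so every later value shifts by one and a peer built without this patch reads a different meaning for those bytes on the wire; if builds on either side of this change can ever meet, append it at the end instead, or confirm the existing version handshake refuses mixed builds. The comment could also say what the packet carries and who consumes it, since the enum alone does not: `PT_LOGIN, // Login attempt from the client; carries u.md5sum, handled by the server only.` The typedef enum starts and ends outside this hunk.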
@@ -437,7 +436,6 @@ void D_RegisterServerCommands(void) // Remote Administration COM_AddCommand("password", Command_Changepassword_f); - RegisterNetXCmd(XD_LOGIN, Got_Login); COM_AddCommand("login", Command_Login_f); // useful in dedicated to kick off remote admin COM_AddCommand("promote", Command_Verify_f); RegisterNetXCmd(XD_VERIFIED, Got_Verification); @@ -2652,35 +2650,7 @@ static void Got_Teamchange(UINT8 **cp, INT32 playernum) // Attempts to make password system a little sane without // rewriting the entire goddamn XD_file system // -#include "md5.h" -static void D_MD5PasswordPass(const UINT8 *buffer, size_t len, const char *salt, void *dest) -{ -#ifdef NOMD5 - (void)buffer; - (void)len; - (void)salt; - memset(dest, 0, 16); -#else - XBOXSTATIC char tmpbuf[256]; - const size_t sl = strlen(salt); - - if (len > 256-sl) - len = 256-sl; - memcpy(tmpbuf, buffer, len); - memmove(&tmpbuf[len], salt, sl); - //strcpy(&tmpbuf[len], salt); - len += strlen(salt); - if (len < 256) - memset(&tmpbuf[len],0,256-len); - - // Yes, we intentionally md5 the ENTIRE buffer regardless of size... - md5_buffer(tmpbuf, 256, dest); -#endif -} - #define BASESALT "basepasswordstorage" -static UINT8 adminpassmd5[16]; -static boolean adminpasswordset = false; void D_SetPassword(const char *pw) { @@ -2718,7 +2688,6 @@ static void Command_Login_f(void) // If we have no MD5 support then completely disable XD_LOGIN responses for security. CONS_Alert(CONS_NOTICE, "Remote administration commands are not supported in this build.\n"); #else - XBOXSTATIC UINT8 finalmd5[16]; const char *pw; if (!netgame) 
@@ -2738,47 +2707,15 @@ static void Command_Login_f(void) pw = COM_Argv(1); // Do the base pass to get what the server has (or should?) - D_MD5PasswordPass((const UINT8 *)pw, strlen(pw), BASESALT, &finalmd5); + D_MD5PasswordPass((const UINT8 *)pw, strlen(pw), BASESALT, &netbuffer->u.md5sum); // Do the final pass to get the comparison the server will come up with - D_MD5PasswordPass(finalmd5, 16, va("PNUM%02d", consoleplayer), &finalmd5); + D_MD5PasswordPass(netbuffer->u.md5sum, MD5_LEN, va("PNUM%02d", consoleplayer), &netbuffer->u.md5sum); CONS_Printf(M_GetText("Sending login... (Notice only given if password is correct.)\n")); - SendNetXCmd(XD_LOGIN, finalmd5, 16); -#endif -} - -static void Got_Login(UINT8 **cp, INT32 playernum) -{ -#ifdef NOMD5 - // If we have no MD5 support then completely disable XD_LOGIN responses for security. - (void)cp; - (void)playernum; -#else - UINT8 sentmd5[16], finalmd5[16]; - - READMEM(*cp, sentmd5, 16); - - if (client) - return; - - if (!adminpasswordset) - { - CONS_Printf(M_GetText("Password from %s failed (no password set).\n"), player_names[playernum]); - return; - } - - // Do the final pass to compare with the sent md5 - D_MD5PasswordPass(adminpassmd5, 16, va("PNUM%02d", playernum), &finalmd5); - - if (!memcmp(sentmd5, finalmd5, 16)) - { - CONS_Printf(M_GetText("%s passed authentication.\n"), player_names[playernum]); - COM_BufInsertText(va("promote %d\n", playernum)); // do this immediately - } - else - CONS_Printf(M_GetText("Password from %s failed.\n"), player_names[playernum]); + netbuffer->packettype = PT_LOGIN; + HSendPacket(servernode, true, 0, MD5_LEN); #endif } diff --git a/src/d_netcmd.h b/src/d_netcmd.h index b82065c821..2446933567 100644 --- a/src/d_netcmd.h +++ b/src/d_netcmd.h 
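Review bot: The second `D_MD5PasswordPass(netbuffer->u.md5sum, MD5_LEN, va("PNUM%02d", consoleplayer), &netbuffer->u.md5sum)` reads and writes the same bytes, which is only correct because D_MD5PasswordPass copies `buffer` into its local `tmpbuf` before `md5_buffer` fills `dest`; that is a property of another file, so either note it here, `// in-place is safe: D_MD5PasswordPass consumes the input before writing dest`, or keep a local intermediate as the removed code did. The return value of `HSendPacket(servernode, true, 0, MD5_LEN)` is dropped; if it reports failure (I recall it returns a boolean in this codebase, confirm), the preceding "Sending login..." message is wrong and the user gets no indication. The login is assembled directly in the shared `netbuffer`, so the packettype and payload must be written together and nothing between the two hash passes may touch it; that holds here but is fragile. Command_Login_f starts outside this hunk.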
@@ -125,8 +125,8 @@ typedef enum XD_ADDPLAYER, // 10 XD_TEAMCHANGE, // 11 XD_CLEARSCORES, // 12 - XD_LOGIN, // 13 - XD_VERIFIED, // 14 + // UNUSED 13 (Because I don't want to change these comments) + XD_VERIFIED = 14,//14 XD_RANDOMSEED, // 15 XD_RUNSOC, // 16 XD_REQADDFILE, // 17 From 19dd9a3c14365956e69e2cf5da9a9c01d6990a1e Mon Sep 17 00:00:00 2001 From: James R Date: Sat, 17 Aug 2019 10:33:14 -0700 Subject: [PATCH 2/4] Kart discrepancies --- src/d_clisrv.c | 10 +++++----- src/d_clisrv.h | 4 ++-- src/d_netcmd.c | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index 64d3ee6da5..f62a4b6f0e 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -117,7 +117,7 @@ static UINT8 resynch_local_inprogress = false; // WE are desynched and getting p static UINT8 player_joining = false; UINT8 hu_resynching = 0; -UINT8 adminpassmd5[MD5_LEN]; +UINT8 adminpassmd5[16]; boolean adminpasswordset = false; // Client specific @@ -3764,7 +3764,7 @@ static void HandlePacketFromPlayer(SINT8 node) XBOXSTATIC INT32 netconsole; XBOXSTATIC tic_t realend, realstart; XBOXSTATIC UINT8 *pak, *txtpak, numtxtpak; - XBOXSTATIC UINT8 finalmd5[MD5_LEN];/* Well, it's the cool thing to do? */ + XBOXSTATIC UINT8 finalmd5[16];/* Well, it's the cool thing to do? */ FILESTAMP txtpak = NULL; @@ -3969,7 +3969,7 @@ FILESTAMP break; #ifndef NOMD5 - if (doomcom->datalength < MD5_LEN)/* ignore partial sends */ + if (doomcom->datalength < 16)/* ignore partial sends */ break; if (!adminpasswordset) 
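Review bot: Leaving slot 13 unregistered (`// UNUSED 13`) means an out-of-date client that still sends XD_LOGIN delivers an extra command with no handler, and whether the NetXCmd dispatcher ignores that, errors out, or desyncs is not visible here; confirm it tolerates an unregistered id from a peer, and record why the gap exists: `// UNUSED 13 (was XD_LOGIN; logins are PT_LOGIN packets now - keep 14+ stable)`. Pinning `XD_VERIFIED = 14` keeps the later ids unchanged, which is the compatible choice; a space after the comma in `14,//14` would match the surrounding `// 15` style. The typedef enum starts and ends outside this hunk.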
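Review bot: Replacing `MD5_LEN` with a bare `16` here and in the commit's other hunks (d_clisrv.c @@ -3764, @@ -3969 and @@ -3979, d_clisrv.h @@ -401 and @@ -534, d_netcmd.c @@ -2710) leaves nine literals — the array sizes, the `datalength` check, the hash length, the `memcmp` length and the `HSendPacket` length — that must silently agree for the login path to work. If the Kart tree's md5.h has no MD5_LEN, which the commit message does not say and is only inferred, one constant next to the declaration in d_clisrv.h, `#define ADMINPASS_MD5_LEN 16`, keeps them tied together. The declarations here are at file scope, so no function is cut by the hunk.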
@@ -3979,9 +3979,9 @@ FILESTAMP } // Do the final pass to compare with the sent md5 - D_MD5PasswordPass(adminpassmd5, MD5_LEN, va("PNUM%02d", netconsole), &finalmd5); + D_MD5PasswordPass(adminpassmd5, 16, va("PNUM%02d", netconsole), &finalmd5); - if (!memcmp(netbuffer->u.md5sum, finalmd5, MD5_LEN)) + if (!memcmp(netbuffer->u.md5sum, finalmd5, 16)) { CONS_Printf(M_GetText("%s passed authentication.\n"), player_names[netconsole]); COM_BufInsertText(va("promote %d\n", netconsole)); // do this immediately diff --git a/src/d_clisrv.h b/src/d_clisrv.h index 96591ed932..c005f3f9a6 100644 --- a/src/d_clisrv.h +++ b/src/d_clisrv.h @@ -401,7 +401,7 @@ typedef struct UINT8 textcmd[MAXTEXTCMD+1]; // 66049 bytes (wut??? 64k??? More like 257 bytes...) filetx_pak filetxpak; // 139 bytes clientconfig_pak clientcfg; // 136 bytes - UINT8 md5sum[MD5_LEN]; + UINT8 md5sum[16]; serverinfo_pak serverinfo; // 1024 bytes serverrefuse_pak serverrefuse; // 65025 bytes (somehow I feel like those values are garbage...) askinfo_pak askinfo; // 61 bytes @@ -534,6 +534,6 @@ void D_MD5PasswordPass(const UINT8 *buffer, size_t len, const char *salt, void * extern UINT8 hu_resynching; -extern UINT8 adminpassmd5[MD5_LEN]; +extern UINT8 adminpassmd5[16]; extern boolean adminpasswordset; #endif diff --git a/src/d_netcmd.c b/src/d_netcmd.c index 1c2d380c10..38004d5ff9 100644 --- a/src/d_netcmd.c +++ b/src/d_netcmd.c 
@@ -2710,12 +2710,12 @@ static void Command_Login_f(void) D_MD5PasswordPass((const UINT8 *)pw, strlen(pw), BASESALT, &netbuffer->u.md5sum); // Do the final pass to get the comparison the server will come up with - D_MD5PasswordPass(netbuffer->u.md5sum, MD5_LEN, va("PNUM%02d", consoleplayer), &netbuffer->u.md5sum); + D_MD5PasswordPass(netbuffer->u.md5sum, 16, va("PNUM%02d", consoleplayer), &netbuffer->u.md5sum); CONS_Printf(M_GetText("Sending login... (Notice only given if password is correct.)\n")); netbuffer->packettype = PT_LOGIN; - HSendPacket(servernode, true, 0, MD5_LEN); + HSendPacket(servernode, true, 0, 16); #endif } From c1ba72ead8af7db7766e9838a1e992d9aff6c44f Mon Sep 17 00:00:00 2001 From: James R Date: Sat, 17 Aug 2019 10:33:33 -0700 Subject: [PATCH 3/4] Remove a printf --- src/d_clisrv.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/d_clisrv.c b/src/d_clisrv.c index f62a4b6f0e..28d327ece2 100644 --- a/src/d_clisrv.c +++ b/src/d_clisrv.c @@ -3964,7 +3964,6 @@ FILESTAMP } break; case PT_LOGIN: - CONS_Printf("I received LOGIN\n"); if (client) break; From 9c1fa867faeeabbd76122a3ec1d59312ff740ffd Mon Sep 17 00:00:00 2001 From: James R Date: Sat, 17 Aug 2019 10:34:19 -0700 Subject: [PATCH 4/4] Include md5.h --- src/d_netcmd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/d_netcmd.c b/src/d_netcmd.c index 38004d5ff9..aadebab804 100644 --- a/src/d_netcmd.c +++ b/src/d_netcmd.c @@ -46,6 +46,7 @@ #include "lua_hook.h" #include "m_cond.h" #include "m_anigif.h" +#include "md5.h" #ifdef NETGAME_DEVMODE #define CV_RESTRICT CV_NETVAR