Response to messages about server crash exploit

I have been getting multiple private messages about players crashing servers by feeding invalid string tokens in to the local / faction / admin chat: this is not a bug caused by anything in PW, just a result of the M&B module system string composition functionality not being coded robustly, to handle errors gracefully when fed invalid strings rather than crashing the whole game engine. Since the module system has no operations for recognising characters or processing strings (except for str_is_empty, which is no use) there is no way to prevent the crash other than entirely removing local, faction, and admin chat from the mod.

As I have said in the past when people asked about it, there doesn't seem much chance of TaleWorlds fixing the bug, since Warband Native multiplayer is not affected (text strings from non admin player input are not sent to the server, for display or logging - the hard coded global and team chat do not use the module system, and exploits affecting them in the past were fixed in the engine code), and the game seems well past maintenance mode, abandoned except when external developers pay for features for "child" games (fair enough).

The best chance of dealing with the problem at the moment is using the WSE or something like it. Since people don't seem to be figuring it out themselves (or at least sharing with everyone), I have updated the "merge_wse" branch in GitHub to WSE v4.2.9 and have done some testing to see what could be done to prevent the crashing: the str_sanitize operation seems made for the purpose, and when added to the client_event_chat_message_* event handler in script_game_receive_network_message, the crashes seemed to stop for me (the sending player still crashes, but who cares). The script changes are very simple - could be one line if you wanted:

https://github.com/vornne/pw_module_system/commit/a03c3b328770fdad35158d1bccc0ceb0467b076a

Or if using the PW git repository for your server script changes, just fetch and merge the merge_wse branch, then build the module, and use the WSE to run your dedicated server.
 
What is a string token which causes the crash for example? They write something or they modify the client side mod and send invalid server events?
I think I never experienced it.
 
Me neither.
Then again, it's probably best for the wider audiences to have that exact message remain unknown.
People who want to know it will find it anyways, but giving it out on a public level could cause a new level of trolls crashing servers around, from what I understand is everything aside Native?
 
This makes me sad, I hope it gets fixed.

EDIT: I've found a character that crashes the client, not sure about the server.
 
Could you stop being a salty prawn for once, Jesse? :smile:

Whether or not Taleworlds will bother fixing this issue in the near future is yet to be seen, hopefully they decide that it is in their ultimate interest to prevent the community from tearing itself apart. Those of you asking for the actual exploit to be shared should probably think twice, it's something that really should be kept under wraps for as long as possible to prevent the devastating fallout (PW's community isn't known for restraint in abusing exploits). This particular issue impacts every module that has any custom chat (NW, PW and its submods, etc).

 
Gishank said:
Could you stop being a salty prawn for once, Jesse? :smile:

Whether or not Taleworlds will bother fixing this issue in the near future is yet to be seen, hopefully they decide that it is in their ultimate interest to prevent the community from tearing itself apart. Those of you asking for the actual exploit to be shared should probably think twice, it's something that really should be kept under wraps for as long as possible to prevent the devastating fallout (PW's community isn't known for restraint in abusing exploits). This particular issue impacts every module that has any custom chat (NW, PW and its submods, etc).

Says you. You deleted my webspace without any warning. I was still a customer of yours. Your reason was the fact that my website "pw-oasis.com" was redirecting to Oasis Hosting's website. You claimed it was a waste of resources and thus removed my webspace.

When asked why it was removed you replied with the excuse "common sense".
Gishanks' hosting does not feature a ToS or acceptable usage policy. Common sense can be left to own interpretation. You could have at least given me a warning which you also didn't do.

You are also selling script features I paid for when Oasis was still up without my permission.
When questioning Dany about this he ended up removing me. Gishank also hasn't responded to this matter.


I have not made this public before as I am currently associated with my own hosting company and didn't want to use this to boost our own popularity with this complaint.
 
I've discussed this matter with you on numerous occasions, Jesse, wherein you've attempted to twist my words to build your own fabrication; therefore, I see absolutely no reason to delve back in to this discussion on a public forum via hijacking this forum thread.



Back to the matter at hand;

Due to the nature of how WSE functions, many people will be unable to implement the work around that Vornne supplied. Until a better solution is devised, or Taleworlds opts to fix the root cause of the issue, I would encourage everyone hosting servers to refer to their "server_log_x_x_x.txt" files after a crash. Whilst crashes can be caused by all manner of things, it is easy to verify if a player has abused the exploit. Look to the last line of the relevant log file (or, if your server automatically restarts, use CTRL + F to find the last instance of "SERVER has joined the game with ID: 0 and has administrator rights.") If the exploit has been utilised by a malicious player to crash the server, the line should be along the lines of "Joe Bloggs: UNRECOGNIZED TOKEN". Hopefully this will allow communities to remove the less savoury players who abuse this vulnerability.
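The log check described in the post above, as an added example that is not part of the original post or of PW: it splits a server log at the quoted start marker and reports each session whose last line is the token error. The leading `HH:MM:SS -` timestamp and every sample line are constructed assumptions, and a hit is only a lead, since crashes have other causes.

```python
import re

# Marker quoted in the post: written each time the dedicated server starts.
START_MARKER = "SERVER has joined the game with ID: 0 and has administrator rights."
TOKEN_TEXT = "UNRECOGNIZED TOKEN"
# Assumption: a line may begin with an "HH:MM:SS - " timestamp; it is optional here.
LINE_RE = re.compile(
    r"^\s*(?:\d{1,2}:\d{2}:\d{2}\s*-\s*)?(?P<player>.+?):\s*"
    + re.escape(TOKEN_TEXT) + r"\s*$"
)

# Constructed sample log: session 1 ends on the token line, session 2 ends
# on an unrelated line, session 3 is still running.
SAMPLE_LOG = """\
 12:00:01 - SERVER has joined the game with ID: 0 and has administrator rights.
 12:00:40 - Joe Bloggs has joined the game with ID: 7
 12:03:12 - Jane Roe: hello
 12:03:15 - Joe Bloggs: UNRECOGNIZED TOKEN
 12:04:02 - SERVER has joined the game with ID: 0 and has administrator rights.
 12:09:30 - Jane Roe has joined the game with ID: 3
 12:30:00 - SERVER has joined the game with ID: 0 and has administrator rights.
 12:31:00 - Jane Roe has joined the game with ID: 3
"""


def split_sessions(lines):
    """Group log lines into one list per server start."""
    sessions, current = [], []
    for line in lines:
        if START_MARKER in line and current:
            sessions.append(current)
            current = []
        current.append(line)
    if current:
        sessions.append(current)
    return sessions


def suspected_crashes(log_text):
    """Return (session_number, player) where a session's final line is the token error."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    hits = []
    for number, session in enumerate(split_sessions(lines), start=1):
        match = LINE_RE.match(session[-1])
        if match:
            hits.append((number, match.group("player").strip()))
    return hits
```

Only the final line of each session is tested, so a session that ends on any other line is not reported.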
 
Ra'Jiska said:
DanyEle said:
And I was actually thinking about releasing the fix publicly for all, once it has been tested thoroughly  :party:

Out of curiosity, what does this do, the main concept.

I'm guessing (though no idea really), that just like there are scripts to detect commands like /help, make it like a command, where as if a player introduces the invalid token, the server will recognize it, so it won't show up, or he gets permabanned (even if the server crashes), or something of the sorts. Again, no idea, just what I'm guessing.
 
I think a permaban would be harsh. What if a player types it by mistake without knowing what it does? It's a pretty simple token... not saying what it is to prevent people from using it.
 
Ramaraunt said:
I think a permaban would be harsh. What if a player types it by mistake without knowing what it does? It's a pretty simple token... not saying what it is to prevent people from using it.

They can apply for an unban then. If it's a known player, admins will understand and will let it pass that -first- time.
 