Page 1 of 3 123 LastLast
Results 1 to 15 of 33
Like Tree8Likes

ATTN: Server owners (are you vulnerable?)

This is a discussion on ATTN: Server owners (are you vulnerable?) within the Private Servers forums, part of the Knight Online (ko4life.com) category; There's an issue going around that would appear to be more common than I'd have thought. It allows players to ...
Page: 1


  1. #1
    Senior Member
    Join Date
    Dec 2009
    Posts
    1,714

    Default ATTN: Server owners (are you vulnerable?)

    There's an issue going around that would appear to be more common than I'd have thought. It allows players to log into any account while only knowing the account name.
    It's exploitable on any server, provided they're vulnerable. Please see my - hopefully detailed enough - post to identify whether you're vulnerable and ensure it gets fixed. One guy abusing it's apparently blackmailing owners with it.

    [Any version] Fix unauthorised access exploit to any account - Releases - Snoxd

    @Players: Another good reason to avoid using the same account name as your character's name.
    Last edited by twostars; 10-03-2013 at 08:53 PM. Reason: well derp, if they already knew the password it's not much of an exploit is it.

  2. #2
    Banned Member
    Join Date
    Sep 2013
    Posts
    91

    Default

    Good share,good advertisment of snoxd as well.

  3. #3
    Banned Senior Member
    Join Date
    Aug 2012
    Posts
    1,097

    Default

    Wonderful job Two!

    @Karlskarone, he put the link there so people who don't browse snoxd know.

  4. #4
    Banned Member
    Join Date
    Sep 2013
    Posts
    91

    Default

    In a week or 2 we will see new topics on random ko forums.. '' Account exploit fix by ~ IamCoolz ''

  5. #5
    Senior Member
    Join Date
    Dec 2009
    Posts
    1,714

    Default

    Quote Originally Posted by Karlskrone View Post
    good advertisment of snoxd as well.
    Yes, because players will definitely want to go visit a dead forum that currently really only focuses on server development. I'm sure the benefit of server owners who don't check it all that often (because as stated, it's pretty much dead) actually seeing and fixing it outweighs the whole "herp derp players be introduced to a dev forum" (and yes, despite the forum's intent, it's otherwise completely dead & dated as a hacking forum. So derp.).

    Troll elsewhere please.
    Rainmaker likes this.

  6. #6
    Banned Member
    Join Date
    Sep 2013
    Posts
    91

    Default

    Quote Originally Posted by twostars View Post
    Yes, because players will definitely want to go visit a dead forum that currently really only focuses on server development. I'm sure the benefit of server owners who don't check it all that often (because as stated, it's pretty much dead) actually seeing and fixing it outweighs the whole "herp derp players be introduced to a dev forum" (and yes, despite the forum's intent, it's otherwise completely dead & dated as a hacking forum. So derp.).

    Troll elsewhere please.
    Snoxd is not dead at all. Its quite frankly more alive than ko4life,and if SNOXD would have smart admins they would triple their activity within a week.. But you could also just copy the texture of snoxd topic and post it here instead of posting a redirect link... But hey,it's alright atleast its something usefull.

  7. #7
    Senior Member
    Join Date
    Dec 2009
    Posts
    1,714

    Default

    Quote Originally Posted by Karlskrone View Post
    But you could also just copy the texture of snoxd topic and post it here instead of posting a redirect link... But hey,it's alright atleast its something usefull.
    No, I couldn't because I kept editing it. It would mean I'd have to keep editing both of them. Not repeating myself is a good idea.

    Also, the post itself links to another Snoxd thread to ensure they're patched up elsewhere.

    Don't take this the wrong way, but kindly fuck off now. This topic doesn't concern you.

  8. #8
    I am Timmeh Senior Member
    Join Date
    Aug 2007
    Posts
    1,152

    Default

    Quote Originally Posted by Karlskrone View Post
    Snoxd is not dead at all. Its quite frankly more alive than ko4life,and if SNOXD would have smart admins they would triple their activity within a week.. But you could also just copy the texture of snoxd topic and post it here instead of posting a redirect link... But hey,it's alright atleast its something usefull.
    Man this guy is the #1 troll in every fucking private server topic lol

  9. #9
    Banned Member
    Join Date
    Sep 2013
    Posts
    91

    Default

    Quote Originally Posted by ilovemyko1 View Post
    Man this guy is the #1 troll in every fucking private server topic lol
    All i know is that you chargebacked 180.00 USD! Without any proper excuses.. Please?


    ---------------
    I got this 'patched' for like ages according to your text on snoxd...LOL but, since exploit like this never occured to me. Im not sure what u are talking about
    Is there any server that is vulnerable? Is there any server that has experience with this?... Or is there anyone at all that find this usefull?
    I know people here giving you a +1,and saying good job twostars... But is this really effective or its just a made up story.. I won't belive it untill i see it. ( The exploit of taking acc infos )

    I don't understand the exploit
    The basis of the exploit is this:
    - User logs in to get to server list
    - User memory edits their account ID in memory to the victim's account ID.

    However one thing we can be sure about it is making seperate database for account data and just name it diffrent like 'account'.. But whats the catch in the procedures it should be obvious? lol #8376490 - Pastie

    its not concering me,so who is it concering?

  10. #10
    I am Timmeh Senior Member
    Join Date
    Aug 2007
    Posts
    1,152

    Default

    Quote Originally Posted by Karlskrone View Post
    All i know is that you chargebacked 180.00 USD! Without any proper excuses.. Please?


    ---------------
    I got this 'patched' for like ages according to your text on snoxd...LOL but, since exploit like this never occured to me. Im not sure what u are talking about
    Is there any server that is vulnerable? Is there any server that has experience with this?... Or is there anyone at all that find this usefull?
    I know people here giving you a +1,and saying good job twostars... But is this really effective or its just a made up story.. I won't belive it untill i see it. ( The exploit of taking acc infos )

    I don't understand the exploit
    The basis of the exploit is this:
    - User logs in to get to server list
    - User memory edits their account ID in memory to the victim's account ID.

    However one thing we can be sure about it is making seperate database for account data and just name it diffrent like 'account'.. But whats the catch in the procedures it should be obvious? lol #8376490 - Pastie

    its not concering me,so who is it concering?
    Oh this must be cyrus lol, Excuse I don't have to have an excuse, I have a reason pvphosting is a bunch of shit giving 2 people the same dedi I mean come on, I had no advertisement on my project what so ever and I had random people from turkey connecting to my server and I had my files being moved everywhere of course I'm going to charge back.

  11. #11
    Senior Member
    Join Date
    Dec 2009
    Posts
    1,714

    Default

    Quote Originally Posted by Karlskrone View Post
    I got this 'patched' for like ages according to your text on snoxd...LOL but, since exploit like this never occured to me. Im not sure what u are talking about
    I didn't say that at all. Thread says that it's similar to another exploit which should already be patched, but be sure that it's patched properly because I found some people thought they were fine by simply using the default proc (which had a similar check, but was inherently broken).

    Little bit confusing, but long story short: different issue, make sure it's actually patched.

    Quote Originally Posted by Karlskrone View Post
    Is there any server that is vulnerable? Is there any server that has experience with this?... Or is there anyone at all that find this usefull?
    I know people here giving you a +1,and saying good job twostars... But is this really effective or its just a made up story.. I won't belive it untill i see it. ( The exploit of taking acc infos )
    Yes. ProfessionalKO was one, the guy mentioned abusing it in OSKO (no way of verifying this is true though), and I recall another server owner having this issue at least a month or so ago.
    Looking back, I recall a lot of servers where this was the case (didn't consider it a huge issue as I wasn't aware of the exploit then, but I did usually remind them that they should probably fix it [the screwed up procs]), so I doubt much has changed since.
    As for whether or not you believe it: why do I care? I really don't. Nickos3 mentioned it was happening, I (somewhat accidentally) figured out the fault. I know other servers suffer from the issue, so I released it. End of story.

    Quote Originally Posted by Karlskrone View Post
    I don't understand the exploit
    The basis of the exploit is this:
    - User logs in to get to server list
    - User memory edits their account ID in memory to the victim's account ID.
    I wasn't trying to release the exploit, I was trying to release the fix. Having said that, if you can't figure out how that works, I feel for you. No wait, I lied.
    Seriously, the point is for people to fix it.

    (also, thanks for pointing out the typo)

    Quote Originally Posted by Karlskrone View Post
    However one thing we can be sure about it is making seperate database for account data and just name it diffrent like 'account'.. But whats the catch in the procedures it should be obvious? lol #8376490 - Pastie

    its not concering me,so who is it concering?
    No idea what you're saying about the databases, but it doesn't really matter what you do. If the procedure doesn't return 0 on error, you're vulnerable, regardless of what the database is named or whether it's split.
    This procedure is fine, which means you're not vulnerable. Congratulations.

  12. #12
    God. Moderator Kallop's Avatar
    Join Date
    Aug 2008
    Location
    Above you.
    Posts
    5,202

    Default

    Quote Originally Posted by twostars View Post
    There's an issue going around that would appear to be more common than I'd have thought. It allows players to log into any account while only knowing the account name.
    It's exploitable on any server, provided they're vulnerable. Please see my - hopefully detailed enough - post to identify whether you're vulnerable and ensure it gets fixed. One guy abusing it's apparently blackmailing owners with it.

    [Any version] Fix unauthorised access exploit to any account - Releases - Snoxd

    @Players: Another good reason to avoid using the same account name as your character's name.


    Funny how the fix was posted now when the exploit is at least 2 years old. I've been a victim once and seen ppl abuse it multiple times. Oh well gj with the fix.

  13. #13
    Senior Member
    Join Date
    Dec 2009
    Posts
    1,714

    Default

    Quote Originally Posted by Kallop View Post
    Funny how the fix was posted now when the exploit is at least 2 years old. I've been a victim once and seen ppl abuse it multiple times. Oh well gj with the fix.
    Actually, it might be a slightly different issue (very similar though) to the one you're referring to. The one I think you're referring to is actually linked from that thread, but I posted a couple of years ago now (05 May 2011 - 02:00 AM), which tracks with your statement.

    Having said that, it's really the first time I've seen this abused mainly because all my servers have the procs behaving correctly to begin with. Nobody's really ever brought it up otherwise... or I'd have looked into it. Better late than never? :/

  14. #14
    Banned Member
    Join Date
    Sep 2013
    Posts
    91

    Default

    Well yeah it's definetly helpfull for some admins like nickos.. infact i know it happend to pryzdet one of the donators on nickos server... But the question is ' why didn't he have this 'patched' before?..
    Definetly some people that are new to development will found this usefull,but if they will even know how to settle things up..

    And yeah the exploit doesn't work like some cheap mykohack lol.. Only certain few people can perform that,and most of those people doesn't aim the low servers,so the low servers are save even if they dont have patched this...( I still don't know how to perform the exploit tho ) but im looking in it to make it work and see how it can happen

  15. #15
    I am Timmeh Senior Member
    Join Date
    Aug 2007
    Posts
    1,152

    Default

    Quote Originally Posted by Karlskrone View Post
    Well yeah it's definetly helpfull for some admins like nickos.. infact i know it happend to pryzdet one of the donators on nickos server... But the question is ' why didn't he have this 'patched' before?..
    Definetly some people that are new to development will found this usefull,but if they will even know how to settle things up..

    And yeah the exploit doesn't work like some cheap mykohack lol.. Only certain few people can perform that,and most of those people doesn't aim the low servers,so the low servers are save even if they dont have patched this...( I still don't know how to perform the exploit tho ) but im looking in it to make it work and see how it can happen
    Too bad you know nothing about deving, you just pay acme people to do shit for you, Yeah I will admit I don't either, but I don't act like I do.

Page 1 of 3 123 LastLast

Similar Threads

  1. ARE YOU BORED AT SERVERS GOING DOWN
    By Flux in forum Media
    Replies: 148
    Last Post: 06-13-2008, 02:19 PM
  2. Replies: 5
    Last Post: 10-31-2007, 07:03 PM
  3. Replies: 5
    Last Post: 11-03-2006, 08:44 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •