ATTN: Server owners (are you vulnerable?)

**twostars** · 10-03-2013, 08:45 PM

There's an issue going around that would appear to be more common than I'd have thought. It allows players to log into any account while only knowing the account name.
It's exploitable on any server, provided they're vulnerable. Please see my - hopefully detailed enough - post to identify whether you're vulnerable and ensure it gets fixed. One guy abusing it's apparently blackmailing owners with it.

[Any version] Fix unauthorised access exploit to any account - Releases - Snoxd

@Players: Another good reason to avoid using the same account name as your character's name.

**Karlskrone** · 10-03-2013, 10:28 PM

Good share,good advertisment of snoxd as well.

**ReesesPieces** · 10-03-2013, 10:29 PM

Wonderful job Two!

@Karlskarone, he put the link there so people who don't browse snoxd know.

**Karlskrone** · 10-03-2013, 10:31 PM

In a week or 2 we will see new topics on random ko forums.. '' Account exploit fix by ~ IamCoolz ''

**twostars** · 10-03-2013, 10:33 PM

Originally Posted by Karlskrone

good advertisment of snoxd as well.

Yes, because players will definitely want to go visit a dead forum that currently really only focuses on server development. I'm sure the benefit of server owners who don't check it all that often (because as stated, it's pretty much dead) actually seeing and fixing it outweighs the whole "herp derp players be introduced to a dev forum" (and yes, despite the forum's intent, it's otherwise completely dead & dated as a hacking forum. So derp.).

Troll elsewhere please.

**Karlskrone** · 10-03-2013, 10:35 PM

Originally Posted by twostars

Yes, because players will definitely want to go visit a dead forum that currently really only focuses on server development. I'm sure the benefit of server owners who don't check it all that often (because as stated, it's pretty much dead) actually seeing and fixing it outweighs the whole "herp derp players be introduced to a dev forum" (and yes, despite the forum's intent, it's otherwise completely dead & dated as a hacking forum. So derp.).

Troll elsewhere please.

Snoxd is not dead at all. Its quite frankly more alive than ko4life,and if SNOXD would have smart admins they would triple their activity within a week.. But you could also just copy the texture of snoxd topic and post it here instead of posting a redirect link... But hey,it's alright atleast its something usefull.

**twostars** · 10-03-2013, 10:42 PM

Originally Posted by Karlskrone

But you could also just copy the texture of snoxd topic and post it here instead of posting a redirect link... But hey,it's alright atleast its something usefull.

No, I couldn't because I kept editing it. It would mean I'd have to keep editing both of them. Not repeating myself is a good idea.

Also, the post itself links to another Snoxd thread to ensure they're patched up elsewhere.

Don't take this the wrong way, but kindly fuck off now. This topic doesn't concern you.

**ilovemyko1** · 10-03-2013, 10:59 PM

Originally Posted by Karlskrone

Snoxd is not dead at all. Its quite frankly more alive than ko4life,and if SNOXD would have smart admins they would triple their activity within a week.. But you could also just copy the texture of snoxd topic and post it here instead of posting a redirect link... But hey,it's alright atleast its something usefull.

Man this guy is the #1 troll in every fucking private server topic lol

**Karlskrone** · 10-03-2013, 11:13 PM

Originally Posted by ilovemyko1

Man this guy is the #1 troll in every fucking private server topic lol

All i know is that you chargebacked 180.00 USD! Without any proper excuses.. Please?

---------------
I got this 'patched' for like ages according to your text on snoxd...LOL but, since exploit like this never occured to me. Im not sure what u are talking about
Is there any server that is vulnerable? Is there any server that has experience with this?... Or is there anyone at all that find this usefull?
I know people here giving you a +1,and saying good job twostars... But is this really effective or its just a made up story.. I won't belive it untill i see it. ( The exploit of taking acc infos )

I don't understand the exploit
The basis of the exploit is this:
- User logs in to get to server list
- User memory edits their account ID in memory to the victim's account ID.
However one thing we can be sure about it is making seperate database for account data and just name it diffrent like 'account'.. But whats the catch in the procedures it should be obvious? lol #8376490 - Pastie

its not concering me,so who is it concering?

**ilovemyko1** · 10-03-2013, 11:19 PM

Originally Posted by Karlskrone

All i know is that you chargebacked 180.00 USD! Without any proper excuses.. Please?

---------------
I got this 'patched' for like ages according to your text on snoxd...LOL but, since exploit like this never occured to me. Im not sure what u are talking about
Is there any server that is vulnerable? Is there any server that has experience with this?... Or is there anyone at all that find this usefull?
I know people here giving you a +1,and saying good job twostars... But is this really effective or its just a made up story.. I won't belive it untill i see it. ( The exploit of taking acc infos )

I don't understand the exploit
The basis of the exploit is this:
- User logs in to get to server list
- User memory edits their account ID in memory to the victim's account ID.
However one thing we can be sure about it is making seperate database for account data and just name it diffrent like 'account'.. But whats the catch in the procedures it should be obvious? lol #8376490 - Pastie

its not concering me,so who is it concering?

Oh this must be cyrus lol, Excuse I don't have to have an excuse, I have a reason pvphosting is a bunch of shit giving 2 people the same dedi I mean come on, I had no advertisement on my project what so ever and I had random people from turkey connecting to my server and I had my files being moved everywhere of course I'm going to charge back.

**twostars** · 10-03-2013, 11:44 PM

Originally Posted by Karlskrone

I got this 'patched' for like ages according to your text on snoxd...LOL but, since exploit like this never occured to me. Im not sure what u are talking about

I didn't say that at all. Thread says that it's similar to another exploit which should already be patched, but be sure that it's patched properly because I found some people thought they were fine by simply using the default proc (which had a similar check, but was inherently broken).

Little bit confusing, but long story short: different issue, make sure it's actually patched.

Originally Posted by Karlskrone

Is there any server that is vulnerable? Is there any server that has experience with this?... Or is there anyone at all that find this usefull?
I know people here giving you a +1,and saying good job twostars... But is this really effective or its just a made up story.. I won't belive it untill i see it. ( The exploit of taking acc infos )

Yes. ProfessionalKO was one, the guy mentioned abusing it in OSKO (no way of verifying this is true though), and I recall another server owner having this issue at least a month or so ago.
Looking back, I recall a lot of servers where this was the case (didn't consider it a huge issue as I wasn't aware of the exploit then, but I did usually remind them that they should probably fix it [the screwed up procs]), so I doubt much has changed since.
As for whether or not you believe it: why do I care? I really don't. Nickos3 mentioned it was happening, I (somewhat accidentally) figured out the fault. I know other servers suffer from the issue, so I released it. End of story.

Originally Posted by Karlskrone

I don't understand the exploit
The basis of the exploit is this:
- User logs in to get to server list
- User memory edits their account ID in memory to the victim's account ID.

I wasn't trying to release the exploit, I was trying to release the fix. Having said that, if you can't figure out how that works, I feel for you. No wait, I lied.
Seriously, the point is for people to fix it.

(also, thanks for pointing out the typo)

Originally Posted by Karlskrone

However one thing we can be sure about it is making seperate database for account data and just name it diffrent like 'account'.. But whats the catch in the procedures it should be obvious? lol #8376490 - Pastie

its not concering me,so who is it concering?

No idea what you're saying about the databases, but it doesn't really matter what you do. If the procedure doesn't return 0 on error, you're vulnerable, regardless of what the database is named or whether it's split.
This procedure is fine, which means you're not vulnerable. Congratulations.

**Kallop** · 10-04-2013, 04:02 AM

Originally Posted by twostars

There's an issue going around that would appear to be more common than I'd have thought. It allows players to log into any account while only knowing the account name.
It's exploitable on any server, provided they're vulnerable. Please see my - hopefully detailed enough - post to identify whether you're vulnerable and ensure it gets fixed. One guy abusing it's apparently blackmailing owners with it.

[Any version] Fix unauthorised access exploit to any account - Releases - Snoxd

@Players: Another good reason to avoid using the same account name as your character's name.

Funny how the fix was posted now when the exploit is at least 2 years old. I've been a victim once and seen ppl abuse it multiple times. Oh well gj with the fix.

**twostars** · 10-04-2013, 04:30 AM

Originally Posted by Kallop

Funny how the fix was posted now when the exploit is at least 2 years old. I've been a victim once and seen ppl abuse it multiple times. Oh well gj with the fix.

Actually, it might be a slightly different issue (very similar though) to the one you're referring to. The one I think you're referring to is actually linked from that thread, but I posted a couple of years ago now (05 May 2011 - 02:00 AM), which tracks with your statement.

Having said that, it's really the first time I've seen this abused mainly because all my servers have the procs behaving correctly to begin with. Nobody's really ever brought it up otherwise... or I'd have looked into it. Better late than never? :/

**Karlskrone** · 10-04-2013, 04:38 AM

Well yeah it's definetly helpfull for some admins like nickos.. infact i know it happend to pryzdet one of the donators on nickos server... But the question is ' why didn't he have this 'patched' before?..
Definetly some people that are new to development will found this usefull,but if they will even know how to settle things up..

And yeah the exploit doesn't work like some cheap mykohack lol.. Only certain few people can perform that,and most of those people doesn't aim the low servers,so the low servers are save even if they dont have patched this...( I still don't know how to perform the exploit tho ) but im looking in it to make it work and see how it can happen

**ilovemyko1** · 10-04-2013, 04:42 AM

Originally Posted by Karlskrone

Well yeah it's definetly helpfull for some admins like nickos.. infact i know it happend to pryzdet one of the donators on nickos server... But the question is ' why didn't he have this 'patched' before?..
Definetly some people that are new to development will found this usefull,but if they will even know how to settle things up..

And yeah the exploit doesn't work like some cheap mykohack lol.. Only certain few people can perform that,and most of those people doesn't aim the low servers,so the low servers are save even if they dont have patched this...( I still don't know how to perform the exploit tho ) but im looking in it to make it work and see how it can happen

Too bad you know nothing about deving, you just pay acme people to do shit for you, Yeah I will admit I don't either, but I don't act like I do.