
BaseJKA Security Fix

Posted: Mon Mar 26, 2007 3:08 pm
by Gamall

-> Download:

Note: Update to version 1.1a available -> here.
Adds fix for forcestring crash.
-> See on Filefront

Code:

**                  JEDI KNIGHT: Jedi Academy                  **
  #           TITLE : BaseJKA Security Fix + SOURCE           #  
  #                       VERSION : 1.1                       #  
  #               AUTHOR : Gamall Wednesday Ida               #  
  #               E-MAIL :               #  
  #              WEBSITE :              #  
  #                                                           #  
  #       FILENAME Windows : basejka_Gamalls_fix_11.pk3       #  
  #             FILENAME Linux :              #  
  #                     FILESIZE : ~ 4 Mo                     #  
  #               DATE RELEASED : October 2007                #  
+   INSTALLATION INSTRUCTIONS:                                   
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
 Just  put  the  relevant  file  in  your  server's base folder. 
+   DESCRIPTION                                                  
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
 (version  1.0e,  see  below  for  changelog   to   final   1.1) 
 This  patch (technically it is a mod, so do not expect it to be 
 compatible with JA+ or anything else) corrects the three Denial 
 of Service vulnerabilities I am aware of affecting basejka, and 
 makes the logs more useful to  an  experienced  admin,  without 
 attempting  to alter the gameplay or admin etc in any way. Some 
 random fixes and features were also added  at  the  request  of 
 IMPORTANT:  My  patch only affects the component "jampgame". In 
 order to completely protect a  server,  you  must  also  use  a 
 patched  "jampded". Here is one link to ready to use jampdeds : 
 Note that it seems that Windows servers are still vulnerable to 
 targeted attacks on jampded. I won't say more since this is out 
 of the scope of this mod.                                       
+   CHANGELOG v1.0e -> v1.1                                      
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
 > The help page is now automatically displayed only on the very 
 first connection,  as  opposed  to  connections  when  you  are 
 carried over from a previous map, or at the end of a duel turn. 
 >  Names  such as "**Spamzor" are automatically converted to "* 
 Spamzor", so a display bug, causing  chat  lines  from  such  a 
 player  to  be  displayed  in  both the chat box and the server 
 broadcast line, cannot be exploited anymore.                    
 > Fixed a false positive in my bot detection scheme: bots  were 
 detected  as  a  fake player attack ; although this had no real 
 consequence,  it  was  a  source  of  confusion  in  the  logs. 
 >  Logs  now  differentiate connections from bots and from real 
 > Messages from the dedicated server have  been  made  slightly 
 more  visible:  the  tag  is now [SERVER], with colors. I would 
 have liked to do the same with the /svsay command, but it can't 
 be altered, as  it  is  hard  coded  into  jampded  instead  of 
 jampgame. Go figure...                                          
 >  The IP is now logged each time somebody changes their names. 
 > Added the /(t)ime client command, displaying the  local  time 
 of the server:                                                  
       	# Server time:
       	Sun Sep 09 13:37:03 2007
 >  Added  cvar ga_doNotAllowDualKataSpin, default 0, preventing 
 anyone in a dual kata from spinning like  a  madman.  (slightly 
 buggy,  as  the  screen seems to vibrate when moving the mouse, 
 but it works.)                                                  
 > Added cvar ga_nameLengthLimit: names will be truncated not to 
 exceed that length. Note that color escape sequences,  such  as 
 ^1, are not counted.                                            
 >  Some ga_* cvars are now marked as serverinfo (external tools 
 can read them).                                                 
 > Added the /info client command and ga_serverInfo cvar.  /info 
 displays the contents of the cvar. Admins can put rules, etc in 
 there, and any player can read it anytime.                      
 >  Anti  model/color change spam/lag: any player can now freely 
 change their info only 50 times per map (unless they  reconnect 
 of  course).  After  that,  they  need  to  wait for three full 
 seconds between each change. This should not inconvenience  any 
 legitimate player, and protects everyone on the server from the 
 lag which can be created by fast and furious sustained userinfo 
 >  Added  another  log  file,  ga_ConnectLog.txt, listing every 
 connection and full userinfo, and nothing but  that,  which  is 
 now created by the server: for instance                         
       	[Sun Sep 16 20:23:02 2007] [========================== SERVER START ==========================]
       	[Sun Sep 16 20:23:11 2007] Connect :: name(num) = [^5G^7amall ^5W^7ednesday ^5I^7da]( 2) :: ip = [] :: userinfo = [COMPLETE USERINFO STRING LOGGED HERE]
 > The logs now use real time:                                   
       	[Sun Sep 16 20:24:03 2007]  Kill: 2 1 3: ^5G^7amall ^5W^7ednesday ^5I^7da killed Desann by MOD_SABER
       	[Sun Sep 16 20:24:07 2007]  say: (1)Desann: Impressive, most impressive... but you are not a Jedi yet!
       	[Sun Sep 16 20:24:11 2007]  Kill: 2 4 3: ^5G^7amall ^5W^7ednesday ^5I^7da killed Imperial Saboteur by MOD_SABER
+   SUMMARY OF THE CHANGES in v1.0e:                             
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
   -   Client disconnect buffer overflow: fixed                  
   -   trap_SendServerCommand().                                 
   -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o          -
    The  possibility to cause a DoS disconnecting all clients by 
    sending overlong strings  to  the  server  has  been  fixed. 
    Incorrect commands are just ignored.                         
   -   Ingame buffer overflow (say/tell): fixed Cmd_Say_f()      
   -   and Cmd_Tell_f().                                         
   -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o          -
    The  possibility to crash the server by using say or tell to 
    pass overlong  strings  to  the  server  has  been  removed. 
    Incorrect  calls  are  truncated  to  a decent length (150). 
   -   Fake Players Attack: heavily secured, customisable        
   -   ClientConnect().                                          
   -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o          -
    The possibility to lag and even crash the server by  sending 
    a  great  number  of  fake  connection requests using a third 
    party program such as q3fill has been removed. See below for 
    more information.                                            
   -   Improvement of the log file/server messages.              
   -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o          -
    Each time a client connects, the complete userinfo string is 
    logged, even if the connection is denied. This includes  the 
    IP,   port,  qport,  name  of  the  client  and  much  more. 
    If the connection is denied, a  message  explaining  why  is 
    displayed by the server, and relevant information is written 
    down  in the log file. Since those messages could be used to 
    spam the screen in case of a fake players attack, and in the 
    case you just  don't  want  to  know  about  that,  you  can 
    deactivate  the  public messages : just set those cvars to 0 
    (default = 1):                                               
       	ga_showBadPassClient | 0 or 1 : 
       	   -> display a message when a client connects with a bad password.
       	ga_showBannedClient  | 0 or 1 : 
       	   -> display a message when a banned client connects.
    The "Infostring length exceeded" console error  message  has 
    been  made  a tad more explicit. I noticed a bug which would 
    cause it to be sent each frame. It is hard to debug  if  you 
    don't know what caused it ;)                                 
    Each time a user changes name, it is written down in the log 
    When   a   client   disconnects,   their   name  is  logged. 
    Each time a client says/tells something, their client number 
    is logged along with their name.                             
   -   Random unimportant fixes/improvements.                    
   -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o          -
    The annoying timelimit when changing name  has  been  dulled 
    down from five seconds to 0.7 second.                        
    The  ^0 (black) colour now works properly. If you don't want 
    to see black in names, you can deactivate  this  by  setting 
    the following cvar to 0:                                     
         | 0 or 1 (default = 1)
    When a player's name is incorrect, it is set to "Padawan" in 
    basejka,  which  is  annoying,  since  you  end up with many 
    "Padawan"s. You can now decide what it will be, and  if  you 
    so  choose,  you can add the player's client number to their 
    name by typing "%i" in the name.                             
         | (default = "^4P^7adawan ^5(^7%i^5)")
    For instance, with the default setting, the client 9 will be 
    renamed to "Padawan  (9)".  Note  that  I  put  many  spaces 
    between  the  name and number: normal players can't use more 
    than three spaces in a  row,  so  nobody  will  be  able  to 
    imitate  the  default  name with the number of someone else, 
    and trick you  in  kicking  that  other  player  instead  of 
    If  you  don't  like  that,  you  can just change it back to 
    Insignificant names, such as "Padawan", can be black-listed, 
    which will result in them  being  replaced  by  the  default 
         | default =  "Padawan;otherunacceptablename"
    Note  that  the  black  list  is  case insensitive, and that 
    spaces, underscores and dashes are ignored. So  do  not  put 
    any "_" etc in ga_nameBlackList.                             
    Admins  can  now  close  the server and display a message to 
    connecting clients explaining  why  the  server  is  closed, 
    instead of putting a password.                               
         | 0 or 1 or 2
         | default = "^1The server is closed at the moment\n^2Please come back later"
    As you have undoubtedly noticed, you can use colors and line 
    breaks  in  the  message.  Try  and  keep  it  short though. 
    If ga_closeServer is set to 0, the server  is  open  (normal 
    behaviour).  If  set to 1, the server is closed, and you are 
    notified each time somebody connects to the server.  If  set 
    to  2,  the  server  is closed, and you won't be notified of 
    connecting clients.                                          
    Every client can use the /list (or /l) function,  displaying 
    information  on  the  connected  clients, which is useful in 
    order to know who is who. (the  server  status  function  is 
    useless  as  it  doesn't  always  yield  the  correct client 
    There is also the /help (/h)  command,  displaying  a  small 
    help text.                                                   
+   PROTECTION AGAINST THE FAKE PLAYERS :                        
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
 There are three different protections against the q3fill attack 
 :  When  a  client connects, three protection layers activate : 
   -   Clever Fake Detection                                     
   -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o          -
    The connection string is checked for a value specific to JKA 
    players, of which the bots are devoid by default. If no such 
    value is found, then the connection is denied,  and  the  IP 
    can be automatically added to the banlist.                   
    This   aspect   is  controlled  by  the  following  cvars  : 
       	ga_cleverFakeDetection | default = "model"
       	ga_cleverfakeAutoBan   | default = "1"
    This first protection alone will get rid of 99.99 %  of  all 
    If  the  attacker knows what he is doing, he can easily fool 
    that by altering the attack. Most script-kiddies do not have 
    that kind of know-how though.                                
    You    can    deactivate    this    feature    by    setting 
    ga_cleverFakeDetection "none".                               
   -   Hard-Coded Fake Detection                                 
   -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o          -
    Check  for a value specific to bots, that does not appear in 
    legitimate players. This is a viewpoint  completely  opposed 
    to  the  first  layer,  but  works  exactly  the  same  way. 
       	ga_hardFakeDetection | default = "cl_guid"
       	ga_hardFakeAutoBan   | default = "1"
    To fool this  layer  is  tricky,  as  the  target  value  is 
    hard-coded  into  q3fill.  The  attacker would need to alter 
    q3fill's source code in an appropriate way without  breaking 
    anything  and  recompile it... definitely not something your 
    average dumb server crasher can do :D                        
    You    can    deactivate    this    feature    by    setting 
    ga_hardFakeDetection "none".                                 
   -   Connect Flood Detection                                   
   -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o          -
    If  the  two  first  layers  fail (or are deactivated), then 
    there is no way to tell a genuine player and a bot apart. So 
    we must detect them by the speed at which they connect  from 
    the same IP.                                                 
       	  | default = "5"
       	  | default = "30"
       	  | default = "1"
       	  | default = "1"
    With  the  default  settings,  the connection of more than 5 
    players from the same ip in less than  30  seconds  will  be 
    deemed  a fake players attack. As usual, the connection will 
    be denied, and the  IP  can  be  banned,  depending  on  the 
    admin's  choice.  The  bots that got in can also be  kicked  
    Setting ga_sameIpNumber to  0  will  deactivate  this  third 
    NOTE: Be very careful when playing with ga_hardFakeDetection 
    and  ga_cleverFakeDetection.  Putting incorrect values there 
    may prevent ANY player from entering the  game,  or  in  the 
    best  case  scenario  render  the  protection  useless.  The 
    default values are good. Don't alter them  unless  you  know 
    what you are doing.                                          
+   TECHNICALITIES:                                              
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
 This  patch  has  been  compiled  with the following compilers: 
   -   On Windows:                                               
   -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o          -
    Visual C++ 2005 (8);                                         
    It is the same compiler Raven Software used to  compile  the 
    original jampgame (albeit they used version 7), and the very 
    same  compilation  parameters.  So there is NO reason at all 
    that the  damages/blocks  should  be  altered  in  any  way. 
   -   On Linux:                                                 
   -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~o          -
    GCC   2.96   on  a  Red  Hat  Linux  release  7.2  (Enigma); 
    GCC is a very good compiler, but Raven used ICC, which is  a 
    commercial  product  I  don't  have. So the damages might in 
    theory be slightly altered, although I personally can't tell 
    the difference.                                              
    This would come from  the  way  each  compiler  handles  the 
    computation of float variables.                              
+   SOURCE CODE:                                                 
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
 I  won't  be  working  on that mod anymore, unless a 'real' (as 
 opposed to 'alleged', you know ;)  )  security  exploit  is     
 brought  to  my  attention,  so  I  chose  to  make  it         
 completely open-source, under the GPL. That way anyone can  add 
 or  remove features as they please, or use some of my tricks in 
 their own mod if they want to.                                  
 A copy of the source code has been shipped with  this  package. 
 My  modifications to raven's source code are released under the 
 GNU General Public License (GPL), which  means  (roughly)  that 
 you  are  free  to  use  the code as you please, so long as you 
 release your own work under the GPL.                            
 A copy of the GPL has been shipped with this package. You  must 
 read  and  understand  it if you intend to use the source code. 
 In addition, I would appreciate it if anyone using any part  of 
 my  code  took  the time to post a link to their own project on 
 the fix's thread:                                               
+   CONTACT / SUPPORT                                            
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
 If you need help or have suggestions, comments, insults, praise 
 or in general, anything to say  about  this  program  that  you 
 expect  me  to read and answer to, please post on the program's 
 topic on my website:                                            
+   CREDITS:                                                     
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
 Kudos to Trimbo for his linux-ready version of the vanilla SDK. 
 Warm regards to Luigi Auriemma for his work on JKA and  the  q3 

  | File generated with 'GaTeX',|
  | an ASCII typesetting system |
  | by  Gamall  Wednesday  Ida. |
  Build: Sun Oct 21 12:32:47 2007
  File : f:readme.GaTeX.source
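
The third protection layer (connect flood detection) as an added example in C, not code from Gamall's mod: it keeps a short history of connect times per IP and flags the attempt that makes more than 5 connections from one address within 30 seconds, the readme's defaults. ga_sameIpNumber is the cvar named in the readme; ga_sameIpTime, the type and function names and the table sizes are assumptions.

```c
/* Added example, not code from Gamall's mod: connect flood detection as the
 * readme describes its third layer, with the defaults of 5 connections per
 * 30 seconds from one IP. Only ga_sameIpNumber is named on the page;
 * ga_sameIpTime and the type/function names here are assumptions. */
#include <string.h>

#define MAX_TRACKED_IPS 64     /* distinct IPs remembered */
#define MAX_HISTORY     16     /* recent connect times kept per IP */

typedef struct {
    char ip[16];               /* dotted-quad address of the client */
    int  times[MAX_HISTORY];   /* connect timestamps, seconds, oldest first */
    int  count;
} ipHistory_t;

static ipHistory_t history[MAX_TRACKED_IPS];
static int         historyUsed;

int ga_sameIpNumber = 5;       /* 0 disables the check, as in the readme */
int ga_sameIpTime   = 30;      /* assumed cvar name for the window, seconds */

static ipHistory_t *FindOrAddIp(const char *ip) {
    static int nextEvict;
    int i, slot;
    for (i = 0; i < historyUsed; i++)
        if (strcmp(history[i].ip, ip) == 0) return &history[i];
    if (historyUsed < MAX_TRACKED_IPS) slot = historyUsed++;
    else slot = nextEvict++ % MAX_TRACKED_IPS;   /* table full: recycle round-robin */
    strncpy(history[slot].ip, ip, sizeof history[slot].ip - 1);
    history[slot].ip[sizeof history[slot].ip - 1] = '\0';
    history[slot].count = 0;
    return &history[slot];
}

/* Record a connection attempt from ip at wall-clock second now.
 * Returns 1 when this attempt makes more than ga_sameIpNumber connections
 * from that IP inside ga_sameIpTime seconds (deny it, and ban the IP if the
 * admin chose to); 0 when the attempt is within limits. */
int ConnectFlood_Check(const char *ip, int now) {
    ipHistory_t *h;
    int i, kept;
    if (ga_sameIpNumber <= 0) return 0;
    h = FindOrAddIp(ip);
    /* Forget attempts that fell out of the window, compacting in place. */
    for (i = 0, kept = 0; i < h->count; i++)
        if (now - h->times[i] < ga_sameIpTime) h->times[kept++] = h->times[i];
    h->count = kept;
    if (h->count == MAX_HISTORY) {        /* ring full: drop the oldest */
        memmove(h->times, h->times + 1, (MAX_HISTORY - 1) * sizeof h->times[0]);
        h->count--;
    }
    h->times[h->count++] = now;
    return h->count > ga_sameIpNumber;
}

/* Clear all state, e.g. at map change. */
void ConnectFlood_Reset(void) { historyUsed = 0; }
```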

Posted: Tue Apr 10, 2007 12:12 am
by cybermaniac
admin enhancements.

as per our chat on the email, i had the idea of (much like JA+) to add an "anti multiple padawan" protection.

of course, this would be a 0 or 1 setting in your config, but the gist is this:

imagine a typical server:


one of the padawans is being a twat, he's erm...........lets say laming the scepter.

who do you kick?!

if you have rcon access, you could cross reference padawan with ping vs score and do it that way (tedious, but doable).

however......what happens.......if you don't?

you fumble around in vote, hope it's the right padawan, and pray as you click "vote kick".

to be perfectly honest, many people do not care if they get renamed to padawan (number)

so here is my solution (using same scenario):

PADAWAN (1) (would require 3 spaces as per blankname protection)

this might be a fix you might have to work on a while, mainly because it's got to work when:

a) a person JOINS as a padawan
b) a person RENAMES as a padawan
c) a person renames/joins as blank and is renamed by server.

also, maybe might be useful to have "same name protection", very useful as part of an anti-laming protection "suite".

My server is available for certain types of testing, and is one of the 3 most popular siege servers in JKA base.

Posted: Tue Apr 10, 2007 12:52 am
by Gamall
Working on a names "blacklist" cvar.

Just put meaningless names such as "Padawan" in it, and it will be dealt with as an "empty" name.
cybermaniac wrote:this might be a fix you might have to work on a while, mainly because it's got to work when:

a) a person JOINS as a padawan
b) a person RENAMES as a padawan
c) a person renames/joins as blank and is renamed by server.
Technically, there is a bottleneck in the code, so this is all the same thing ;)
cybermaniac wrote:also, maybe might be useful to have "same name protection", very useful as part of an anti-laming protection "suite".
Knowing who is who is always best. I'll probably implement that as well. (but maybe later)


These features are on the very edge of being "admin" features, rather than security fixes.

However, in my experience clever hooligans use uncertainty with names to get other people kicked (especially admins ;) ), so I shall consider the possibility of having non-significant names a security issue (albeit fairly minor) and incorporate these fixes in version 1.0e.

-> While I was at it, I have also doubled the number of vehicles supported by the server so as to avoid crashes on vehicle maps.

-> I also have much real life work to do, but I think it will be done in about a week.

Posted: Tue Apr 10, 2007 8:46 pm
by Gamall
-> blacklist : done :y

-> added client-side command (everybody on the serv can use it) for listing players ingame (since serverstatus doesn't yield the right client numbers ;) ) cf screen.

Posted: Tue Apr 10, 2007 10:26 pm
by cybermaniac

good work m8

Posted: Tue Apr 10, 2007 10:32 pm
by Gamall
Thanks :)

I've also added some other things. I have yet to test, compile for both win and lux, write the doc etc. So let us say I'll release it next weekend.

PS : What does "m8" mean ?

Posted: Tue Apr 10, 2007 10:34 pm
by cybermaniac
Gamall wrote:Thanks :)

I've also added some other things. I have yet to test, compile for both win and lux, write the doc etc. So let us say I'll release it next weekend.

PS : What does "m8" mean ?
m8 means mate = meight = mate :P

if u want me to test it on my server, i'm all up for it

Posted: Tue Apr 10, 2007 10:43 pm
by Gamall
cybermaniac wrote:if u want me to test it on my server, i'm all up for it
Thanks, but I have my own servers, both under Win and Lux, to beta-test my mods :)

This being said, you'll have the next version from that site long before I submit anything else to jk3 files, so this might be considered "testing" :P

edit: cleaned posts so as to remain on-topic :livre

Posted: Wed Apr 11, 2007 8:49 am
by Gamall
Test linux server set : Dragon's Lair Base

running 1.0e-dev

-> type /h for help
-> /list for the player list. (I'll probably make that more tidy ;) )
-> name blacklist = padawan; other_unacceptable_name (case & space insensitive, so Padawan = "padawan"="P A D a w A N" etc...
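
The name handling described in the readme (the "**" rewrite, ga_nameLengthLimit not counting ^N colour codes) and the blacklist normalisation described in this post, as an added C example that is not code from the mod; function names and the 64-byte buffer size are assumptions.

```c
/* Added example, not code from Gamall's mod: name sanitising as described in
 * the readme and the post above. "**" -> "* ", ga_nameLengthLimit cap that
 * does not count ^N colour escapes, blacklist match ignoring case, spaces,
 * '_' and '-'. Function names and MAX_NAME are assumptions. */
#include <ctype.h>
#include <string.h>

#define MAX_NAME 64
int         ga_nameLengthLimit = 20;   /* visible chars; colour codes are free */
const char *ga_nameBlackList   = "Padawan;otherunacceptablename";

/* Lower-case src into dst, dropping spaces, '_' and '-'; returns dst. */
static char *NormalizeName(char *dst, size_t dstsize, const char *src) {
    size_t n = 0;
    for (; *src && n + 1 < dstsize; src++) {
        if (*src == ' ' || *src == '_' || *src == '-') continue;
        dst[n++] = (char)tolower((unsigned char)*src);
    }
    dst[n] = '\0';
    return dst;
}

/* 1 if name equals any ';'-separated blacklist entry once both are normalised. */
int Name_IsBlacklisted(const char *name) {
    char norm[MAX_NAME], entry[MAX_NAME], raw[MAX_NAME];
    const char *p = ga_nameBlackList;
    NormalizeName(norm, sizeof norm, name);
    while (*p) {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len >= sizeof raw) len = sizeof raw - 1;
        memcpy(raw, p, len); raw[len] = '\0';
        if (strcmp(NormalizeName(entry, sizeof entry, raw), norm) == 0) return 1;
        p = end ? end + 1 : p + len;
    }
    return 0;
}

/* Clean name in place (it never grows): a second '*' in a row becomes ' ' so
 * "**Spamzor" reads "* Spamzor"; visible length is capped at ga_nameLengthLimit
 * while "^N" escapes are copied but not counted. Returns the visible length. */
int Name_Clean(char *name) {
    size_t r = 0, w = 0;
    int visible = 0, prevStar = 0;
    while (name[r]) {
        if (name[r] == '^' && name[r + 1] && name[r + 1] != '^') {
            name[w++] = name[r++];           /* colour escape: keep, free */
            name[w++] = name[r++];
            continue;
        }
        if (visible >= ga_nameLengthLimit) break;
        if (name[r] == '*' && prevStar) {
            name[w++] = ' '; prevStar = 0;
        } else {
            prevStar = (name[r] == '*'); name[w++] = name[r];
        }
        r++; visible++;
    }
    name[w] = '\0';
    return visible;
}

/* Clean a copy of src (static buffer) for callers that must keep src intact. */
const char *CleanedCopy(const char *src) {
    static char buf[MAX_NAME];
    strncpy(buf, src, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    Name_Clean(buf);
    return buf;
}
```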

Posted: Wed Apr 11, 2007 1:58 pm
by Gamall
Better looking users list (it was really ugly ;) )

Posted: Wed Apr 11, 2007 2:45 pm
by Maikoru
Hey! Your thing is not bad at all :)

When are you putting it online?

Posted: Wed Apr 11, 2007 3:34 pm
by Gamall
Gamall wrote:-> I also have much real life work to do, but I think it will be done in about a week.

Otherwise, a not-very-up-to-date version is running on Dragon's Lair.

Posted: Wed Apr 11, 2007 6:15 pm
by Gamall
Bad news. I just wanted to do a quick compile for linux, and I realized the .so has become corrupted under linux. It still works flawlessly under windows, but I've got a biiig Sys_Error: Sys_LoadDll(jampgame) failed dlopen() completely! under linux.

It compiles though. Worst thing is that I've changed nothing essential between now and the last time I did a linux comp....

Since I don't have a clue what causes this strange error, it may take a very long time before I sort things out.

Posted: Wed Apr 11, 2007 6:31 pm
by Gamall
I have a rough idea where the problem is, so I am confident I can overcome this problem quickly.

I don't have time to go any further today though.

Meanwhile, the test server is back to 1.0e, but neither /n nor /l work (that is where the problem lies ;) ). The name blacklist is still functional though...

Posted: Fri Apr 13, 2007 1:41 pm
by Gamall
Found the bug:

Code:

strcpy_s(buff, length, text);
gcc doesn't like that.... 8|

replaced by

Code:

Q_strncpyz(buff, text, length);
And everything works fine.