Page 2 of 5
Posted: Mon Aug 23, 2010 7:50 pm
by CharlieTester
Zruty wrote (Aug 23 2010, 02:40 PM): I AM NOT SURE.
then stfu?
the key for the scramble is some of the version info for the client binary - this limits only developers (or @#$%@#s that can build the code) to be able to, at most, set your cloud input map to something you don't expect. that's the worst that can happen - a custom build is a prerequisite. and you have to match the version info, which is unique to a release - still a PITA, and the worst that could happen is you have to re-config your controls again (arg!)
Posted: Mon Aug 23, 2010 8:07 pm
by TheBored
fuzzylunkin1 wrote (Aug 23 2010, 03:47 PM): It will change soon if you ungrateful $#@!s keep complaining about it.
You're only proving his point
TB
Posted: Mon Aug 23, 2010 8:19 pm
by CharlieTester
TheBored wrote (Aug 23 2010, 03:07 PM): You're only proving his point
TB
same case here
the worst that could happen is you have to re-config your controls again (arg!)
Posted: Mon Aug 23, 2010 8:28 pm
by the.ynik
CharlieTester wrote (Aug 23 2010, 09:50 PM): the key for the scramble is some of the version info for the client binary - this limits only developers (or @#$%@#s that can build the code) to be able to, at most, set your cloud input map to something you don't expect. that's the worst that can happen - a custom build is a prerequisite. and you have to match the version info, which is unique to a release - still a PITA, and the worst that could happen is you have to re-config your controls again (arg!)
Uh, and what prevents me from extracting the version information from the officially released build?
Yeah, some coding experience is required to perform this exploit; your average anarchist won't mess up any input maps. I would consider this pretty harmless if it were not for the fact that the input map loading code was:
- written by Microsoft
- written in 199x
- never was intended to accept data downloaded from the net
- never went through any security review
As far as I can currently tell, anyone with some coding skills can extract the version info from the client binary, scramble someone else's callsign, upload some buffer-overflow-exploiting binary to the cloud, and wait for the victim to press that load button. Mission achieved: full control over the victim's computer.
Sure, given how small the Alleg community is, it's very unlikely that anyone has both the skills and will to pull this off. But it's an unnecessary risk.
Sorry if this stuff is a bit far-fetched, but I'm paranoid when it comes to network security.
Posted: Mon Aug 23, 2010 8:57 pm
by Imago
<pkk|GB> anyway, your system isn't perfect, but it can be made perfect with some help from TE
i acknowledge this and agree with pkk
what more do you want from me?
Posted: Mon Aug 23, 2010 8:57 pm
by Imago
LoadMap is safe from buffer overflow BTW
Posted: Mon Aug 23, 2010 8:58 pm
by Imago
TheBored wrote (Aug 23 2010, 03:07 PM): You're only proving his point
TB
again, here, the worst that can happen is you have to re-configure your keys and controls.
Posted: Mon Aug 23, 2010 9:10 pm
by pkk
This is how the callsign gets decoded before the input map gets uploaded to / downloaded from the storage server.
src/Wintrek/trekinput.cpp
Starting the save process:
// pzName is the player's callsign (see below); the upload runs on its own worker thread
MprThread* threadp = new MprThread(doSaveInputMap, MPR_NORMAL_PRIORITY, (void*)pzName, "Allegiance inputmap post thread");
The save function itself (at least the interesting part):
//Imago #176 7/10 - Similar to doASGS/doDump
static void doSaveInputMap(void* data, MprThread *threadp) {
    // data is the callsign string handed over by the MprThread constructor (pzName)
    ZString * szName = (ZString *)data;
    ZString strName = szName->GetToken();
    // strip a leading non-alphanumeric character (underscore excepted)
    if ((isalnum(strName[0]) == 0) && (strName.Left(1) != "_"))
        strName = strName.RightOf(1);
    // drop a trailing parenthesised suffix
    if (int leftParen = strName.ReverseFind('(',0))
        strName = strName.LeftOf(leftParen-1);
    debugf("****** posting input map for:\n\tBefore: %s\n",(PCC)strName);
    // the scramble key is built from two strings of the client's own version resource
    ZVersionInfo vi; ZString zInfo = (LPCSTR)vi.GetCompanyName(); zInfo += (LPCSTR)vi.GetLegalCopyright();
    // scrambles callsign with company name/legal copyright (see above)
    strName = strName.Scramble(zInfo);
    // +1 leaves room for the terminating NUL that Strcpy writes (the posted version allocated GetLength() only)
    char* p = new char[strName.GetLength() + 1];
    Strcpy(p,(PCC)strName);
    // generates number from scrambled callsign
    strName = UTL::char2hex((const unsigned char*)p, strName.GetLength());
    delete[] p;
    debugf("\tAfter: %s\n",(PCC)strName);
    //sanity check.... can we reach the build server at all?
    MprSocket* socket = new MprSocket();
    socket->openClient("build.alleg.net",80,0);
    int iwrite = socket->_write("GET /\r\n");
    delete socket;
    if (iwrite != 7) return;
    MaClient* client = new MaClient();
    client->setTimeout(10000);
    client->setRetries(1);
    client->setKeepAlive(0);
    int contentLen = 0; char *content;
    // Put inputmap into a archive
    int iSize = Create7z(GetModeler()->GetArtPath() + "/" + INPUTMAP_FILE + ".mdl", GetModeler()->GetArtPath() + "/" +INPUTMAP_FILE + ".7z");
    // uploading starts below (cut, see original code)
pzName is your nickname, shown in the lobby. That variable is already used by tons of other functions within Allegiance.
And yes, ASGS sets that var.
That's the only ASGS information used in ticket #176.
Suggested improvement:
That "decryption" is pretty useless. It would be more secure, if you use a ASGS generated account assigned hash/ID (client can authenticate the same way like lobby verifies clients "authtoken" to get it). So you could use the same inputmap on all your "hiders".
Posted: Mon Aug 23, 2010 9:50 pm
by notjarvis
Frankly, I would like the option to turn this functionality off.
No drama filled reason about personal data or anything,
I have to play from laptop rather than my normal desktop from time to time, and the keymap is pretty different on there.
I hate the idea of having to mess around every time I switch PCs, and never had a real problem with redoing/saving my keymaps manually to be honest, so I would like this functionality off for my own setup.
Edit:
To clarify I'm using a different joystick too, so the button mappings are different on that, and I map other keys different.
Posted: Mon Aug 23, 2010 10:01 pm
by peet
Is the "problem" not a clash of ego's in stead of a "technical" problem?
If it is pure technical, why not post it in a forum were technical people participate (and understand)?
If you post it to get players input, I suspect you might get 1000 different opinions, hence getting nowhere.