-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathvulnerabilities.json
More file actions
169 lines (167 loc) · 14.8 KB
/
Copy pathvulnerabilities.json
File metadata and controls
169 lines (167 loc) · 14.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
{
"Title": "Online Game Vulnerabilities - Full List (IN PROGRESS)",
"Entries":
[
{
"Game": "MapleStory",
"Year Range": [2010, 2017],
"Vulnerabilities":
[
{
"ID": "MS-01",
"Region": "All",
"Categories": ["Currency/Item Generation", "Incorrect Integer Signage", "Major virtual economy manipulation"],
"Name": "Negative Town Donation Exploit (Incorrect integer signage in server code)",
"Year": 2010,
"Severity": "Critical",
"Description": "Involved an in-game 'donation' feature allows players to donate currency (mesos) to towns, allowing a user-provided amount of currency from the player. Modifying the input amount of currency (4-byte signed integer field) in the outbound packet to a negative number caused a subtraction of a negative integer, resulting in an addition operation, thus adding the amount to the player's inventory (ex: 10 - (-20) = 30). The value 0x80000000 could be used to return the maximum possible currency amount (2.147 billion) to the attacker, making this the fastest and most powerful currency-related exploit in the game's history (and was also the first major exploit found by the author).",
"Packet": "[2-byte opcode] [1-byte subcommand] [4-byte meso input amount, ex: 0x01 0x00 0x00 0x00]",
"Modified Packet": "[2-byte opcode] [1-byte subcommand] [4-byte meso input amount, ex: 0xFF 0xFF 0xFF 0xFF]",
"Result": "As the maximum amount of currency per-inventory could be generated with a single crafted outbound packet, the in-game economy had hundreds of billions of mesos added to it at a relatively early stage in the game's history, resulting in significant economic damage and devaluation of any perceived value of the currency.",
"Likely Root Cause": "Local variable in packet handler routine which was used for temporarily storing the client-to-server packet's 'currency amount' field was declared in code incorrectly as a signed integer, causing the compiler to treat user input above `MAX_INT` as a negative number."
},
{
"ID": "MS-02",
"Name": "Negative/Reverse-Purchase Dark Crystal Exploit",
"Region": "All",
"Categories": ["Currency/Item Generation", "Incorrect Integer Signage", "Minor virtual economy manipulation"],
"Year": 2010,
"Description": "Derivative of the 'negative NPC input' concept seen in \"MS-01\", Dark Crystal items could be 'forged' at one NPC and also purchased through a second different NPC, allowing the attacker to forge the item, then purchase a negative amount of them from the second NPC (forced through packet manipulation). Purchasing -1 quantity of the item would subtract 1 item from your inventory while giving you the amount of currency/meso it normally costs to purchase one (essentially performing the literal reverse transaction). Exploit was chained with a minor exploit which allowed a character to teleport to another in the same 'family' without spending 'family points' in order to easily travel to maps where each NPC resided.",
"Result": "Selling the forged crystals for roughly double the cost (a gain of 100,000 mesos per crystal). A 'clientless' or 'headless' bot was then used to run 24/7, with each character earning roughly 2 billion mesos per 24 hours & Remediation",
"Likely Root Cause": "Incorrect integer signage in server-side packet handler code (likely used 'int' rather than 'unsigned int', along with a lack of input validation."
},
{
"ID": "MS-03",
"Name": "Item Enhancement Scroll 'No Boom'",
"Region": "All",
"Categories": ["State Machine Manipulation", "Major virtual economy manipulation"],
"Severity": "Critical",
"Year": 2011,
"Description": "By making use of a specialized map in the 'Happyville' Christmas Event town which allows you to drop inventory items (which cannot be looted by other players and are auto-returned to the player's inventory when leaving), items could be dropped, then the packet sent for using an item enhancement scroll on that dropped item's unique ID. Even if the enhancement scroll fails and destroys the item at a scaling percentage chance, the item will be restored to your inventory after leaving the map, essentially being able to bypass or prevent items from being destroyed even when the item enhancement scroll fails (which normally destroys the item completely at a high chance). The exploit could also be done by placing an item inside a trade slot window and then sending a packet to use an enhancement scroll on the item, and if the item was destroyed by the scroll, it would be re-obtained when closing the trade window.",
"Result": "Equipment items were made en-masse with 200+ successful enhancements applied (which would have a chance of <0.0000000001% of occuring without the exploit), making them the most powerful and 'broken' items in the game's history. The items were later duped using other methods and sold on RMT markets, and in some regions of the game (such as Europe) given away for free, leading to database rollbacks and scripted deletions of all the items over time. Proved to be a particuarily damaging vulnerability, taking over a year to successfully delete all of the mass-enhanced items, as people found ways to 'hide' them from auto-detection or database queries by finding further ways to manipulate the item's states.",
"Likely Root Cause & Remediation": "Faulty/bad logic behind item states, allowing items to be in 'intermediate' states, such that if the item gets destroyed by the enhancement scroll failing, the faulty state allows the attacker to 'restore' the item under special circumstances. Checks were likely added to see if an item was inside a trade or dropped inside the Happyville map, although the exact root cause and fix remains unknown."
},
{
"ID": "MS-04",
"Name": "Item Duplication via Channel Crash (Von Leon Quest)",
"Year": 2011,
"Severity": "High",
"Categories": ["Inventory State Rollback", "Currency/Item Generation", "Major virtual economy manipulation"],
"Description": "Modifying the 'subcommand' field from 4 to 5 for a specific newly released quest (which could be accepted from any map) would crash the channel, causing a state rollback to the last time a database commit was performed on characters/accounts in the channel.",
"Packet": "[2-byte opcode: Quests][1-byte Subcommand: 0x04][2-byte QuestID][2-byte NpcID][2-byte MouseX][2-byte MouseY]",
"Modified Packet": "[2-byte opcode: Quests][1-byte Subcommand: 0x05][2-byte QuestID][2-byte NpcID][2-byte MouseX][2-byte MouseY]",
"Result": "Due to a state rollback occuring from this vulnerability, attackers could set up 'personal shops' where a second client/character buys out the shop, logs out (which commits the state of that character), and then the character in the shop sends the modified quest packet to crash (and thus rollback) the channel, resulting in item duplication - as character state is normally only committed after a certain time period, changing channels, or logging out.",
"Likely Root Cause & Remediation": "While the exact method remains unknown, the logical explanation is that packet handling code on the server-side for the subcommand value of 5 (of the quest-related opcode) for that particular quest caused an invalid pointer dereference or tried to access non-existent resource files, resulting in an unhandled exception being thrown - terminating the thread or process which that channel was being hosted on, and thus freeing/releasing the virtual memory which held the state of all characters on the channel before the database could commit it to storage on disk."
},
{
"ID": "MS-05",
"Name": "Item Duplication via Channel Crash (Cake vs. Pie Quest) - [IN-PROGRESS]",
"Year": 2011,
"Severity": "High",
"Categories": ["Inventory State Rollback", "Currency/Item Generation", "Major virtual economy manipulation"],
"Description": "Same concept as \"MS-04\" but involved a different quest,",
"Result": "",
"Likely Root Cause & Remediation": ""
},
{
"ID": "MS-06",
"Name": "Generic No-Delay Attacks [IN-PROGRESS]",
"Year": 2014,
"Description": "A one-byte memory patch inverses a conditional jump and allows the attacker to use skills/attacks as fast as packets can be sent by the game.",
"Result": "",
"Likely Root Cause & Remediation": "checksum/CRC being finally 'solved', allowing attack packets to be spammed"
}
]
},
{
"Game": "DragonNest (SEA)",
"Year Range": [2014, 2017],
"Vulnerabilities":
[
{
"ID": "DN-01",
"Name": "Insecure Direct Object Reference (IDOR) - Administrator/Event Gifts",
"Year": 2016,
"Severity": "Critical",
"Categories": ["Currency/Item Generation", "Major virtual economy manipulation"],
"Description": "Administrators can issue item gifts or rewards to players for events or downtime compensation. Each item/gift is represented in the outbound packet for retrieving it by a 4-byte unique identifier. No server-side check on gift ownership existed in the corresponding packet handler, allowing the attacker to enumerate sequentially through them and gain the gift's items. Administrators of the different regional versions of the game gave out different item gifts, with regions such as South East Asia (SEA) and North America (NA) having both Gold/currency and cash points as possible items you could get.",
"Result": "The vulnerability was exploited for approximately one year before being fixed on all regions of the game.",
"Likely Root Cause": "Lack of gift/item ownership check in the server's packet handler code when a player attempts to retrieve/accept the gift."
},
{
"ID": "DN-02",
"Name": "'Limitless' Returned Hero Gift - [IN PROGRESS]",
"Year": 2015,
"Categories": ["Replay Attack", "Server Logic Flaw", "Major virtual economy manipulation"],
"Description": "",
"Result": "",
"Likely Root Cause": ""
}
]
},
{
"Game": "Path of Exile",
"Year Range": [2018, 2021],
"Vulnerabilities":
[
{
"ID": "PoE-01",
"Name": "Delve Node Instance Repetition",
"Year": 2018,
"Categories": ["Currency/Item Generation", "Major virtual economy manipulation"],
"Credits": "Dillon Gabrielli ('Mojito')",
"Description": "Replay attack where if the packet to travel to or start a Delve node instance is sent during an existing instance before its completed, the same node can be started again, allowing the attacker to repeatedly complete the same node while collecting the rewards.",
"Packet": "[2-byte opcode] [00] [2-byte delve grid X-position] [2-byte delve grid Y-position]",
"Result": "A high value node (such as a high-grade fossil reward) can be searched for and then completed repeatedly, allowing the attacker to obtain rare and valuable items in short periods of time. Automation was developed by the author to exploit the vulnerability using multiple client instances unattended. Dumping large/abnormal amounts of valuable items onto the in-game marketplace resulted in diminishing returns.",
"Likely Root Cause & Remediation": "Faulty state machine in server code. Since sending the 'start node instance' packet before completion of the instance would force a new instance to be prepared without kicking the attacker out from the current one, the current one could be completed and rewards collected while the server thought a new/different instance had already been started, resulting in the server not thinking the current instance was completed and thus letting you attempt to complete it again."
},
{
"ID": "PoE-02",
"Name": "Item State Rollback Through Instance Crash - [IN-PROGRESS]",
"Year": 2019,
"Categories": ["Currency/Item Generation", "Minor virtual economy manipulation"],
"Description": "",
"Packet": "[2-byte opcode] [1-byte subcommand: 0x01]",
"Result": "",
"Likely Root Cause & Remediation": ""
}
]
},
{
"Game": "Mir4",
"Year Range": [2022, 2023],
"Vulnerabilities":
[
{
"ID": "MIR4-01",
"Name": "Acquisition of 'Legendary'-grade items (Protobuf field-handling logic flaw) - [IN PROGRESS]",
"Year": 2022,
"Categories": [],
"Description": "",
"Packet": "",
"Modified Packet": "",
"Result": "",
"Likely Root Cause & Remediation": ""
}
]
},
{
"Game": "Tree of Savior",
"Year Range": [2014, 2015],
"Vulnerabilities":
[
{
"ID": "ToS-01",
"Name": "Currency Generation Exploit through faulty server logic [IN PROGRESS]",
"Year": 2014,
"Categories": ["Currency/Item Generation", "Major virtual economy manipulation"],
"Description": "",
"Packet": "",
"Modified Packet": "",
"Result": "",
"Likely Root Cause & Remediation": ""
}
]
}
]
}