Exploitable Behavior with ADD_OWNED_EXPLOSION #2326
Comments
Why are you using the sender from the event at all? The events all pass the client source (as a string) of the person who actually called the event, and that cannot be "spoofed". Also is it a weird coincidence that this passes |
The sender in the event is manipulated, and in server events, the "source" is not included, being nil when printed.
```lua
RegisterNetEvent("explosionEvent", function(sender, data) -- sender getting spoofed
    print("----------------------- [explosionEvent] -----------------------")
    print("Name", GetPlayerName(source)) -- returns Name nil
    print(json.encode(data))
end)
```
Do you have a way to reproduce this? |
Nothing to reproduce except the print of the data parameter. Is currently done with a mod menu called “Lumia”. |
Also this shouldn't be defined as a net-event (use |
I did not notice that |
Of course not as a net event, I just tried it for testing purposes but the source is not sent to show it @AvarianKnight |
source isn't defined because this isn't a net event, try using the |
The sender is the one being exploded (the victim from the modder). That's what's being manipulated. In the sender, I'm listed when I'm the one being exploded, even though I didn't trigger it. The manipulation occurs through AddOwnedExplosion, where the target ped is specified to manipulate the sender. |
I don't see how that adds up, as |
Server console:

```text
----------------------- [explosionEvent] -----------------------
Name Louis
{"posX":0.85693401098251,"f208":8191,"f210":8191,"f218":0,"isInvisible":false,"posZ":1.02783203125,"f242":false,"f240":false,"unkX":0,"f191":false,"posY":0.46142601966857,"f243":true,"posY224":0,"f214":0,"cameraShake":0.69291341304779,"posX224":0,"f164":539292904,"f126":true,"posZ224":0,"f241":false,"f186":1,"f104":34,"f216":false,"f189":false,"damageScale":1,"unkZ":0.99999397993087,"ownerNetId":0,"f190":false,"isAudible":true,"unkY":0,"explosionType":7}
true
0
8191
```

Server-side handler that produced the output above:

```lua
AddEventHandler("explosionEvent", function(sender, data)
    print("----------------------- [explosionEvent] -----------------------")
    print("Name", GetPlayerName(sender))
    print(json.encode(data))
    if data.ownerNetId == 0 then
        CancelEvent()
    end
    if data.posX == 0.0 and data.posY == 0.0 then
        CancelEvent()
    end
    local victim = NetworkGetEntityFromNetworkId(data.ownerNetId)
    victim = NetworkGetEntityOwner(victim)
    local explodePosition = vec3(data.posX, data.posY, data.posZ)
    local positionNearByZero = #(explodePosition - vec3(0, 0, 0)) < 3.0
    print(positionNearByZero)
    print(GetVehiclePedIsIn(GetPlayerPed(sender), false))
    print(data.f210)
end)
```

The cheater executes the following (client-side):

```lua
local playerIdx = GetPlayerFromServerId(16)
local ped = GetPlayerPed(playerIdx)
local coords = GetEntityCoords(ped)
print(coords)
AddOwnedExplosion(ped, coords.x, coords.y, coords.z, 7, 1.0, true, false, 0.6)
```
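A hardened version of the server-side handler above, added here as an illustration; it is not code from this issue or from the FiveM project. It keeps the two payload checks the reporter's handler already hints at (`ownerNetId == 0`, explosion position at the map origin) and adds a distance check between the explosion and the sender's own ped, logging and cancelling anything that fails. Field names follow the JSON dumped in this thread; the two thresholds and the per-sender counter are assumptions. The ped-distance check assumes `sender` is the client that sent the event, as the maintainer states; if `sender` can instead be the victim, as the reporter claims, that check proves nothing and only the payload checks remain meaningful.

```lua
-- Added example: server-side 'explosionEvent' validator (not from this issue
-- or from the FiveM project). Assumes the FXServer Lua runtime, the payload
-- field names seen in the JSON above, and illustrative thresholds.

local ORIGIN_RADIUS = 3.0          -- assumption: explosions this close to (0,0,0) are bogus
local MAX_SENDER_DISTANCE = 300.0  -- assumption: max plausible distance from the sender's ped

-- Pure rule function with no native calls: returns a reject reason, or nil
-- if the event passes. senderCoords may be nil when the sender has no ped yet.
local function explosionRejectReason(ev, senderCoords)
    if ev.ownerNetId == 0 then
        return 'ownerNetId is 0 (no owning entity)'
    end
    local pos = vector3(ev.posX, ev.posY, ev.posZ)
    if #(pos - vector3(0.0, 0.0, 0.0)) < ORIGIN_RADIUS then
        return 'position is at the map origin'
    end
    if senderCoords ~= nil then
        local dist = #(pos - senderCoords)
        if dist > MAX_SENDER_DISTANCE then
            return ('position is %.0f m from the sender'):format(dist)
        end
    end
    return nil
end

-- Count of cancelled explosions per sender, so repeat offenders can be acted on.
local cancelledBySender = {}

AddEventHandler('explosionEvent', function(sender, ev)
    local ped = GetPlayerPed(sender)
    local senderCoords = nil
    if ped ~= 0 then
        senderCoords = GetEntityCoords(ped)
    end

    local reason = explosionRejectReason(ev, senderCoords)
    if reason == nil then
        return -- passes: the explosion is routed to the other clients as usual
    end

    cancelledBySender[sender] = (cancelledBySender[sender] or 0) + 1
    print(('[explosionEvent] cancelled #%d from %s (%s): %s'):format(
        cancelledBySender[sender], GetPlayerName(sender) or '?', tostring(sender), reason))
    print(json.encode(ev))
    CancelEvent()
end)
```

`explosionRejectReason` is kept free of natives so the rules can be exercised outside a running server; what to do once `cancelledBySender` passes some threshold (for example `DropPlayer`) is left to the server owner, since a legitimate client can also emit an odd-looking event while loading in.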
The only thing I notice so far is that the explosions are all near vector3(0.0, 0.0, 0.0). |
And the |
Correct, |
I still cannot reproduce this with your provided code, executing this on a remotely-owned player ped still returns the peer-id of the sending client and not of the client that owns the ped. For clarification: |
Then I think there's more built in there that you can't see. The executor with which the code was executed is called redEngine. |
I can only repeat myself and say that the player ID that is specified in the sender for the explosionEvent is the one that was specified natively as the target ped for the AddOwnedExplosion. |
This check has even been present since the initial release of GTA:O to avoid such abuse in MP sessions ( Did you verify the "cheater" used this specific native and not something like Maybe try FXServer version |
No, it's exactly the code I posted above. I'll make a video later |
I think it's solved by using |
What happened?
Bug Description:
Currently, there is a vulnerability in the handling of ADD_OWNED_EXPLOSION in various mod menus. This allows the abuse of the explosionEvent event, resulting in a manipulated sender field.
Here is a snippet of the data in the explosionEvent:
Consider implementing a solution similar to the network sounds handling (sv_enableNetworkedSounds variable). Introduce a variable to control the routing of owned explosions, preventing the manipulation of the sender field. (sv_enableNetworkedExplosions)
Expected result
The sender in the explosionEvent should accurately represent the entity responsible for the explosion, without being susceptible to manipulation or abuse.
Reproduction steps
Importancy
Security issue
Area(s)
FXServer
Specific version(s)
FXServer-master SERVER v1.0.0.6683 win32
Additional information
Thank you for your attention to this matter. If you need further clarification or details, please don't hesitate to ask.