Issue information

Issue ID: #2292
Status: Fixed
Severity: Critical
Started: Hercules Elf Bot, Sep 29, 2008 20:20
Last Post: Hercules Elf Bot, Sep 29, 2008 20:20
Confirmation: N/A

Hercules Elf Bot - Sep 29, 2008 20:20

Originally posted by theultramage
http://www.eathena.ws/board/index.php?autocom=bugtracker&showbug=2292

Hello. I have received a report regarding item duplication and problems in the auth system.
This defect was created somewhere during all that wild coding that attempted to get rid of the online/offline auth bypass exploit. To be more precise, it is a race condition that occurs when trying to log into an account that is already attempting to enter the mapserver.

The consequence is 2 clients logged onto the same account, one on the charserver and one on the mapserver. We have not yet identified the exact reason why it is possible to duplicate items at this point, but since no changes in this area have been made since the previous bug report, we can assume that the exploit still works if we get this far in the procedure. The person who reported this claims he can duplicate items just by putting stuff into cart and alt+f4-ing, then logging in with the second client later.

Steps to reproduce:
  1. modify the login server to delay login requests.
    CODE
        if( login_config.online_check )
        {
            struct online_login_data* data = (struct online_login_data*)idb_get(online_db, sd->account_id);
            if( data )
            {// account is already marked as online!
    +            long i,j;//dupes
    +            for (j = -100; j < 100; j++)
    +                for (i = -1000000; i < 1000000; i++);
  2. prepare two clients, A and B
  3. get client A to charserver
  4. attempt to log in with client B, then immediately switch to client A and attempt to enter mapserver
  5. client B gets "account is already online" while client A goes in-game without getting disconnected
  6. wait 15 seconds
  7. client B can now log in and reach charserver.
Sequence of events that occur:
  1. as B tries to log in, the login server rejects, spams a kick message and starts a 15-second "just in case" offline timer
  2. since A hasn't reached the mapserver yet, there's no session and therefore the 'kick' will get silently ignored
  3. once the 15 seconds elapse, the login server will set A offline and therefore allow entry, even though A is actually still online.
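To make the three-step sequence above concrete, here is an added toy model (not eAthena code) of the online mark kept by the login server and the live sessions on the char and map servers; it replays the report's timeline and shows why the blind timer expiry lets client B in. The account id, the `World` class and the `recheck_before_offline` guard are assumptions for illustration, and the guard is one possible mitigation, not the fix that was applied to the project.

```python
OFFLINE_TIMER = 15  # the 15-second "just in case" offline timer from the report


class World:
    """Login server online marks plus the char/map servers' live sessions (toy model)."""

    def __init__(self, recheck_before_offline):
        self.online = set()          # login server: accounts marked online
        self.char_sessions = set()   # accounts with a live charserver session
        self.map_sessions = set()    # accounts with a live mapserver session
        self.offline_at = {}         # account -> time the offline timer fires
        self.recheck = recheck_before_offline  # assumed guard, not the project's fix

    def kick(self, acc):
        """Server side of the kick: it only works on a live session."""
        if acc in self.char_sessions or acc in self.map_sessions:
            self.char_sessions.discard(acc)
            self.map_sessions.discard(acc)
            return True
        return False  # account in transit: no session, kick silently ignored

    def login(self, acc, now):
        """Login server: reject if marked online, send the kick, arm the timer."""
        if acc in self.online:
            self.kick(acc)
            self.offline_at[acc] = now + OFFLINE_TIMER
            return False
        self.online.add(acc)
        self.char_sessions.add(acc)
        return True

    def tick(self, now):
        """Fire expired timers; the unguarded path clears the mark blindly."""
        for acc, fires_at in list(self.offline_at.items()):
            if now >= fires_at:
                del self.offline_at[acc]
                live = acc in self.char_sessions or acc in self.map_sessions
                if not (self.recheck and live):  # assumed guard: keep the mark if live
                    self.online.discard(acc)


def run_scenario(recheck_before_offline):
    w = World(recheck_before_offline)
    w.login("acc", now=0)                 # client A reaches the charserver
    w.char_sessions.discard("acc")        # A heads for the mapserver: in transit
    b_first = w.login("acc", now=1)       # B rejected, kick ignored, timer armed
    w.map_sessions.add("acc")             # A arrives on the mapserver
    w.tick(now=1 + OFFLINE_TIMER)         # the 15 seconds elapse
    b_second = w.login("acc", now=2 + OFFLINE_TIMER)
    return {"b_rejected_first": not b_first, "b_logged_in_later": b_second,
            "a_still_on_map": "acc" in w.map_sessions}
```

With the guard off, `run_scenario(False)` ends with A on the mapserver and B on the charserver at the same time; with it on, the timer leaves the mark in place and B's second attempt is handled by the normal online check.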