BaseJKA Security Fix

By Gamall
Date: 04-06-2007

***********************************
Jedi Knight: Jedi Academy
***********************************

TITLE : BaseJKA Security Fix
VERSION : 1.0d
AUTHOR : Gamall
E-MAIL : gamall.ida@gmail.com
WEBSITE : http://gamall-ida.com

FILENAME Windows : basejka_Gamalls_fix_10d.pk3
FILENAME Linux : jampgamei386.so
FILESIZE : < 2 MB
DATE RELEASED : April 2007


INSTALLATION INSTRUCTIONS:
=-=-=-=-=-=-=-=-=-=-=-=-=-

Just put the relevant file in your server's base folder.

DESCRIPTION:
=-=-=-=-=-=-

This patch (technically it is a mod) corrects the three Denial of Service vulnerabilities I am aware of affecting basejka, and makes the logs more useful to an experienced admin, without attempting to alter the gameplay, admin features, etc. in any way. Some random fixes were also added, but they are hardly worth mentioning.

IMPORTANT: My patch only affects the "jampgame" component. In order to completely protect a server, you must also use a patched "jampded". Here is one link to ready-to-use jampdeds: http://jediknight2.filefront.com/file/UNOFFICIAL_Patch_for_JA_101_Dedicated_Servers;41652

SUMMARY OF THE CHANGES:
=-=-=-=-=-=-=-=-=-=-=-=

-> Client disconnect buffer overflow: fixed trap_SendServerCommand().
--------------------------------------------------------------------

The possibility of causing a DoS that disconnects all clients by sending overlong strings to the server has been removed. Malformed commands are simply ignored.

-> Ingame buffer overflow (say/tell): fixed Cmd_Say_f() and Cmd_Tell_f().
-------------------------------------------------------------------------

The possibility of crashing the server by using say or tell to pass overlong strings to the server has been removed. Overlong messages are truncated to a decent length (150).

-> Fake Players Attack: heavily secured, customisable ClientConnect().
----------------------------------------------------------------------

The possibility of lagging and even crashing the server by sending a great number of fake connection requests with a third-party program such as q3fill has been removed. See below for more information.

-> Improvement of the log file/server messages.
-----------------------------------------------

> Each time a client connects, the complete userinfo string is logged, even if the connection is denied. This includes the IP, port, qport, name of the client and much more.

> If the connection is denied, a message explaining why is displayed by the server, and the relevant information is written to the log file. Since those messages could be used to spam the screen during a fake players attack, or if you simply don't want to know about it, you can deactivate the public messages: just set these cvars to 0 (default = 1):

ga_showBadPassClient | 0 or 1 : display a message when a client connects with a bad password.
ga_showBannedClient | 0 or 1 : display a message when a banned client connects.

> The "Infostring length exceeded" console error message has been made a tad more explicit. I noticed a bug which would cause it to be sent every frame. It is hard to debug if you don't know what caused it ;)

> Each time a user changes name, it is written down in the log file.

> When a client disconnects, their name is logged.

> Each time a client says/tells something, their client number is logged along with their name.

-> Random unimportant fixes/improvements.
-----------------------------------------

> The annoying time limit when changing name has been reduced from five seconds to 0.7 seconds.

> The ^0 (black) colour now works properly. If you don't want to see black in names, you can deactivate this by setting the following cvar to 0:

ga_allowBlackInNames | 0 or 1 (default = 1)

> When a player's name is invalid, basejka sets it to "Padawan", which is annoying since you end up with many "Padawan"s. You can now decide what it will be, and, if you so choose, add the player's client number to the name by putting "%i" in it.

ga_defaultName | (default = "^4P^7adawan ^5(^7%i^5)")

For instance, with the default setting, client 9 will be renamed to "Padawan (9)". Note that I put many spaces between the name and the number: normal players can't use more than three spaces in a row, so nobody will be able to imitate the default name with someone else's number and trick you into kicking that other player instead of them...

If you don't like that, you can just change it back to "Padawan".

PROTECTION AGAINST THE FAKE PLAYERS:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

There are three different protections against the q3fill attack; when a client connects, the three protection layers activate in turn:

-> Clever Fake Detection
------------------------

The connection string is checked for a value specific to JKA players, which the bots lack by default. If no such value is found, the connection is denied, and the IP can be automatically added to the banlist.

This aspect is controlled by the following cvars:

ga_cleverFakeDetection | default = "model"
ga_cleverfakeAutoBan | default = "1"

This first protection alone will get rid of 99.99 % of all attacks.

If the attacker knows what he is doing, he can easily fool this layer by altering the attack. Most script kiddies do not have that kind of know-how, though.

You can deactivate this feature by setting ga_cleverFakeDetection "none".

-> Hard-Coded Fake Detection
----------------------------

This layer checks for a value specific to the bots, one that does not appear in legitimate players' connection strings. It is the opposite viewpoint from the first layer, but works exactly the same way.

ga_hardFakeDetection | default = "cl_guid"
ga_hardFakeAutoBan | default = "1"

Fooling this layer is tricky, as the target value is hard-coded into q3fill. The attacker would need to alter q3fill's source code in an appropriate way without breaking anything and recompile it... definitely not something your average dumb server crasher can do :D

You can deactivate this feature by setting ga_hardFakeDetection "none".

-> Connect Flood Detection
--------------------------

If the first two layers fail (or are deactivated), there is no way to tell a genuine player and a bot apart, so we must detect them by the rate at which they connect from the same IP.

ga_sameIpNumber | default = "5"
ga_sameIpTime | default = "30"
ga_sameIpAutoBan | default = "1"
ga_sameIpAutoKick | default = "1"

With the default settings, more than 5 connections from the same IP in less than 30 seconds are deemed a fake players attack. As usual, the connection is denied, and the IP can be banned, depending on the admin's choice. The bots that got in can also be kicked automatically.

Setting ga_sameIpNumber to 0 will deactivate this third layer.

NOTE: Be very careful when playing with ga_hardFakeDetection and ga_cleverFakeDetection. Putting incorrect values there may prevent ANY player from entering the game, or in the best case render the protection useless. The default values are good. Don't alter them unless you know what you are doing.
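The three layers above, written out as an added example in C (not the mod's own code): it takes a Quake3-style userinfo string and a client IP, applies the two key checks with the readme's default cvar values (model must be present, cl_guid must be absent) and then a per-IP window of 5 connects per 30 seconds. The info_has_key and track_for helpers, the tracking table and the sample userinfo strings are constructed for illustration; cvar names and limits are the readme's.

```c
/* Added example, not the mod's own code: the three ClientConnect layers
 * described in the readme, run over a Quake3-style userinfo string.
 * Key names and limits are the readme's defaults; everything else is constructed. */
#include <string.h>
#define CLEVER_KEY  "model"    /* ga_cleverFakeDetection: genuine clients send it */
#define HARD_KEY    "cl_guid"  /* ga_hardFakeDetection: the flood tool sends it, JKA clients do not */
#define IP_MAX      5          /* ga_sameIpNumber */
#define IP_WINDOW   30         /* ga_sameIpTime, in seconds */
#define MAX_TRACKED 64         /* constructed size of the per-IP table */
enum verdict { ALLOW = 0, DENY_NO_MODEL, DENY_HAS_GUID, DENY_IP_FLOOD };
/* Userinfo looks like "\key\value\key\value"; returns 1 if key is present. */
static int info_has_key(const char *info, const char *key) {
    size_t klen = strlen(key);
    for (const char *p = info; *p == '\\'; ) {
        const char *k = p + 1, *kend = strchr(k, '\\');
        if (!kend) return 0;                         /* key without a value */
        if ((size_t)(kend - k) == klen && !strncmp(k, key, klen)) return 1;
        p = strchr(kend + 1, '\\');                  /* skip over the value */
        if (!p) return 0;
    }
    return 0;
}
/* Recent connect times per IP, for the connect flood layer. */
struct ip_track { char ip[16]; int count; int times[IP_MAX]; };
static struct ip_track g_track[MAX_TRACKED];
static int g_ntrack;

static struct ip_track *track_for(const char *ip) {
    for (int i = 0; i < g_ntrack; i++)
        if (!strcmp(g_track[i].ip, ip)) return &g_track[i];
    if (g_ntrack == MAX_TRACKED) g_ntrack = 0;      /* table full: start over (simplification) */
    struct ip_track *t = &g_track[g_ntrack++];
    memset(t, 0, sizeof *t);
    strncpy(t->ip, ip, sizeof t->ip - 1);
    return t;
}
/* now = server time in seconds. Layers run in the order the readme gives. */
enum verdict check_connect(const char *userinfo, const char *ip, int now) {
    if (!info_has_key(userinfo, CLEVER_KEY)) return DENY_NO_MODEL;
    if (info_has_key(userinfo, HARD_KEY))    return DENY_HAS_GUID;
    struct ip_track *t = track_for(ip);
    int kept = 0;                                    /* forget connects outside the window */
    for (int i = 0; i < t->count; i++)
        if (now - t->times[i] < IP_WINDOW) t->times[kept++] = t->times[i];
    t->count = kept;
    if (t->count >= IP_MAX) return DENY_IP_FLOOD;    /* this would be connect number IP_MAX + 1 */
    t->times[t->count++] = now;
    return ALLOW;
}
```

A denied connect is not recorded in the window, so a flooding IP stays blocked only until its earlier connects age out; banning (ga_sameIpAutoBan) would be an extra flag on the ip_track entry.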

TECHNICALITIES:
=-=-=-=-=-=-=-=

This patch has been compiled with the following compilers:

On Windows:
-----------

Visual C++ 2005 (8);

It is the same compiler Raven Software used to compile the original jampgame (although they used version 7), with the very same compilation parameters. So there is NO reason at all that the damages/blocks should be altered in any way.

On Linux:
---------

GCC 2.96 on a Red Hat Linux release 7.2 (Enigma);

GCC is a very good compiler, but Raven used ICC, which is a commercial product I don't have. So the damages might in theory be slightly altered, although I personally can't tell the difference.

This would come from the way each compiler handles floating-point computations.

SOURCE CODE:
=-=-=-=-=-=-

The most important parts of the code are available in source_extracts.rtf. Note that many little fixes have been left out, and that the code may not be up to date.

Feel free to reuse part of that code in your mods; just give me some credit in your readme and I'll be happy :P

CREDITS:
=-=-=-=-

Kudos to Trimbo for his Linux-ready version of the vanilla SDK.

Warm regards to Luigi Auriemma for his work on JKA and the q3 engine.

THIS MODIFICATION IS NOT MADE, DISTRIBUTED, OR SUPPORTED BY ACTIVISION, RAVEN, OR
LUCASARTS ENTERTAINMENT COMPANY LLC. ELEMENTS TM & © LUCASARTS
ENTERTAINMENT COMPANY LLC AND/OR ITS LICENSORS.