Trinitycore: Buffer overflow exploit

Created on 24 Oct 2016  ·  4 Comments  ·  Source: TrinityCore/TrinityCore

Description:
Somebody hacked into my servers using a buffer overflow. I know that because he sent me emails bragging about it, and now all my servers are down; whenever I try to put them online again he just uses his exploit and deletes everything. HE EVEN GOT ROOT. Anyway, can you guys help me figure out where exactly in the code the worldserver processes incoming packets so that I can try and fix the problem? I'm guessing it's the world server as it's the only server that uses unencrypted data.
Current behaviour: (Tell us what happens.)
buffer overflow
Expected behaviour: (Tell us what should happen instead.)
incoming packets should not be put into memory without processing
Steps to reproduce the problem:
I'm not sure
Branch(es): 3.3.5 / master (Tell us which branch(es) this issue affects.)
master
TC rev. hash/commit:
current
TDB version:
Doesn't matter, it doesn't affect the problem.
Operating system:
Linux Debian 7

Branch-master Comp-Core Platform-Linux Sub-Exploit

All 4 comments

I'm not sure how you expect us to follow up on this issue. There are no logs, packet dumps, memory dumps, network dumps, ...

where exactly in the code does the worldserver process incoming packets

https://github.com/TrinityCore/TrinityCore/blob/master/src/server/game/Server/WorldSocket.cpp#L268 is one of the first places where packets are read from the network

P.S. Are you running worldserver with root privileges?

Debian 7 is unsupported; update your OS and all packages. Also, do you use some PHP armory? Some are known to have exploits. Also, there is no "current" TC revision.

HE EVEN GOT ROOT

So you let worldserver run under root privileges?

Most likely you have some default services running with default configuration and not updated to the latest security patches, so anyone with Google can find available exploits and get root access to your server.
Being a system administrator is a full-time job (although most users think it can be just a hobby).
You should report the incident to the police and provide them with the emails received.

I did not run the server as root, plus he damaged almost everything on the server, so I have no dumps. I will report the incident to the police. Thanks for your help, gentlemen.