Trinitycore: New Hack Exploit TC!

Created on 8 Sep 2018 · 15 Comments · Source: TrinityCore/TrinityCore

A player tells me: please whisper me! And I whisper to the player = WoW, Error!

I see in chat.log

just this!

Player hitsho says (language 0): :||

is ready!

ChatStrictLinkChecking.Severity = 3

ChatStrictLinkChecking.Kick = 0

version: https://github.com/TrinityCore/TrinityCore/commit/66a87c4642d25f27ca24254cfeb0a0c4b21036b1

os: windows 2012 server

Branch-3.3.5a Sub-Chat

Most helpful comment

The information on https://github.com/TrinityCore/TrinityCore/issues/22399#issuecomment-419645753 post seems troubling.
It seems that the message Player hitsho says (language 0): :|| comes from the chat log "Player %s says (language %u): %s", which suggests that the message the player sent was either :|| or :\124\124 or similar.

However, I cannot reproduce a crash with these messages. Are you guys able to?
Even if tickets would crash, it does not explain why a chat message would crash if severity is set to 3. Unless of course the crash was caused by something else than the message in the logs.
We may need more information on what happened.

I took a look at the link filtering on blizz and on TC and it seems that there are a few things to improve with the current system to make it work properly and to match blizzard behavior. Making those changes _may_ not fix this current issue however, as we do not know what causes it yet. Below you can see the info I gathered.

Blizz

Current (8.0.1.27602) blizz behavior seems to be to completely ignore messages that contain links with invalid format.
The messages do not appear in chat when sent through a script.
If an item link is otherwise correct but has wrong name, the name is shown as text, but link is removed.

(1) Example of invalid chat link that is ignored on blizz (crashes client if not filtered). Any invalid format or invalid ID seems to be included in this case.

/run SendChatMessage("\124cFFDDD000\124Hquest:\124htest\124h\124r", "WHISPER", nil, GetUnitName("PLAYER"))

(2) Example of message that passes all checks on blizz (double pipe to escape pipe characters, will not crash)

/run SendChatMessage("\124\124cFFDDD000\124\124Hquest:\124\124htest\124\124h\124\124r", "WHISPER", nil, GetUnitName("PLAYER"))

(3) Example of message that contains a valid link but invalid text; only "asd" without brackets is shown as normal text. If the brackets are not in the link or the itemid doesn't exist then the message belongs to case 1 and is ignored.

blizz:
/run SendChatMessage("\124cffffffff\124Hitem:2589::::::::20:71::::::\124h[asd]\124h\124r", "WHISPER", nil, GetUnitName("PLAYER"))
335 branch:
/run SendChatMessage("\124cffffffff\124Hitem:6948:0:0:0:0:0:0:0:1\124h[Hearthsssstone]\124h\124r", "WHISPER", nil, GetUnitName("PLAYER"))

Images should probably be blocked at all severities >= 1 since normally you cannot even send them with SendChatMessage and exploits can do this https://www.reddit.com/r/wow/comments/2nz2sr/somebody_broke_trade_chat/ or impersonate GM etc.

TC

e5b8b1e99a4e7361be862ae6e1f29189907167e4
TC severity 0: messages 1, 2, 3 pass checks
TC severity 1: messages 1, 2, 3 pass checks
TC severity 2: messages 1 and 3 pass but 2 does not pass. (not blizzlike, 2 should pass)
TC severity 3: messages 1 and 3 do not pass but 2 passes. (not blizzlike, 3 should show text only without link)

From https://github.com/TrinityCore/TrinityCore/issues/15302#issuecomment-132464861

perhaps we should set default level to 2 and make changes to link validator so it at least checks if it has the expected format (currently it does not do that) to prevent crashing clients

Suggested prioritized todo

  • [ ] https://github.com/TrinityCore/TrinityCore/issues/22399#issuecomment-419723075 remove check ignoring from afk and dnd message, however make sure that commands are not parsed from the afk/dnd message (no clear reason why validity check was skipped in the first place
    https://github.com/TrinityCore/TrinityCore/commit/4b0ffeb0bd02c2be666a9712ec5597b1bcefb442)
  • [ ] https://github.com/TrinityCore/TrinityCore/issues/22399#issuecomment-419778588 add link validity check to ticket create packet handler
  • [ ] make changes to link validator so you can use it to check link format only to prevent crash (for severity 2)
  • [ ] use the new link format checking and remove existing checks that are invalid and block messages with double pipes for severity 2
  • [ ] change default validation setting to check for link validity in config and in core (default to severity 2)
  • [ ] make changes to link validation so that correct link with wrong text returns only text (for severity 3)

All 15 comments

I don't think this would be labeled as an exploit. Sounds like an internal error and you can just revert back to your working source before that pull.

This sounds a lot like the exploit with chat where if you sent an invalid chat link the client crashed and you could crash other people's clients with this method.
The solution was to turn on stricter chat filtering in the worldserver config.

Not sure if the issue was resolved in some other way through making the default chat filtering better etc. Can't find the issue.

Here it is https://github.com/TrinityCore/TrinityCore/issues/15302
Check your ChatStrictLinkChecking.Severity

Is ready! But doesn't work!

ChatStrictLinkChecking.Severity = 3

ChatStrictLinkChecking.Kick = 0

And

@rochet2 please check this issue!

https://github.com/TrinityCore/TrinityCore/issues/22374

New exploit hacks are coming!

"Brace yourselves... Winter is coming."

The hacker puts invalid characters in the AFK or DND message; then, for whoever replies to them, the WoW client cannot handle it, so it crashes.

Just out of curiosity: is the server supposed to deal with this, or is it a client problem?

Today someone created (and immediately edited) a ticket with the content below, and my client crashes when I try to view the ticket (I guess he edited the ticket content with WPE Pro somehow).

|cFFDDD000|Hquest:|hS.eXpl0it3r|h|r

Tested what @tje3d said:
|cFFDDD000|Hquest:|hS.eXpl0it3r|h|r in a ticket text leads to client crashes as soon as I try to read the ticket ingame. That is because the questid is invalid (not even provided).
The correct scheme would be |color|Hquest:quest_id:quest_level|h[name]|h|r

tl;dr: invalid questids are not parseable by the client and this leads to client crashes.

Fix: Check every chat message which a player can receive for an invalid link (I'm quite sure item links are also affected) and if it's invalid do not send it or replace it with <invalid bleh>. (Checking stuff sometime before the SMSG_CHAT packet is sent would be 'good'; better to just check every case where the user may input stuff themselves.)

EDIT: it's exactly this: https://github.com/TrinityCore/TrinityCore/issues/15302 just that it is not checking tickets but chat. We might apply this to tickets too to prevent GM-only crashes :D
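As an added example (not TrinityCore's own code, and not tied to its `ChatStrictLinkChecking` implementation), a format-only link checker that follows the scheme quoted above and covers both the severity-2 style "reject malformed links" check and the severity-3 style "show text only" fallback from cases (1) to (3) earlier in the thread; the `chatlink` namespace and function names are assumptions, and the sample strings in comments use a literal `|` where the Lua examples use `\124`.

```cpp
#include <cctype>
#include <string>
// Added example (not TrinityCore code): format-only validation of WoW chat links
// following the scheme quoted in the thread, |cAARRGGBB|Htype:id...|h[text]|h|r,
// where "||" escapes a literal pipe. It checks structure only, never ids against the DB.
namespace chatlink {
static bool AllDigits(std::string const& s, size_t from, size_t to, bool hex)
{
    for (size_t i = from; i < to; ++i)
        if (!(hex ? std::isxdigit((unsigned char)s[i]) : std::isdigit((unsigned char)s[i])))
            return false;
    return from < to; // an empty run (e.g. "quest:" with no id) is not a number
}
// Parse one link whose unescaped '|' is at msg[pos]. Returns the index one past "|r"
// and stores the display text, or npos on any format error.
static size_t ParseLink(std::string const& msg, size_t pos, std::string& text)
{
    size_t const npos = std::string::npos;
    if (msg.compare(pos, 2, "|c") != 0 || pos + 12 > msg.size() || !AllDigits(msg, pos + 2, pos + 10, true)
        || msg.compare(pos + 10, 2, "|H") != 0)
        return npos;
    size_t colon = msg.find(':', pos + 12), data = msg.find("|h", pos + 12);
    if (colon == npos || data == npos || colon > data) return npos;
    size_t idEnd = msg.find(':', colon + 1);                   // id ends at the next ':' or at "|h"
    if (idEnd == npos || idEnd > data) idEnd = data;
    if (!AllDigits(msg, colon + 1, idEnd, false)) return npos;  // case (1): missing/non-numeric id
    size_t close = msg.find("|h|r", data + 2);
    if (close == npos || msg.find('|', data + 2) != close) return npos; // no pipes inside the text
    text = msg.substr(data + 2, close - data - 2);
    return close + 4;
}
// Severity-2 style: returns false when any '|' is neither an escaped "||" nor part of a
// well-formed link (the message should then be dropped). On success, `plain` receives
// the severity-3 style fallback from case (3): each link reduced to its bracket-less text.
bool CheckLinks(std::string const& msg, std::string& plain)
{
    std::string text; plain.clear();
    for (size_t i = 0; i < msg.size();)
    {
        if (msg[i] != '|') { plain += msg[i++]; continue; }
        if (i + 1 < msg.size() && msg[i + 1] == '|') { plain += "||"; i += 2; continue; }
        if ((i = ParseLink(msg, i, text)) == std::string::npos) return false;
        bool bracketed = text.size() >= 2 && text.front() == '[' && text.back() == ']';
        plain += bracketed ? text.substr(1, text.size() - 2) : text;
    }
    return true;
}
} // namespace chatlink
```

With this, case (1) and the ticket string above are rejected, case (2) passes through unchanged, and case (3) yields the bare name without brackets.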

I think this hack is an exploit program, a packet sender!
For Core = Crashes / Client = Crashes

only client crashes, not the core


@Shauren

@Hir0shi not me.

Core currently doesn't do link checking on AFK/DND autoreply messages; I'm honestly not sure why.

willfix as part of #22417
