You obviously don't read the mailing list every day, otherwise you would have known that he did in fact email Tobi already. I'd prefer to know about this myself so that I can patch it without waiting for Tobi.
--Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jani Tiira
Sent: Monday, June 23, 2008 11:05 AM
To: Half-Life dedicated Linux server mailing list
Cc: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds_linux] HLStastX usage

Great post.. dumb post.. all the same.. I personally would have mailed this to Tobi17 instead of posting it here. But good catch anyway..

-- Tirppa

On Mon, Jun 23, 2008 at 7:22 PM, Keeper <[EMAIL PROTECTED]> wrote:
> Ok, here is the exploit ... and one way to fix it.
>
> If you are playing in a server that has HLStatsX installed, you can put log
> output in chat to create fake events.
>
> You can just say or say_team the following to trick HLStatsX:
>
> L 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789")
>
> The log output would be:
>
> L 06/23/2008 - 01:00:00: "Keeper<1><STEAM_0:1:12345678><Unassigned>" say "L 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789")"
>
> The way the current hlstats.pl perl script parses this, is it looks for the
> last occurrence of the date stamp. In this case, it would show that
> dm_no_such_map was loaded on your server ... even though it doesn't exist.
> So you could logically put in headshot kills with crowbars in hl2dm. Create
> fake captures and kills in TF2. You could even mimic VAC Bans that would
> eliminate players from being able to join servers with HLStatsX installed.
>
> These exploits could range from being a small nuisance, to being a huge
> headache for server operators.
>
> To fix this, and I'm no regex expert, I found the following to work with
> both streaming servers and importing logs from the command shell:
>
> In your hlstats.pl files do the following two things:
>
> [#1 - SEARCH] ( around line 1494 )
> my $last_attacker = "";
> my $last_attacker_hitgroup = "";
> [ADD AFTER]
> my $is_streamed = 0;
> my $test_for_date = 0;
> [END]------------------------------------------------------------
>
> [#2 - SEARCH] ( around line 1821 )
> # Get the datestamp (or complain)
> if ($s_output =~ s/^.*L (\d\d)\/(\d\d)\/(\d{4}) -
> (\d\d):(\d\d):(\d\d):\s*//)
> {
> [REPLACE WITH]
> # Get the datestamp (or complain)
> $is_streamed = 0;
> $test_for_date = 0;
> $is_streamed = ($s_output !~ m/^L\s*/);
>
> if ( !$is_streamed ) {
> $test_for_date = ($s_output =~ s/^L (\d\d)\/(\d\d)\/(\d{4}) -
> (\d\d):(\d\d):(\d\d):\s*//);
> } else {
> $test_for_date = ($s_output =~ s/^\S*L (\d\d)\/(\d\d)\/(\d{4}) -
> (\d\d):(\d\d):(\d\d):\s*//);
> }
>
> if ($test_for_date)
> {
> [END]------------------------------------------------------------
>
> This will allow the hlstats.pl parser to get the full event after the FIRST
> log stamp, and will stop this method of spoofing.
>
> Let me state, that I in no way support HLStatsX, nor will I do so in the
> future. But I wanted to post about this so server operators could keep the
> integrity of their databases.
>
> Keeper
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives,
> please visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
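
Review bot: in the [#2] replacement, `$is_streamed = ($s_output !~ m/^L\s*/);` only tests whether the line begins with `L`, because `\s*` also matches zero characters, and the streamed branch then accepts any run of non-whitespace in front of the stamp through `^\S*L `. Consider testing for `^L ` with the literal space the stamp patterns themselves require and, if the prefix on streamed lines is fixed, matching that prefix explicitly instead of `\S*`. The two `= 0` assignments ahead of the test are redundant, since `$is_streamed` is assigned on the next statement and `$test_for_date` is assigned in both branches; as both are reset before each datestamp test, they could be declared with `my` at that point rather than in the [#1] block near line 1494.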
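
The parsing behaviour Keeper describes (the original pattern consuming everything up to the last date stamp on a line) can be seen beside the anchored pattern from the posted fix in the following added example, which is not part of the original thread or of hlstats.pl. The sample lines are constructed, `dm_lockdown` is a placeholder map name, and the helper names `event_greedy` and `event_anchored` are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines (not captured from a real server), modelled on the
# chat line quoted in the post. "dm_lockdown" is a placeholder map name.
my @lines = (
    'L 06/23/2008 - 01:00:00: Started map "dm_lockdown" (CRC "-123456789")',
    'L 06/23/2008 - 01:00:00: "Keeper<1><STEAM_0:1:12345678><Unassigned>" say '
      . '"L 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789")"',
);

# Date stamp pattern shared by both variants (same fields as in the post).
my $stamp = qr{L (\d\d)/(\d\d)/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*};

# Original behaviour: the greedy ".*" runs to the LAST stamp on the line,
# so text typed in chat becomes the event that gets parsed.
# (Hypothetical helper name.)
sub event_greedy {
    my ($s) = @_;
    return $s =~ s/^.*$stamp// ? $s : undef;
}

# Anchored form used by the posted fix for non-streamed lines: only a stamp
# at the very start of the line is stripped, so the whole say event remains.
# (Hypothetical helper name.)
sub event_anchored {
    my ($s) = @_;
    return $s =~ s/^$stamp// ? $s : undef;
}

for my $line (@lines) {
    my $old = event_greedy($line);
    my $new = event_anchored($line);
    # Detection for existing logs: a chat payload that itself carries a stamp.
    my $injected = $line =~ /" say(?:_team)? ".*$stamp/;
    print "line:     $line\n";
    print "greedy:   ", $old // '(no stamp)', "\n";
    print "anchored: ", $new // '(no stamp)', "\n";
    print "flag:     ", ($injected ? "chat text contains a log stamp" : "none"), "\n\n";
}
```

The `flag` check can also be run over archived logs to find chat lines that carried an embedded stamp before the parser was patched.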

