Results 1 to 10 of 69

Thread: Saving a variable client-side (persistently)

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. 1st January 2014, 18:36 #1
    serthy
    serthy is offline
    Sergeant serthy's Avatar
    Join Date
    Nov 2012
    Posts
    450
    Thanks
    96
    Thanked 296 Times in 188 Posts
    Sorry for beeing blind, but whats the difference to the one that is already used on alot of servers?
    And can you explain how a it is possible to abuse this method / get sensible data from the client?
    Reply With QuoteReply With Quote
  2. 1st January 2014, 20:13 #2
    IzNoGoD
    IzNoGoD is offline
    Assadministrator IzNoGoD's Avatar
    Join Date
    Aug 2012
    Posts
    1,718
    Thanks
    17
    Thanked 1,068 Times in 674 Posts
    Quote Originally Posted by serthy View Post
    Sorry for beeing blind, but whats the difference to the one that is already used on alot of servers?
    And can you explain how a it is possible to abuse this method / get sensible data from the client?
    The difference is that it uses a challenge-response combination.

    It works as follows:

    Client creates an account, stores a loginname cvar and a randomized challenge cvar. Looks like this:
    Code:
    seta izno_challenge_bhwv95nfivapvr3r2co5z88m9tfk4t "openscriptmenu clientcmd chal_4delnmwge5n5qyl6o0tau9dfnwdmjj"
seta izno_loginsystem "openscriptmenu clientcmd login_0tljzgz93cwhdm0fafixr8c9w2mrta"
    For now, lets replace this random numbers and shit with the following (for example sake):
    Code:
    seta izno_challenge_CHALLENGE"openscriptmenu clientcmd chal_RESPONSE"
seta izno_loginsystem "openscriptmenu clientcmd login_USERNAME"
    So, server creates a USERNAME.txt file, in which both CHALLENGE and RESPONSE are stored.

    Next time a client connects to the server, the client executes the given .cfg file (atm it is izno_login.cfg), and the cvars are loaded.
    Now, the server tells the client to vstr izno_loginsystem, thus generating a menuresponse (clientcmd, login_USERNAME).
    The server now opens the USERNAME.txt file, looks for the challenge and does the following:
    [player] execclientcmd("vstr izno_challenge_CHALLENGE");

    From this, the client responds with the appropriate menuresponse that was stored in this randomized cvar (clientcmd, chal_RESPONSE).

    Now, the response given by the client should match the one on file at the server.

    The added layer of protection here is that the server has to KNOW which cvar the client has to execute, as it is randomized on a per-client basis, thus not allowing rogue admins to clone the serv and steal the login details directly.

    The security hole with this is, if the rogue admin gets the USERNAME, he can try to authenticate himself on the real server, which will require the CHALLENGE. As the admin can intercept this command, he can then modify his server to also request this data from the targetted client. This requires a lot of work for the rogue admin (as he has to mod his serv for every client he wants to hack), it is most likely not a feasible angle of attack. However, once in, no one can stop him.
    Reply With QuoteReply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules