Reference and Question to an Old CoD1 Bug

News and discussions about new, recent and work-in-progress security vulnerabilities affecting games and game-related software
Airitech
Posts: 5
Joined: Sun Aug 20, 2017 4:07 am

Reference and Question to an Old CoD1 Bug

Post by Airitech »

Hello! Long time follower of aluigi's work as a security researcher.
This is in reference to an old topic on the old zenhax forum.
http://old.zenhax.com/call-of-duty-fs-h ... -t296.html

I have been hosting cod servers for a long time, but never actually hosted a CoD1 server until a friend of a friend reached out because they knew I had experience in it, and their server kept going down and they didn't know why.
I immediately went to alugis website and just browsed over his patches, saw one in particular that fit the description of the problem (player joins while they are joining, server goes down)
Started up a Linux 1.5b version of the server, copied over there mods etc, got it running, and finally began to investigate what was going on.
A player joins - I get the error fs handle for file.
Also what can happen is you can see a bunch of downloads being requested by the same user and the server crashes with no error.

So I have absolutely narrowed down the exploit they are using, and it appears CoD1 is running rampage with this exploit. Upon talking to multiple people with servers they have server crashes 2-3 times a day and have been told about this "exploit". I am doing what I can (banning those players GUID), but soon after another one comes and does it again. I'm assuming there is a GUID spoofer out there.
I have attempted to do the research that my little security knowledge is letting me do which is basically this - I tried to sniff packets while performing the exploit myself to find some kind of "string" or some type of reoccurring packet being sent by the client to effectively block those request packets from being received through some iptables rules, I have found none and my knowledge of how call of duty in general at the packet by packet-level works is small. Best I can assume is that's is way more complicated than sending a packet with a string containing "download main/.....pk3 fill" etc.
I wished there was a command that completely disabled server downloading and didn't give the option, that forced players to go to the redirect, but to no avail.

So I've come here for some help, hopefully you guys have some type of idea or can lead me in the right direction on how to mitigate or disable this exploit. My only current failed idea was to try to identify the packets being sent by the client, and apply a rate limiter or filter that upon detection would block that IP address. Which in and of itself would be a hard thing to apply even if i was able to identify a similar packet.

I look forward to hearing from some of you if you have any ideas! I am a current cyber security student and absolutely love learning new things.

Thanks
-Airi
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Reference and Question to an Old CoD1 Bug

Post by aluigi »

Wow, that thing is so old that I didn't even remember a bit about it.

As far as I can see I didn't make any patch, I saw some mentions of custom patches for other games on some forums but nothing.

I wished there was a command that completely disabled server downloading and didn't give the option, that forced players to go to the redirect, but to no avail.

Could you please explain it better?
Have you tried to play with the following variable for finding a possible feasible alternative?
sv_wwwDownload
sv_wwwBaseURL
sv_wwwDlDisconnected
Airitech
Posts: 5
Joined: Sun Aug 20, 2017 4:07 am

Re: Reference and Question to an Old CoD1 Bug

Post by Airitech »

Hi Aluigi, thanks for the response!

sv_allowDownload - if its set to 0 downloads are completely disabled, players wont even get redirected to the redirect to download. I was hoping that if you had sv_wwwDownload set to 1, and had the baseUrl set, but had sv_allowDownload set to 0, it would eliminate direct server downloads and force players to go to the redirect download server for the download.

Could you please explain it better?


Well as you know, there's two means of downloading modifications on cod games. One directly from the server (slow) and that's where the exploit lies, the other one is where players get redirected to the HTTP download server.
The exploit lies within setting your client command cl_wwwDownload to 0, which forces the client to download directly from the server, not the redirect, then obviously requesting a bunch of them to overflow the buffer.

What I meant there, was I wish there was a command that disabled the direct server (slow) download, and forced players to only go to the redirect, if there was some command or way to disable the server from ever handling downloads, forcing players to either be redirected, or not download at all.
I'm not sure if that has any feasibility.

The only other thing I'm still trying to figure is a way to identify download request packets, and limiting them by the second, or even detecting and banning after 32 or so of those packets.