Major Security Issue With Servers



  • Our servers have been hit by several people who use a ‘master’ console command to log in as server admin. These people ban random players and essentially take down our whole server. This is the fourth time this has happened today.

    There is a HUGE security flaw with the console. Anybody with the right command can log in as an admin on ANY server.



  • I believe this has been fixed in the new patch which will be released imminently.



  • You should probably consider patching any other dev commands…

    I mean this command pops up when you type the first two letters of the command in the console. I hate to think what other dev commands exist that are waiting to be found.



  • If you want to double-check, you can try the beta. Info is in the Announcements and Beta Feedback sections :)



  • After yet another attack I have had to take down our six game servers, including the third most popular Chivalry server in the game.

    Thanks Torn Banner for leaving such a gaping security hole in the game.

    Can you release a hot fix for this? How can you let random people abuse admin rights on any server for one hour, let alone twenty-four hours!

    Oh and how about global ban the idiot who leaked this? Or are you going to let him keep his account? I have PMd you a link to his profile.



  • This patch is going to fix this issue, as well as bring swift punishment for people who abused it. I apologize for the trouble it has caused you.



  • When is the patch coming? Today? Or sometime next month? This security hole must be patched with a hotfix in the next few hours… not in days



  • @[IO: StabYou]:

    When is the patch coming? Today? Or sometime next month? This security hole must be patched with a hotfix in the next few hours… not in days

    Now!

    viewforum.php?f=2



  • Thanks, the guy who leaked it is yet to be banned though…



  • This issue has been fixed.

    PM me the steam id link as well. I have a whole list of abusers/hackers/etc. that will need to be dealt with when the new global ban list is revealed.



  • @[IO: StabYou]:

    Oh and how about global ban the idiot who leaked this? Or are you going to let him keep his account? I have PMd you a link to his profile.

    For someone who is awfully self-righteous about their server security, you have the wrong perspective here. The guy who leaked the insecurity is your ally. TB did mess up hugely by leaving this in, but you don’t ban the person who exposed it. He did you a favor by making sure this was known now and not later.



  • @Kimiko:

    This issue has been fixed.

    PM me the steam id link as well. I have a whole list of abusers/hackers/etc. that will need to be dealt with when the new global ban list is revealed.

    I will take serious, serious issue with it and I will make it known to the nether regions of the internet if you globally ban a user for making known a console command that was left in the game. Only someone with no perspective/experience with IT security would take such a stance, and it would be a completely tyrannical thing to do.



  • @Swayze’s:

    @[IO: StabYou]:

    Oh and how about global ban the idiot who leaked this? Or are you going to let him keep his account? I have PMd you a link to his profile.

    For someone who is awfully self-righteous about their server security, you have the wrong perspective here. The guy who leaked the insecurity is your ally. TB did mess up hugely by leaving this in, but you don’t ban the person who exposed it. He did you a favor by making sure this was known now and not later.

    I take issue with the fact that the idiot raided one of my servers and banned everybody on it. He then raided another server and changed the server speed.



  • @Swayze’s:

    @Kimiko:

    This issue has been fixed.

    PM me the steam id link as well. I have a whole list of abusers/hackers/etc. that will need to be dealt with when the new global ban list is revealed.

    I will take serious, serious issue with it and I will make it known to the nether regions of the internet if you globally ban a user for making known a console command that was left in the game. Only someone with no perspective/experience with IT security would take such a stance, and it would be a completely tyrannical thing to do.

    There’s a BIG difference between making an exploit or something like that known to the people who need to fix it, and spreading it all over the damn place so EVERYONE knows, and also personally abusing it themselves. BIG BIG BIG difference. Exploits and hacks can take time to fix; spreading them all over the internet just lets abuse become even more prevalent in that time, it helps nothing.

    Torn Banner obviously WANT to fix stuff like this and DO care, because they have! Abuse of the Dev commands / tag has been addressed in the latest patch.

    If I haxx0red your bank and stole all your money (and taught everyone else how to do it too, every time you put a penny back in), sure the bank’s security would be at fault, but would that make me any less of a criminal? Rather than me quietly informing the bank about it instead.



  • Bob, the correct “white hat” thing to do is to notify the developers of the hole/insecurity/whatever, give them time to fix it, and then make it known if the developers do not fix it in a timely manner. White hat hackers do this constantly with large companies like Microsoft, Adobe, Novell, etc. There has been more than one case of a huge corporation getting egg on their face because white hat hackers revealed that the company didn’t fix the issue despite having been notified some time earlier.

    However, you cannot expect anyone who ever discovers a hole to exhibit “white hat” behavior. This does not mean they are worthy of a ban. Spreading the knowledge of the issue was doing just that: spreading knowledge. Exploiting the issue is another thing. I should be clear that I’m all for banning someone who exploited the issue, but banning someone just for making the issue known is ethically wrong. Pretty much anyone in the security world or anyone who respects free speech would agree. Torn Banner is ultimately responsible for this issue occurring, as leaving dev commands in final builds is basically a newbie mistake. There must be a clear, public, and consistent difference in how you enforce bans for spreading knowledge of an exploit vs exploiting. The former is a non-offense in my opinion.

    And once again this brings to bear the obvious conflict of interest and frankly bad policy I think it is to have forum moderators in charge of manually banning people. I cannot expect each mod gives this type of depth of introspection to each “exploitive” user, nor can I expect them to have knowledge or experience in the security world. How many users have been globally banned so far for using console commands?



  • @Swayze’s:

    I should be clear that I’m all for banning someone who exploited the issue

    That’s all any mod has mentioned, people who actually took advantage of and abused it, as in those who (like the OP mentioned), ran round abusing the exploit and taking down people’s servers for shits and giggles.

    The OP hasn’t been banned for making this topic has he? If INSTRUCTIONS are posted, we would move them to Private forum sections for review by the devs if it wasn’t already known, and ask the user not to publicly post actual instructions for people to reproduce it, but we certainly wouldn’t dish out bans for simply wishing to inform that there’s a problem, that would be silly and make everyone paranoid about reporting anything in future. I’ve actually been trying to think of ways to HELP people to let the devs know about exploits and so on, without risking informing everyone of how to use them, unfortunately we’re not sure if our forum software is compatible at the moment.

    I’d certainly not take kindly to someone who CONTINUED to post exact steps to reproduce such exploits all over the forums though after being asked not to; that’s NOT being responsible and is as bad as posting hacking demonstrations on any other site. Someone demonstrating people’s personal information or financials COULD be vulnerable, or finding life-threatening problems with software in the real world and trying to encourage fixes, is very different to spoiling people’s fun in an online video game just to make a point. With gaming that’s not being a “white-hat”, that’s just being an arrogant dick; only the developers know the actual timeliness that the fix will take, and it would only be themselves who ended up losing out if they stupidly decided to ignore such issues. If people find an exploit, we’d certainly love them to report it, however we’d ask they not publicly provide steps for reproduction of it.

    May I also make it clear that the forums are moderated ENTIRELY separate to the in-game servers; we wouldn’t ban someone on a game server who got banned from the forums and vice versa, that would again be silly.

    Like I said Torn Banner DO listen and HAVE fixed it. As to it being a newbie mistake well, brand new company, first game…hello? I’m sure they’ll learn from it and keep a tighter handle on dev commands in future. No-one has died or lost out financially as a result of this.

    Regarding banning, I don’t think there have been any just yet, but I’ll have to let the other mods comment on that, I can assure you that I personally haven’t banned anyone from a single server, and had to use the Kick command only twice. I’m unsure what your problems are since if anyone HAD been using such methods unprofessionally, we’d have heard a lot more about it already.



  • I should also clarify that I’m not really being negative by saying they made a “newbie mistake”. It was just that. We all make them in life when doing things above our normal level.

    The quality of Chivalry, having come from what is basically a glorified and funded mod team, is outstanding. TBH the kickstarter didn’t raise enough money to justify the game being as high-quality as it is. I hate that I never knew about the kickstarter so I’ll never be able to get an awesome hat.



  • @Swayze’s:

    I should also clarify that I’m not really being negative by saying they made a “newbie mistake”. It was just that. We all make them in life when doing things above our normal level.

    The quality of Chivalry, having come from what is basically a glorified and funded mod team, is outstanding. TBH the kickstarter didn’t raise enough money to justify the game being as high-quality as it is. I hate that I never knew about the kickstarter so I’ll never be able to get an awesome hat.

    That’s no problem, and I’m sure they admit it too.

    It was a similar story with the Magicka team: fantastic game, but it was their first attempt so there were a LOT of problems on launch. The head dev literally just said “We’re sorry, we were noobs!” heh.

    Fortunately the game was practically already done by the time the Kickstarter came out; it was in late Alpha and about to move into Beta. A lot of stuff changed and got fleshed out of course, but the development was practically done; the devs had been funding the development out of their own time and pockets for years. I believe the Kickstarter funds were used primarily for license purchasing and launch related stuff, and were mainly a way of letting people pre-order it. So yeah you missed out on the helmet, but didn’t really harm the game’s development any, since you bought it anyway. :)



  • @BobT36:

    So yeah you missed out on the helmet, but didn’t really harm the game’s development any, since you bought it anyway. :)

    Thank you for the confirmation that I did not hurt the game by buying multiple copies and being active in the community ;P

    Chivalry needs visual armor/weapon DLC. No stats, only visuals. Make fifty different longswords. Make them cost ten bucks. I will buy five of them at least.



  • We’re dealing with this issue 100% based on intent. If someone was going around with the tag on, or even just testing out what they could do with it - nothing will happen to them. That’s obviously a big mistake on our part by having left that in, it would be extremely arrogant and uncalled for to take action against players just for using the command.

    However, those players who were using it with the clear intent of worsening the experience of others through repeated abuse of server settings or kicking and harassing players will be treated just as if they had gone and downloaded some kind of hack to achieve the same ends - they’ll no longer be welcome on our servers or on the servers of any operator who chooses to employ our banlist once we decide to make it available to the public.

