Login bypass + MapleQuestlineFetcher

Solved an exploit where anyone (via packet editing) could log in as any registered character after authenticating and selecting a character.
New tool: MapleQuestlineFetcher. It reports the ids of quests whose quest script files were not found in the scripts folder.
ronancpl
2018-04-22 20:58:56 -03:00
parent a1fcf21ac9
commit b7a259e2c4
25 changed files with 1223 additions and 44 deletions

@@ -126,6 +126,7 @@ External tools:
* MapleMesoFetcher - Creates meso drop data for mobs with more than 4 items (thus overworld mobs), calculations based on mob level and whether it's a boss or not.
* MapleMobBookIndexer - Generates a SQL table with all relations of cardid and mobid present in the mob book.
* MapleMobBookUpdate - Generates a wz.xml that is a copy of the original MonsterBook.wz.xml, except it updates the drop data info in the book with those currently on DB.
* MapleQuestlineFetcher - Searches the quest WZ files and reports in all questids that currently doesn't have script files.
* MapleQuestItemCountFetcher - Searches the quest WZ files and reports in all relevant data regarding missing "count" labels on item acts at "complete quest".
* MapleQuestItemFetcher - Searches the SQL tables and project files and reports in all relevant data regarding missing/erroneous quest items.
* MapleQuestMesoFetcher - Searches the quest WZ files and reports in all relevant data regarding missing/erroneous quest fee checks.
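Review bot: The MapleQuestlineFetcher entry breaks the alphabetical order of this list and has a grammar slip. It sits above MapleQuestItemCountFetcher, while every neighbouring entry is sorted, so it belongs between MapleQuestItemFetcher and MapleQuestMesoFetcher. "questids that currently doesn't have script files" should read "questids that currently don't have script files". The entry would also be more useful if it said which scripts folder is checked and where the report is written.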
@@ -141,6 +142,12 @@ Project:
* Heavily reviewed future task management inside the project. Way less trivial schedules are spawned now, relieving task overload on the TimerManager.
* ThreadTracker: embedded auditing tool for run-time deadlock scanning throughout the server source (relies heavily on memory usage, designed only for debugging purposes).
Exploits patched:
* Player being given free access to any character of any account once they have authenticated their account on login phase.
* Player being given permission to delete any character of any account once they have authenticated their account on login phase.
* Player being able to start/complete any quest freely.
Localhost:
* Removed the 'n' problem within NPC dialog.
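Review bot: The "Exploits patched" bullets describe the symptom only, and the third one ("start/complete any quest freely") is not mentioned in the commit message, which covers just the login bypass. For the first two bullets, please state which server-side check was added (for example, that the character id sent by the client is verified against the authenticated account) and confirm that the select and delete paths both go through it, so a later reader can audit any other login-phase handler that accepts a client-supplied character id. The quest fix is a separate issue and would be easier to review and revert as its own commit.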

@@ -872,4 +872,8 @@ Adicionado scripts para a questline de Full Swing de Aran.
19 Março 2018,
Tentativa de correção em reactors desconectando jogadores que tentam ativá-los com ataque básico ao mesmo tempo.
Adicionado feature de AutoJCE (créditos ao Kradi-a).
Adicionado feature de AutoJCE (créditos aos Acernis devs).
20 - 22 Março 2018,
Resolvido exploit com login, onde qualquer um (via packet editing) podia logar livremente com personagem de outras contas.
Nova ferramenta: MapleQuestlineFetcher. Busca nos XMLs e registra questids que ainda não possuem quest scripts.
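Review bot: The heading "20 - 22 Março 2018" does not match the commit date of 2018-04-22; if this work was done in April the heading should read Abril, and the "19 Março 2018" heading above it is worth checking for the same slip. The AutoJCE line appears twice with different credits ("Kradi-a" and "Acernis devs"); if this is a credit correction, it is unrelated to the login fix and should be called out in the commit message. The entry also records only the login case, while the README hunk lists character deletion and the quest exploit as patched too.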

@@ -46,8 +46,6 @@ ToDo / Missing features list:
---------------------------
** Jobs **
- Check Aran
- Check Cygnus Knights
---------------------------
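Review bot: The hunk header (8 lines down to 6) shows two lines dropped from the Jobs section of the ToDo list, and nothing in the commit message accounts for it. If "Check Aran" and "Check Cygnus Knights" were completed, say so in the message or move the cleanup to its own commit, so the security fix stays isolated from unrelated housekeeping.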