Page MenuHomeFeedback Tracker
Create Task
Maniphest T86208

[Security feature request] Adding variable for caller for remoteExec
New, WishlistPublic
Actions

Description

Like for old publicVariable _fnc_MP funcs there is still a BIG security lack. It's not possible to check who has called this function per remote. This allows script kiddies or even "hackers" to execute functions for other users. It would also obviate the player object as a param if I could get this by a hardcoded variable in the executed script.

My solution for this problem:

Add a hardcoded variable "_caller" or "_from" handled by the engine that can be accessed in the executed script. Content should be the executed player object. In case caller is server this should be a representative server object or just objNull. Alternatively the content could be the netID.

Details

Legacy ID
3722170509
Severity
None
Resolution
Open
Reproducibility
N/A
Category
Scripting
Additional Information

This is a major problem since Arma 3 exists and even before regarding Arma 2. A engine based solution would remove this lack and would make it easier to handle remote executed functions by getting direct info about the executor. I would appreciate a quite quick solution because this is a terrible cheating possibility.

An example to prove the actual lack:

Our actors are: PlayerA (PA) and PlayerB (PB).

Our mentioned function can delete specific users data e.g. a house saved in database or a vehicle.

PA is just playing like each other.

PB is a hacker/cheater and wants to delete PAs user data. He requests PAs user data by remoteExec. He can do this because everyone can. He just has to give a player object as a param. He recieves the data and now he is going to sell (which means deleting) a house of PA. He has data of this house and executes the sell function remotely on the server. Param for this function would be id of the house and owner of this house (which is PA). He executes the function remotely and PAs house will be removed.

A scripted solution would be very "hacky". This would mean you had to check if the uid of player object is matching with the uid of the owner of the house. This would end in much more database traffic. Also this would slower the function at all. It isn't impossible to double check this but it is not possible in every situation.

The cheater/hacker can act as a other player regarding this problem. He can inject everything via another player. This would produce false positives and the cheater is still on the server.

Event Timeline

chris579 edited Additional Information. (Show Details)Feb 8 2016, 7:31 PM
chris579 set Category to Scripting.
chris579 set Reproducibility to N/A.
chris579 set Severity to None.
chris579 set Resolution to Open.
chris579 set Legacy ID to 3722170509.May 8 2016, 1:41 PM
TheMasterofBlubb added a comment.Feb 9 2016, 1:00 AM

The problem is if the variable comes from the client it will be hackable. Better would be if the server autocompletes the IP to the object. or the GUID by IP-List.

chris579 added a comment.Feb 9 2016, 3:03 AM

As the server is handling remoteExecs anyway, this wouldn't be a problem. The server knows who executed this and can send this data to the target.

© Bohemia Interactive a.s. Bohemia Interactive® is a registered trademark of Bohemia Interactive a.s. All rights reserved. · Privacy Policy · Terms and Conditions