Common PW Exploits

Hi folks,

As we look at gearing up for this big launch, the trolls are out in force! These are some of their favorite tactics when they seem to want to troll on NWN servers.

If you know of other common PW exploits, please share them so they can get some attention. I'm aware that some PW owners have already implemented fixes for some of these issues (such as Continual Flame) so this might simply serve as a checklist to make sure your new NWN:EE PW is troll-proof.

Stacking Traps - It is possible to stack traps in overlapping patterns that will deliver hundreds of points of damage to unsuspecting PCs. Traps are probably the favorite method of griefing others and this behavior is prohibited in nearly every roleplay community.

Transition Abuse - Depending on the speed of your PC, it is possible to transition sometimes several times before another player can load in one time. In PVP situations, this has led to considerable grief, considering that the transition break is a free opportunity to re-enter stealth, among other problems such as attacking the other player before they've all the way loaded.

Continual Flame and Merchants - This one is a favorite for trolls looking to break your server economy. By casting Continual Flame on weapons, they can increase the value of the item and sell these items over and over to make massive amounts of wealth. This behavior is prohibited by nearly every roleplay community.

Hostile/Non-Hostile Greater Sanctuary bug - I'll have to look at recreating this, but it's a fairly well known bug where you can toggle non-hostile to reveal a player who is using Greater Sanctuary.

Double Boxing - Maybe this is one for a server or module switch to disallow? Simply put, unless a PW has created scripts to detect players who play two accounts from the same IP address, double boxing is an easy exploit to get away with. There is a use-case where multiple players in the same household would create this situation, but "double boxing" is generally prohibited by nearly every roleplay community.





RaetzainSelpheadunahan
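
The same-IP check described under Double Boxing, as an added example that is not part of the original post or any PW's code: it reads constructed login/logout records, reports different accounts whose sessions overlap on one IP address, and puts IPs that staff have already confirmed as shared households on a separate review list. The log format, the account names and the `HOUSEHOLD_IPS` allowlist are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample: "timestamp event account ip". The format is an assumption;
# adapt the parser to whatever your server or login script actually logs.
SAMPLE_LOG = """\
2018-05-01T19:00:00 LOGIN  alice   203.0.113.10
2018-05-01T19:05:00 LOGIN  alice2  203.0.113.10
2018-05-01T19:40:00 LOGOUT alice2  203.0.113.10
2018-05-01T20:00:00 LOGOUT alice   203.0.113.10
2018-05-01T20:10:00 LOGIN  bob     198.51.100.7
2018-05-01T20:15:00 LOGIN  carol   198.51.100.7
2018-05-01T21:00:00 LOGOUT bob     198.51.100.7
2018-05-01T21:30:00 LOGOUT carol   198.51.100.7
2018-05-01T22:00:00 LOGIN  dave    192.0.2.44
2018-05-01T22:30:00 LOGOUT dave    192.0.2.44
2018-05-01T22:45:00 LOGIN  erin    192.0.2.44
"""

# Hypothetical allowlist: IPs where staff have confirmed several real players.
HOUSEHOLD_IPS = {"198.51.100.7"}


def parse_sessions(log_text):
    """Return {ip: [(account, start, end_or_None), ...]} from login/logout lines."""
    open_logins = {}
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event, account, ip = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "LOGIN":
            open_logins[(account, ip)] = when
        elif event == "LOGOUT" and (account, ip) in open_logins:
            sessions[ip].append((account, open_logins.pop((account, ip)), when))
    for (account, ip), start in open_logins.items():
        sessions[ip].append((account, start, None))  # still connected
    return sessions


def find_double_boxing(log_text, household_ips=frozenset()):
    """Split same-IP concurrent account pairs into (flagged, household_review)."""
    flagged, review = [], []
    for ip, items in parse_sessions(log_text).items():
        pairs = set()
        for (a, a_start, a_end), (b, b_start, b_end) in combinations(items, 2):
            if a == b:
                continue
            # Two sessions overlap when each starts before the other ends;
            # a session with no logout (end is None) is treated as still running.
            a_before_b_ends = b_end is None or a_start < b_end
            b_before_a_ends = a_end is None or b_start < a_end
            if a_before_b_ends and b_before_a_ends:
                pairs.add((ip,) + tuple(sorted((a, b))))
        (review if ip in household_ips else flagged).extend(sorted(pairs))
    return flagged, review
```

A shared IP cannot tell one player running two clients from two players behind one router, so the flagged list is a prompt for a DM to ask questions, not grounds for an automatic ban.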

Comments

  • DM_DjinnDM_Djinn Member Posts: 102
    Re: Doubleboxing, the MAC address might be suitable to allow the module/server to determine that the two player accounts are on the same physical machine, and so if the MAC addresses are different, they could be allowed.

  • ValgavValgav Member Posts: 24
    I was always against any restriction for Stacking Traps and Transition Abuse. The first can be overcome by investing in detect skill and limiting access to powerful traps, and for me it's more like you spend time to get 5 rare traps because the mechanics don't allow you to build one powerful one.

    The second is also part of planning, knowing that you have computer is like not being a runner, just talk yourself out of the situation or, if you're pursuing someone, just make sure to be prepared (traps, hold, flesh to stone spells/scrolls).

    DM_Djinnpscythe
  • MalcorathMalcorath Member Posts: 12
    There are other ways of catching multiboxers too. Input automation is quite obvious, but alt-tabbing between characters takes a little more work to catch. I would start out any multiboxing measures by having clear community rules and explaining the reasoning behind them, and then trust your core players to help root it out.

    DM_DjinnRaetzain
  • ShadowMShadowM Member Posts: 403
    All of those can be fixed.
    Stacking Traps - Replace the trap system with cast-spell place-trap properties on trap items that run through a script instead of the standard system. This will allow you to check for nearby traps before placement and cancel if they are too close, and also allow you to control the place trap DC / failure etc... (Did this in my HR base) trap routing system.

    Transition Abuse - This is the same thing in all PVP: the guy with the faster computer got the shot off faster, and anyone will adjust as needed. This can be mitigated with transition scripting. I see this as minor and players understand it.

    Continual Flame and Merchants - Adjust the 2da so the light property gives no boost to value.

    Hostile/Non-Hostile Greater Sanctuary bug - Script on door, placeables, actions like casting spells even non-hostile, canceling this / short time duration have already been explained.

    Double Boxing - On client scripts to log and handle this have already been shown and PW people deciding how many players can be on an account has already been established.

    DM_Djinn
  • SherincallSherincall Member Posts: 340
    meaglyn said:

    I have to disagree with this. Keeping exploits secret from PW developers does not help anyone (except maybe the blackhats who already know about the exploits). Many of the exploits have scripting or other mitigations that PWs could use to protect themselves...but only if they know what needs to be protected against. Otherwise each PW has to go through the same pain and discovery process, get shafted for a while, figure out a way to stop it, while losing players etc.

    Certainly telling the devs is a good idea, but others need that information too. Just look at the clusterfsck around the meltdown/spectre embargoes.

    Arguable for exploits that are fixable. Of the ones Djinn mentioned, only the sanctuary would actually be considered an exploit, but that is also easily fixable.

    I'm concerned about actual exploits that are very hard or impossible to patch, or even detect. Djinn reported one of (mostly) that kind in another thread, and it was rightly censored by the devs. There are others, and I really wouldn't want people posting them.

    Funny you should mention spectre - I actually think that was handled relatively well by the industry. There's plenty of room for improvement, but compared to just revealing a vulnerability, this was pretty well done.

    zunath
  • meaglynmeaglyn Member Posts: 44
    Spectre was not handled well. Ask the FreeBSD people, or any of the other affected vendors who did not find out until it leaked a week before the official end of the embargo. Plus there was a lot of misinformation, partly due to the secrecy and people having to guess. We're still dealing with it and will be for a long time to come. True, some of that is just the nature of the bug, but part of the mess was how badly it was handled.

    As to the other parts, I'd consider all of those to be exploits. And all those listed can be addressed by PW admins/devs. If there are exploits that can only be fixed with code then BD should fix them. If there is nothing the PW can do then maybe they could be hidden, but even then it might be nice to know what to watch for... If one person found it, someone else will too.

    DM_DjinnRaetzainGM_ODA
  • LibertyisbackLibertyisback Member Posts: 49
    Sometimes I think exploits exist across all MMOs/RPGers. The worst exploits are the ones that only tweak your abilities slightly. You get an advantage, but it's not so obvious. Such exploits are undetectable.

    DM_Djinn
  • SherincallSherincall Member Posts: 340

    The worst exploits are the ones that only tweak your abilities slightly. You get an advantage, but it's not so obvious. Such exploits are undetectable.

    I disagree. The worst exploits are those that let you take over the server, wipe everyone's characters and use all players as a botnet to mine bitcoin / DDOS websites. Yes, these exist. All known ones are fixed (or will be?) in EE, but there are certainly more we've never seen before. And 1.69 servers are still vulnerable.

    Ask the FreeBSD people


    They did pretty explicitly say that they will not participate in industry's disclosure practices and would immediately announce any vulnerability they are notified about. That's a sure-fire way to get excluded from the in-the-know group.

    Going back to the previous exploits, I would never share something like described above with anyone who believes all exploits should be public.

    TheUncertainManzunathIndyWendieGo
  • meaglynmeaglyn Member Posts: 44
    FreeBSD was just one example. But anyway, exploits should be fixed. Keeping them secret so that only the in-the-know crowd can protect themselves is fine as long as people who care have a way to be in that elite, special, shiny group. But that has not been the case in NWN. If there are server-side fixes for known exploits, then keeping them secret is a disservice to PW admins.

    If not public then what... How do I get the information I need to protect my servers from known exploits? Is there an invite only mailing list or forum? There's at least one listed earlier in this post that I had not come across before that I need to look into. I'm not arguing here strictly from a philosophical difference of opinion about the value of keeping vulnerabilities secret. It's a practical concern too :)

    DM_DjinnRifleLeroyNeverwinterWightsGM_ODA
  • SherincallSherincall Member Posts: 340
    There used to be NWNX plugins that plugged these vulnerabilities. Sometimes distributed without the sources even. I know niv wrote one that fixes an RCE exploit; best check with him what's the status there.

    I haven't actually run a server in a long time, so I didn't pay too much attention to it, sorry.

  • Sylvus_MoonbowSylvus_Moonbow Member Posts: 981
    I like the WSAD one that when used into a transition you can jump right across the next area and get loaded in the area after that one. Saves time moving or avoiding large groups of monsters.

  • FreshLemonBunFreshLemonBun Member Posts: 685
    Most of these aren't exploits. Things like item duping, using epic spells repeatedly in rapid succession, and crashing clients are all exploits, something like continual flame on weapons is just unwanted behavior.

    dTd
  • DM_DjinnDM_Djinn Member Posts: 102
    ShadowM said:

    All of those can be fixed.
    Stacking Traps - Replace the trap system with cast-spell place-trap properties on trap items that run through a script instead of the standard system. This will allow you to check for nearby traps before placement and cancel if they are too close, and also allow you to control the place trap DC / failure etc... (Did this in my HR base) trap routing system.

    Transition Abuse - This is the same thing in all PVP: the guy with the faster computer got the shot off faster, and anyone will adjust as needed. This can be mitigated with transition scripting. I see this as minor and players understand it.

    Continual Flame and Merchants - Adjust the 2da so the light property gives no boost to value.

    Hostile/Non-Hostile Greater Sanctuary bug - Script on door, placeables, actions like casting spells even non-hostile, canceling this / short time duration have already been explained.

    Double Boxing - On client scripts to log and handle this have already been shown and PW people deciding how many players can be on an account has already been established.

    Hi @ShadowM, this is very helpful information. Can you provide further insight on how a replacement of the trap system might operate? The other stuff here is pretty manageable for my small team, but overhauling traps and drawing trap triggers via script is not something I currently know how to do. Is there something you can point me to?

  • FreshLemonBunFreshLemonBun Member Posts: 685
    There are several ways you could create an alternative trap system. If you largely want to preserve the current system then you should look at traps.2da and change the blueprint references in the ResRef column to a different item. This item is now used to call a script and set the trap (CreateTrapOnObject and CreateTrapAtLocation) after you do your checks and animations.

  • ShadowMShadowM Member Posts: 403
    edited May 2018
    @DM_Djinn
    FreshLemonBun has pretty much covered the surface, but if you look at the traps.2da you'll notice that it's set up pretty much like the spells.2da because each trap has its own script. You can change all these to point to one script (trap routing script); this will allow you to override the standard trap's action when triggered with anything you can script, or even just allow the trap to function as intended. For placing traps, just make a new spell called Use: Set Trap, then make it usable on items and add it to your new trap kits or override the old trap kits' blueprints. This will allow you to gather data on the person setting the trap, where they're setting it (if there's another trap close by), if the PC has X feat give the trap bonus damage, etc... Look at my HR Base module in scripts for setting the traps hr_inc_spellab, hr_spell_routab (custom function SET_TRAP) and my traps.2da to get a better idea, and come back with any more questions. For when the trap goes off, look at scripts hr_traps_router and hr_inc_traps for custom functions. I have a few trap kit examples in custom / miscellaneous / kits. Hope that helps.

    HR BASE LINK

  • badstrrefbadstrref Member Posts: 103


    Double Boxing - Maybe this is one for a server or module switch to disallow? Simply put, unless a PW has created scripts to detect players who play two accounts from the same IP address, double boxing is an easy exploit to get away with. There is a use-case where multiple players in the same household would create this situation, but "double boxing" is generally prohibited by nearly every roleplay community.

    This is impossible to "fix" without risk of false positive situations.

    Shia_Luck
  • NeverwinterWightsNeverwinterWights Member Posts: 192

    I'm sorry, but publicly writing about unfixed exploits is not the best idea. Can we please close this thread before someone posts an actually useful and uncommon one?

    If you know about exploits that should be fixed in the game, please message the devs privately.

    Is there some place or resource or person that 'would be' server admins are supposed to go to to fix all these problems that many in the community have figured out how to fix? I've been wanting some kind of list forever so I can fix/know about all these problems. Or at least have a full list of fixable bugs/exploits with their solutions (keep the unfixable ones out). And I hate to think negatively, but I've always felt like part of the community may have been holding back info so that competing PWs fail. I hope that's not the case but I can't help thinking it.

    GM_ODA
  • DM_DjinnDM_Djinn Member Posts: 102

    I'm sorry, but publicly writing about unfixed exploits is not the best idea. Can we please close this thread before someone posts an actually useful and uncommon one?

    If you know about exploits that should be fixed in the game, please message the devs privately.

    Is there some place or resource or person that 'would be' server admins are supposed to go to to fix all these problems that many in the community have figured out how to fix? I've been wanting some kind of list forever so I can fix/know about all these problems. Or at least have a full list of fixable bugs/exploits with their solutions (keep the unfixable ones out). And I hate to think negatively, but I've always felt like part of the community may have been holding back info so that competing PWs fail. I hope that's not the case but I can't help thinking it.
    You sense correctly the reluctance in the community to help any "competitive" PW get its footing. We founded our server in 2015 and have received very, very little help from anyone. Mostly, "developers" seem to want a stake in the creative control of your project and if they don't have that, they're going to hamstring you. If you've ever banned somebody's friend, you are also toast.

    That said, we would be happy to help you get started. I made this thread because certain (now banned) players were going around and actually teaching other players these well known exploits. If you don't have players that will report this kind of stuff, or if you aren't online 24/7 to watch what people are doing on your server, you'll eventually get runaway issues with server economy, people with unlimited attacks per round, and other ridiculous things that yes, you could have perhaps prevented.

    You've got several years of work ahead of you whether you're doing this solo or have a small team. But don't get too discouraged. NWN needs more servers and players treat each one like the fresh breath of air that it is. You will need to persevere, research, and probably investigate all the links in this thread- I wish I'd found ShadowM's HR base three years ago. I had never heard of it. It's amazing and just like the 3.5 experience I have been striving to create.

    If this feeling you have is something you think you can work through for years, keep going. But it won't go away. As you get into the more technical features of EE (such as NWNX:EE) you'll realize that unless you have some of Arelith's codebase, the features that are going into NWNX aren't for you. You probably want to avoid Windows hosting. So, you need to learn Linux (we run Ubuntu), plenty of C programming and probably scope out a team with similar values to your own if you want to be really successful.



    NeverwinterWights
  • DM_DjinnDM_Djinn Member Posts: 102

    There used to be NWNX plugins that plugged these vulnerabilities. Sometimes distributed without the sources even. I know niv wrote one that fixes an RCE exploit; best check with him what's the status there.

    I haven't actually run a server in a long time, so I didn't pay too much attention to it, sorry.

    So, NWNX plugins to fix dangerous program vulnerabilities and... where are they? This thread has been alive for two months. I'm going to take a wild guess and suppose that this plugin to fix RCE isn't a part of the new NWNX:EE, nor is it intended to be. Unless you have a professionally trained programmer on your staff, you're stuck, and this is a perfect example of a feature that someone decides is not for you or your server.

    RifleLeroy
  • DM_DjinnDM_Djinn Member Posts: 102
    The other thing a new or would-be PW owner should do is read every single Beamdog patch note and ask lots of questions. There are not any clear instructions on how to implement most of the features of the new builds. As a result, you'll be updating your server to use a bunch of things that you won't know how to actually implement, like the minimap system. I think the scripting options for transform are some of the only clear things to come across.

    For just about everything else, you must roll persuade and beg, genuflect, or place yourself at the mercy of the creative control of the people who do know how to do this stuff. You must have the same alignment as the target. They won't write documentation. They haven't for the last ten years, why would they do it now? You might be really successful and get tons of players, so who would want you to also have competitive features?

    Or you can point out the obvious and be reviled for it. Good luck. Feel free to inbox me for any technical questions you have and I'll ask my project manager to spare some time for you.

    RifleLeroy
  • FreshLemonBunFreshLemonBun Member Posts: 685
    If you want help from specific people for specific issues it's probably better if you politely asked them about it.

    tfox
  • NeverwinterWightsNeverwinterWights Member Posts: 192
    I believe it was about 2005 when I joined the old BioWare forums and started to learn nwnscript from the likes of AxeMurderer, FunkySwerve, Rolo, Krit, to name a few. Even then I remember this same topic coming up several times and again people would shut it down. I mean I get why but at the same time I don't, because the only way to fix it IS to talk about it and to post solutions including scripts and "How Tos" for every PW builder to be aware of. I've figured out some in that time but I'm probably still not aware of all of them.
    DM_Djinn said:

    Feel free to inbox me for any technical questions you have and I'll ask my project manager to spare some time for you.

    I appreciate that. Thank you.

    GM_ODA
  • FreshLemonBunFreshLemonBun Member Posts: 685
    Most likely because those with less technical expertise are most at risk and publicly posting what could effectively be a tutorial on how to hack your server for anyone curious isn't in your best interest.

    Besides that most of the concerns aren't actually exploits and you would probably have better luck asking a question on the scripting forum, or posting a bug report if it's a bug.

  • NeverwinterWightsNeverwinterWights Member Posts: 192
    edited May 2018

    ...and you would probably have better luck asking a question on the scripting forum...

    I've actually tried this over the years (including recently on the topic of how best to go about persistent storage) and have run into the same problem. Here's an anecdotal example.

    ~item duping is a problem
    ~how is it a problem, what exactly are they doing to make it happen
    ~can't post it cause then people will know how to do it
    ~ok well how do I prevent it
    ~cricket...cricket...cricket

    This same back and forth has been going on since the dawn of Neverwinter forum time. If you don't at least know what the fixable exploits are, you can't fix them. And if you can't ask what they are then you won't know what to ask that needs to be fixed or what to even ask for on the scripting forum. So again where is a person supposed to start?

    GM_ODA
  • voidofopinionvoidofopinion Member Posts: 1,242
    I think it's important to remind people that any support offered by the modding community is done so out of the goodness of that person's heart.

    No one is entitled to anyone else's time or expertise.

    If you know of an exploit that needs fixing then please report it to Beamdog.

    Otherwise

    If you want help from specific people for specific issues it's probably better if you politely asked them about it.

    clansunstartfox