There used to be NWNX plugins that plugged these vulnerabilities. Sometimes distributed without the sources even. I know niv wrote one that fixes an RCE exploit; best check with him what's the status there.
I haven't actually run a server in a long time, so I didn't pay too much attention to it, sorry.
So, NWNX plugins to fix dangerous program vulnerabilities and... where are they? This thread has been alive for two months. I'm going to take a wild guess and suppose that this plugin to fix RCE isn't a part of the new NWNX:EE, nor is it intended to be. Unless you have a professionally trained programmer on your staff, you're stuck, and this is a perfect example of a feature that someone decides is not for you or your server.
They are no longer needed for EE. AFAIR all known issues with the engine are fixed in NWN:EE, so there is no need for a NWNX plugin. I'm sure there's still plenty of bugs in the default scripts, but PW admins can fix those on their own, and there are several PW starter kits on the vault that fix plenty of them. These script bugs are unfortunate, but their scope is item duplication or XP gain or whatever, not something that can actually take down a server (or worse). You can report these on redmine, as it'd be nice to get them fixed, but they are far from priority.
If you find an exploit in the game code (e.g. sending a malformed network packet causes a server crash), report this privately to a dev so it can get fixed. These kinds of exploits are important and they are getting fixed in the base game, so you don't have to have a list and NWNX plugins and whatnot.
If it is a bug in one of the stock scripts, sure. If it is a security sensitive issue, please reach out to a dev directly rather than going through redmine.
... exploits should be fixed. Keeping them secret so that only the in-the-know crowd can protect themselves is fine as long as people who care have a way to be in that elite, special, shiny group. But that has not been the case in NWN. If there are server-side fixes for known exploits, then keeping them secret is a disservice to PW admins.
I agree - I was run out of an 'administrator group' because I advocated some security measures the others did not like - totally valid measures just they did not want to make them so excluded me from their group. This only makes it necessary for all us outsiders to do our own research and such redundant wastes of human effort is a SIN.
I am a server admin, to deny me information that could protect my server is a huge disservice to the community.
It is a questionable method to blindly trust the code of others. Source code or we don't use it is our rule. Doubly so for anything from a community member rather than a company that has a public front (can be sued for bad behavior).
Most likely because those with less technical expertise are most at risk and publicly posting what could effectively be a tutorial on how to hack your server for anyone curious isn't in your best interest.
Besides that most of the concerns aren't actually exploits and you would probably have better luck asking a question on the scripting forum, or posting a bug report if it's a bug.
The 'bad guys' get that information from their sources so we have to go find their sources to know what we should protect against?!?!?! Gods that is terrible logic. This community should share such lore so we can protect against it better. NOT telling us admins means that EVEN THOSE OF US WHO CAN CREATE SOLUTIONS TO SECURE THE SYSTEM ARE LEFT IN THE DARK. We all know the less than technically apt will faceplant on this but WHY OH WHY DO YOU ADVOCATE MAKING US ALL FIND ALL THE ERRORS UNAIDED?
Perhaps we should crowd source a super secret list of all the known and unknown exploits to send off to the devs so they can actually be patched instead of having to maintain 15 more years of cloak and dagger.
This does not address those which go unfixed, nor the span of vulnerability left prior to anything being 'fixed' - again, why keep fellow admins in the dark? Hackers cooperate MUCH better than NWN admins imho.
There's already some stuff on the public redmine if you spend time digging around. See Bug#36817, for example. If something's missing, report it somewhere.
"go search for the answers" is really the least helpful of answers. Yes, I know I can search and find _some_ things, but again, hackers are much better at cooperating with one another than are admins for NWN servers.
I'm beginning to realize that there is probably a misunderstanding going on here. I think what the majority of people are asking for, in these particular "exploit" threads, are common, fixable, already fixed, known, player exploits that many up and coming "would be" PW admins and builders (or even those who've been around awhile and might have missed a memo or two) might otherwise be unaware of and would like to know about ahead of time before they go live or what not. At least this is what I am wanting, hoping for, and am interested in. And I don't think it's wrong or dangerous to ask for it. For every player who sees such a list that would take advantage of it, you would also have a builder who would see it and could fix said issues.
Sure if there is some weird type of thing going on that you suspect has nothing to do with scripting and maybe some pure hardcoded engine exploit or some external program exploit, then of course that should be brought to the attention of the devs and not posted. But I think there are two conflicting sides asking for two different things here.
Wasn't referring to the bugs that came out with the latest additions, I was referring to those OLD bugs that are well documented and known by anyone with a bit of experience, like this:
http://nwn.wikia.com/wiki/Darkness
or the one that gives me the chance to get infinite attacks... or when you try to subtract XP from an RDD character and the stats go busted, and many others...
call me when you reach 1000 bugs. Got an award for you.
If I'm not mistaken Beamdog first wants to tackle technical issues and bugs before going for the more game-related issues. Which is the reason why the community patch project is still a thing as that fixes more. This is also the reason the community patch is still interesting. Check this link, especially the original post in which Shadooow explains the reason for keeping the CPP.
Does this mean that beamdog will fix the broken stuff in the future or that we will need cpp to cover certain bugs?
Btw I already use 1.72 CPP for one of my modules, but that's because it is the 1.69 version of the game; I'm not going to adopt CPP also for the EE. First of all it is not practical, second I prefer that whoever sells me the game provides me the fixes needed, not a third party... with all the respect to the great work done by Shadooow through these years.
Some things aren't exploits but bugs, like the RDD re-level bug which can make characters illegal and unplayable. Fixing bugs should be the responsibility of the developer.
Some things aren't exploits but features, like the continual flame feature which erroneously increases the price of an item. It can also be the IGMS feature which erroneously deals up to 40d6 magic damage no save on a 6th level spell slot, or many other spells and feats that do things the D&D system did not account for nor intend. Changing unwanted features should be the responsibility of the module or pw builder.
Exploits are always malicious and intended to disrupt or gain some unintended advantage, fixing them should be the responsibility of the developer.
A player is not exploiting if they're the victim of a bug or they're using a feature as intended. Features are more so the responsibility of module and persistent world builders. By leaving spells like continual flame unedited the builder includes it as part of their intended design, through inaction and perhaps some incompetence. However it is not the fault of the player as the (passive) choice to leave it as is was made by the builder. Therefore it cannot be called an exploit, doing so would be absurd and needlessly antagonistic towards your players.
Some things aren't exploits but bugs, like the RDD re-level bug which can make characters illegal and unplayable. Fixing bugs should be the responsibility of the developer.
And if a builder is unaware of this bug (that has a fix/workaround) and doesn't fix it, a player who is aware of it can take advantage of it (exploit it). There IS a workaround for this. But if you can't ask for it, then the builder may never know.
Some things aren't exploits but features, like the continual flame feature which erroneously increases the price of an item. It can also be the IGMS feature which erroneously deals up to 40d6 magic damage no save on a 6th level spell slot, or many other spells and feats that do things the D&D system did not account for nor intend. Changing unwanted features should be the responsibility of the module or pw builder.
Again. If the builder is unaware of these "features", and if known ahead of time would definitely not like them as they are...wouldn't hurt to give people a heads up. The price increase on items with continual flame could definitely be "exploited" by a player who is aware of it while the builder is not. I agree that this may be a feature but as far as I know, I think the majority of PW builders out there who are aware of it, "fix" it.
A player is not exploiting if they're the victim of a bug..
Unless they know about the bug, the builder does not, and the player knowingly takes advantage of it (exploits it). Again, the whole point of this thread.
Features are more so the responsibility of module and persistent world builders. By leaving spells like continual flame unedited the builder includes it as part of their intended design, through inaction and perhaps some incompetence.
And once again I'd like to point out the whole reason for this thread. A builder has to be AWARE of it first. A builder asks about bugs or exploits, is told not to ask about bugs or exploits, doesn't fix them on his PW because he doesn't know about them and now it's because of his inaction and/or incompetence? Wow.
This is the last I will reply in this particular thread and I will just say that I very strongly agree to disagree.
The only issue is that some of you keep conflating different things that aren't remotely the same. Nobody said you can't talk about bugs and features you don't like, there are many threads that discuss these topics openly and ppl offer various solutions. I don't know why anyone would disagree with being able to discuss those things if they want help but hey that's freedom I guess.
Okay so "exploits" that are still possible in NWN:EE and builder should know about:
1) player can enter your module with a hacked character, this character can have:
- custom items
- custom race
- any class even prestige class
- ability stats way higher than should
- any number of skill points
- any number of feats
- more hitpoints than they should have
- non-human appearance (even invalid, invisible appearance, funny one)
- wings and tails
- any alignment even evil paladin
- and few more things I won't specify because you can't even detect them... (reliably at least)
2) delevelling RDD can keep some of the ability increases (afaik this remains unfixed in NWN:EE)
3) familiar healing exploit (player can abuse incorrect script in familiar conversation to trigger Heal spell on specified target, instantly and repeatedly, unlimited times); likewise, some summons can be healed as an animal companion (this is the case for one of the versions of the air elemental summon)
4) player can select some feats that are normally selectable on specific level sooner. Specifically epic spells, bane of enemies and epic fiend.
5) player can equip weapons into (invisible) monster slots.
6) relog can restore certain feat uses (I assume you know about the ini setting to avoid restoring spell uses). Smite evil/good, turning undead and bard song are subject to this.
7) unlimited spellcasting via polymorph (the rest of the issues were fixed iirc)
8) stacking AC from shadow mage armor and mage armor up to +20 dodge
9) some feats and special abilities can be cast and hurt target in No-PvP areas
To avoid this,
First I recommend to use the Enforce Legal Characters=1 option - that for the most part prevents 1. Though the player will still be able to bring custom items, non-human appearance and a few more things. If you cannot use ELC for some reason then you need a custom scripted ELC. Unfortunately, there are no perfect choices. Sir Elric's custom ELC is full of holes that can be exploited. And because it is public, some players know exactly what it catches and what not. So I can't advise you with that.
Then you should use scripts from my NO-Hak Persistent&Exploit free base module. Although this now includes a few no-longer-needed fixes. Merge it or use it as is and improve upon it. It will prevent bringing custom items (1) and should also provide persistency for 6), although now I am not so sure of that.
Then you should install the community patch for NWN:EE; it will protect you against: 3), 4), 5), 7), 8) and 9). Note to fix 4, you need to use 70_mod_def_lvup in your OnPlayerLevelUp event or Execute it from your own script.
Then you should make sure that all wands and other items for DM will check if their user is DM. This is related to 1).
One way to work around the RDD delevel bug is to force the player to level up as RDD first, then delevel him; this way abilities will be reduced properly (also don't worry, if you delevel the player right after taking RDD because of some reason, it won't trigger the bug). Iirc relogging works too if the player won't level up after relog again. If you use ELC then a player who gets bugged this way will be unable to log in next time. If not, you should only allow RDD delevelling with DM supervision or check the abilities with a script.
Common PW-specific exploits:
1) Exploiting scripted item requirements. Some script systems allow the builder to add some special requirements to the items such as "having X level of class Y", "having ability score X" etc. The older scripts might be vulnerable to the equip spam which will bypass it. I am not using this so I don't remember the exact way to avoid it, but iirc it consists of multiple delayed unequip calls.
2) Exploiting persistent storages. The first method (bugging the chest and forcing it to be permanently open) was fixed in NWN:EE or should be fixed. But there is one additional method I know of and no public persistent storage is immune to it (though I have a feeling only I know this method hehe). If you want to be immune against me logging on your server exploiting chests then the best solution is not to use the classic inventory way for retrieving items but instead use conversation. Though I suppose nobody actually knows about my way so maybe not needed after all. Also make sure you lock the chest when a player opens it so nobody else can access it...
3) Exploiting logout to prevent death (this was discussed a lot in other thread...)
Yeah, builders don't like the community patch, but that's their choice, if they think they can solve all those exploits themselves...
Thank you @Shadooow. A lot of these I didn't know about. I appreciate it. So I'm looking over your starter module and I'm just wondering if beamdog has fixed any of those issues yet. I just want to make sure I'm not trying to fix anything that's already been fixed. Also has beamdog fixed any of the issues that your patch fixes? Are you keeping your patch updated to reflect beamdog fixes? Do we even know for sure what beamdog has already fixed regarding these issues so people aren't trying to fix things that have already been fixed?
Beamdog fixed the throwing weapon exploit and crash exploits; basically ignore the acquire, unacquire, equip, unequip events in that starting module.
Exporting the character in acquire might still be useful if a new crash exploit is found, but unfortunately it has a few side effects with polymorph (all polymorph issues should be fixed in the community patch though).
As for the community patch, no I am not updating it for NWN:EE, and I didn't remove scripted fixes for issues fixed by BeamDog yet. But that's not a problem, it hurts nothing that there is code that won't trigger anymore.
In addition to the exploits reported by Shadooow I think I remember there is another exploit at character creation; it is related to the conversation field.
Yes, that's exactly the "few more things I won't even mention because..."
nwscript doesn't know GetConversation so this is a huge exploit and it could be abused greatly - that is why I proposed checking GetIsDM on DM wands... But there is more to this and despite you already having named this issue, it is probably better if I say no more, publicly at least...
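The advice above (make every DM wand or DM item check that its user is actually a DM, via GetIsDM) can be applied as a guard at the top of the item's own script, so that a hacked character carrying a copy of the item gets nothing from it. The following is an added example written for this thread, not code from Shadooow's module or from the community patch. It assumes tag-based item scripting (x2_inc_switches, the script is named after the item's tag) and uses the hypothetical tag "dm_wand_heal"; the log text and player message are also made up here.

```nwscript
// Added example, not from the thread: tag-based item script for a DM-only
// healing wand (hypothetical tag "dm_wand_heal"). The DM check runs before
// any effect is applied, so a non-DM holding the item gains nothing.
#include "x2_inc_switches"

// Returns TRUE if oUser may use a DM-only item. Otherwise logs the attempt,
// tells the player, destroys the item and returns FALSE.
int DMItemGuard(object oItem, object oUser)
{
    // DM avatars and DM-possessed creatures are the only legitimate users.
    if (GetIsDM(oUser) || GetIsDMPossessed(oUser))
        return TRUE;

    // Anything else means the item is on a player character that should never
    // have had it (imported/hacked character, stray drop, script bug).
    WriteTimestampedLogEntry("DM-only item '" + GetTag(oItem)
        + "' activated by non-DM " + GetPCPlayerName(oUser)
        + " / " + GetName(oUser));
    SendMessageToPC(oUser, "This item does not respond to you.");
    DestroyObject(oItem);
    return FALSE;
}

void main()
{
    // Only the activate event matters here; acquire/unacquire/equip are ignored.
    if (GetUserDefinedItemEventNumber() != X2_ITEM_EVENT_ACTIVATE)
        return;

    object oItem   = GetItemActivated();
    object oUser   = GetItemActivator();
    object oTarget = GetItemActivatedTarget();

    // Guard first, effect second.
    if (!DMItemGuard(oItem, oUser))
        return;

    // DM-only effect: fully heal the targeted creature.
    if (GetIsObjectValid(oTarget))
        ApplyEffectToObject(DURATION_TYPE_INSTANT,
                            EffectHeal(GetMaxHitPoints(oTarget)), oTarget);
}
```

The point of checking the user rather than marking the item is that the item itself can be anything a hacked .bic brings in, while GetIsDM reflects the server's own view of the client; the same three-line guard belongs at the top of every other DM item script.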
I am to understand that EE made some changes to what acceptable inputs make up text.
Well, we had some items in our module using a particular markup that causes horrendous problems on EE servers.
Here's an example of the markup and text input on item, character or NPC that will reproduce this for you:
And here is an example of what the presence of an item like this key will do to a player character's bic file. It'll inflate the size so badly that connecting to the server crashes it or causes many players to disconnect.
EE sanitizes this input if it is entered into character generation fields, so the real risk is if you as a module builder have items which will be acquired by players that have colorized names or descriptions. There's a new supported input if I remember correctly, so I would read the patch notes for information on that feature so your module design can conform to EE supported input- we are lucky that we could just change a half dozen items and worry about other things.
@DM_Djinn, I'm not seeing this in the stable build, 8176, running on linux (ubuntu 16.04.4 LTS). Are you running into the issue in the dev builds? Are you running a windows server?
Can you offer any other info on the issue? Maybe specific tags cause issues, but not tags in general?
I've tested several chars each with several items with different color coded tags in inventory under 8176, without reproducing your issue:
-rw-rw-r-- 1 nwnee nwnee 164855 Jul 1 04:20 absynthe.bic
-rw-rw-r-- 1 nwnee nwnee 140794 Jul 1 04:32 rhapsodysanguine.bic
Thanks,
-Dave
PS - Happy Canada Day everyone!
EE servers running this version are advised to code some on-entry scripts that will check for invalid or hacked characters.
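One shape such an on-entry script can take, as an added example for this thread (not code from any of the posters, the community patch or Sir Elric's ELC): an OnClientEnter handler that logs and boots characters showing the properties from Shadooow's list that nwscript can actually see (non-player race, evil paladin, base ability scores above a ceiling). It assumes the module uses only the seven stock playable races (no subrace haks) and the ability ceiling MAX_BASE_ABILITY is a guessed value that has to be tuned to your own level cap and prestige classes.

```nwscript
// Added example, not from the thread: OnClientEnter legality check.
// Assumptions: only the seven stock races are playable, and the ceiling
// below is a hypothetical value to tune per server.

// Highest base ability score a legitimate character may show here
// (hypothetical: 18 at creation + level-up increases + class bonuses such as RDD).
const int MAX_BASE_ABILITY = 34;

// Returns a non-empty reason string if oPC looks illegal, "" otherwise.
string IllegalCharacterReason(object oPC)
{
    // 1. Race outside the seven stock playable races (dwarf .. human).
    int nRace = GetRacialType(oPC);
    if (nRace < RACIAL_TYPE_DWARF || nRace > RACIAL_TYPE_HUMAN)
        return "non-player race " + IntToString(nRace);

    // 2. Evil paladin: ELC would reject this, so a scripted check must too.
    if (GetLevelByClass(CLASS_TYPE_PALADIN, oPC) > 0
        && GetAlignmentGoodEvil(oPC) == ALIGNMENT_EVIL)
        return "evil paladin";

    // 3. Base ability scores (TRUE = ignore item and spell bonuses) above the ceiling.
    int nAbility;
    for (nAbility = ABILITY_STRENGTH; nAbility <= ABILITY_CHARISMA; nAbility++)
    {
        int nScore = GetAbilityScore(oPC, nAbility, TRUE);
        if (nScore > MAX_BASE_ABILITY)
            return "base ability " + IntToString(nAbility) + " = " + IntToString(nScore);
    }
    return "";
}

void main()
{
    object oPC = GetEnteringObject();

    // DMs are not subject to the check; neither are non-player creatures.
    if (!GetIsPC(oPC) || GetIsDM(oPC))
        return;

    string sReason = IllegalCharacterReason(oPC);
    if (sReason == "")
        return;

    // Record who was rejected and why, then remove the client.
    WriteTimestampedLogEntry("Illegal character " + GetName(oPC) + " ("
        + GetPCPlayerName(oPC) + "): " + sReason);
    // Short delay so the client has finished loading before the boot.
    DelayCommand(1.0, BootPC(oPC));
}
```

This covers only what a script can detect reliably; custom items, appearance and the undetectable cases from Shadooow's list still need ELC and the item-side checks discussed earlier in the thread.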