Skip to content

Common PW Exploits

DM_DjinnDM_Djinn Member Posts: 112
edited August 2022 in General Discussions NWN:EE
{comment deleted by user}
Post edited by DM_Djinn on
RaetzainSelpheadunahan
«13

Comments

  • DM_DjinnDM_Djinn Member Posts: 112
    Re: Doubleboxing, the MAC address might be suitable to allow the module/server to determine that the two player accounts are on the same physical machine, and so if the MAC addresses are different, they could be allowed.
  • ValgavValgav Member Posts: 25
    I was always against any restriction for Stacking Traps and Transition Abuse. First can be overcome by investing in detect skill and limiting access to powerful traps and for me it's more like you spend time to get 5 rare traps because mechanics doesn't allow you to build one powerful.

    Second is also part of planning, knowing that you have computer is like not being a runner, just talk yourself out of situation or if you pursuing someone just make sure to be prepared (traps, hold, flesh to stone spells/scrolls)
    DM_Djinnpscythe
  • MalcorathMalcorath Member Posts: 12
    there other ways of catching multiboxers too. input automation is quite obvious but alt tabbing between characters takes a little more work to catch, i would start out any multi boxing measures by having clear community rules and explaining the reasoning behind them and then trust your core players to help root it out.
    DM_DjinnRaetzain
  • ShadowMShadowM Member Posts: 573
    All of though can be fixed
    Stacking Traps - Replace trap system with cast spell place traps on trap items, that run through a script instead of standard system. This will allow you to check for near by traps before placement and cancel if they are too close, also allow you to control the place trap DC / failure etc... (Did this in my HR base) trap routing system.

    Transition Abuse - This is the same thing in all PVP the guy with the faster computer got the shot off faster and anyone will adjust as need. This can be mitigated with transition scripting. I see this as minor and player understand it.

    Continual Flame and Merchants - Adjust 2da so light property give no boost to value.

    Hostile/Non-Hostile Greater Sanctuary bug - Script on door, placables, actions like casting spells even non-hostile, canceling this / short time duration have already been explained.

    Double Boxing - On client scripts to log and handle this have already been shown and PW people deciding how many players can be on an account has already been established.
    DM_Djinn
  • SherincallSherincall Member Posts: 387
    meaglyn said:

    I have to disagree with this. Keeping exploits secret from PW developers does not help anyone (except maybe the blackhats who already know about the exploits). Many of the exploits have scripting or other mitigations that PWs could use to protect themselves...but only if they know what needs to be protected against. Otherwise each PW has to go through the same pain and discovery process, get shafted for a while, figure out a way to stop it, while losing players etc.

    Certainly telling the devs is a good idea, but others need that information too. Just look at the clusterfsck around the meltdown/spectre embargoes.

    Arguable for exploits that are fixable. Of the ones Djinn mentioned, only the sanctuary would actually be considered an exploit, but that is also easily fixable.

    I'm concerned about actual exploits that are very hard or impossible to patch, or even detect. DJinn reported one of (mostly) that kind in another thread, and it was rightly censored by the devs. There's others, and I really wouldn't want people posting them.

    Funny you should mention spectre - I actually think that was handled relatively well by the industry. There's plenty of room for improvement, but compared to just revealing a vulnerability, this was pretty well done.
    zunath
  • meaglynmeaglyn Member Posts: 146
    Spectre was not handled well. Ask the freebsd people, or any of the other effected vendors who did not find out until it leaked a week before the official end of the embargo. Plus there was a lot of misinformation, partly due to the secrecy and people having to guess. We're still dealing with it and will be for a long time to come. True, some of that is just the nature of the bug but part of the mess was how badly it was handled.

    As to the other parts, I'd consider all of those to exploits. And all those listed can be addressed by PW admins/devs. If there are exploits that can only be fixed with code then BD should fix them. If there is nothing the PW can do then maybe they could be hidden but even then it might be nice to know what to watch for... If one person found it someone else will too.
    DM_DjinnRaetzainGM_ODA
  • LibertyisbackLibertyisback Member Posts: 49
    sometimes i think exploits exist across all mmos/rpgers. the worst exploits are the ones that only tweak you abilities slightly. you get an advantage, but its not so obvious. such exploits are undetectable.
    DM_Djinn
  • SherincallSherincall Member Posts: 387

    the worst exploits are the ones that only tweak you abilities slightly. you get an advantage, but its not so obvious. such exploits are undetectable.

    I disagree. The worst exploits are those that let you take over the server, wipe everyone's characters and use all players as a botnet to mine bitcoin / DDOS websites. Yes, these exist. All known ones are fixed (or will be?) in EE, but there are certainly more we've never seen before. And 1.69 servers are still vulnerable.

    Ask the freebsd people


    They did pretty explicitly say that they will not participate in industry's disclosure practices and would immediately announce any vulnerability they are notified about. That's a sure-fire way to get excluded from the in-the-know group.

    Going back to the previous exploits, I would never share something like described above with anyone who believes all exploits should be public.

    TheUncertainManzunathIndyWendieGo
  • meaglynmeaglyn Member Posts: 146
    Freebsd was just one example. But anyway, exploits should be fixed. Keeping them secret so that only the in-the-know crowd can protect themselves is fine as long as people who care have a way to be in that elite, special, shiny group. But that has not been the case in NWN. If there are server-side fixes for known exploits, then keeping them secret is a disservice to PW admins.

    If not public then what... How do I get the information I need to protect my servers from known exploits? Is there an invite only mailing list or forum? There's at least one listed earlier in this post that I had not come across before that I need to look into. I'm not arguing here strictly from a philosophical difference of opinion about the value of keeping vulnerabilities secret. It's a practical concern too :)
    DM_DjinnRifleLeroyNeverwinterWightsGM_ODA
  • SherincallSherincall Member Posts: 387
    There used to be NWNX plugins that plugged these vulnerabilities. Sometimes distributed without the sources even. I know niv wrote one that fixes an RCE exploit; best check with him what's the status there.

    I haven't actually run a server in a long time, so I didn't pay too much attention to it, sorry.
  • Sylvus_MoonbowSylvus_Moonbow Member Posts: 1,085
    I like the WSAD one that when used into a transition you can jump right across the next area and get loaded in the area after that one. Saves time moving or avoiding large groups of monsters.
  • FreshLemonBunFreshLemonBun Member Posts: 909
    Most of these aren't exploits. Things like item duping, using epic spells repeatedly in rapid succession, and crashing clients are all exploits, something like continual flame on weapons is just unwanted behavior.
    dTdChreelister
  • DM_DjinnDM_Djinn Member Posts: 112
    ShadowM said:

    All of though can be fixed
    Stacking Traps - Replace trap system with cast spell place traps on trap items, that run through a script instead of standard system. This will allow you to check for near by traps before placement and cancel if they are too close, also allow you to control the place trap DC / failure etc... (Did this in my HR base) trap routing system.

    Transition Abuse - This is the same thing in all PVP the guy with the faster computer got the shot off faster and anyone will adjust as need. This can be mitigated with transition scripting. I see this as minor and player understand it.

    Continual Flame and Merchants - Adjust 2da so light property give no boost to value.

    Hostile/Non-Hostile Greater Sanctuary bug - Script on door, placables, actions like casting spells even non-hostile, canceling this / short time duration have already been explained.

    Double Boxing - On client scripts to log and handle this have already been shown and PW people deciding how many players can be on an account has already been established.

    Hi @ShadowM , this is very helpful information. Can you provide further insight on how a replacement of the trap system might operate? The other stuff here is pretty manageable for my small team but overhauling traps and drawing trap triggers via script is not something I currently know how to do. Is there something you can point me to?
  • FreshLemonBunFreshLemonBun Member Posts: 909
    There are several ways you could create an alternative trap system. If you largely want to preserve the current system then you should look at traps.2da and change the blueprint references in the ResRef column to a different item. This item is now used to call a script and set the trap (CreateTrapOnObject and CreateTrapAtLocation) after you do your checks and animations.
  • ShadowMShadowM Member Posts: 573
    edited May 2018
    @DM_Djinn
    FreshLemonBun has pretty much covered the surface, but if you look at the traps.2da you notice that it setup pretty much like the spells.2da because each trap has it own script. You can change all these to point to one script (trap routing script) this will allow you override the standard traps action when triggered with anything you can script or even just allow the trap to function as it intended. For placing traps, just make a new spell called Use: Set Trap and them make be use-able on items and add them to your new trap kits or override the old trap kits blueprints. This will allow you to gather data on the person setting the trap, where they setting it (if their another trap close by) if the pc has X feat give the trap bonus damage etc... Look at my HR Base module in scripts for setting the traps hr_inc_spellab, hr_spell_routab (custom function SET_TRAP) and my traps.2da to get a better idea and come back for any more questions. For when the trap goes off look at scripts hr_traps_router and hr_inc_traps for custom functions. I have few trap kit examples in custom / miscellaneous / kits. Hope that helps

    HR BASE LINK
  • badstrrefbadstrref Member Posts: 124


    Double Boxing - Maybe this is one for a server or module switch to disallow? Simply put, unless a PW has created scripts to detect players who play two accounts from the same IP address, double boxing is an easy exploit to get away with. There is a use-case where multiple players in the same household would create this situation, but "double boxing" is generally prohibited by nearly every roleplay community.

    this is impossible to "fix" without risk of false positive situations
    Shia_Luck
  • NeverwinterWightsNeverwinterWights Member Posts: 339

    I'm sorry, but publicly writing about unfixed exploits is not the best idea. Can we please close this thread before someone posts an actually useful and uncommon one?

    If you know about exploits that should be fixed in the game, please message the devs privately.

    Is there some place or resource or person that 'would be' server admins are supposed to go to to fix all these problems that many in the community have figured out how to fix? I've been wanting some kind of list forever so I can fix/know about all these problems. Or at least have a full list of fixable bugs/exploints with their solutions(keep the unfixable ones out). And I hate to think negatively but I've always felt like part of the community may have been holding back info so that competing PWs fail. I hope thats not the case but I can't help thinking it.
    GM_ODA
  • DM_DjinnDM_Djinn Member Posts: 112
    edited August 2022
    {comment deleted by user}
    Post edited by DM_Djinn on
    NeverwinterWights
  • DM_DjinnDM_Djinn Member Posts: 112
    edited August 2022
    {comment deleted by user}
    Post edited by DM_Djinn on
    RifleLeroy
  • DM_DjinnDM_Djinn Member Posts: 112
    edited August 2022
    {comment deleted by user}
    Post edited by DM_Djinn on
    RifleLeroy
  • FreshLemonBunFreshLemonBun Member Posts: 909
    If you want help from specific people for specific issues it's probably better if you politely asked them about it.
    tfox
  • NeverwinterWightsNeverwinterWights Member Posts: 339
    I believe it was about 2005 when i joined the old bioware forums and started to learn nwnscript from the likes of AxeMurderer, FunkySwerve, Rolo, Krit, to name a few. Even then I remember this same topic coming up several times and again people would shut it down. I mean I get why but at the same time I don't, because the only way to fix it IS to talk about it and to post solutions including scripts and "How Tos" for every PW builder to be aware of. I've figured out some in that time but probably still not aware of all of them.
    DM_Djinn said:

    Feel free to inbox me for any technical questions you have and I'll ask my project manager to spare some time for you.

    I appreciate that. Thank you.
    GM_ODA
  • FreshLemonBunFreshLemonBun Member Posts: 909
    Most likely because those with less technical expertise are most at risk and publicly posting what could effectively be a tutorial on how to hack your server for anyone curious isn't in your best interest.

    Besides that most of the concerns aren't actually exploits and you would probably have better luck asking a question on the scripting forum, or posting a bug report if it's a bug.
  • NeverwinterWightsNeverwinterWights Member Posts: 339
    edited May 2018

    ...and you would probably have better luck asking a question on the scripting forum...

    I've actually tried this over the years (including recently on the topic of how best to go about persistent storage) and have run into the same problem. Here's an anecdotal example.

    ~item duping is a problem
    ~how is it a problem, what exactly are they doing to make it happen
    ~can't post it cause then people will know how to do it
    ~ok well how do I prevent it
    ~cricket...cricket...cricket

    This same back and forth has been going on since the dawn of Neverwinter forum time. If you don't at least know what the fixable exploits are, you can't fix them. And if you can't ask what they are then you won't know what to ask that needs to be fixed or what to even ask for on the scripting forum. So again where is a person supposed to start?
    Post edited by NeverwinterWights on
    GM_ODA
  • voidofopinionvoidofopinion Member, Moderator Posts: 1,248
    I think it's important to remind people that any support offered by the modding community is done so out of the goodness of that persons heart.

    No one is entitled to anyone elses time or expertise.

    If you know of an exploit that needs fixing then please report it to beamdog.

    Otherwise

    If you want help from specific people for specific issues it's probably better if you politely asked them about it.

    clansunstartfox
Sign In or Register to comment.