[crossfire] SVN revisions in version
Mark Wedel
mwedel at sonic.net
Sun Oct 15 23:42:15 CDT 2006
Christian Hujer wrote:
> On Friday 13 October 2006 19:15 Brendan Lally wrote:
>> Likewise, although the clients need only open a connection to the
>> metaserver to receive the server list, having the official clients
>> send their revision numbers by default would give some indication as
>> to which versions of the clients are in use. (assuming the metaserver
>> were suitably modified to read that information from the socket).
> Oh that would make it easy for a bogus server to abuse or exploit known client
> bugs to hack client machines.
Well, right now, the client does support some basic information to the server
when it connects (type of client, its last official version (1.9.0, 1.9.1, etc.)).
Since generally speaking, there isn't any real way to fix old clients (if
someone is still using 1.8.0 client, making a patch for known bugs to that
client isn't likely to help, as most likely, person isn't going to get it
updated), there could already be a pretty large list of exploits. Things like
'if client is older than 1.9.1, these bugs exist which I could exploit'.
Whether the server knows the SVN number or not probably won't make a big
difference. However, I do agree, there really isn't much reason for the server
to know the SVN number.
What would be more interesting, from a data collection standpoint, is knowing
the number of people that are actually compiling out of SVN vs using officially
downloaded clients. I'm not sure what I would do with that knowledge, other
than to say 'hmm, interesting, x% of players get their client from SVN'.
Related to that could be precompiled vs non precompiled clients somehow
reporting that. However, that really is more dangerous.
If a server admin was going to try to hijack a client, using a precompiled
client is the way to do it. Any 'compile it yourself' client has so many
variables (compiler options, version of the compiler, type of system it is
compiled on) to make most all exploit bugs (typically buffer overflows)
virtually impossible.
However, if the developer can download the same client that players are using
(precompiled), they can play around with the exploit, write the code that
properly hijacks it, etc with a high level of success (different versions of
some of the libraries may make a difference).
So if anything, not having clients report their version doesn't make it harder
for server admins, they just can't know who to target. And if the 'fixed'
clients have some form of reporting (server abc sending bogus data that looks to
be trying to exploit bug abc), and the server can't know which of those clients
might report, that may make it so that the server admin won't try it.
I would say that any server that is trying to do such things should be
blacklisted from the metaserver (and potentially reported to the service provider).