[PSA] Regarding all RSPS users


puppyslush

It appears that some oldschool RSPS clients have a long-standing bug that could be exploited to take over your PC. I could now conclude this isn't a deliberate action, but the bug could still be abused. Considering that the community desperately wants updates for the game and Jagex barely does any updates for the PvP community, thus making RSPSes the only place to go where you can practice, I strongly urge you to run all RSPS clients in https://www.sandboxie.com/

I was informed that some members who played BS had their OSRS accounts hacked, so I took the opportunity to look at the game files. A couple of abnormalities raised a number of red flags, including a line that executes external programs (like .exes) that are not directly related to the classloading process of the BS client.

Furthermore, backstepping through the code, it appears that this method4741 is only fired upon command from the BS server, so I can't see what is being run. I can only hazard a guess that the server could remotely install and run malware on your computer.

This means that virus scanning the battlelite client or the gamepack.jar will not yield any results, as any malware is contained somewhere else and is only downloaded to your computer on command.

The last sketchy signature of this method is that the line to execute an external program only appears to run on Windows.

I am not an expert at reverse engineering, and my assessment could also be a pile of junk... so any other members with more experience in this field, please kindly take a look:

gamepack.jar

Remember, do not run untrusted software, and if you totally have to, use a virtual machine or sandbox the program.


45 minutes ago, ultama said:

@puppyslush the same method is being run in the original RuneLite client (albeit with different variable names, same functionality). You didn't include the entire segment of code either:

Do you have a link to the RuneLite source? Also, posting the entire method is irrelevant, as the line that raises the red flag is this one:

[screenshot of the flagged line]

I can't see any plausible reason why the loader from bscape has this line in there, because it is essentially used for executing external programs.

----

Edit: Actually, I managed to think of a reason where the client needs to open up a web browser, for example, but I would say other methods of executing a page request are far safer, like using the Desktop class to launch pages, and possibly even hardcoding the URL, as it is possible for MiTM attacks to launch pages that download external programs.

Perhaps it is an oversight on Palin's part, as bscape is one of the most famous RSPSes out there, but like I said, we need more people to look at this, especially with RS accounts at risk here.


56 minutes ago, ultama said:

@puppyslush the same method is being run in the original RuneLite client (albeit with different variable names, same functionality). You didn't include the entire segment of code either:

I just took a look at RuneLite and they indeed have a similar function, but they chose to use the Desktop class instead:

https://github.com/runelite/runelite/blob/8247163fee7165825c46281d671063fc3761046a/runelite-client/src/main/java/net/runelite/client/plugins/info/JRichTextPane.java#L61


Just now, puppyslush said:

I just took a look at RuneLite and they indeed have a similar function, but they chose to use the Desktop class instead:

https://github.com/runelite/runelite/blob/8247163fee7165825c46281d671063fc3761046a/runelite-client/src/main/java/net/runelite/client/plugins/info/JRichTextPane.java#L61

https://github.com/runelite/runelite/commit/2dd80f9b597d6f8800af59bddfd0d33ddb895e14 was where I got the code from. Old version and whatever, but it needs to be compared to the original source to ensure there's nothing dodgy.

Is it dodgy? Yes, especially considering there's no validation or anything to check URLs, but the risk of BS being a RAT is equal to what it is for RuneLite.

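Two points in this thread, puppyslush's remark that the Desktop class with a hardcoded URL is the safer way to open a page, and ultama's remark that neither client validates the URL before acting on it, can be shown together. The following is an added example, not code from BattleScape, RuneLite or any loader in this thread: a link-opening helper that accepts only https URLs whose host is on a fixed allow-list and hands them to Desktop.browse(), so a server-supplied or MiTM-tampered string never reaches Runtime.exec() or a shell. The class name, the allow-listed domains and the sample inputs are assumptions constructed for the example.

```java
import java.awt.Desktop;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not code from any RSPS client): open a link only after
 * validating it, and only through Desktop.browse(), never via a command string.
 */
public final class SafeLinkOpener {

    // Assumed allow-list; a real client would hardcode its own domains here.
    private static final Set<String> ALLOWED_HOSTS = Set.of(
            "example-rsps.com", "www.example-rsps.com");

    private SafeLinkOpener() {}

    /** Returns the parsed URI if it passes every check, otherwise null. */
    static URI validate(String raw) {
        if (raw == null || raw.length() > 2048) return null;
        final URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return null;                                  // unparseable input
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return null; // no http:, file:, jar: or custom schemes
        if (uri.getUserInfo() != null) return null;       // reject "trusted@attacker" style authority tricks
        String host = uri.getHost();
        if (host == null) return null;
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return null;
        return uri;
    }

    /** Opens the link in the user's default browser. Returns false if refused or unsupported. */
    static boolean open(String raw) {
        URI uri = validate(raw);
        if (uri == null) {
            System.err.println("Refused to open link: " + raw);
            return false;
        }
        if (!Desktop.isDesktopSupported()
                || !Desktop.getDesktop().isSupported(Desktop.Action.BROWSE)) {
            System.err.println("No browser integration on this platform; not opened: " + uri);
            return false;
        }
        try {
            Desktop.getDesktop().browse(uri);             // the OS picks the browser; no process is spawned by string
            return true;
        } catch (IOException e) {
            System.err.println("Browser launch failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the first is accepted, the rest are rejected before any OS call is made.
        String[] samples = {
            "https://www.example-rsps.com/highscores",
            "http://www.example-rsps.com/highscores",           // plaintext, so a MiTM could swap the page
            "https://not-the-server.example.net/update.exe",    // host not on the allow-list
            "file:///C:/some/local/program.exe",                // non-https scheme
            "https://www.example-rsps.com@not-the-server.example.net/" // userinfo trick
        };
        for (String s : samples) {
            System.out.println((validate(s) != null ? "ALLOW  " : "REJECT ") + s);
        }
    }
}
```

The check runs before any platform API is touched, which is the property the thread is after: if the server (or someone sitting between the client and the server) can only influence the string, an allow-listed https host and the Desktop.browse() call bound what that string can do.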