[PSA] Regarding all RSPS users


puppyslush

10 minutes ago, ultama said:

https://github.com/runelite/runelite/commit/2dd80f9b597d6f8800af59bddfd0d33ddb895e14 was where I got the code from. Old version and whatever, but need to compare it to the original source to ensure there's nothing dodgy.

Is it dodgy? Yes, especially considering there's no validation or anything to check URLs, but the risk of BS being a RAT is equal to what it is for RuneLite.

That GitHub snippet doesn't appear in the latest RuneLite versions. It is possible this is an exploit in some RSPS client loaders, and it only takes an admin to exploit it.

I would say this is something BS would need to fix then, because this is still an open exploit.

Also, the URL check in BS is indeed sanitized but can be bypassed, because some escape characters in cmd are listed in the var10 check.


1 minute ago, puppyslush said:

That GitHub snippet doesn't appear in the latest RuneLite versions. It is possible this is an exploit in some RSPS client loaders, and it only takes an admin to exploit it.

I would say this is something BS would need to fix then, because this is still an open exploit.

Also, the URL check in BS is indeed sanitized but can be bypassed, because some escape characters in cmd are listed in the var10 check.

I guess at the time of the snippet the RuneLite client was still open source, whereas now it's moderated more heavily; they had to make it more secure.


6 minutes ago, ultama said:

I guess at the time of the snippet the RuneLite client was still open source, whereas now it's moderated more heavily; they had to make it more secure.

Possibly. Either way, I'll edit the main topic asking users to run it in Sandboxie. Speaking to some of the old school RSPS owners, they don't believe it is a deliberate action from Pali.

Thanks again for the clarifications.


First off, this code has nothing to do with RuneLite. It was and still is contained inside the official OSRS client, you can decompile the current version of OSRS to see for yourself.

Secondly, if you look closely at the code, it only allows launching a URL. For whatever reason, Jagex chose to launch URLs this way. The code clearly states the command to be executed has to start with http or https. Not only that, but the entire command after that is made sure to only contain the characters "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789?&=,.%+-_#:/*" to make sure it's a legitimate URL. No spaces are allowed to execute a second command after the URL. The command itself attempts to trigger your default browser to open the passed URL, it doesn't download something from a URL in the background.

If you dig a little deeper, you'll also see that the command method is only even executed if another method using Desktop.getDesktop().browse fails.

Next time, I would suggest contacting someone that could have explained what the code does after looking at it for 2 seconds instead of accusing me. Alternatively, being that I've been doing this for over 10 years and have never hacked clans in the past (they've been around BS for almost as long), you could have just asked me to explain what that is.


Lmao, and to think I was catching backlash in the last topic for telling people to stop playing a shitty knockoff of the real deal when most of them clan on OSRS anyway. It's one thing to play p servers for fun, but don't feed me some bs that it's "better than the main game"; exhibit A here is one of the many reasons.

I hope this is the last time p servers are revived and they finally die, and some competent people leading clans there can move to the main game, and we can get some growth and more clans in this small community.


9 hours ago, PalidinoDH said:

First off, this code has nothing to do with RuneLite. It was and still is contained inside the official OSRS client, you can decompile the current version of OSRS to see for yourself.

Secondly, if you look closely at the code, it only allows launching a URL. For whatever reason, Jagex chose to launch URLs this way. The code clearly states the command to be executed has to start with http or https. Not only that, but the entire command after that is made sure to only contain the characters "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789?&=,.%+-_#:/*" to make sure it's a legitimate URL. No spaces are allowed to execute a second command after the URL. The command itself attempts to trigger your default browser to open the passed URL, it doesn't download something from a URL in the background.

If you dig a little deeper, you'll also see that the command method is only even executed if another method using Desktop.getDesktop().browse fails.

Next time, I would suggest contacting someone that could have explained what the code does after looking at it for 2 seconds instead of accusing me. Alternatively, being that I've been doing this for over 10 years and have never hacked clans in the past (they've been around BS for almost as long), you could have just asked me to explain what that is.

Thanks for clearing this up. Unfortunately, I took a look at this code as an external developer and was unaware that this particular method was archaic legacy code.

With that said, it still doesn't invalidate my concerns where :/, and % are still special characters for the Windows shell. Off the back of my hand and in the right environment, using Windows %variable% in conjunction with the colon shell system can escape the encapsulated quotes you have around the shell execution.

Such a specially crafted query can still be used to bypass the initial Desktop check, because it will just throw a noop exception, which will then just proceed over to the next line where this cmd execution call takes place.


3 hours ago, Nos said:

Lmao, and to think I was catching backlash in the last topic for telling people to stop playing a shitty knockoff of the real deal when most of them clan on OSRS anyway. It's one thing to play p servers for fun, but don't feed me some bs that it's "better than the main game"; exhibit A here is one of the many reasons.

I hope this is the last time p servers are revived and they finally die, and some competent people leading clans there can move to the main game, and we can get some growth and more clans in this small community.

That is probably a pipe dream if I am honest, considering that one-man RSPS servers are able to introduce PvP/clanning updates that somehow take muh 3 year engine work from Jagex... so until Jagex gets their game up, we will have P servers around.


23 hours ago, puppyslush said:

Thanks for clearing this up. Unfortunately, I took a look at this code as an external developer and was unaware that this particular method was archaic legacy code.

With that said, it still doesn't invalidate my concerns where :/, and % are still special characters for the Windows shell. Off the back of my hand and in the right environment, using Windows %variable% in conjunction with the colon shell system can escape the encapsulated quotes you have around the shell execution.

Such a specially crafted query can still be used to bypass the initial Desktop check, because it will just throw a noop exception, which will then just proceed over to the next line where this cmd execution call takes place.

Even so, you singled me and BattleScape out for not stripping code out of the OSRS deob. This code exists in every RSPS that uses the OSRS deob, which is at least a handful of servers. There is even a chance other revisions past 317 have this code as well since the OSRS deob is just an older version of 525/530/600+/700+/etc. It would have been one thing to post a thread to be cautious of RSPS in general, but that's not what this is.

If you don't mind, can you elaborate on this? To execute multiple commands on one line, you would need & and spaces or semi-colons so that Windows recognizes a second command. Both spaces and semi-colons are blocked. I don't really see a way this is exploitable to even warrant this thread even after my previous reply.


3 hours ago, PalidinoDH said:

Even so, you singled me and BattleScape out for not stripping code out of the OSRS deob. This code exists in every RSPS that uses the OSRS deob, which is at least a handful of servers. There is even a chance other revisions past 317 have this code as well since the OSRS deob is just an older version of 525/530/600+/700+/etc. It would have been one thing to post a thread to be cautious of RSPS in general, but that's not what this is.

If you don't mind, can you elaborate on this? To execute multiple commands on one line, you would need & and spaces or semi-colons so that Windows recognizes a second command. Both spaces and semi-colons are blocked. I don't really see a way this is exploitable to even warrant this thread even after my previous reply.

Sorry if I intended it that way. I revised my topic originally once @ultama told me this code is actually spread quite broadly, and I will make an addendum to the OP and edit the topic title if you will.

Regarding the code in question, there are a couple of methods, actually. For example, if the user has the appropriate session variable in place, the shell will expand your command like so:

SET DIRECTORY_SPACE="\ "

cmd start "J" "http://google.com%DIRECTORY_SPACE%&&C:/user/downloads/runrogue.exe"

This opens up Google Chrome and runs the second command afterwards.

Another method, which does imply a sort of misparsing by the Windows shell:

cmd start "J" "http://file://user/downloads/runrogue.exe"

^^ If you actually try that out in the system shell, it doesn't automatically open up Chrome or Google, but displays a prompt saying the file is not found. I believe this is due to how (poorly) Windows shell handlers were originally designed, and I am pretty sure a Windows shell expert would be able to figure out a way to get it to work, but as it stands at the moment, it is quite dangerous to run the command line the way it is.

If you must write commands, I would recommend you throw a try/catch on URI parsing first, and I wouldn't recommend even trying to allow the user or the live server to dictate the full URL, as you may not have ill intentions with your code.. but run-time admins on the other hand...

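The URL handling argued over in the posts above (PalidinoDH's description of the http/https prefix plus character allowlist, and puppyslush's suggestion to parse the URI first) modelled as a runnable example. This is added here for illustration; it is not code from the thread, from BattleScape, RuneLite or the OSRS client, and it is Python rather than the client's Java. The first two sample strings are the ones quoted in the thread; the other samples, the cmd metacharacter set and the hostname pattern are constructed assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# The character allowlist quoted in PalidinoDH's post, verbatim.
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
              "0123456789?&=,.%+-_#:/*")

# cmd.exe characters (plus whitespace) that change how a command line is
# parsed or expanded. Assumed set for this example; note that % and & are
# in ALLOWED, so the allowlist alone does not keep them away from a shell.
SHELL_SENSITIVE = set('%&|^<>"') | set(" \t\r\n")

# Assumed hostname shape: labels of letters, digits, dots and hyphens.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")
# A '%' not followed by two hex digits is not percent-encoding.
BAD_PERCENT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")

# Constructed sample inputs; the first two are the strings from the thread.
SAMPLES = {
    "expanded_var": "http://google.com%DIRECTORY_SPACE%&&C:/user/downloads/runrogue.exe",
    "nested_scheme": "http://file://user/downloads/runrogue.exe",
    "plain": "https://example.com/page?a=1&b=2",
    "encoded": "https://example.com/a%20b",
    "bad_encoding": "https://example.com/a%zzb",
}


def passes_allowlist(command: str) -> bool:
    """The client-side check as described in the thread: an http/https prefix
    and every character drawn from ALLOWED. Spaces and semicolons never pass."""
    if not command.startswith(("http://", "https://")):
        return False
    return all(ch in ALLOWED for ch in command)


def shell_sensitive_chars(command: str) -> set:
    """Which cmd-sensitive characters are present in the string (the ones the
    allowlist lets through are % and &)."""
    return set(command) & SHELL_SENSITIVE


def is_strict_http_url(command: str) -> bool:
    """Hardened check: parse the string as a URL instead of scanning bytes.
    Requires an http/https scheme, a syntactically valid hostname, and every
    '%' to be real percent-encoding, so a '%NAME%' token cannot be part of
    the host and is rejected wherever it appears."""
    try:
        parts = urlsplit(command)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if not host or not HOST_RE.match(host):
        return False
    if BAD_PERCENT_RE.search(command):
        return False
    return True


def launch_decision(command: str) -> str:
    """What a launcher should do with the string: open only a strictly parsed
    URL, and open it through a browser API (Desktop.browse in Java) rather
    than by building a cmd line, so shell expansion never applies."""
    return "open" if is_strict_http_url(command) else "reject"


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:14} allowlist={passes_allowlist(value)!s:5} "
              f"strict={is_strict_http_url(value)!s:5} "
              f"shell_chars={sorted(shell_sensitive_chars(value))} "
              f"-> {launch_decision(value)}")
```

Running it shows the gap the two posters are talking past each other on: the `%DIRECTORY_SPACE%&&` string passes the character allowlist (every byte in it is permitted) but fails URL parsing, because neither a `%` nor `&&` can sit inside a hostname and `%DI` is not a percent-encoded byte. The `http://file://...` string is, to a parser, an ordinary http URL whose host is literally named `file`, which a browser handles harmlessly; it only looks odd to cmd. And a perfectly legitimate query string carries `&`, so the real fix is not a tighter allowlist but never passing the string through a shell at all.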


On 3/6/2019 at 11:22 PM, puppyslush said:

That is probably a pipe dream if I am honest, considering that one-man RSPS servers are able to introduce PvP/clanning updates that somehow take muh 3 year engine work from Jagex... so until Jagex gets their game up, we will have P servers around.

How unfortunate. But thanks for the PSA.
