RakNetDOS (!) #102
Comments
Hello, have any solution? |
Thanks for the report and analysis @8artek0v0 . We have it on our short term list to resolve it for good in SLikeNet (our fork of RakNet). I just committed the obvious fix for the endless loop case. And will leave a note here once we handled the other reported issue as well (internal case number SLNET-194 / SLNET-204). |
Just to give a quick heads up: We are now working on this issue. We made several changes to the area and are currently testing/reviewing them to ensure this completely resolves this DOS attack vector. If you need an urgent patch for this issue, feel free to get in touch by mail at info@slikesoft.com. |
We are going to release an unplanned hotfix of SLikeNet due to this exploit (SLikeNet 0.1.2) and will also provide a pull request to RakNet (for those who are staying with RakNet). We are currently targeting a release on 2018-05-06. As stated in the previous commit, if you need an urgent fix, feel free to contact us by mail. This exploit has the following CVSS score: Since SLikeNet/RakNet are libraries, there's no CVSS environmental score (since that score heavily depends on how/where the library is utilized). |
@8artek0v0 Thanks for the original report of this exploit. Due to lack of other means to contact you, adding this one as a comment here: As stated above the upcoming SLikeNet release will contain a fix for your reported exploit. If you are fine with that, we'd mention you in the announcement messages which will be posted alongside the release. The statement will read: If you'd rather have a different name stated (f.e. another nick, or your real name) please let me know. You can also reply/discuss this by mail to info@slikesoft.com. |
SLikeNet 0.1.2 which resolves the related cases (SLNET-194, SLNET-202) is available now on https://www.slikenet.com/ and on the GitHub project page: https://github.com/SLikeSoft/SLikeNet/releases/tag/v.0.1.2 . Please note that we are currently in touch with facebook to coordinate the steps to make a fix for the issue available via a pull request. Therefore, we decided not to go ahead with this right now but will rather do so at a later time. If you have a project and rely on a fix, please get in touch with us by mail and we'll make the fix available to you in private ( info@slikesoft.com ). |
Just a couple of small corrections to the initial report from @8artek0v0: As stated: This is just nitpicking to correct some facts. The essence of the report is completely valid. |
RakNet DoS attack.
The problem lays in ACKs and NAKs system in function:
ReliabilityLayer::HandleSocketReceiveFromConnectedPlayer
commit e97c4bb didn't fix it
Specially crafted packet can hang RakNet thread for quite a while or freeze it for good.
ReliabilityLayer.cpp
Line 736:
for (i=0; i<incomingAcks.ranges.Size();i++)
{
...
...
Line 746:
for (datagramNumber=incomingAcks.ranges[i].minIndex; datagramNumber >= incomingAcks.ranges[i].minIndex && datagramNumber <= incomingAcks.ranges[i].maxIndex; datagramNumber++)
}
and
Line 818:
for (i=0; i<incomingNAKs.ranges.Size();i++)
{
...
...
Line 831:
for (messageNumber=incomingNAKs.ranges[i].minIndex; messageNumber >= incomingNAKs.ranges[i].minIndex && messageNumber <= incomingNAKs.ranges[i].maxIndex; messageNumber++)
}
When ranges[i].minIndex = 0 and ranges[i].maxIndex = 0xFFFFFFFE then loop will be executed 4294967294 times. Which is a lot. What is more, a single packet can contain
even 200 "ranges" or more. So loop at line 746 and 818 going to be executed 200 * 4294967294 = 858993458800 times, because ranges.Size() = 200;
This can hang RakNet thread for a while, so no new incoming connections are going to be accepted and all peers already connected will timeout.
Special case:
incomingNAKs.ranges[i].minIndex = 0 and incomingNAKs.ranges[i].maxIndex = 0xFFFFFFFF then loop at line 818 will never end.
In this case RakNet thread will be trapped in an endless loop.
The text was updated successfully, but these errors were encountered: