# Mass Exploit Report Thread
27 messages · Page 1 of 1 (latest)
the actual feasibility of this is dubious. We'll ensure it's impossible in the next patch.
Yeah I saw on main that you'd noted a few of his other assertions were factually incorrect but it's very reassuring to hear from you personally. Thanks mate.
excuse him I dunno why he thinks he can rce/touch fs with an html escape that's not happening unless your parser is REALLY bad (it's not)
"Mirror Multiplayer has a vulnerability involving Client Authority that allows a majority of implementations of protection to be bypassed by sending commands as the server (can be fixed by ensuring that some commands can only be called by the localplayer or server, respectively)"
there is also no vulnerability in mirror, just a lot of authority bypassing on commands that don't need it
the text boxes in unity use rich text, not html. there should be no way to execute code inside that. so worst case they can cause badly formatted text
\t is just a tab, but looks like it is rendering it as a single space
@violet harness Yeah so like most of the stuff vizoplez posted in here is kind of like garbage theory stuff (what remote file changing exploit..?)
I think a big change you can make with not much effort is removing requiresAuthority = false tags on a lot of Mirror Commands - I managed to make a patch and it seemed like there were no issues with it, considering you already correctly pass connections to NetworkServer.Spawn in most cases
This is a much easier change to make with source code tbh
We're prioritizing the authority implementation now that it's clear cheaters are out there in the wild. Vizoplez was helpful in bringing that to our attention.
Yeah the authority implementation isn't even too bad right now
The largest issue is by far the Spawner class
Best way to fix that I'd think is validating what hardpoints are actually on the aircraft/can be fired
And for like spawning aircraft making sure you're not in one already, basic stuff
Like clients already have correct authority for everything they're calling commands on other than like FactionHQ and Spawner; it's just that commands have requiresAuthority = false which ends up not being necessary for most of them
requiresAuthority is used by Mirror's code gen, just removing the flag from the attribute won't do anything. the code gen would have to run again to add the code that checks for authority
In my patch I also manually edited the internal registerCommand calls generated by Mirror to change the requiresAuthority arg, no worries :D
So it does actually work with most of them removed. In actual game source all that would be required is removing the flag from the attribute since code gen handles the rest
Some other easy stuff was like in FactionHQ/Spawner commands, instead of having the client send their Player NetworkBehaviour, you can just use connection.identity.GetComponent<Player>();
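As an added illustration of the two fixes described in this thread (dropping requiresAuthority = false on player-owned Commands, and deriving the Player from the sender's connection plus server-side validation of hardpoints and "already in an aircraft" on Spawner-style commands), here is example code that is not part of the game or of Mirror. Player, Aircraft, Spawner, Fire and the hardpoint set are hypothetical stand-ins; the Mirror pieces used (the Command attribute, the trailing NetworkConnectionToClient parameter, NetworkServer.Spawn) are real:

```csharp
using System.Collections.Generic;
using Mirror;
using UnityEngine;

// Constructed example. Player, Aircraft, Spawner and their members are hypothetical
// stand-ins for the classes discussed in this thread, not the game's real code.
public class Aircraft : NetworkBehaviour
{
    // Which hardpoints this airframe really carries. Only the server copy is consulted,
    // so it is the source of truth instead of whatever a client claims.
    public HashSet<int> hardpoints = new HashSet<int> { 0, 1, 2, 3 };

    [Server]
    public void Fire(int hardpointId)
    {
        // hypothetical server-side weapon logic
    }
}

public class Player : NetworkBehaviour
{
    public Aircraft currentAircraft;   // non-null while this player is already flying

    // BEFORE: requiresAuthority = false lets any client invoke this on any Player
    // object, so one client can fire another player's weapons with any id.
    [Command(requiresAuthority = false)]
    public void CmdFireHardpointUnsafe(int hardpointId)
    {
        currentAircraft.Fire(hardpointId);   // no ownership check, no id check
    }

    // AFTER: the attribute default (requiresAuthority = true) makes Mirror reject the
    // call unless the sender owns this Player object; in source all that changes is the
    // flag, the weaver regenerates the check. The id is still validated on the server.
    [Command]
    public void CmdFireHardpoint(int hardpointId)
    {
        if (currentAircraft == null) return;                            // not flying
        if (!currentAircraft.hardpoints.Contains(hardpointId)) return;  // not on this airframe
        currentAircraft.Fire(hardpointId);
    }
}

public class Spawner : NetworkBehaviour
{
    public GameObject aircraftPrefab;

    // BEFORE: the caller chooses the Player argument, and the server trusts it,
    // so a client can spawn aircraft for (or as) anyone.
    [Command(requiresAuthority = false)]
    public void CmdSpawnAircraftUnsafe(Player owner)
    {
        GameObject go = Instantiate(aircraftPrefab, transform.position, transform.rotation);
        NetworkServer.Spawn(go, owner.connectionToClient);
        owner.currentAircraft = go.GetComponent<Aircraft>();
    }

    // AFTER: Spawner is a scene object no client owns, so requiresAuthority = false has
    // to stay, but Mirror fills the trailing NetworkConnectionToClient with the real
    // sender. The Player comes from that connection, never from the payload, and the
    // server refuses a second aircraft for a player who is already in one.
    [Command(requiresAuthority = false)]
    public void CmdSpawnAircraft(NetworkConnectionToClient sender = null)
    {
        if (sender == null || sender.identity == null) return;
        Player owner = sender.identity.GetComponent<Player>();
        if (owner == null) return;
        if (owner.currentAircraft != null) return;   // already flying: reject

        GameObject go = Instantiate(aircraftPrefab, transform.position, transform.rotation);
        NetworkServer.Spawn(go, sender);             // ownership bound to the actual sender
        owner.currentAircraft = go.GetComponent<Aircraft>();
    }
}
```

The split follows the thread's own distinction: commands on objects the client already owns just lose the flag, while shared objects like Spawner keep it and instead authenticate the caller via the connection and validate every argument against server state.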
I saw that bug sometimes too, not sure what is causing it yet
although I was seeing it when re-spawning in the same hangar, and colliding with something locally on the client that didn't exist on the server 🤔
some stuff needs to be validated server side. I might try to fix it when I go through the Authority stuff
AI should only be running on server, but I'm not 100% sure, haven't looked much at that code yet
Vizoplez is schizophrenic AI runs only on the server
It just uses commands that are called on the server for some reason iirc
Yeah I figured out it only runs on server
Man, this is like the wikileaks version of trying to be helpful and get something patched. You should have PM'd this to the dev, not made a public post... If there's an explosion of griefers, I would say this "Vulnerability Post" is 100% to blame... you literally made things most people would never THINK to try public knowledge. This post is like a griefer's HOW TO and should be removed until it's patched
Dev was fine with it and cheaters already found all this shit anyway