============================================================================
VULNERABILITY #3: ITEM COUNT DUPLICATION
============================================================================
Severity: CRITICAL
Type: Logic Bug / Game Exploit
CVSS Score: 8.2 (High) - Economic damage
Impact: Item Duplication, Economy Destruction, Revenue Loss
Location:
File: game/src/item.cpp
Functions: SetCount(), RemoveFromCharacter()
Lines: 237-288
Description:
────────────
The SetCount() function validates item count using MIN() but does NOT validate
input before processing. Combined with item destruction logic triggered on
count=0, this allows duplication.
Vulnerable Code:
bool CItem::SetCount(DWORD count)
{
    // Only applies MIN, no validation!
    if (GetType() == ITEM_ELK)
        m_dwCount = MIN(count, INT_MAX);
    else
        m_dwCount = MIN(count, g_bItemCountLimit);

    // If count becomes 0, destruction logic triggers
    if (count == 0 && m_pOwner)
    {
        // Item is destroyed
        M2_DESTROY_ITEM(this);
    }

    UpdatePacket();
    Save();
    return true;
}
Attack Scenario - Race Condition:
─────────────────────────────────
Timeline:
1. T0: Player has 1x Rare Item
2. T1: Player sends ItemMove packet: count=1, from inventory to ground
3. T2: Server calls SetCount(1) - valid operation
4. T3: Player rapidly sends ItemMove packet: count=0 (drop item)
5. T4: Server begins destruction (M2_DESTROY_ITEM)
6. T5: Simultaneously, another packet handler calls SetCount(1) on same item
7. T6: Race condition: both destruction and update try to modify m_dwCount
8. T7: Item persists on ground AND in inventory
9. RESULT: Item duplicated!
Technical Details:
──────────────────
Root Causes:
1. No atomic operations on m_dwCount
2. No mutex/lock protection
3. No transaction handling
4. Destruction can be triggered mid-update
Attack Code (conceptual):
────────────────────────
// In game client, send packets rapidly:
for (int i = 0; i < 1000; i++)
{
    // Send: Move item to ground
    ItemMove(item, ground_pos);
    // Send: Set count to 0 (drop)
    SetItemCount(item, 0);
    // Send: Move item again
    ItemMove(item, inventory_pos);
    // Race condition window where item exists in both places
}
Game Economy Impact:
────────────────────
Scenario:
- Rare item drops value 100,000,000 gold
- Item duplicated 100 times via exploit
- 10,000,000,000 gold of items flooded market
- Item value crashes to 1,000,000
- Legitimate players lose 990,000,000 per item (99% loss)
Real-World Examples:
────────────────────
1. World of Warcraft had similar exploit (Diablo cloning)
2. RuneScape had duplication bugs causing rollbacks
3. Final Fantasy XIV had item duplication (forced server maintenance)
4. Metin2 servers have had duplication exploits historically
Detection Methods:
──────────────────
1. Database audit: check for impossible item combinations
2. Player statistics: sudden wealth increase
3. Item usage: rare items appearing on many accounts
4. Price monitoring: sudden price crashes
Proof:
──────
To verify vulnerability exists:
1. Create test account with 1x Rare Item
2. Send ItemMove + SetItemCount(0) rapidly in parallel
3. Observe item appearing in multiple places
4. Item duplicated
Database Evidence:
──────────────────
-- legitimate_max is the report's placeholder for the expected per-player
-- maximum of this item; substitute the real threshold before running.
-- item_vnum is added to GROUP BY so the query is valid SQL, and the alias
-- is renamed from "count" to avoid shadowing the COUNT() function.
SELECT player_id, item_vnum, COUNT(*) AS item_count
FROM player_items
WHERE item_vnum = 'RARE_ITEM'
GROUP BY player_id, item_vnum
HAVING COUNT(*) > legitimate_max;
-- Shows accounts with impossible item duplicates
Attack Tools Available:
────────────────────────
- Packet sniffer/modifier (WinPcap, Wireshark)
- Macro recorder (AutoIt, Python bot)
- Parallel request sender
- Race condition timing tools
Similar Vulnerabilities:
────────────────────────
- Exchange system (simultaneous trade cancel?)
- Drop/pickup (rapid drop+pickup?)
- Item selling (sell+cancel race?)
Could this be true?
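Added example, not taken from the report above nor from the Metin2 source: a minimal stand-in for CItem that closes the two gaps the report lists as root causes (no lock around m_dwCount, destruction triggerable mid-update) and replaces the MIN() clamp with a rejecting check. The class name Item, the constant g_itemCountLimit (standing in for g_bItemCountLimit) and the destroy counter (standing in for M2_DESTROY_ITEM) are assumptions; RaceIsClosed() replays the report's timeline with many handlers racing SetCount(0) against SetCount(1) on one item and checks the invariants a duplication would break.

```cpp
#include <atomic>
#include <cstdint>
#include <mutex>
#include <thread>
#include <vector>

// Assumed per-stack limit; stands in for the report's g_bItemCountLimit.
static const uint32_t g_itemCountLimit = 200;

// Hardened stand-in for CItem (assumed name "Item"). Every change to the
// count and to the destroyed flag happens under one mutex, so the
// "destroy" and "update" paths from the report's timeline can no longer
// interleave on the same object.
class Item {
public:
    explicit Item(uint32_t count) : m_count(count) {}

    // Returns true only when the update was applied.
    // Differences from the vulnerable SetCount():
    //  - an out-of-range count is rejected instead of silently clamped with MIN
    //  - once the count has hit 0 (item destroyed) later updates are refused,
    //    so a racing SetCount(1) cannot resurrect the stack
    //  - the count write and the destroy decision are one critical section
    bool SetCount(uint32_t count) {
        std::lock_guard<std::mutex> lock(m_mutex);
        if (m_destroyed) return false;
        if (count > g_itemCountLimit) return false;
        m_count = count;
        if (count == 0) {
            m_destroyed = true;
            ++m_destroyCalls;   // stands in for M2_DESTROY_ITEM(this)
        }
        return true;
    }

    uint32_t GetCount() const { std::lock_guard<std::mutex> l(m_mutex); return m_count; }
    bool IsDestroyed() const { std::lock_guard<std::mutex> l(m_mutex); return m_destroyed; }
    int DestroyCalls() const { std::lock_guard<std::mutex> l(m_mutex); return m_destroyCalls; }

private:
    mutable std::mutex m_mutex;
    uint32_t m_count;
    bool m_destroyed = false;
    int m_destroyCalls = 0;
};

// Replays the report's scenario: many handlers race SetCount(0) (drop)
// against SetCount(1) (move/update) on one item. Returns true when the
// invariants a duplication would violate all hold afterwards: destroyed
// exactly once, count is 0, and no update was applied after destruction.
bool RaceIsClosed(int rounds) {
    Item item(1);
    std::atomic<int> updatesAfterDestroy{0};
    std::vector<std::thread> workers;
    for (int i = 0; i < rounds; ++i) {
        workers.emplace_back([&item] { item.SetCount(0); });
        workers.emplace_back([&] {
            bool wasDestroyed = item.IsDestroyed();
            if (item.SetCount(1) && wasDestroyed) updatesAfterDestroy.fetch_add(1);
        });
    }
    for (auto& w : workers) w.join();
    return item.DestroyCalls() == 1 && item.GetCount() == 0
        && item.IsDestroyed() && updatesAfterDestroy.load() == 0;
}

// Shows the validation half of the fix: a count above the limit is refused
// and leaves the stack untouched, while a count at the limit is accepted.
bool RejectsOversizedCount() {
    Item item(1);
    bool rejected = !item.SetCount(g_itemCountLimit + 1) && item.GetCount() == 1;
    bool accepted = item.SetCount(g_itemCountLimit) && item.GetCount() == g_itemCountLimit;
    return rejected && accepted;
}

int main() {
    return (RaceIsClosed(50) && RejectsOversizedCount()) ? 0 : 1;
}
```

The sticky destroyed flag is the part that matters for the timeline in the report: once the drop path has run, the later move/update handler gets a refusal instead of a second live copy, and the caller can then tell the client the item no longer exists rather than re-adding it to the inventory.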