13440130

ServUO Version: Publish Unknown
Ultima Expansion: None
Assistive software such as Razor, RazorEnhanced, ClassicAssist, UOSteam, etc.

Specific effects:

  1. Record a macro in the game that double-clicks any container inside the BANKBOX (taking its absolute Serial value). Then, at any time and from any location, playing this macro will open that container and allow manipulation of the items inside it.
  2. Record a macro in the game that double-clicks any item inside the BANKBOX (taking its absolute Serial value). Then, at any time and from any location, playing this macro will allow the use of that item from the BANKBOX. On the Sphere v51a server, this is mainly used to quickly switch magic scrolls for PvP purposes.
  3. Record a macro in the game that moves any item from the backpack to the BANKBOX. Then, at any time and from any location, playing this macro—with only the Serial value of the moved item modified—will place the item intended to be deposited into the BANKBOX.
I have tested these vulnerabilities on both Sphere v51a + 1.26.4 and ServUO/RunUO + 6.0–7.0.103, and they work on all of them.

Does anyone have a way to fix these vulnerabilities?
 
Hmm, can't confirm or test at the moment.

But I think what you can do is either
- have a check if the bankbox is open
- have a range check to a bank
- block the assistants (as far as possible)
 
Blocking assistants can do it, and that's how my own shard does it. I use ClassicUO+ServUO.
But my friend's shard doesn't want to block the assistant, so they need other ways. He uses ClassicUO+Sphere v51a.
 
Then he can use either 1 of the 2 other options.

Not sure how Sphere handles it, but I bet you could also make it so that the bankbox is getting "moved" to a different storage system, and only moved back when they talk to a banker or open the bank box in another way (like a bank bell / hive or something).
 
Looks like a bug with Sphere's way of handling it. You should only check before dropping items into or onto it to ensure the bank is open first. Also, you should ensure that lifting items from the bank requires the bank to be open as well, so they cannot remove items. Range check won't really do anything since a bank is a layer. I know ServUO used to have a bug like this. I am unsure if I only fixed it on my server or if it was fixed in the repo, but you could reference it on git with checking for opened references and close references from the methods in BankBox.cs.

Also, blocking assistants will give leverage and dominance to those who make their own custom version.
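
The open-bank check suggested in the replies, as an added example that is not part of any post and is not ServUO or Sphere code: a small emulator-independent Python model in which every client-supplied serial is authorised by walking its container chain up to the bank box, so items nested inside bank containers are covered too. All class, method and serial names are hypothetical, and "bank open" is assumed to be a per-owner flag the server sets when a banker opens the box and clears when it closes.

```python
# Added illustration, not ServUO or Sphere code; all names are hypothetical.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Item:
    serial: int
    parent: Optional["Item"] = None  # containing item; None means top level
    is_bank: bool = False
    owner: Optional[str] = None      # set on bank boxes only

class Server:
    def __init__(self):
        self.items = {}          # serial -> Item
        self.open_banks = set()  # owners whose bank a banker has opened

    def add(self, serial, parent=None, is_bank=False, owner=None):
        self.items[serial] = Item(serial, self.items.get(parent), is_bank, owner)

    def bank_of(self, item):
        """Return the bank box enclosing item at any depth, or None."""
        while item is not None and not item.is_bank:
            item = item.parent
        return item

    def accessible(self, player, serial):
        """Gate every double-click, lift and drop on a client-sent serial."""
        item = self.items.get(serial)
        if item is None:
            return False
        bank = self.bank_of(item)
        if bank is None:
            return True  # not bank contents; normal range rules would apply
        return bank.owner == player and player in self.open_banks

    def move(self, player, serial, dest):
        """Lift and drop: both the item and the destination must pass."""
        if not (self.accessible(player, serial) and self.accessible(player, dest)):
            return False
        self.items[serial].parent = self.items[dest]
        return True

def build_sample():
    """Constructed world: bank 0x10 holds pouch 0x11 holding scroll 0x12."""
    s = Server()
    s.add(0x10, is_bank=True, owner="alice")
    s.add(0x11, parent=0x10)
    s.add(0x12, parent=0x11)
    s.add(0x20)               # alice's backpack
    s.add(0x21, parent=0x20)  # item carried in the backpack
    return s
```

The same ancestry walk is what makes a replayed macro fail: the serial is still valid, but the server refuses it while the owning bank is closed.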
 
