Description Amanieu d'Antras
2007-11-13 11:53:21 EST
Because the server will reuse a challenge if it already exists, it is possible to exploit this as follows:
1 - Ask for a challenge
2 - Wait for reply
3 - Save the challenge number
4 - Ask for a challenge again
5 - Immediately after, send a connect message with the saved challenge number
This can be done with stock Tremulous by increasing the timescale cvar while in the menu to trigger the resend faster than normal.
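The race in the report, as an added example that is not Tremulous or ioquake3 code: a small C model of the server's challenge table with a switch between the behaviour the report describes (the existing challenge for an address is re-sent unchanged) and the behaviour attachment 1571 describes (a fresh random number on every request). It assumes, as the attachment comments about max ping and the "low pings only" message suggest, that the server measures a client's ping as the time from the last challenge it sent to the connect that quotes it; the slot layout, function names, link timings and PRNG are invented for the model.

```c
/* Added example, not Tremulous/ioquake3 code: a model of the getchallenge /
 * connect handshake from the bug report.  Names and timings are invented. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_CHALLENGES 8

typedef struct {
    uint32_t addr;       /* client address, simplified to an integer */
    uint32_t challenge;  /* number handed to the client; 0 means "unset" */
    int      ping_time;  /* server time (ms) when the challenge was last sent */
    int      in_use;
} challenge_t;

typedef struct {
    challenge_t slots[MAX_CHALLENGES];
    uint32_t    rng;       /* deterministic PRNG state, stand-in for rand() */
    int         max_ping;  /* sv_maxPing in ms; 0 disables the check */
} server_t;

enum { CONNECT_ACCEPTED, CONNECT_BAD_CHALLENGE, CONNECT_LOW_PINGS_ONLY };

static uint32_t next_random(server_t *sv) {
    sv->rng = sv->rng * 1664525u + 1013904223u;   /* simple LCG */
    return sv->rng;
}

/* Find the slot for an address, or take a free one. */
static challenge_t *find_or_alloc(server_t *sv, uint32_t addr) {
    int i;
    for (i = 0; i < MAX_CHALLENGES; i++)
        if (sv->slots[i].in_use && sv->slots[i].addr == addr)
            return &sv->slots[i];
    for (i = 0; i < MAX_CHALLENGES; i++)
        if (!sv->slots[i].in_use) {
            sv->slots[i].in_use = 1;
            sv->slots[i].addr = addr;
            sv->slots[i].challenge = 0;
            return &sv->slots[i];
        }
    return &sv->slots[0];   /* table full; eviction is not modelled */
}

/* "getchallenge" handler.  regenerate == 0: an existing number for the
 * address is re-sent, but the ping timer restarts (the reported behaviour).
 * regenerate == 1: every request gets a fresh number, so a saved one no
 * longer matches (what attachment 1571 describes). */
static uint32_t sv_get_challenge(server_t *sv, uint32_t addr, int now, int regenerate) {
    challenge_t *c = find_or_alloc(sv, addr);
    if (c->challenge == 0 || regenerate)
        c->challenge = next_random(sv) | 1;   /* keep it non-zero */
    c->ping_time = now;
    return c->challenge;
}

/* "connect" handler: the challenge must match, then the measured ping
 * (time since the challenge was sent) must be within sv_maxPing. */
static int sv_direct_connect(server_t *sv, uint32_t addr, uint32_t challenge, int now) {
    int i;
    for (i = 0; i < MAX_CHALLENGES; i++) {
        challenge_t *c = &sv->slots[i];
        if (!c->in_use || c->addr != addr) continue;
        if (c->challenge != challenge) return CONNECT_BAD_CHALLENGE;
        if (sv->max_ping && now - c->ping_time > sv->max_ping)
            return CONNECT_LOW_PINGS_ONLY;
        c->in_use = 0;
        return CONNECT_ACCEPTED;
    }
    return CONNECT_BAD_CHALLENGE;
}

static void server_init(server_t *sv, int max_ping) {
    memset(sv, 0, sizeof *sv);
    sv->rng = 12345;
    sv->max_ping = max_ping;
}

/* The five steps from the report.  rtt is the client's real round trip in
 * ms.  Steps 4 and 5 are sent back to back, so the second getchallenge and
 * the connect arrive 1 ms apart: the measured ping is 1 ms, not rtt. */
static int run_attack(int regenerate, int rtt, int max_ping) {
    server_t sv;
    uint32_t addr = 0x0a000001, saved;
    int t = 1000;
    server_init(&sv, max_ping);
    saved = sv_get_challenge(&sv, addr, t, regenerate);      /* 1-3 */
    t += rtt;                                                /* reply out, next pair in */
    (void)sv_get_challenge(&sv, addr, t, regenerate);        /* 4 */
    return sv_direct_connect(&sv, addr, saved, t + 1);       /* 5 */
}

/* An honest client on the same link: connect quotes the number it just got. */
static int run_honest(int regenerate, int rtt, int max_ping) {
    server_t sv;
    uint32_t addr = 0x0a000002, ch;
    int t = 1000;
    server_init(&sv, max_ping);
    ch = sv_get_challenge(&sv, addr, t, regenerate);
    return sv_direct_connect(&sv, addr, ch, t + rtt);
}

int main(void) {
    static const char *name[] = { "accepted", "bad challenge", "low pings only" };
    printf("honest, 500 ms link, maxping 200: %s\n", name[run_honest(0, 500, 200)]);
    printf("attack, reused challenge:         %s\n", name[run_attack(0, 500, 200)]);
    printf("attack, challenge regenerated:    %s\n", name[run_attack(1, 500, 200)]);
    return 0;
}
```

With a 500 ms link and a 200 ms max ping, the honest client is refused with "low pings only", the attack against the reusing server is accepted with a measured ping of 1 ms, and the regenerating server rejects the saved number with "bad challenge". The model also shows the cost of regenerating on every request: a legitimate client that resends getchallenge before the first reply arrives will quote a number the server no longer holds, which is the kind of case the later attachments (no max ping configured, connects taking longer than 3 seconds) try to handle.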
Created attachment 1607 [details]
Proposed patch based on svn 1043
Disables my patch when there is no max ping; it caused problems on servers without max ping.
Created attachment 1608 [details]
Proposed patch based on svn 1043
An alternative patch with a much cleaner implementation: the client gets the correct error message ("low pings only" instead of "bad challenge") and is allowed to take more than 3 seconds to connect.
Created attachment 1571 [details]
Proposed patch based on svn 1035
This patch simply resets the challenge number to a random value if it already exists.
Created attachment 1609 [details]
Alternative patch based on svn 1043
Sorry about the previous patch, I totally messed it up. This one should work.
Created attachment 1610 [details]
Alternative patch based on svn 1043
Fixes a few bugs.