fix bugs in anti-cheat system

[BranD]

Good morning, sorry for the inconvenience, I own an MTA server and we have spent several days investigating a possible vulnerability in the MTA anti-cheat system, as you can see several servers are being affected by cheating players, I have demonstrable evidence where the player has a life infinite, can shoot missile launchers and even vehicles appear out of thin air, but what is more worrying is that the hacker can even inject lua from the client, which is why we recently got a massive console spam attack that flooded the CPU and the server is late, please contact me privately to provide information and find a solution to this serious problem.
Similar servers like SX have fallen victim to these cheats.

 

Edited July 7, 2023 by BranD

[-ffs-PLASMA]

Quote

We will continue to bring AC improvements and get rid of emerging cheats and cheaters, but at our own pace, without external pressure or too high community expectations, from now on everything is on a best-effort basis and the point is that there may be periods during which we can't make any waves due to manpower constricts.

See https://forum.multitheftauto.com/topic/139550-cheater-reports-ban-appeals-in-2023/

 

Dont rely solely on anti cheat, get some staff/admin people to check players, AC aint bulletproof.

[FlorinSzasz]

1 hour ago, BranD said:

Good morning, sorry for the inconvenience, I own an MTA server and we have spent several days investigating a possible vulnerability in the MTA anti-cheat system, as you can see several servers are being affected by cheating players, I have demonstrable evidence where the player has a life infinite, can shoot missile launchers and even vehicles appear out of thin air, but what is more worrying is that the hacker can even inject lua from the client, which is why we recently got a massive console spam attack that flooded the CPU and the server is late, please contact me privately to provide information and find a solution to this serious problem.
Similar servers like SX have fallen victim to these cheats.

 

maybe there are some bugs in scripts or they are not compiled also is the cache set the false to the scripts. Also there are maybe no checks when u send data from client to server and there will be some exploits. The Mta AC will do what it can but we also should build our server anti-cheat by scripts i mean some simple hard coded checks on servers-side and that`s it. Only you or your server scripter knows in which way they gamemode is made and what checks can be made.

Edited July 7, 2023 by FlorinSzasz

[RekZ]

4 hours ago, FlorinSzasz said:

maybe there are some bugs in scripts or they are not compiled also is the cache set the false to the scripts. Also there are maybe no checks when u send data from client to server and there will be some exploits. The Mta AC will do what it can but we also should build our server anti-cheat by scripts i mean some simple hard coded checks on servers-side and that`s it. Only you or your server scripter knows in which way they gamemode is made and what checks can be made.

I'm sorry, but this problem is not the server owner's or their staff's responsibility. These are issues that cannot be combated in any way. I have literally banned the same person three times because they join the server with fake serials. There are Russians who join and kick everyone on the server just because they can. There are Brazilians who fly across the map, going through all kinds of obstacles. They teleport to players and kill them with aimbot and wallhack. I don't believe all of this is my server's problem because I don't have any aimbot or wallhack systems in place.

It's a headache to combat an entire community of people who dedicate themselves to ruining other people's game just because they are bored at home

[BranD]

1 hour ago, RekZ said:

Lo siento, pero este problema no es responsabilidad del propietario del servidor ni de su personal. Estos son problemas que no se pueden combatir de ninguna manera. Literalmente he baneado a la misma persona tres veces porque se une al servidor con seriales falsos. Hay rusos que se unen y patean a todos en el servidor solo porque pueden. Hay brasileños que vuelan por el mapa, atravesando todo tipo de obstáculos. Se teletransportan a los jugadores y los matan con aimbot y wallhack. No creo que todo esto sea problema de mi servidor porque no tengo ningún sistema de aimbot o wallhack.

Es un dolor de cabeza combatir a toda una comunidad de personas que se dedican a arruinar el juego de los demás solo porque están aburridos en casa

This is a worrying issue because attackers can inject triggers from the client, causing the server to lag until it crashes. I am 100% sure that it is not just any system on my server because it is precisely the same pirates that have been playing. with aimbot, speedhack, being able to fly and among other things. When they are kicked, the lag disappears.

5 hours ago, FlorinSzasz said:

maybe there are some bugs in scripts or they are not compiled also is the cache set the false to the scripts. Also there are maybe no checks when u send data from client to server and there will be some exploits. The Mta AC will do what it can but we also should build our server anti-cheat by scripts i mean some simple hard coded checks on servers-side and that`s it. Only you or your server scripter knows in which way they gamemode is made and what checks can be made.

do you think a possible solution is to compile all the client files ? I have several in protected mode, it's something similar to cache but I think it's safer, I still have to compile all my clients because some clients are from the community and are not compiled, do you think they have a way to use those decompiled files and execute functions from the client?

[FlorinSzasz]

7 hours ago, BranD said:

This is a worrying issue because attackers can inject triggers from the client, causing the server to lag until it crashes. I am 100% sure that it is not just any system on my server because it is precisely the same pirates that have been playing. with aimbot, speedhack, being able to fly and among other things. When they are kicked, the lag disappears.

do you think a possible solution is to compile all the client files ? I have several in protected mode, it's something similar to cache but I think it's safer, I still have to compile all my clients because some clients are from the community and are not compiled, do you think they have a way to use those decompiled files and execute functions from the client?

i am not sure but it could be. If they are not compiled they can see the code so they can change stuff and inject data from client and if the server script doesnt check from where is the data then it will pass. On the other hand i am not a pro in mta security there older people here who have more knowledge on this topics, but i try to see if you have the basic stuff done things which we can do to protect our servers.

[DiSaMe]

Improving the anti-cheat can make it harder for malicious users, but it can never solve the problem, because one way or another, it has to rely on things being checked on the client side. It's just impossible to make sure that whatever runs on the client is authentic - what is possible, is to make it harder to replicate the appearance of authentic. But there will always be ways around that.

However,

15 hours ago, BranD said:

but what is more worrying is that the hacker can even inject lua from the client

9 hours ago, RekZ said:

There are Russians who join and kick everyone on the server just because they can.

These don't sound like anti-cheat problems at all - more like problems in the server. Unless they are MTA server bugs (which would be a huge security issue, very worrying indeed, but I find that very unlikely), they must be caused by scripts you run on the server. Like a server-side script that receives events from the client side and processes them without performing any validation. It's definitely not up to the anti-cheat to take care of that. Just because the anti-cheat makes it harder for hackers to exploit the server's script security holes, that doesn't mean those security holes should be there in the first place.

Likewise, compiling the client scripts increases the amount of effort the hackers need to put in, but that's not going to make much difference for someone who can overcome the anti-cheat.

[BranD]

2 hours ago, DiSaMe said:

Improving the anti-cheat can make it harder for malicious users, but it can never solve the problem, because one way or another, it has to rely on things being checked on the client side. It's just impossible to make sure that whatever runs on the client is authentic - what is possible, is to make it harder to replicate the appearance of authentic. But there will always be ways around that.

However,

These don't sound like anti-cheat problems at all - more like problems in the server. Unless they are MTA server bugs (which would be a huge security issue, very worrying indeed, but I find that very unlikely), they must be caused by scripts you run on the server. Like a server-side script that receives events from the client side and processes them without performing any validation. It's definitely not up to the anti-cheat to take care of that. Just because the anti-cheat makes it harder for hackers to exploit the server's script security holes, that doesn't mean those security holes should be there in the first place.

Likewise, compiling the client scripts increases the amount of effort the hackers need to put in, but that's not going to make much difference for someone who can overcome the anti-cheat.

But most of my systems have anti-spam in the triggers, also the hacker executes a trigger that doesn't exist on the server-side I used the Winrar search engine to see if some of my codes had that sequence and it's as if he executed an event from your client but from server clients that event does not exist.

[DiSaMe]

2 hours ago, BranD said:

But most of my systems have anti-spam in the triggers, also the hacker executes a trigger that doesn't exist on the server-side I used the Winrar search engine to see if some of my codes had that sequence and it's as if he executed an event from your client but from server clients that event does not exist.

I don't understand what you're saying. Do you mean the hacker triggers events on behalf of other players? So it appears as if a different player triggered it? I've seen enough poorly written scripts to expect that to happen. People tend to pass localPlayer as source element to triggerServerEvent and then use the source variable on the server to identify the caller. But like any data passed to triggerServerEvent, the source element can be faked so the hackers do exactly that to make the events appear to originate from other players. The variable client is the correct way to identify the client that triggered the event.

If it is possible to write a client-side script to do something, then that something can be done by hackers. The anti-cheat is there to keep the hackers from doing it but it cannot in principle solve the problem "once and for all" and shouldn't be relied upon for script security.

[-ffs-PLASMA]

As many people said in past and will say in future: DO NOT TRUST THE CLIENT

Always expect the data coming from client to be manipulated. Perform important validations on server side.

And as DiSaMe already said, 99% of problems are caused by bad scripts/resources. Use client for server events, try to avoid elementdatas, if you need elementdatas then check if they got changed by client and revert them back, perform movement validations of players.

[FlorinSzasz]

4 hours ago, DiSaMe said:

I don't understand what you're saying. Do you mean the hacker triggers events on behalf of other players? So it appears as if a different player triggered it? I've seen enough poorly written scripts to expect that to happen. People tend to pass localPlayer as source element to triggerServerEvent and then use the source variable on the server to identify the caller. But like any data passed to triggerServerEvent, the source element can be faked so the hackers do exactly that to make the events appear to originate from other players. The variable client is the correct way to identify the client that triggered the event.

If it is possible to write a client-side script to do something, then that something can be done by hackers. The anti-cheat is there to keep the hackers from doing it but it cannot in principle solve the problem "once and for all" and shouldn't be relied upon for script security.

i want to ask if this is a good way to make it ->

something = function(player)    --player form the client
	if player == client then 
  	-- do something
end 
  
-- and also this 
something = function(player)    --player form the client
	if source == player and source == client then -- is the same thing right?
  	-- do something
end 

I dont have my own server, however when i will open one i want to be sure if what i did is right.

[DiSaMe]

35 minutes ago, FlorinSzasz said:

i want to ask if this is a good way to make it ->

Good way to make what? If you always pass localPlayer as source and the first argument when triggering from client to server, you may as well not have the first argument, ignore the value of source and just use client variable. Doing comparison of values may help you detect some of the faked calls (if the values don't match, it's obviously faked), but unless you do something different in those cases (such as logging/kicking/banning), I don't see any use in that - if you rely on equality of received values to silently ignore the obviously-faked calls, the hackers will pass equal values to avoid the calls getting detected as faked.

[RekZ]

6 hours ago, DiSaMe said:

I don't understand what you're saying. Do you mean the hacker triggers events on behalf of other players? So it appears as if a different player triggered it? I've seen enough poorly written scripts to expect that to happen. People tend to pass localPlayer as source element to triggerServerEvent and then use the source variable on the server to identify the caller. But like any data passed to triggerServerEvent, the source element can be faked so the hackers do exactly that to make the events appear to originate from other players. The variable client is the correct way to identify the client that triggered the event.

If it is possible to write a client-side script to do something, then that something can be done by hackers. The anti-cheat is there to keep the hackers from doing it but it cannot in principle solve the problem "once and for all" and shouldn't be relied upon for script security.

the Russians and Brazilians go to the server and kick out the players with that message and I don't have any triggerServerEvent where the player is kicked out... I don't understand how it could be a security flaw in my server that allows a player to come in and kick everyone out just like that. If it's a security issue, it should be with the administration panel, not my server. The problem is that when someone comes to seek help on the forum, all they find is people judging their comments and others downplaying the situation, nothing new.

[DiSaMe]

10 hours ago, RekZ said:

the Russians and Brazilians go to the server and kick out the players with that message and I don't have any triggerServerEvent where the player is kicked out... I don't understand how it could be a security flaw in my server that allows a player to come in and kick everyone out just like that. If it's a security issue, it should be with the administration panel, not my server. The problem is that when someone comes to seek help on the forum, all they find is people judging their comments and others downplaying the situation, nothing new.

If you know for sure the problem is not in your code, then yes, resources that come with MTA could be another place to look. I would try replacing kickPlayer with a wrapper that calls debug.traceback and outputs it to the log in all running resources, so whenever a player gets kicked by a script, the server log would tell where the call came from. Then, if the traceback doesn't show up in the log, most likely it was done directly using /kick command. Which either means they somehow managed to gain access or there's actually a vulnerability in MTA server. I'm not ruling out any possibilities, but I assume user mistakes first.

[ds1-e]

On 09/07/2023 at 00:25, RekZ said:

the Russians and Brazilians go to the server and kick out the players with that message and I don't have any triggerServerEvent where the player is kicked out... I don't understand how it could be a security flaw in my server that allows a player to come in and kick everyone out just like that. If it's a security issue, it should be with the administration panel, not my server. The problem is that when someone comes to seek help on the forum, all they find is people judging their comments and others downplaying the situation, nothing new.

Make sure to update all default (and community) resources. Keeping them outdated could lead to such scenarios, where they could make use of incorrectly written logic.
Disable access to load and loadstring in ACL, unless you have certain reason to keep it enabled (latest MTA builds have it disabled by default).
 

<right name="function.loadstring" access="false"/>
<right name="function.load" access="false"/>

You could take a look at Script security article, which i've recently updated.
Also, there's no such anti-cheat which would protect you from vulnerable Lua code running on your server, so blaming it in first place isn't reasonable - which most of people nowadays shamelessly do. Including ungratefulness towards AC team, which provided nearly cheat-free experience for a few good years.

Edited July 31, 2023 by srslyyyy

[BranD]

On 30/07/2023 at 21:55, srslyyyy said:

Make sure to update all default (and community) resources. Keeping them outdated could lead to such scenarios, where they could make use of incorrectly written logic.
Disable access to load and loadstring in ACL, unless you have certain reason to keep it enabled (latest MTA builds have it disabled by default).
 

<right name="function.loadstring" access="false"/>
<right name="function.load" access="false"/>

You could take a look at Script security article, which i've recently updated.
Also, there's no such anti-cheat which would protect you from vulnerable Lua code running on your server, so blaming it in first place isn't reasonable - which most of people nowadays shamelessly do. Including ungratefulness towards AC team, which provided nearly cheat-free experience for a few good years.

This is very interesting, but currently cheaters can inject malicious code without any type of restriction. They can also pause detectors such as addDebugHook to avoid anti-cheat.