Author Topic: cache.db security? (Read 1093 times)

Pwnon · January 04, 2015, 01:14:33 PM

Correct me if I'm wrong, but doesn't cache.db store data you get from servers? (Ex. addons, music, textures) Assuming this is the case, couldn't someone just create an addon with a RAT in it, and disguise said RAT as a typical addon? It would then end up in the player's computer, and depending on how many players connect to aforementioned server (take for example a popular one like tezuni's), the host could create a botnet.

If this is possible, can it be fixed?

If it isn't possible, apologies for a stupid question.

Ad Bot · Advertisement

Tetro Block · January 04, 2015, 01:19:36 PM

Quote from: Pwnon on January 04, 2015, 01:14:33 PM

Correct me if I'm wrong, but doesn't cache.db store data you get from servers? (Ex. addons, music, textures) Assuming this is the case, couldn't someone just create an addon with a RAT in it, and disguise said RAT as a typical addon? It would then end up in the player's computer, and depending on how many players connect to aforementioned server (take for example a popular one like tezuni's), the host could create a botnet.

If this is possible, can it be fixed?

If it isn't possible, apologies for a stupid question.

This is why GUIs can't be downloaded, and textures/sounds have an option, model files are automatically downloaded.

I'd say this is impossible to the average "RAT Placer".

Pwnon · January 04, 2015, 01:20:24 PM

But even then, if a virus is packaged correctly, could it be spread to another player's computer?

Tetro Block · January 04, 2015, 01:21:52 PM

Quote from: Pwnon on January 04, 2015, 01:20:24 PM

But even then, if a virus is packaged correctly, could it be spread to another player's computer?

I'm sure a top black-hat hacker would find some exploit and write it in binary to be executed on server join. But for most script-kiddies they couldn't. Trust me those top hackers aren't going to worry about some $9.99 Blockland Key.

otto-san · January 04, 2015, 01:27:27 PM

pretty sure the game just rips its weewee off if you try to load data files that aren't quite right. not sure if that's true in the case of sound files or textures, but i doubt that torque is a very powerful medium of virus power. i think there was some exploit you could use to modify files outside the game directory, but i'm p sure badspot patched it ages ago. cache.db is likely, in a lot of ways, safer than the old system wherein the files were literally just dropped into add-on subfolders. (i think it goes without saying but i'm not experienced with malicious code)

Dannu · January 04, 2015, 01:35:13 PM

Trying to memorize some old topic, there was something said about like in any game, there is no way to directly execute code. You give predefined commands to the engine and it manages what to do with the information. In Blockland's case, most likely flip stuff.

Ipquarx · January 04, 2015, 02:02:58 PM

Arbitrary code execution through dts files has been investigated and has been deemed impossible.

Tetro Block · January 04, 2015, 02:14:22 PM

Quote from: Ipquarx on January 04, 2015, 02:02:58 PM

Arbitrary code execution through dts files has been investigated and has been deemed impossible.

You'd probably need to know how the torque engine handles dts, And you can't buy it anymore so I doubt anyone would know how here.

ZSNO · January 04, 2015, 02:22:00 PM

Quote from: Tetro Block on January 04, 2015, 02:14:22 PM

You'd probably need to know how the torque engine handles dts, And you can't buy it anymore so I doubt anyone would know how here.

The version of TGE that Blockland was built off of is floating around.