Topic: 2020/05/03 - Blockland r2005-r2012

Badspot

  • Administrator
r2005
This update patches 2 buffer overflow bugs in response to this ongoing incident.

It is also compiled in the latest version of Visual Studio with Control Flow Guard enabled.  This may provide some general protection against this type of bug.

There may be some side effects.  I have noted a slight performance decrease, but it seems to be unrelated to CFG.


I am planning a more thorough solution to the compromised key problem, please be patient.

r2006
Addressed another potential vulnerability of the same type.

r2007
Many unsafe string copy and concatenation operations updated. 

r2009
Minor cleanup, one additional buffer limit fix
Removed "-1" event on Speedkart_Lighthouse
Removed ultra shortcut on Speedkart_Descent
Brightened lighting on Speedkart_Harbor



I have re-enabled key authentication, with the limitation that it will not work on new IP addresses.  That means you can log in and play as normal, but only if your IP is the same as it was a few days ago (or the last time you logged in). 

Everyone in the list of stolen keys who had a steamID linked to their account has been made Steam-only.  Of the remaining keys on the list, I found suspicious login activity on the following BLIDs:

4578
20406
22324
27013
30372
35295
39877
43110
46163

I reverted their IP addresses to what they were before this started.  There may be other compromised keys, but given the pattern here there probably aren't that many that were actually logged into. 

This isn't a complete solution obviously, it's just a stop-gap to let a few more people play while I implement a more permanent fix.



The permanent solution is going to be using Steam for authentication.  Having everyone store a password on their computer is just too high value of a target with too large of an attack surface.  It's stressful enough just keeping them on my server. 

You will be able to host dedicated servers
You will be able to keep your BLID (even alts)
You will be able to have multiple installation folders

It's going to take a little bit of time.  If I don't implement everything at once or the plan changes, try not to sperg out immediately. 



r2011
Removed case where key.dat would be cleared when auth failed
Updated to latest Steamworks SDK

r2012
Fix for unintended change in stricmp behavior
« Last Edit: May 08, 2020, 06:48:44 AM by Badspot »
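
The stop-gap described in the post above (stolen keys with a linked Steam ID become Steam-only, the remaining stolen keys are checked for logins from a new address and reverted, and key login only works from the last known IP), sketched as an added example. This is not Badspot's server code: the `Account` fields, the log tuple layout and every BLID, time and IP below are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Account:
    blid: int
    last_ip: str            # IP of the most recent successful key login
    steam_linked: bool
    steam_only: bool = False

def triage(accounts, stolen, logins, incident_start):
    """Apply the stop-gap to each stolen key; return BLIDs with suspicious logins.

    logins: (time, blid, ip) tuples for successful key logins, oldest first.
    """
    pre_ip, moved = {}, set()
    for when, blid, ip in logins:
        if when < incident_start:
            pre_ip[blid] = ip                  # baseline: last IP before the incident
        elif blid in stolen and blid in pre_ip and ip != pre_ip[blid]:
            moved.add(blid)                    # stolen key used from a new address
    suspicious = []
    for blid in sorted(stolen):
        acct = accounts[blid]
        if acct.steam_linked:
            acct.steam_only = True             # key login disabled for this account
        elif blid in moved:
            acct.last_ip = pre_ip[blid]        # revert to the pre-incident address
            suspicious.append(blid)
    return suspicious

def key_auth_allowed(acct, ip):
    """Key login works only from the last known IP, never on Steam-only accounts."""
    return not acct.steam_only and ip == acct.last_ip

def build_sample():
    """Constructed data: BLIDs, times and documentation-range IPs are made up."""
    accounts = {
        101: Account(101, "203.0.113.9", False),   # last login came from a new IP
        102: Account(102, "192.0.2.20", True),     # has a linked Steam ID
        103: Account(103, "192.0.2.30", False),    # stolen, but never used elsewhere
        104: Account(104, "198.51.100.4", False),  # changed IP, not on the stolen list
    }
    logins = [(1, 101, "192.0.2.10"), (1, 102, "192.0.2.20"), (2, 103, "192.0.2.30"),
              (2, 104, "192.0.2.40"), (5, 101, "203.0.113.9"), (6, 103, "192.0.2.30"),
              (6, 104, "198.51.100.4")]
    return accounts, {101, 102, 103}, logins, 4

if __name__ == "__main__":
    accounts, stolen, logins, start = build_sample()
    print("suspicious BLIDs:", triage(accounts, stolen, logins, start))
```

A stolen key with no login before the incident has no baseline to compare against, so this sketch leaves it unflagged; a real triage would need a separate rule for that case.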


We're saved! Thanks badspot! I knew you'd do it.

Good job, now time to go to sleep


now email us new keys


thanks for the heads up. for those that are compromised, what do you plan to do with those keys?

After I updated Blockland, when I launch it, it closes after 5 seconds; I have to use my old Blockland folders to play it.
Deleting and installing again doesn't work. But the thing is, when I replace the new Blockland.exe file with the old Blockland.exe file it works and I launch Blockland.
« Last Edit: May 03, 2020, 08:08:31 AM by Aptem000 »


But the thing is, when I replace the new Blockland.exe file with the old Blockland.exe file it works and I launch Blockland.
You're basically just downgrading to a compromised version by doing that
« Last Edit: May 03, 2020, 11:25:58 AM by dargereldren »

You're basically just downgrading to a compromised version by doing that
better than not playing at all.

I'm having the same problem. My steam version of blockland won't even launch, and my key version crashes consistently after console echoes "Activating the OpenGL display device... (NEW)", about 5 seconds after trying to launch.

better than not playing at all.
this is pretty incorrect since this pretty much confirms it's an RCE exploit and key stealing is the least of your issues (if it actually is one)
« Last Edit: May 03, 2020, 11:36:09 AM by Conan »

I've noticed that Blockland now requires the Visual C++ 2019 runtime, so that will need to be installed (if necessary) first
edit: updated link for the redistributable to VC++ 2019, as that's the one that was enabled for the Steam version

badspot, can you enable that in steamworks?
edit: it's been done, thanks
« Last Edit: May 03, 2020, 02:10:04 PM by dargereldren »

this isn't really an issue in current year (who uses XP anymore), but hey I may as well mention it anyway:
the game no longer runs on XP; you may wish to update the system requirements on the Blockland help page

edit: vista also no longer works

windows 7 at minimum is now required to run blockland
« Last Edit: May 03, 2020, 12:30:00 PM by Mr Queeba »