BreakJoints() Vulnerability

My game has recently had issues with a high-end exploit to do with workspace:BreakJoints().
A private exploit may be used with this function to delete ANYTHING in workspace (and potentially more).
It also seemingly can mute players’ chats.

I am not sure how to patch this or deal with it, please lmk if you have any wisdom to offer.

Sounds more like you have a backdoor.

The only way users can break joints, delete instances, or do pretty much anything server sided is if they have server side access via said backdoor.
Same thing for muting chat, impossible without server sided access.

Press Control+Shift+F in studio and look for getfenv and require, removing any lines of code (or entire scripts) that you do not recognise/believe are suspicious.
Keep in mind that malicious scripts may not appear if you have a malicious plugin installed (as the plugins can and often do hide malicious scripts by assorted means).
Also keep in mind that normal looking requires can have malicious code inside them (eg fake/stolen admin scripts, it’s all normal code however it loads a module that has the malicious code in)
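One way to run the search the reply above describes in a single pass, as an added example that is not the thread author's code and not part of the original post: pasted into the Studio command bar, it walks the main service containers, reads each script's Source (readable with the plugin-level permissions the command bar has) and prints the script path and line of every getfenv, setfenv, loadstring, or require() of a numeric asset id. The container list and the pattern list are my assumptions and can be extended.

```lua
-- Added example: run from the Roblox Studio command bar (View > Command Bar), not as a
-- Script inside the game. Source is only readable with plugin-level permissions.
-- The patterns are Lua string patterns; the list is an assumption, extend it as needed.
local SUSPICIOUS_PATTERNS = {
	"getfenv",                    -- environment tampering
	"setfenv",
	"loadstring",                 -- code built from a string at runtime
	"require%s*%(%s*%d+%s*%)",    -- require(1234567): module fetched by asset id
	"require%s*%(%s*%d+%s*,",     -- same, with trailing arguments
}

-- Services that can hold scripts. Lighting, SoundService etc. are included because
-- hidden scripts are usually parented somewhere nobody looks.
local CONTAINER_NAMES = {
	"Workspace", "ServerScriptService", "ServerStorage", "ReplicatedStorage",
	"ReplicatedFirst", "StarterPlayer", "StarterGui", "StarterPack", "Lighting",
	"SoundService", "Chat", "Teams",
}

-- Returns a list of { obj = script, pattern = matched pattern, line = first line hit }
local function scanContainer(container)
	local findings = {}
	for _, obj in ipairs(container:GetDescendants()) do
		if obj:IsA("LuaSourceContainer") then
			-- pcall: if Source is not readable for some object, skip it rather than abort
			local ok, source = pcall(function() return obj.Source end)
			if ok and type(source) == "string" then
				for _, pattern in ipairs(SUSPICIOUS_PATTERNS) do
					local start = source:find(pattern)
					if start then
						-- line number of the first hit, so it can be found in the editor
						local line = select(2, source:sub(1, start):gsub("\n", "")) + 1
						table.insert(findings, { obj = obj, pattern = pattern, line = line })
					end
				end
			end
		end
	end
	return findings
end

local total = 0
for _, name in ipairs(CONTAINER_NAMES) do
	local ok, container = pcall(game.GetService, game, name)
	if ok and container then
		for _, f in ipairs(scanContainer(container)) do
			total += 1
			warn(("[scan] %s  line %d  matches %q"):format(f.obj:GetFullName(), f.line, f.pattern))
		end
	end
end
print(("[scan] done, %d suspicious lines flagged; review each before deleting"):format(total))
```

Every hit needs a human look: a legitimate admin module also loads by asset id, which is exactly the case the reply above warns about, so the thing to check is what the required module itself contains. The scan only sees what is in the DataModel at the moment it runs; a plugin that inserts a script only while publishing, as later replies describe, will not show up here.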

You seem to not know how BreakJoints work. BreakJoints basically breaks any constraints/welds on a part.

So if you BreakJoints on your own character you would die as all your parts fall apart since they're not being held by Motor6Ds or welds because you broke them. It would be impossible to mute chat, delete anything/break anything not connected to the player.

@Laqotaa
There is no backdoor; what I’ve been told by not only one of the friends of the exploiters but also a friend of mine is that this is a vulnerability. The client is able to send packets of data to the server, letting them manage workspace.
I’m not entirely sure, but I searched the game inside out for backdoors and it surely isn’t one.

It’s actually impossible. You can’t just control stuff with BreakJoints like workspace because all BreakJoints does is break the welds. And if you do it locally it only breaks them for you and nobody else can see them. This issue would have been brought up after 5-6 years of FE if you think about it, yet you’re the only one.

You can’t just scour through your game to expect to see a backdoor. You possibly have a fake plugin that hides the script, which is possible. When you save the game it loads the scripts in a random spot and deletes them after the game has saved. Make sure your plugins are from legit authors (and not some bacon hair).

This seems like a backdoor or lack of proper sanity checks on the server to me.

You should check all of your remote events and make sure you are not letting the server rely too much on the information the client sends.
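What "not letting the server rely on the information the client sends" looks like for a remote, as an added example that is not the thread author's code: a server Script in ServerScriptService handles a RemoteEvent through which a client asks for one part to be broken. The names "RequestBreak" (the RemoteEvent in ReplicatedStorage) and "Breakables" (the workspace folder holding the only parts players may break), the distance limit and the rate limit are all assumptions made up for this example.

```lua
-- Added example (not the thread author's code): server Script in ServerScriptService.
-- Assumed: a RemoteEvent "RequestBreak" in ReplicatedStorage that clients fire with
-- the part they want broken, and a workspace folder "Breakables" that holds the only
-- parts players are allowed to break. Both names are invented for this example.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local remote = ReplicatedStorage:WaitForChild("RequestBreak")
local breakables = workspace:WaitForChild("Breakables")

local MAX_DISTANCE = 16     -- studs; the player must be standing next to the part
local MIN_INTERVAL = 0.25   -- seconds between accepted requests per player (rate limit)
local lastRequest = {}      -- [Player] = os.clock() of the last accepted request

-- Every decision is made from server-side state. The only thing taken from the client
-- is *which* part, and even that is checked against the allow-list folder.
local function validate(player, target)
	if typeof(target) ~= "Instance" or not target:IsA("BasePart") then
		return false, "argument is not a BasePart"
	end
	if not target:IsDescendantOf(breakables) then
		return false, "part is outside the Breakables folder"
	end
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then
		return false, "player has no character"
	end
	if (root.Position - target.Position).Magnitude > MAX_DISTANCE then
		return false, "player is too far away"
	end
	local now = os.clock()
	local last = lastRequest[player]
	if last and now - last < MIN_INTERVAL then
		return false, "rate limit"
	end
	lastRequest[player] = now
	return true
end

remote.OnServerEvent:Connect(function(player, target)
	local ok, reason = validate(player, target)
	if not ok then
		-- Log and do nothing. Repeated rejections from one player are worth a look.
		warn(("RequestBreak rejected for %s: %s"):format(player.Name, reason))
		return
	end
	-- Act on the single validated part only. The server never calls
	-- workspace:BreakJoints() and never trusts a client-supplied path, count or position.
	target:BreakJoints()
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil
end)
```

The shape matters more than the specific limits: a remote that took an arbitrary instance, a name to look up, or a count of parts from the client and acted on it would give a client the kind of reach over workspace the original post describes, whereas here an argument of `workspace` or any part outside the folder is rejected before anything happens.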

From what I’ve heard, this is a vulnerability in the packet solution (Raknet) that Roblox uses. There are big security flaws that exploiters only recently learnt how to abuse. This is apparently also the cause of the recent server-crashing exploit.

@Lakodex @TomazDev this is exactly what I’m talking about;
The game has NO backdoors. No require() or getfenv(), or anything of the sort. I’ve dealt with backdoors before.
There are no functions that have access to deleting ANY PARTS in the map, destroying the character and making it unable to respawn, removing the chat, etc.
I do do sanity checks properly (although there’s one I should double check, but it has nothing to do with the current issue at hand)

Are there any functions / remotes that allow a player to update properties on an instance, or call a function on an instance?

EDIT:
If you can’t seem to figure out what is causing this, you could always just acquire a copy of the exploit and see how it does this.

As everyone has said, this is essentially impossible with FilteringEnabled. There are only a few things that get past this filter, and that has to do with physics simulation and player characters.

Player character positions are automatically updated, and if any part is removed by the client, it also removes on the server. This only applies to their character. Physics simulations are also normally handled by a client on a per-part basis and automatically managed by the server by default (however, this can be changed to be server-only with a server-script).

With that said, none of those potential exploits would allow an exploiter to remove things or modify anything else in the server. The only exception is changing the position of unanchored parts of which the server has given their client physics ownership of.

It’s an executor which uses raknet to send packets, bla bla.

There is no function that does such.

The exploit is a private exploit; I’m unable to acquire this.

As VizuSR and omnerisk have said, it’s because of a packet vulnerability used with workspace:BreakJoints().

I highly doubt that this particular exploit is a vulnerability in Roblox’s infrastructure, as if it was, there would be way more reports of people bypassing FilteringEnabled. All I can find are reports of DDoS attacks, which are bad but unrelated to this exploit. All I can say is to keep looking for vulnerabilities in your code.

I’m not exactly sure of how it works, but it’s a vulnerability in Raknet, which ROBLOX uses for sending packets. I believe if 3 people have said this, it should be pretty transparent that it isn’t a backdoor.
Unless there’s something other than require or getfenv, or some complicated way to hide them, it’s doubtful that there’s a backdoor, alongside the fact that this isn’t just a bunch of script kiddies joining, but rather a friend group of exploiters who are just trolls, doing it just to be annoying, for their own amusement.

I’ve only seen 2 people say it has to do with Raknet, neither of which have cited any sources. The literal only way for this to happen is if there is a backdoor. Assuming you’ve checked all your scripts, I would go through literally all of your plugins and check that each one is 100% legit.

4, actually; 2 outside of roblox, both of which are exploiters that know some about the exploit itself.
I’ve checked my plugins, too. They’re legit.

This is all very strange. I mean, nobody has ever brought up an issue like this before, it seems so weird that it’s somehow only come up now.

Though, I still don’t fully believe this is an exploit with Roblox’s netcode. Why isn’t this happening to other games? If the answer was larger games would persuade Roblox to fix the bug, it wouldn’t make sense since smaller games can still find a way to get to Roblox, maybe someone more experienced can report this on Roblox’s HackerOne.

Anyway, you could (@anon68363985/@astraIotus) make a bug report in #bug-reports:engine-bugs, or try what this guy did if you don’t have the permissions.

Edit: Try PMing @Bug-Support instead!

How do you know it’s related to :BreakJoints? If you asked an exploiter, they could have just thrown you a red herring.

You could possibly gather more information on the exploit by publishing an update and having the server check the network ownership of things in the workspace, notifying developers in the server of something fishy, maybe even a possible patch by banning players that have ownership of things other than their characters (though you should properly test this out - maybe get an exploiter to see if it works).

Of course, it’s still very hard to give advice on something you know very little about - I still recommend you use a backdoor removal plugin just to be safe. Check through any modules you’re using, maybe one of them nullifies FE in some way.
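The network-ownership check suggested above, written out as an added example that is not the thread author's code: a server Script sweeps the unanchored parts in workspace every few seconds and reports any part whose network owner is a player but which is not part of that player's character. It only logs by default; the sweep interval and the ENFORCE_SERVER_OWNERSHIP switch are assumptions for this example.

```lua
-- Added example (not the thread author's code): server Script in ServerScriptService.
-- Periodically audits network ownership of unanchored parts in workspace and reports
-- any part a player owns that is not in that player's character. Logs only by default;
-- CHECK_INTERVAL and ENFORCE_SERVER_OWNERSHIP are assumptions for this example.
local Players = game:GetService("Players")

local CHECK_INTERVAL = 5                 -- seconds between sweeps
local ENFORCE_SERVER_OWNERSHIP = false   -- true: hand flagged parts back to the server

-- true if the part belongs to some player's character model
local function isCharacterPart(part)
	for _, player in ipairs(Players:GetPlayers()) do
		local character = player.Character
		if character and part:IsDescendantOf(character) then
			return true
		end
	end
	return false
end

-- Returns a list of { part = BasePart, owner = Player } for parts whose network
-- owner is a player even though they are not that player's character.
local function audit()
	local findings = {}
	for _, inst in ipairs(workspace:GetDescendants()) do
		if inst:IsA("BasePart") and not inst.Anchored and not isCharacterPart(inst) then
			-- Anchored parts and parts welded to anchored ones have no owner to query;
			-- CanSetNetworkOwnership says whether the ownership API applies to this part.
			if inst:CanSetNetworkOwnership() then
				local ok, owner = pcall(inst.GetNetworkOwner, inst)
				if ok and owner ~= nil then
					table.insert(findings, { part = inst, owner = owner })
					if ENFORCE_SERVER_OWNERSHIP then
						inst:SetNetworkOwner(nil) -- nil means the server simulates this part
					end
				end
			end
		end
	end
	return findings
end

-- Reporting: warn() lands in the server output/log. Firing a RemoteEvent to an
-- allow-list of developer accounts would be the in-game variant; left out here.
local function report(findings)
	for _, f in ipairs(findings) do
		warn(("[ownership] %s is owned by %s"):format(f.part:GetFullName(), f.owner.Name))
	end
end

task.spawn(function()
	while true do
		report(audit())
		task.wait(CHECK_INTERVAL)
	end
end)
```

Read the output with the earlier reply on physics in mind: with automatic network ownership (the default) a player standing near loose physics parts legitimately owns them, so findings are expected noise unless the game already gives those parts to the server with SetNetworkOwner(nil). Treat the sweep as telemetry that narrows down what is happening, not as grounds for an automatic ban, which matches the advice above to test any such patch properly first.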

Probably a better idea.

I’m with you on this one. If something like this actually existed, it would be way more prominent. Plus, and this is not meant to offend anyone, but people often misunderstand the nature of code and how backdoors work. People say they’ve seen things, but they often don’t actually understand how it happened.

Unless you’ve written all of your code or have read every script in your game and fully understand them, then I would first suspect a backdoor. As others have said, plugins can be malicious, however plugins can’t (as far as I’m aware) insert anything right as you publish an update. The script has to “physically” exist within the explorer in order to function.

Now if this is 100% not a backdoor and is indeed something else, I have not been able to find a single valid source on this. The only one I could find was a video, and it was a backdoor. So if anyone has any actual evidence of this, please source it and report it through the proper channels.

I’ve gathered my info from a certain prominent exploiting forum (you can probably guess what I’m talking about), where multiple people were discussing this new exploiting method involving packets. Not sure if you’d count that as a “credible source” but whatever. I’m not sure if BreakJoints() is the culprit here but I have heard about people being able to delete the workspace as a result of this exploit, so make of that what you will.