Exploit able to shut down server immediately upon connecting, without a character

@Raspy_Pi is this the issue you were experiencing with Phantom Forces? Perhaps you could post the info you have.

I got a report from a staff member that a streamer keeps getting someone joining and crashing his servers on Phantom Forces.

1 Like

SynapseX can do that. My friend has a stream sniper feature as well as a server crasher that you can’t do much about. I don’t know how the crash works, but it does null the character and uses a tool.

I’ll reverse engineer it when he wakes up and I’ll update this post accordingly if I can.

2 Likes

This can be reproduced in Studio by editing a CoreScript (e.g. %localappdata%\Roblox\Versions\version-dea4928194014ca7\ExtraContent\scripts\CoreScripts\StarterScript.lua) to create a Player before one exists:

if game:GetService"RunService":IsClient() then
	print("Creating player client-side")
	game:GetService"Players":CreateLocalPlayer()
end

The Player will replicate to the server (excluding any properties set on client?) before the server is meant to create it and PlayerAdded is fired. Immediately after, though, the server crashes due to some engine code expecting the player to exist in a hash map (?) where it does not.

Technical info for any engineers who don’t already know the cause:
Some instances created before/during join get sent to the server via a JoinData item packet. As far as I’m aware, this is meant for the client to receive only (to stream server objects in) but the server accepts it anyway. Only the Player instance seems to replicate, though (?). In the JoinData packet deserializer/processor, on the server, after the Player has been created, the Player is used for a lookup inside of a hash map (?) inside ServerReplicator. The map is empty or the key doesn’t exist, and a null pointer access occurs as a result.

Disclaimer: My explanation makes some assumptions and should be considered an educated guess.

25 Likes
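A small C++ model of the failure described in the post above and of the two server-side checks that would stop it, added here as an illustration; it is not Roblox engine code or code from any poster. Every name in it (`Replicator`, `Packet`, `Verdict`, `onPacket` and so on) is hypothetical, and it takes the post's educated guess about the cause at face value.

```cpp
#include <cstdint>
#include <unordered_map>

// Hypothetical model of the guessed flaw; no name here is a Roblox engine name.
enum class Role { Server, Client };
enum class Packet { JoinData, PropertyUpdate };
enum class Verdict { Applied, WrongDirection, UnknownPlayer };
struct PlayerState { int updates = 0; };

class Replicator {
    Role role_;
    std::unordered_map<std::uint64_t, PlayerState> players_;
    // Returns nullptr when the id was never registered.
    PlayerState* lookup(std::uint64_t id) {
        auto it = players_.find(id);
        return it == players_.end() ? nullptr : &it->second;
    }
public:
    explicit Replicator(Role role) : role_(role) {}
    // On the server, the join handshake is the only place an entry is added.
    void registerPlayer(std::uint64_t id) { players_.emplace(id, PlayerState{}); }

    // "Before": any peer may send JoinData and the lookup result is used
    // unchecked, so an unregistered id dereferences nullptr.
    void onJoinDataUnchecked(std::uint64_t id) { lookup(id)->updates++; }

    // "After": refuse server-to-client packet types on the server, and
    // treat a missing entry as a rejected packet rather than a crash.
    Verdict onPacket(Packet type, std::uint64_t id) {
        if (type == Packet::JoinData) {
            if (role_ == Role::Server) return Verdict::WrongDirection;
            registerPlayer(id);  // client side: stream the object in
            return Verdict::Applied;
        }
        PlayerState* state = lookup(id);
        if (state == nullptr) return Verdict::UnknownPlayer;
        state->updates++;
        return Verdict::Applied;
    }
    int updatesFor(std::uint64_t id) { auto* s = lookup(id); return s ? s->updates : -1; }
};

int main() {
    Replicator server(Role::Server);
    server.registerPlayer(1);  // constructed sample id
    return server.onPacket(Packet::JoinData, 99) == Verdict::WrongDirection ? 0 : 1;
}
```

The direction check addresses the root cause in the post's account (the server accepting a packet type meant only for clients); the null check is defence in depth for any other handler that keys on a player the server never registered.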

If this were the case, wouldn’t core scripts still be calling CreateLocalPlayer() themselves to connect to the server? I don’t think this would crash the server. I’m thinking maybe this method is being spammed because there should already be precautions in place for a local player being created multiple times due to either internet or multiple devices.

If I’m wrong however, this should still be an easy fix if the server is the one that creates it as it should be able to just reject client created connections.

I’m pretty sure the server creates the player now (although it didn’t use to be this way, hence the existence of CreateLocalPlayer) which replicates to the client upon join. Not sure why the API still exists.

3 Likes

Hiding this topic because apparently repro steps are shared in multiple replies. This is not how you are meant to handle sensitive details related to exploits, in the future please send them to @Exploit_Reports.

Staff have seen this topic so you don’t have to worry about them not seeing it now that it is unlisted. It will probably be relisted once this is fixed.

I vouch for this, this needs IMMEDIATE attention!

2 Likes

We are aware of the issue. Our team is currently working on a fix.

35 Likes

This one doesn’t require a backdoor, I’m fairly sure any game is vulnerable.

Hopefully we get an update on the situation soon!

This should now be fixed. Thanks for bringing it to our attention!

56 Likes

It had been stopping in the servers I was modding in (Would be getting crashed every 20 minutes or so yesterday) - But literally the same thing has been happening all of a sudden.

Game Link: Flex Your Account Age

EDIT: Unable to tell if the issue is tied to this, but it seems to be.

5 Likes

Not sure if this is related, but now I’m unable to join Team Test sessions (it’s always stuck on Requesting access) and starting a new server on my development place takes a long long time.


(this being the fourth attempt)

1 Like

Yeah it’s started happening again on a group I develop for. I’m assuming it’s the same exploit, because a user joined the game, then left immediately (so probably banned from the game) and then the server crashed.

EDIT: I just asked a friend of a friend to try it in my server, and the server crashed. The server was a new server which I’d just joined.

1 Like

The servers in flex were getting crashed every time they were created pretty much. I loaded into a fresh one and tabbed out briefly, and it was crashed when I got back to it.

The fix was turned off temporarily and is now back on.

33 Likes

This issue is apparently fixed, so if you find another exploit / the same exploit with different reproduction steps, please send a message to the @Exploit_Reports group with all of those details (please hold off on sending them a message until you have somewhat clear reproduction steps).

1 Like

He means that this specific issue (adding player object before character loads to crash server) is fixed. So if you are experiencing another form of server crashing due to an exploit, it is caused by another exploit, not the one identified in this thread. So kindly follow the steps he mentioned above 🙂

1 Like

Please file new bug/exploit reports for new issues.