[Potential Security Flaw] Cheat Engine Model Change

kasuganosoras / esx_realparking

🅿️ A real car parking script for FiveM

GNU General Public License v3.0

51 stars 31 forks source link

[Potential Security Flaw] Cheat Engine Model Change #26

Open benzon opened 4 years ago

benzon commented 4 years ago

After a quick review, the resource looks to have a security flaw by design, it never checks the model in db before saving new vehicle prop data to the db.

This allows for an old exploit to be used, where you alter the model hash via cheat engine, this can ruin a server economy and is a cheaters dream, they can make quick money quite fast, exploiting that there is no security check in place.

kasuganosoras commented 4 years ago

You can fix it easy https://github.com/kasuganosoras/esx_realparking/blob/master/server/main.lua#L27

if type(v.plate) ~= 'nil' and string.trim(plate) == string.trim(v.plate) and v.vehicle.model == vehicleData.props.model then

But it's not necessary, because any modify of the game data will get a FiveM global banned

benzon commented 4 years ago

I know :) since i did a few security PR's for ESX - and other ESX related resources :)

And no Cheat Engine is not picked up by Fivem Global Ban system that is a myth :)

Since Cheat Engine Alters Memory patterns :)