L2JMobius

Public Development => Solved/Invalid Bug Reports => Topic started by: baldurian on May 30, 2026, 11:18:32 PM

Title: Possibly exploitable crafted bypass for class change through ClassMaster.java
Post by: baldurian on May 30, 2026, 11:18:32 PM
https://gitlab.com/MobiusDevelopment/L2J_Mobius/-/blob/master/L2J_Mobius_CT_2.6_HighFive/dist/game/data/scripts/ai/others/ClassMaster/ClassMaster.java?ref_type=heads

The ClassMaster receives the requested classId from the client through a bypass. It only checks for existing level of class and it doesn't validate if the tree path is allowed.

For example, a Gladiator sending a crafted bypass to become Cardinal is never checked. What stops the users from doing that is the existence of limited HTML options sent to the client, but a crafted bypass can avoid it.

What is your opinion?
Title: Re: Possibly exploitable crafted bypass for class change through ClassMaster.java
Post by: baldurian on May 30, 2026, 11:41:07 PM
Confirmed in my server

https://imgur.com/a/fNis94N
Title: Re: Possibly exploitable crafted bypass for class change through ClassMaster.java
Post by: baldurian on May 30, 2026, 11:47:53 PM
So a decently secure fix would be to add a check for class hierarchy on ClassMaster when evaluating canChange conditions:

final PlayerClass target = PlayerClass.getPlayerClass(classId);
canChange = (target != null) && target.equalsOrChildOf(player.getPlayerClass());
Title: Re: Possibly exploitable crafted bypass for class change through ClassMaster.java
Post by: baldurian on May 31, 2026, 02:31:47 AM
After the player re-logs in, he loses the invalid skills he gained on previous class changes, so the exploit severity is high only if the player doesn't relog.
Title: Re: Possibly exploitable crafted bypass for class change through ClassMaster.java
Post by: Mobius on June 01, 2026, 02:38:29 AM
Fixed with https://gitlab.com/MobiusDevelopment/L2J_Mobius/-/commit/b1c1c173f0173d2a74169231f49b6fd0410f9505
Thanks :D
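
The hierarchy check proposed in the thread, shown as an added stand-alone example; it is not part of any post above and is not code from L2J_Mobius or from the linked commit. DemoClass, its ids, byId and the tree it encodes are constructed for illustration; only the names canChange and equalsOrChildOf are borrowed from the snippet in the thread.

```java
import java.util.Arrays;

public class ClassChangeCheck {
    // Constructed stand-in for the server's class enum (hypothetical ids and tree).
    enum DemoClass {
        FIGHTER(1, null), WARRIOR(2, FIGHTER), GLADIATOR(3, WARRIOR), DUELIST(4, GLADIATOR),
        MYSTIC(5, null), CLERIC(6, MYSTIC), BISHOP(7, CLERIC), CARDINAL(8, BISHOP);

        final int id;
        final DemoClass parent;

        DemoClass(int id, DemoClass parent) {
            this.id = id;
            this.parent = parent;
        }

        // Resolve an id taken from the client request; null when the server does not know it.
        static DemoClass byId(int id) {
            return Arrays.stream(values()).filter(c -> c.id == id).findFirst().orElse(null);
        }

        // Walk the parent links upward: true if this class is 'other' or descends from it.
        boolean equalsOrChildOf(DemoClass other) {
            for (DemoClass c = this; c != null; c = c.parent) {
                if (c == other) {
                    return true;
                }
            }
            return false;
        }
    }

    // The requested id is untrusted input; the current class comes from server-side state.
    // The class-level check mentioned in the first post is assumed to run separately.
    static boolean canChange(DemoClass current, int requestedId) {
        final DemoClass target = DemoClass.byId(requestedId);
        return (target != null) && target.equalsOrChildOf(current);
    }

    public static void main(String[] args) {
        final DemoClass current = DemoClass.GLADIATOR;
        System.out.println("to DUELIST:  " + canChange(current, DemoClass.DUELIST.id));
        System.out.println("to CARDINAL: " + canChange(current, DemoClass.CARDINAL.id));
        System.out.println("unknown id:  " + canChange(current, 9999));
    }
}
```

The decision depends only on the server's own class tree, so the set of HTML options the client was shown no longer matters.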