L2JMobius

High Five Possibly exploitable crafted bypass for class change throught ClassMaster.java

baldurian · 5 · 132
Pages: 1

Offline baldurian

  • Vassal
  • *
    • Posts: 4
on: May 30, 2026, 11:18:32 PM
https://gitlab.com/MobiusDevelopment/L2J_Mobius/-/blob/master/L2J_Mobius_CT_2.6_HighFive/dist/game/data/scripts/ai/others/ClassMaster/ClassMaster.java?ref_type=heads

The ClassMaster receives the requested classId from the client through a bypass.  It only checks for existing level of class and it doesnt validate if the tree path is allowed.

For example a Gladiator sending a crafted bypass to become Cardinal, is never checked. What stops the users from doing that is the existence limited html options sent to client, but a crafted bypass can avoid it.

What is your opinion ?

Offline baldurian

  • Vassal
  • *
    • Posts: 4
Reply #1 on: May 30, 2026, 11:41:07 PM
Confirmed in my server

https://imgur.com/a/fNis94N

Offline baldurian

  • Vassal
  • *
    • Posts: 4
Reply #2 on: May 30, 2026, 11:47:53 PM
So a decently secure fix would be to add a check for class hierarchy on ClassMaster when evaluating canChange conditions

final PlayerClass target = PlayerClass.getPlayerClass(classId);
canChange = (target != null) && target.equalsOrChildOf(player.getPlayerClass());

Offline baldurian

  • Vassal
  • *
    • Posts: 4
Reply #3 on: May 31, 2026, 02:31:47 AM
After the player re-logins, he loses the invalid skills he gained on previous class changes, so the exploit severity is high only if hte player doesnt relog.

Online Mobius

  • Distinguished King
  • *****
    • Posts: 19715
Reply #4 on: June 01, 2026, 02:38:29 AM

Pages: 1