
PSA : Minecraft Server Exploit Discovered, Update Immediately!

Posted by PMC Support (Level 72 : Legendary Cake)
Hi there, everybody.

This is just a quick PSA to let everybody know that a recently discovered server exploit has caused a bit of a storm on many servers, including our own beloved PMC Server. The issue affects CraftBukkit (and any server implementations derived from it) as well as vanilla servers, so no matter what server you are running, I recommend you read this post.

The exploit allowed attackers to log in as any user on the server, causing havoc and doing as they pleased. Luckily, due to the efforts of md_5, Dinnerbone and others, a patch was quickly devised and rolled out to many affected implementations.

PMC urges you to update your version of CraftBukkit/Spigot/etc. to the latest (and safest) development build.

For CraftBukkit, go here: http://dl.bukkit.org/downloads/craftbukkit/ (#2865 or later)
For Spigot, upgrade to at least version #1090

For information on how this all "started", the original Reddit thread is here: http://www.reddit.com/r/admincraft/comments/1llt2h/craftbukkit_fix_for_authentication_exploit/

Please note, though, that while this closes this particular hole, there may still be others, and I don't want owners to think they are completely 100% safe from something like this ever happening again. Please take precautionary measures to protect your moderator/administrator accounts on your own servers. Plugins such as SecuritySystem by Lord_Ralex of MinecraftForums (http://ae97.net/projects/securitysystem/) lock users to their IP and deny entry until another administrator approves the IP change. There are many other similar systems on BukkitDev, but this is the one we're using on the PMC Server as of now.

Thanks,
-P
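As an added illustration of the staff IP lock the post recommends (this is example code, not code from the post or from the SecuritySystem plugin), the model below binds staff accounts to approved IPs, denies a login from an unknown IP, and only unlocks the account when a different administrator, connected from an approved IP, approves the change. All account names and IPs are constructed sample data.

```python
# Added example: a minimal staff IP lock of the kind the post recommends.
# Not the SecuritySystem plugin's code; names and IPs are constructed.
from dataclasses import dataclass, field

ALLOW, DENY, IGNORE = "allow", "deny", "ignore"


@dataclass
class StaffIpLock:
    approved: dict = field(default_factory=dict)  # staff name -> set of approved IPs
    pending: dict = field(default_factory=dict)   # staff name -> IP awaiting approval

    def register(self, name: str, ip: str) -> None:
        """Bind a staff account to an approved source IP."""
        self.approved.setdefault(name, set()).add(ip)

    def check_login(self, name: str, ip: str) -> str:
        """Decide a login attempt; accounts that are not staff are ignored by the lock."""
        if name not in self.approved:
            return IGNORE
        if ip in self.approved[name]:
            return ALLOW
        # Unknown IP: record it and keep the account locked until a second admin approves.
        self.pending[name] = ip
        return DENY

    def approve(self, approver: str, approver_ip: str, name: str) -> bool:
        """A different admin, connected from one of their own approved IPs, unlocks `name`."""
        if approver == name:
            return False  # an account can never approve its own IP change
        if approver_ip not in self.approved.get(approver, set()):
            return False  # the approver must themselves pass the lock
        ip = self.pending.pop(name, None)
        if ip is None:
            return False  # nothing pending for that account
        self.approved[name].add(ip)
        return True


def demo() -> list:
    """Replay the scenario from the post: an owner account used from a new IP."""
    lock = StaffIpLock()
    lock.register("owner", "203.0.113.10")
    lock.register("admin2", "203.0.113.20")
    return [
        lock.check_login("owner", "203.0.113.10"),        # allow: known IP
        lock.check_login("owner", "198.51.100.7"),        # deny: parked for approval
        lock.approve("owner", "198.51.100.7", "owner"),   # False: self-approval refused
        lock.approve("admin2", "203.0.113.20", "owner"),  # True: second admin approves
        lock.check_login("owner", "198.51.100.7"),        # allow: IP now approved
        lock.check_login("randomplayer", "192.0.2.5"),    # ignore: not a staff account
    ]


if __name__ == "__main__":
    print(demo())
```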

Comments : 529


What is the server IP to your server, PMC?
  • your end
  • Level 1
  • New Miner
  • October 3, 2013, 4:55 pm
Just wondering KingArthur, was there a XvSpitFirevX on that server at that time?
  • Blackjack
  • Level 2
  • Apprentice Explorer
  • October 4, 2013, 3:02 am
No. That little skiddie had nothing to do with it I'm afraid.
  • KIngArthur
  • Level 1
  • New Explorer
  • September 29, 2013, 8:16 pm
This happened to me yesterday, someone logging into my account and then they messed up my server progress. I was an admin on a server and then someone logged into my account and then they spammed, got me perma-banned and I got demoted (my friend is also an admin on the server, he told me). I HATE THIS THING!!!
  • Lildirt
  • Level 1
  • New Modder
  • September 17, 2013, 10:52 am
I've created my own alternatives to these issues, but I can say that using WorldGuard's hostkey features are fair if you have a domain. Otherwise, a staff-only version of AuthMe works just as well.
I was using build from September 8th, 2013 (A few days after this post) and I had a massive scare on my server. A few players (I_AM_WILDCAT, lisadaly, azura_hades) were forced op on the server. They made some pretty massive world edits and created multiple "dickfart" worlds. I was able to restore the server using a backup from a few hours before and have it back online within a few hours but it was quite a scare. I have updated to the build released last night (September 15th, 2013) and have seen no sign of them returning.
  • sinfulgodofwar
  • Level 14
  • Journeyman Architect
  • September 15, 2013, 7:46 pm
#1091 of Spigot does not fix the problem, I repeat updating to this build does not fix the problem. Had someone on my server today performing this exploit. In the process of applying AuthMe to fix this issue until a more suitable fix comes. I do not know if the exploit works past on builds after 1091. Just a PSA.
  • BetaSpark
  • Level 1
  • New Explorer
  • September 14, 2013, 9:48 am
Thank you so much, always used AuthMe.
  • octyenoch
  • Level 1
  • New Cake
  • September 14, 2013, 6:21 am
While it doesn't stop this from happening, another good plugin is CoreProtect, to clean up the mess. Just a few seconds to undo all of the replace-with-lava world edits that they did. So just a couple minutes to get my bearings, ban the IPs, unban my admins, and roll back only the changes that they did... only thing hurt was my faith in humanity.
  • oInward
  • Level 7
  • Apprentice Mage
  • September 13, 2013, 9:47 am
Well this explains the "admins" griefing and promoting people :/
  • Aethier
  • Level 33
  • Artisan Dragonborn
  • September 13, 2013, 3:55 am
I got suspicious when an admin who was on holiday logged in from Romania when they live and are in the US (thanks Essentials GeoIP), randomly whitelisted two accounts and tp'd everyone to spawn, then started banning everyone who was also an admin.

I force killed the server and updated again. My fault for accidentally backdating to the beta craftbukkit release from spigot.

Banned the IP and both those accounts, reupdated the server. Fixed xD
  • amahlaka
  • Level 1
  • New Engineer
  • September 12, 2013, 5:58 am
There is a new recommended build, CB 1.6.2-R1.0, that fixes that exploit.
  • Paril
  • Developer
  • Level 82
  • Elite Scapegoat
  • September 13, 2013, 4:25 pm
It was fixed a few before, but the recommended release is out now indeed.
  • benefold1981
  • Level 30
  • Artisan Miner
  • September 11, 2013, 12:49 pm
This post is wrong, the exploit is still in the 1090 Spigot version!
  • Paril
  • Developer
  • Level 82
  • Elite Scapegoat
  • September 13, 2013, 4:26 pm
The creator of spigot said to use 1090+, I just went with his word.
  • gorgonoff
  • Level 8
  • Apprentice Turtle
  • September 10, 2013, 2:41 pm
Use the plugin "AuthMe" It works perfect!

dev.bukkit.org/bukkit-plugins/authme-reloaded/

The hackers join, fail on password and get kicked :)
  • Lithia
  • Level 51
  • Grandmaster Network
  • September 11, 2013, 1:40 am
AuthMe is good, because people can still use the exploit to ruin other people's loot and items.

Sadly this bug will affect all builds under Spigot older than 1090.

So that blacks out Tekkit, Feed the Beast etc. :/
  • Makkatack
  • Level 26
  • Expert Archer
  • September 10, 2013, 9:36 am
I updated my Bukkit to the one above, it does NOT fix the problem. However the plugins do work. The guy who destroyed my spawn and all my warps has tried 100's of different names to destroy it all week.

Download the Plugins! They work great!
  • Paril
  • Developer
  • Level 82
  • Elite Scapegoat
  • September 10, 2013, 9:14 pm
Did you clear any OP'd usernames, etc? Make sure you got the latest development build - not beta.
  • amin6636
  • Level 16
  • Journeyman Warrior
  • September 10, 2013, 5:21 am
Is this fixed now?
  • Reynard
  • Level 9
  • Apprentice Ranger
  • September 10, 2013, 12:26 am
This wouldn't happen if every client was locked to an IP address, though it may screw over those with dynamic IPs.

Just curious though, I made a bet with a friend that this problem would occur because of the new client, is this the case?

As I recall the previous problem with this was caused by a failure in the auth server, by people skipping an auth step, e.g. not sending the handshake.

Now that it's fixed, could an explanation be provided?
  • Textra
  • Level 3
  • Apprentice Miner
  • September 12, 2013, 11:55 pm
"This wouldn't happen if every client was locked to an IP address, though it may screw over those with dynamic IP's."

Which is about half the people on the planet.

All you need to use is a password plugin of some description (LoginSecurity is good). If you're using vanilla, then switch to Bukkit and just don't use any other plugins to keep your server's flavour.
  • Reynard
  • Level 9
  • Apprentice Ranger
  • September 13, 2013, 12:47 am
Still important to keep things as secure as possible in the time being. When there's a nuclear strike, you close the bunker, you don't care that half the planet may be screwed over, you need to keep it safe or the other half dies too.
  • Textra
  • Level 3
  • Apprentice Miner
  • September 15, 2013, 10:37 pm
Don't be absurd. You don't screw over half your customers because some kids found an exploit. You close the exploit and move on.

You're being silly. A simple security plugin can resolve the exploit, and if you're using the vanilla server you're at risk anyway, exploit or no.
  • Reynard
  • Level 9
  • Apprentice Ranger
  • September 16, 2013, 12:07 am
If you understood the severity of the exploit, which thankfully by now is fixed, you would likely have chosen your words better.

This event before the patch had caused a worldwide attack on many different servers, and not by just "some kids". If there had been no explanation to the attacks provided, nor any way to prevent it at the time, the sensible thing is to keep the server shut, or to lock the server to IPs.

Now if you took your time to read the preceding comments instead of spewing your verbal diarrhea over me, you would realise the same solution, of using an auth program, is what I suggested. Locking server accounts to an IP.

The analogy was used in place as the previous commenter had claimed that doing that would "screw over half the planet".

In the following moments before you try to be smart and reply to me again, have a look and analyze the situation. If there's nothing left in your favor to say, don't bother replying to me.

PS: Before you even bother, yes I know there are in-game password programs, a lot of servers use this. But in the case of keylogging, that pass would be compromised as well, safe to say that using an IP lock would be best.
  • Textra
  • Level 3
  • Apprentice Miner
  • September 17, 2013, 11:20 pm
"Now if you took your time to read the preceeding[sic] comments instead of spewing your verbal diarrhea over me, you would realise the same solution, of using an auth program, is what i suggested. Locking server accounts to an IP."

Righto princess. You're changing what you originally said. You said "This wouldn't happen if every client was locked to an IP address, though it may screw over those with dynamic IP's."

Locking clients to an IP address would alienate about half of Mojong's customers. It's a stupid idea and you should just admit it.

"PS: Before you even bother, yes i know there are in game password programs, a lot of servers use this. But in the case of keylogging, that pass would be compromised as well, safe to say that using an IP lock would be best."

Keyloggers? Really? Hey, locking IPs to client might not be safe either. What about IP spoofing? How about we use biometric scanners to verify user authenticity? Oh wait, what about identity thieves? They might steal your bio-data by stealing a tissue or snipping some of your hair. Maybe IP locking coupled with biometric scanning, coupled with quantum encryption? Oh but wait that's no good either. What if hackers have obtained Q like powers and can crack quantum encryption in a few seconds by re-routing the giga-watts to a reverse polarity negative gravity generator?! Maybe it's better if we just shut the entire internet down while the exploit is closed. Yeah that will do it. Your servers are safe now. Rejoice everyone. Everyone? Anyone? Hey guys? Guuys...?

Ass.
  • Blackjack
  • Level 2
  • Apprentice Explorer
  • September 13, 2013, 7:28 pm
This is an exploit in a game, not a nuclear war.
  • Reynard
  • Level 9
  • Apprentice Ranger
  • September 13, 2013, 10:42 pm
This is an analogy, not a direct reference.
  • Textra
  • Level 3
  • Apprentice Miner
  • September 15, 2013, 10:39 pm
Yes, a really silly analogy.
  • Reynard
  • Level 9
  • Apprentice Ranger
  • September 16, 2013, 12:01 am
Who are you to talk? I don't see you doing anything about it, I'm simply trying to discuss a topic. Nay, it's not a silly analogy, it's just fine. Till you provide due proof that my analogy is "really silly" I shall have no reason to believe you.
  • Reynard
  • Level 9
  • Apprentice Ranger
  • September 18, 2013, 1:05 am
Why not apply your own logic to yourself, you have no ability to reason and be a decent person, needing to behave like an ass. What's with your huge ego, does it compensate for something else that's small? Your mind maybe? Or something down below? Look at what you've contributed to this conversation.

You come in hoity toity thinking you're so smart, and start acting like you know everything. Who are you to judge what I have to say? You can't exactly say that you've been all there.

It took you 2 days to come up with this pathetic insult, and your longer one up there. It's not a response, it's a dick waving competition.

So win your little internet victory, act superior, and get back to jacking off to your mom. I have no time for you. And expect no replies, I don't waste time on useless things.
  • Textra
  • Level 3
  • Apprentice Miner
  • September 17, 2013, 10:47 pm
Mojong aren't going to alienate half their customer base just because you're a little miss can't-be-wrong toolbag with no ability to admit he's wrong. You are correct though, your analogy isn't silly. It's retarded. Seriously Reynard, just shut up.
  • Ralex
  • Site Moderator
  • Level 8
  • Apprentice Network
  • September 10, 2013, 11:44 am
The patch is still only in dev builds, so it is not yet really circulated out. The new client is not the cause, rather a failure in the server code.
  • Reynard
  • Level 9
  • Apprentice Ranger
  • September 10, 2013, 7:47 pm
I see, I felt that the new clients connecting with the servers would be the problem, as I understand '&' is no longer read as 0, right? That's the old hat one.

Anyways, good luck fully ironing out this bug.

I would help, but I'm bugger all at this nowadays.
  • Paril
  • Developer
  • Level 82
  • Elite Scapegoat
  • September 10, 2013, 9:15 pm
The problem has been around since 1.3.
  • Sikk92
  • Level 1
  • New Architect
  • September 9, 2013, 8:30 pm
This is happening to hundreds of servers now I believe, even the server I play on has already been affected right now.
This just happened to my server. I didn't think this was as serious so I digressed. This is very serious as part of my spawn was deleted and players were messed with. Be aware of the player: Rawr~
  • Morpheus1101
  • Level 36
  • Artisan Network
  • September 9, 2013, 6:39 pm
What I don't see is how do we detect users trying to do this exploit? Are there certain signs we should look out for that would indicate that this is what they are trying to do?

I watch my console and in game of my server very closely and want to basically know what I'm looking for so as to perhaps somewhat prevent this from happening.
  • Paril
  • Developer
  • Level 82
  • Elite Scapegoat
  • September 10, 2013, 9:15 pm
Not unless you update. When you update, you will see many "failed to validate username" messages - if you are not updated, you won't see any messages.
  • Morpheus1101
  • Level 36
  • Artisan Network
  • September 11, 2013, 12:44 am
My server is technically vanilla, I run the latest CraftBukkit dev build, but with no plugins and basically use command blocks to handle everything, otherwise it's still 1.6.2 but haven't had any issue since.
  • Destroyer97
  • Level 4
  • Apprentice Warrior
  • September 9, 2013, 5:50 pm
That happened to us but thank god we recently changed back to premium and still had a password plugin so no damage was done!
  • pvporigin
  • Level 1
  • New Dragon
  • September 9, 2013, 8:53 am
It seems that people are not reading the entire post. Sure updating your Bukkit/Spigot/whatever may help but I got the Security System plugin recommended in the post along with updating my CraftBukkit and it has prevented like 8 session steal attempts in the last three days. Get Security System. It IP locks your ops and it's a beauty. I always get rid of around three groups of session stealers per PMC bump.
  • Blackjack
  • Level 2
  • Apprentice Explorer
  • September 13, 2013, 7:30 pm
This isn't "session stealing." This is simply exploiting a race condition in the server login sequence.
  • dunem666
  • Level 43
  • Master Network
  • September 9, 2013, 7:10 am
Yeah, like previously stated,

this is NOT fixed, and the Github link you gave me is merely a recall method.

If a "SUPER MODERATOR" want to message me back again, check your facts before doing so!

-.-
  • Ralex
  • Site Moderator
  • Level 8
  • Apprentice Network
  • September 9, 2013, 10:07 am
It is not a recall method. Read it. It *adds* it.
Check your facts next time. This is fixed, tested, confirmed. Your facts are wrong.

If you want to argue this, prove it. Otherwise you are incorrect.
  • Paril
  • Developer
  • Level 82
  • Elite Scapegoat
  • September 9, 2013, 9:57 am
We have pen-tested our own server after applying the update, and have no longer been affected/attacked by the exploit despite being a very public server. I am fairly certain that the update closes the exploit. The commit was the one referenced by md_5 & Dinnerbone as being the cause of the exploit. There's no need to go to insulting me or throwing around fake programming terms like "recall method" - this is about the community and making sure people are safe, not about proving you are right about something silly.

Now, I'm not saying that there aren't any more holes in the authentication system - there probably are - but this specific hole is closed.

Read the comments too - many users get proper authentication failures now that they update. Most of the people who are getting "logged on with fake accounts" after updating have simply not cleared the users they OP from their op list (or permission list, if the attackers use your permission system), which is clear because if the exploit was still open, they would log on as the owner, not with fake/throwaway accounts. It's also possible they have simply updated to latest beta and not development build, which would leave them open as well.
HEY MAN!
WHAT IS UP BROTHER.
  • Ludicrous
  • Site Moderator
  • Level 64
  • High Grandmaster Senpai
  • September 9, 2013, 3:15 am
Hai PMC :3
As soon as I updated my server and did the bump submission thing, I got people trying to join with my owner account but it failed! Thanks!!!
  • joehot200
  • Level 25
  • Expert Pirate
  • September 9, 2013, 4:36 am
:)
@SleepingPotato

I have a group of members personally attacking my ops. I banned them yesterday. They hacked my admins, unbanned themselves and went to town yet again on the spawn and around it.

Is there a plugin that allows the server to recognize the real staff IPs and if any other IP joins in that account it locks them out? Basically de-opping/banning them?
  • AFlame101
  • Level 46
  • Master Egyptian
  • September 8, 2013, 11:09 pm
Oh my goodness. Thank you!
  • Paril
  • Developer
  • Level 82
  • Elite Scapegoat
  • September 9, 2013, 9:59 am
Read the end of this post.
Was hit 2 different times. Even with this post and the update. What do I do? D:
  • Paril
  • Developer
  • Level 82
  • Elite Scapegoat
  • September 9, 2013, 10:01 am
You have to take proactive steps to prevent them from being able to return. They always OP some random accounts that they have so that they can return later if they need to. Check your permission system as well just to be sure. Updating to CraftBukkit 2865 or later will close the hole but it may not mean your server is safe.
  • nickmett
  • Level 1
  • New Network
  • September 8, 2013, 4:03 pm
I do want to ask, even though this is a really stupid question. This can't happen if the people don't have the IP address of the server, correct? I have a private server and it would be REALLY bad if they got on and whitelisted tons of people.
  • Ralex
  • Site Moderator
  • Level 8
  • Apprentice Network
  • September 9, 2013, 10:08 am
This can happen, although they would have to find your server. If you don't give the IP out, then you are just safe by being hidden. You should still update.
  • Larrypickle
  • Level 34
  • Artisan Ninja
  • September 8, 2013, 3:32 pm
Haha this happened to me while I was checking on the console. Was lucky and banned the IP of the hacker. Still, update before you get griefed!
  • masggzz
  • Level 28
  • Expert Pirate
  • September 8, 2013, 12:10 pm
Backups are cool :)

© 2010 - 2018
planetminecraft.com