
PSA : Minecraft Server Exploit Discovered, Update Immediately!

Level 73 : Legendary Cake
PMC Support
Hi there, everybody.

This is just a quick PSA to let everybody know that a recently discovered exploit in Minecraft servers has caused a bit of a storm on many servers, including our own beloved PMC Server. The issue affects CraftBukkit (and anything built on top of it, such as Spigot) as well as vanilla servers, so no matter what server software you are running, I recommend you read this post.

The exploit allowed an attacker to log in as any user on the server, including your operators and administrators, and then do as they pleased. Luckily, due to the efforts of md_5, Dinnerbone and others, a patch was quickly devised and rolled out to many affected implementations.

PMC urges you to update your CraftBukkit/Spigot/etc. server to the latest development build. Note that it has to be a development build: the beta and recommended builds available as I write this do not yet contain the fix.

For CraftBukkit, go here: http://dl.bukkit.org/downloads/craftbukkit/ (build #2865 or later)
For Spigot, upgrade to at least build #1090

For information on how this all "started", the original Reddit thread is here: http://www.reddit.com/r/admincraft/comments/1llt2h/craftbukkit_fix_for_authentication_exploit/

Please note that while the update closes this particular hole, there may still be others, and I do not want owners to think they are 100% safe from something like this ever happening again. If your server was already hit, updating alone is not enough: check your op list, whitelist and permissions for accounts the attacker added or promoted while logged in as one of your staff, and remove them. Then take precautionary measures to protect your moderator and administrator accounts. Plugins such as SecuritySystem by Lord_Ralex of MinecraftForums (http://ae97.net/projects/securitysystem/) lock a protected user to their IP address and deny entry from any other address until another administrator approves the change. There are many other similar systems on BukkitDev, but this is the one we are using on the PMC Server as of now.

Thanks,
-P
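The IP lock the post recommends, sketched as an added example. This is not code from the PMC post or from the SecuritySystem plugin, and it is plain Python rather than a Bukkit plugin: each protected account is pinned to the addresses it was approved from, a login from any other address is denied and queued, and only a different protected administrator can release a queued address. The account names, addresses and the in-memory store are assumptions made for illustration.

```python
"""Added example, not code from the PMC post or from the SecuritySystem plugin:
an IP lock for privileged accounts of the kind the post recommends.

Each protected account is pinned to the addresses it was approved from. A login
from any other address is denied and queued, and stays denied until a different
protected administrator approves that address. Account names, addresses and the
in-memory store are assumptions made for illustration.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Decision:
    allow: bool
    reason: str


@dataclass
class IpLock:
    approved: dict = field(default_factory=dict)  # user -> set of approved addresses
    pending: dict = field(default_factory=dict)   # user -> set of addresses awaiting review

    @staticmethod
    def _norm(addr: str) -> str:
        # Canonical text form, so "2001:DB8::0001" and "2001:db8::1" compare equal.
        return str(ipaddress.ip_address(addr))

    def protect(self, user: str, *addrs: str) -> None:
        """Pin `user` to the given source addresses."""
        self.approved[user] = {self._norm(a) for a in addrs}
        self.pending.setdefault(user, set())

    def on_login(self, user: str, addr: str) -> Decision:
        """Policy check for a login attempt; unprotected accounts are not restricted."""
        if user not in self.approved:
            return Decision(True, "not a protected account")
        try:
            addr = self._norm(addr)
        except ValueError:
            return Decision(False, "malformed source address")
        if addr in self.approved[user]:
            return Decision(True, "address approved")
        # Deny even when the name looked fine to the server: a login check that
        # can be bypassed is exactly what this lock compensates for.
        self.pending[user].add(addr)
        return Decision(False, "unapproved address for protected account; queued for review")

    def approve(self, approver: str, user: str, addr: str) -> bool:
        """A *different* protected administrator releases a queued address."""
        addr = self._norm(addr)
        if approver == user or approver not in self.approved:
            return False  # self-approval would let a hijacked account unlock itself
        if addr not in self.pending.get(user, set()):
            return False  # only addresses that actually tried to log in can be approved
        self.pending[user].discard(addr)
        self.approved[user].add(addr)
        return True


if __name__ == "__main__":
    lock = IpLock()
    lock.protect("Owner", "203.0.113.5")
    lock.protect("Admin_B", "198.51.100.7")
    print(lock.on_login("Owner", "192.0.2.99"))            # denied and queued
    print(lock.approve("Admin_B", "Owner", "192.0.2.99"))  # True
    print(lock.on_login("Owner", "192.0.2.99"))            # allowed
```

The check runs on the source address of the connection, not on anything the client sends, which is why it holds even when the account name has been spoofed; the price is that staff on dynamic addresses need a colleague to approve each change, which is the trade-off the comments below argue about.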

529 replies

1
09/03/2014 10:28 pm
Level 12 : Journeyman Mage
aidanushka-13
What is the server IP for your server, PMC?
1
10/03/2013 8:55 pm
Level 1 : New Miner
your end
Just wondering KingArthur, was there a XvSpitFirevX on that server at that time?
1
10/04/2013 7:02 am
Level 3 : Apprentice Explorer
Blackjack
No. That little skiddie had nothing to do with it I'm afraid.
1
09/30/2013 12:16 am
Level 1 : New Explorer
KIngArthur
This happened to me yesterday, someone logging into my account and then they messed up my server progress. I was an admin on a server and then someone logged into my account and then they spammed, got me perma-banned and I got demoted (my friend is also an admin on the server, he told me). I HATE THIS THING!!!
1
09/17/2013 2:52 pm
Level 1 : New Modder
Lildirt
I've created my own alternatives to these issues, but I can say that using WorldGuard's hostkey features is fair if you have a domain. Otherwise, a staff-only version of AuthMe works just as well.
1
09/16/2013 7:02 am
Level 41 : Master Batman
DamnCreeperEater
I was using build from September 8th, 2013 (A few days after this post) and I had a massive scare on my server. A few players (I_AM_WILDCAT, lisadaly, azura_hades) were forced op on the server. They made some pretty massive world edits and created multiple "dickfart" worlds. I was able to restore the server using a backup from a few hours before and have it back online within a few hours but it was quite a scare. I have updated to the build released last night (September 15th, 2013) and have seen no sign of them returning.
1
09/15/2013 11:46 pm
Level 14 : Journeyman Architect
sinfulgodofwar
#1091 of Spigot does not fix the problem, I repeat, updating to this build does not fix the problem. Had someone on my server today performing this exploit. In the process of applying AuthMe to fix this issue until a more suitable fix comes. I do not know if the exploit works on builds after 1091. Just a PSA.
1
09/14/2013 1:48 pm
Level 2 : Apprentice Explorer
BetaSpark
Thank you so much, always used AuthMe.
1
09/14/2013 10:21 am
Level 1 : New Cake
octyenoch
While it doesn't stop this from happening, another good plugin is CoreProtect, to clean up the mess. Just a few seconds to undo all of the replace-with-lava WorldEdits that they did. So just a couple of minutes to get my bearings, ban the IPs, unban my admins, and roll back only the changes that they did... the only thing hurt was my faith in humanity.
1
09/13/2013 1:47 pm
Level 8 : Apprentice Mage
oInward
Well this explains the "admins" griefing and promoting people :/
1
09/13/2013 7:55 am
Level 34 : Artisan Dragonborn
Aethier
I got suspicious when an admin who was on holiday logged in from Romania when they live and are in the US (thanks Essentials GeoIP), randomly whitelisted two accounts and tp'd everyone to spawn, then started banning everyone who was also an admin.

I force killed the server and updated again. My fault for accidentally backdating to the beta craftbukkit release from spigot.

Banned the IP and both those accounts, reupdated the server. Fixed xD
1
09/12/2013 9:58 am
Level 1 : New Engineer
amahlaka
There is a new recommended build, CB 1.6.2-R1.0, that fixes that exploit.
1
09/13/2013 8:25 pm
Level 83 : Elite Scapegoat
Paril
It was fixed a few before, but the recommended release is out now indeed.
1
09/11/2013 4:49 pm
Level 31 : Artisan Miner
benefold1981
This post is wrong, the exploit is still in Spigot version 1090!
1
09/13/2013 8:26 pm
Level 83 : Elite Scapegoat
Paril
The creator of spigot said to use 1090+, I just went with his word.
1
09/10/2013 6:41 pm
Level 11 : Journeyman Turtle
gorgonoff
Use the plugin "AuthMe" It works perfect!

dev.bukkit.org/bukkit-plugins/authme-reloaded/

The hackers join, fail on password and get kicked :)
1
09/11/2013 5:40 am
Level 52 : Grandmaster Network
Lithia
AuthMe is good because people can still use the exploit to ruin other people's loot and items.

Sadly this bug will affect all builds of Spigot older than 1090.

So that blacks out Tekkit, Feed the Beast etc. etc. :/

1
09/10/2013 1:36 pm
Level 26 : Expert Archer
Makkatack
I updated my Bukkit to the one above, it does NOT fix the problem. However, the plugins do work. The guy who destroyed my spawn and all my warps has tried hundreds of different names to destroy it all week.

Download the Plugins! They work great!
1
09/11/2013 1:14 am
Level 83 : Elite Scapegoat
Paril
Did you clear any OP'd usernames, etc? Make sure you got the latest development build - not beta.
1
09/10/2013 9:21 am
Level 15 : Journeyman Warrior
amin6636
Is this fixed now?
1
09/10/2013 4:26 am
Level 9 : Apprentice Ranger
Reynard
This wouldn't happen if every client was locked to an IP address, though it may screw over those with dynamic IPs.

Just curious though, I made a bet with a friend that this problem would occur because of the new client, is this the case?

As I recall the previous problem with this was caused by a failure in the auth server, by people skipping an auth step, e.g. not sending the handshake.

Now that it's fixed, could an explanation be provided?
1
09/13/2013 3:55 am
Level 1 : New Miner
Textra
"This wouldn't happen if every client was locked to an IP address, though it may screw over those with dynamic IP's."

Which is about half the people on the planet.

All you need to use is a password plugin of some description (LoginSecurity is good). If you're using vanilla, then switch to Bukkit and just don't use any other plugins to keep your server's flavour.
1
09/13/2013 4:47 am
Level 9 : Apprentice Ranger
Reynard
Still important to keep things as secure as possible in the meantime. When there's a nuclear strike, you close the bunker; you don't care that half the planet may be screwed over, you need to keep it safe or the other half dies too.
1
09/16/2013 2:37 am
Level 1 : New Miner
Textra
Don't be absurd. You don't screw over half your customers because some kids found a exploit. You close the exploit and move on.

You're being silly. A simple security plugin can resolve the exploit, and if you're using the vanilla server you're at risk anyway, exploit or no.
1
09/16/2013 4:07 am
Level 9 : Apprentice Ranger
Reynard
If you understood the severity of the exploit, which thankfully by now is fixed, you would likely have chosen your words better.

This event, before the patch, had caused a worldwide attack on many different servers, and not by just "some kids". If there had been no explanation of the attacks provided, nor any way to prevent it at the time, the sensible thing is to keep the server shut, or to lock the server to IPs.

Now if you took your time to read the preceding comments instead of spewing your verbal diarrhea over me, you would realise the same solution, of using an auth program, is what I suggested. Locking server accounts to an IP.

The analogy was used because the previous commenter had claimed that doing that would "screw over half the planet".

In the following moments, before you try to be smart and reply to me again, have a look and analyze the situation. If there's nothing left in your favor to say, don't bother replying to me.

PS: Before you even bother, yes, I know there are in-game password programs; a lot of servers use this. But in the case of keylogging, that pass would be compromised as well, safe to say that using an IP lock would be best.
1
09/18/2013 3:20 am
Level 1 : New Miner
Textra
"Now if you took your time to read the preceeding[sic] comments instead of spewing your verbal diarrhea over me, you would realise the same solution, of using an auth program, is what i suggested. Locking server accounts to an IP."

Righto princess. You're changing what you originally said. You said "This wouldn't happen if every client was locked to an IP address, though it may screw over those with dynamic IP's."

Locking clients to an IP address would alienate about half of Mojang's customers. It's a stupid idea and you should just admit it.

"PS: Before you even bother, yes i know there are in game password programs, a lot of servers use this. But in the case of keylogging, that pass would be compromised as well, safe to say that using an IP lock would be best."

Keyloggers? Really? Hey, locking IPs to client might not be safe either. What about IP spoofing? How about we use biometric scanners to verify user authenticity? Oh wait, what about identity thieves? They might steal your bio-data by stealing a tissue or snipping some of your hair. Maybe IP locking coupled with biometric scanning, coupled with quantum encryption? Oh but wait that's no good either. What if hackers have obtained Q like powers and can crack quantum encryption in a few seconds by re-routing the giga-watts to a reverse polarity negative gravity generator?! Maybe it's better if we just shut the entire internet down while the exploit is closed. Yeah that will do it. Your servers are safe now. Rejoice everyone. Everyone? Anyone? Hey guys? Guuys...?

Ass.
1
09/13/2013 11:28 pm
Level 3 : Apprentice Explorer
Blackjack
This is an exploit in a game, not a nuclear war.
1
09/14/2013 2:42 am
Level 9 : Apprentice Ranger
Reynard
This is an analogy, not a direct reference.
1
09/16/2013 2:39 am
Level 1 : New Miner
Textra
Yes, a really silly analogy.
1
09/10/2013 3:44 pm
Level 10 : Journeyman Network
Ralex
The patch is still only in dev builds, so it is not yet really circulated out. The new client is not the cause, rather a failure in the server code.
1
09/10/2013 11:47 pm
Level 9 : Apprentice Ranger
Reynard
I see, I felt that the new clients connecting with the servers would be the problem, as I understand '&' is no longer read as 0, right? That's the old hat one.

Anyways, good luck fully ironing out this bug.

I would help, but I'm bugger all at this nowadays.
1
09/11/2013 1:15 am
Level 83 : Elite Scapegoat
Paril
The problem has been around since 1.3.
1
09/10/2013 12:30 am
Level 1 : New Architect
Sikk92
This is happening to hundreds of servers now I believe, even the server I play on has already been affected right now.
1
09/09/2013 11:54 pm
Level 6 : Apprentice Narwhal
CrazyCloakedMSC
This just happened to my server. I didn't think this was as serious so I digressed. This is very serious as part of my spawn was deleted and players were messed with. Be aware of the player: Rawr~
1
09/09/2013 10:39 pm
Level 36 : Artisan Network
Morpheus1101
What I don't see is how we detect users trying to do this exploit. Are there certain signs we should look out for that would indicate that this is what they are trying to do?

I watch my console and in-game on my server very closely and want to basically know what I'm looking for so as to perhaps somewhat prevent this from happening.
1
09/11/2013 1:15 am
Level 83 : Elite Scapegoat
Paril
Not unless you update. When you update, you will see many "failed to validate username" messages - if you are not updated, you won't see any messages.
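The detection question above, as an added example that is not part of the original post or anyone's reply: a patched server rejects the spoofed logins and logs the failures, and a source address that fails validation against several staff names in a short span is the pattern an admin is looking for. The log line format, the log contents and the staff names below are all constructed for illustration; the exact wording a given CraftBukkit/Spigot build prints differs, so adapt the regular expression to your own console output.

```python
"""Added example, not from the post: scan a server log for username-validation
failures and flag source addresses that hit several privileged account names.

The log line format is an assumption for illustration (adapt LINE to what your
build prints), and SAMPLE_LOG is constructed, not a real capture.
"""
import re
from collections import defaultdict

# Assumed format: "[HH:MM:SS] [INFO] Disconnecting <name> [/<ip>:<port>]: Failed to verify username!"
LINE = re.compile(
    r"^\[(?P<time>\d\d:\d\d:\d\d)\] \[INFO\] Disconnecting (?P<name>\S+) "
    r"\[/(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\]: Failed to verify username!$"
)

# Constructed sample log: one address cycling through staff names, one
# unrelated failure, one ordinary login that must not match.
SAMPLE_LOG = """\
[20:01:10] [INFO] Disconnecting Owner [/192.0.2.44:51200]: Failed to verify username!
[20:01:11] [INFO] Disconnecting Admin_A [/192.0.2.44:51201]: Failed to verify username!
[20:01:12] [INFO] Disconnecting Admin_B [/192.0.2.44:51202]: Failed to verify username!
[20:02:05] [INFO] SomePlayer[/198.51.100.9:49321] logged in with entity id 1234
[20:03:30] [INFO] Disconnecting Steve [/203.0.113.8:60001]: Failed to verify username!
"""


def parse_failures(log_text):
    """Yield (source_ip, attempted_name) for every validation-failure line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group("ip"), m.group("name")


def flag_spoofers(log_text, privileged, threshold=2):
    """Return {ip: sorted privileged names} for source addresses that failed
    validation for at least `threshold` distinct privileged accounts.
    One failure can be a stale session on a real staff member's client;
    several staff names from one address in a row is the exploit pattern."""
    targets = defaultdict(set)
    for ip, name in parse_failures(log_text):
        if name in privileged:
            targets[ip].add(name)
    return {ip: sorted(names) for ip, names in targets.items() if len(names) >= threshold}


if __name__ == "__main__":
    staff = {"Owner", "Admin_A", "Admin_B"}
    for ip, names in flag_spoofers(SAMPLE_LOG, staff).items():
        print(f"{ip} tried staff accounts {names}")
```

On an unpatched server there is nothing to match, which is Paril's point: the failures only appear once the server actually performs the check, so the absence of these lines is not evidence of the absence of attacks.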
1
09/11/2013 4:44 am
Level 36 : Artisan Network
Morpheus1101
My server is technically vanilla, I run the latest CraftBukkit dev build but with no plugins, and basically use command blocks to handle everything; otherwise it's still 1.6.2 but I haven't had any issue since.
1
09/09/2013 9:50 pm
Level 4 : Apprentice Warrior
Destroyer97
That happened to us but thank god we recently changed back to premium and still had a password plugin, so no damage was done!
1
09/09/2013 12:53 pm
Level 1 : New Dragon
pvporigin
It seems that people are not reading the entire post. Sure updating your Bukkit/Spigot/whatever may help but I got the Security System plugin recommended in the post along with updating my CraftBukkit and it has prevented like 8 session steal attempts in the last three days. Get Security System. It IP locks your ops and it's a beauty. I always get rid of around three groups of session stealers per PMC bump.
1
09/13/2013 11:30 pm
Level 3 : Apprentice Explorer
Blackjack
This isn't "session stealing." This is simply exploiting a race condition in the server login sequence.
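The post itself never spells out the bug, and the reply above describes it as a race in the login sequence. As an added illustration (schematic Python, not CraftBukkit's or Spigot's code), here is the shape such a race takes: one server admits the player as soon as the login packet arrives and only reacts to the verification result afterwards, the other refuses to admit anyone until the result is in hand. The session-server lookup is simulated by a set of names that hold a valid session, and the names and event ordering are assumptions made for illustration.

```python
"""Added example, not CraftBukkit's or Spigot's code: a schematic of a login
race of the kind the comment above describes, with the vulnerable ordering
beside a gated one. The session-server lookup is simulated by a set of names
the "real" client has a session for; names and event ordering are assumptions.
"""


def session_check(name, sessions):
    """Stand-in for the session-server round trip: True only if `name` has a session."""
    return name in sessions


class VulnerableLogin:
    """Admits the player when the login packet arrives and only reacts to the
    verification result afterwards, so anything done in between succeeds."""

    def __init__(self, sessions):
        self.sessions = sessions
        self.online = set()
        self.events = []

    def handle_login_packet(self, name):
        self.online.add(name)                  # already in the world
        self.events.append(("joined", name))
        return True

    def on_verify_complete(self, name):        # in a real server: another thread, later
        if not session_check(name, self.sessions):
            self.online.discard(name)
            self.events.append(("kicked", name))


class GatedLogin:
    """Nothing is admitted until the verification result is in hand."""

    def __init__(self, sessions):
        self.sessions = sessions
        self.online = set()
        self.events = []

    def handle_login_packet(self, name):
        if not session_check(name, self.sessions):
            self.events.append(("rejected", name))
            return False
        self.online.add(name)
        self.events.append(("joined", name))
        return True

    def on_verify_complete(self, name):
        pass  # admission was already gated on the result


def login_and_act(server, name):
    """Send a login packet for `name`, attempt a privileged action before the
    verification result lands, then deliver that result.
    Returns (admitted, action_landed_in_window, still_online_afterwards)."""
    admitted = server.handle_login_packet(name)
    acted = name in server.online
    server.on_verify_complete(name)
    return admitted, acted, name in server.online


if __name__ == "__main__":
    # Attacker has no session for "Owner"; only "RealPlayer" does.
    print(login_and_act(VulnerableLogin(sessions={"RealPlayer"}), "Owner"))  # (True, True, False)
    print(login_and_act(GatedLogin(sessions={"RealPlayer"}), "Owner"))       # (False, False, False)
```

In the vulnerable ordering the spoofed "Owner" is eventually kicked, but the action landed in the window, which is why the comments above report op lists and whitelists edited by "admins" who were then gone. Admission has to be sequenced after the result; a password or IP-lock plugin narrows what can be done in the window but does not remove it.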
1
09/09/2013 11:10 am
Level 43 : Master Network
dunem666
Yeah, like previously stated,

this is NOT fixed, and the GitHub link you gave me is merely a recall method.

If a "SUPER MODERATOR" wants to message me back again, check your facts before doing so!

-.-
1
09/09/2013 2:07 pm
Level 10 : Journeyman Network
Ralex
It is not a recall method. Read it. It *adds* it.
Check your facts next time. This is fixed, tested, confirmed. Your facts are wrong.

If you want to argue this, prove it. Otherwise you are incorrect.
1
09/09/2013 1:57 pm
Level 83 : Elite Scapegoat
Paril
We have pen-tested our own server after applying the update, and have no longer been affected/attacked by the exploit despite being a very public server. I am fairly certain that the update closes the exploit. The commit was the one referenced by md_5 & Dinnerbone as being the cause of the exploit. There's no need to go to insulting me or throwing around fake programming terms like "recall method" - this is about the community and making sure people are safe, not about proving you are right about something silly.

Now, I'm not saying that there aren't any more holes in the authentication system - there probably are - but this specific hole is closed.

Read the comments too - many users get proper authentication failures now that they update. Most of the people who are getting "logged on with fake accounts" after updating have simply not cleared the users they OP from their op list (or permission list, if the attackers use your permission system), which is clear because if the exploit was still open, they would log on as the owner, not with fake/throwaway accounts. It's also possible they have simply updated to latest beta and not development build, which would leave them open as well.
1
09/09/2013 10:47 pm
Level 1 : New Explorer
TheRealXplosiveCows
HEY MAN!
1
10/27/2013 1:57 am
Level 51 : Grandmaster Cowboy
SnargleBlargle
WHAT IS UP BROTHER.
1
09/09/2013 7:15 am
Level 65 : High Grandmaster Senpai
Ludicrous
Hai PMC :3
1
09/09/2013 12:58 am
Level 11 : Journeyman Ranger
TheMinecraftfailzzz
As soon as I updated my server and did the bump submission thing, I got people trying to join with my owner account but it failed! Thanks!!!
1
09/09/2013 8:36 am
Level 26 : Expert Pirate
joehot200
:)
1
09/08/2013 11:25 pm
Level 4 : Apprentice Miner
BilboSwagginzz
@SleepingPotato

I have a group of members personally attacking my ops. I banned them yesterday. They hacked my admins, unbanned themselves and went to town yet again on the spawn and around it.

Is there a plugin that allows the server to recognize the real staff IPs and, if any other IP joins on that account, locks them out? Basically de-opping/banning them?
1
09/09/2013 3:09 am
Level 46 : Master Egyptian
AFlame101
1
09/09/2013 3:47 am
Level 4 : Apprentice Miner
BilboSwagginzz
Oh my goodness. Thank you!
