
Minecraft Migrated Account Session Vulnerability

                  ████▓               
               ▓█▓▓▓▓▓██▒              
             ▒██▒▒▒▒▒▒▒▓█▓             
            ▓█▓▒▒▒▒▒▒▒▒▒▒██            
           ██▒▒▒▒▓███▓▒▒▒▒▓█▒          
         ▒█▓▒▓▓▓██▓░▓█▓▓▓▓▓▓█▓         
        ▓█▓▓▓▓▓██▓   ▒██▓▓▓▓▓██▒       
      ▒██▓▓▓▓███       ███▓▓▓▓██▓      
     ▓██▓█████▒         ▒█████████     
   ▒█████████  ▒▓▓▓▓▓▓▓▓▒▓█████████▒   
  ▓████████▓  ▓█████████████████████▓  
 ████████░ ▓█████████████████████████▓ 
Team Avolition

Minecraft Migrated Account Session Vulnerability Security Advisory

Alex "ajvpot" Vanderpot

Keegan "Sirenfal" Novik

security@teamavolition.com

Details

Severity: High

Exploit Date: June 26, 2012

Public: July 14, 2012

Advisory: July 14, 2012

Vulnerability Scope

This vulnerability affects all “migrated” Minecraft accounts. Accounts that have not been migrated are not affected by this vulnerability.

We have created a page on our website to allow you to check whether your account is vulnerable. It can be found here:

http://www.teamavolition.com/sessionchecker

Description

A malicious attacker can log on using any migrated account to any Minecraft server that relies on Mojang Specifications’ official authentication servers to verify user authenticity. This can allow an attacker to gain access to players’ accounts, causing losses within the game, or to gain access to a privileged account on the server. Depending on the server modifications installed, privileged accounts could be used to acquire access to the operating system or to cause serious damage to data on the machine, including but not limited to software and data commonly found alongside a Minecraft server, such as:

  • Server map files
  • Operating system files
  • Player data
  • Database and webserver data
  • Proprietary server modifications and source code

Reproduction

This vulnerability seems to be caused by a failure to authenticate usernames with session IDs for migrated accounts. joinServer.jsp will accept any valid session key from a migrated account for another migrated account.

To reproduce this issue, an attacker follows these steps:

  1. Log in to Minecraft with a migrated account.
  2. Store the session key.
  3. Connect to a Minecraft server with a different migrated account’s username and the stored session key.

Resolution

This vulnerability needs to be fixed at the authentication level by Mojang Specifications; it cannot be resolved locally on a server.
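The missing check described under Reproduction, and the session-to-username binding an authentication-level fix has to enforce, modelled as an added example (not Mojang's code and not part of the original advisory). The `AuthService` class, its method names and the account names are constructed assumptions.

```python
import secrets


class AuthService:
    """Constructed model of a session service; not Mojang's implementation."""

    def __init__(self):
        self._sessions = {}     # session ID -> account that logged in
        self._migrated = set()  # accounts flagged as migrated

    def login(self, username, migrated=False):
        """Issue a session ID after a login (password check assumed passed)."""
        if migrated:
            self._migrated.add(username)
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = username
        return session_id

    def join_flawed(self, claimed_user, session_id):
        """Behaviour the advisory reports: for migrated accounts, any valid
        session from one migrated account is accepted for another."""
        owner = self._sessions.get(session_id)
        if owner is None:
            return False
        if owner in self._migrated and claimed_user in self._migrated:
            return True  # missing check: owner == claimed_user
        return owner == claimed_user

    def join_bound(self, claimed_user, session_id):
        """Hardened form: accept only a session issued to the claimed user."""
        owner = self._sessions.get(session_id)
        return owner is not None and owner == claimed_user


def demo():
    """Run both checks over constructed accounts and return the verdicts."""
    auth = AuthService()
    auth.login("admin_migrated", migrated=True)
    other = auth.login("player_migrated", migrated=True)
    legacy = auth.login("player_legacy")
    return {
        "flawed_cross_account": auth.join_flawed("admin_migrated", other),
        "bound_cross_account": auth.join_bound("admin_migrated", other),
        "bound_own_session": auth.join_bound("player_migrated", other),
        "flawed_legacy_session": auth.join_flawed("admin_migrated", legacy),
    }
```

The `bound_cross_account` case is the regression test a fix should keep: a valid session presented with someone else's username must be rejected.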

Mitigation

Until this exploit is resolved, we advise server administrators to use a second-layer authentication mechanism that lets users validate their identity with a secret password once connected to the server. This must be done for users with escalated privileges, but is not critical for other users. A common second-layer authentication mechanism is X-Auth, a plugin for the Minecraft modification Bukkit. It can be found at:

http://forums.bukkit.org/threads/sec-xauth-v2-0-10-offline-mode-authentication-1-2-5-r1-3.8712/

More protection solutions can be found at:

Contact Us

Any requests for information, questions, or comments regarding this advisory should be forwarded to security@teamavolition.com
