@md-5
Forked from ajvpot/gist:3115176
Created July 15, 2012 06:08
Minecraft Migrated Account Session Vulnerability
                  ████▓               
               ▓█▓▓▓▓▓██▒              
             ▒██▒▒▒▒▒▒▒▓█▓             
            ▓█▓▒▒▒▒▒▒▒▒▒▒██            
           ██▒▒▒▒▓███▓▒▒▒▒▓█▒          
         ▒█▓▒▓▓▓██▓░▓█▓▓▓▓▓▓█▓         
        ▓█▓▓▓▓▓██▓   ▒██▓▓▓▓▓██▒       
      ▒██▓▓▓▓███       ███▓▓▓▓██▓      
     ▓██▓█████▒         ▒█████████     
   ▒█████████  ▒▓▓▓▓▓▓▓▓▒▓█████████▒   
  ▓████████▓  ▓█████████████████████▓  
 ████████░ ▓█████████████████████████▓ 

###### Team Avolition

## Minecraft Migrated Account Session Vulnerability Security Advisory

security@teamavolition.com

Details

Severity: High

Exploit Date: June 26, 2012

Public: July 14, 2012

Advisory: July 14, 2012

Vulnerability Scope

This vulnerability affects all “migrated” Minecraft accounts. Accounts that have not been migrated are not affected by this vulnerability.

We have created a page on our website to allow you to check whether your account is vulnerable. It can be found here:

http://www.teamavolition.com/sessionchecker

Description

An attacker can log on using any migrated account to any Minecraft server that relies on Mojang Specifications’ official authentication servers to verify user authenticity. This can give the attacker access to players’ accounts, causing losses within the game, or access to a privileged account on the server. Depending on which common server modifications are installed, privileged accounts could be used to acquire access to the operating system or to cause serious damage to data on the machine, including but not limited to software and data commonly found alongside a Minecraft server, such as:

  • Server map files
  • Operating system files
  • Player data
  • Database and webserver data
  • Proprietary server modifications and source code

Reproduction

This vulnerability seems to be caused by a failure to authenticate usernames with session IDs for migrated accounts. joinServer.jsp will accept any valid session key from a migrated account for another migrated account.

The issue is reproduced with the following steps:

  1. Log in to Minecraft with a migrated account.
  2. Store the session key.
  3. Connect to a Minecraft server with a different migrated account’s username and the stored session key.

Resolution

This vulnerability needs to be fixed at the authentication level by Mojang Specifications; it cannot be resolved locally on a server.
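
The missing check described under Reproduction, and the binding that an authentication-level fix has to enforce, shown side by side as an added example. This is a toy model written for this page, not Mojang's code: the internals of joinServer.jsp are not public here, and the class, method and account names are all hypothetical.

```python
import hmac
import secrets


class SessionService:
    """Toy model of an auth service; all names here are hypothetical."""

    def __init__(self, accounts):
        self._accounts = dict(accounts)   # username -> True if migrated
        self._sessions = {}               # session key -> owning username

    def login(self, username):
        # Password verification is out of scope; assume it already succeeded.
        if username not in self._accounts:
            raise KeyError(username)
        key = secrets.token_hex(16)
        self._sessions[key] = username
        return key

    def join_unbound(self, claimed_user, session_key):
        """Flaw as described: for migrated accounts the key is only checked
        for validity, not for which account it was issued to."""
        owner = self._sessions.get(session_key)
        if owner is None or claimed_user not in self._accounts:
            return False
        if self._accounts[owner] and self._accounts[claimed_user]:
            return True                   # owner never compared to claimed_user
        return owner == claimed_user

    def join_bound(self, claimed_user, session_key):
        """Corrected check: the key must belong to the claimed username."""
        owner = self._sessions.get(session_key)
        if owner is None:
            return False
        return hmac.compare_digest(owner.encode(), claimed_user.encode())


def compare_checks():
    # Constructed sample accounts: two migrated, one not migrated.
    svc = SessionService({"alice": True, "bob_admin": True, "carol": False})
    key = svc.login("alice")
    claims = ["alice", "bob_admin", "carol"]
    return {user: (svc.join_unbound(user, key), svc.join_bound(user, key))
            for user in claims}


if __name__ == "__main__":
    for user, (unbound, bound) in compare_checks().items():
        print(f"{user:10} unbound={unbound!s:5} bound={bound}")
```

The two checks disagree only for the second migrated account, which is the case the advisory reports; a regression test for the service should assert that this case is rejected.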

Mitigation

Until this exploit is resolved, we advise server administrators to use a second-layer authentication mechanism that lets users validate their identity with a secret password once connected to the server. This must be done for users with escalated privileges, but is not critical for other users. A common second-layer authentication mechanism is X-Auth, a plugin for the Minecraft modification Bukkit. It can be found at:

http://forums.bukkit.org/threads/sec-xauth-v2-0-10-offline-mode-authentication-1-2-5-r1-3.8712/

Another possible protection plugin can be found at:

http://dev.bukkit.org/server-mods/authme-reloaded/

Contact Us

Any requests for information, questions, or comments regarding this advisory should be forwarded to security@teamavolition.com
