When a client connects to RaspberryJuice, all traffic appears to travel over the network in plain text. Furthermore, the data sent by the client can be intercepted, modified and forwarded to the server while still appearing to come from the client:
This bug appears to affect the current and all previous versions of RaspberryJuice and Spigot.
To reproduce the issue, run a Spigot/RaspberryJuice server listening on port 4711 and a client on the same network with Python 3 and the mcpi library; here is a test script:
On the attacker box, use ettercap to run ARP poisoning; the data is then visible unencrypted with tcpdump:
To manipulate the data, load into ettercap the following filter, compiled with "etterfilter fil.ecf -o fil.ef":
Resend the message from the client, and it now arrives altered:
Suggestions to prevent this:
I haven't tested on the other plugins to confirm, but the option to protect this with an encrypted/authenticated channel is possible from Spigot and/or the plugin level, by using TLS for authentication and a cipher like RSA, DH, ECDH for key exchange.
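As an added illustration of that suggestion (example code, not from this report or from RaspberryJuice), the following shows the mcpi client side wrapped in mutual TLS. It assumes a TLS terminator (e.g. stunnel) in front of the plugin, with port 4711 bound to localhost only and the terminator listening on an assumed port 4712; certificate paths are placeholders.

```python
"""Wrap the plaintext mcpi API in mutual TLS. Assumed setup: a TLS
terminator in front of RaspberryJuice's 4711 (loopback-only), listening
on TLS_PORT; all cert/key paths are placeholders."""
import socket
import ssl

TLS_PORT = 4712  # assumed front-end port; 4711 itself stays on loopback


def build_client_context(ca_file, client_cert=None, client_key=None):
    """Verify the server against our own CA, require TLS 1.2+, and present
    a client certificate when one is given (mutual authentication)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def build_server_context(server_cert, server_key, ca_file):
    """Terminator side: only clients holding a cert from our CA get through,
    so an on-path host cannot inject its own commands."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(server_cert, server_key)
    return ctx


def is_hardened(ctx):
    """Quick self-check used by operators and the test below."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def encode_command(name, *args):
    """mcpi wire format: 'name(arg,arg,...)' terminated by a newline."""
    return ("%s(%s)\n" % (name, ",".join(str(a) for a in args))).encode()


def mcpi_call(sock, name, *args):
    """Send one command and read one newline-terminated reply."""
    sock.sendall(encode_command(name, *args))
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf.decode().rstrip("\n")


def connect(host, ctx):
    """Open the TLS-wrapped socket that mcpi_call() expects."""
    raw = socket.create_connection((host, TLS_PORT))
    return ctx.wrap_socket(raw, server_hostname=host)
```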