Skip to content

Instantly share code, notes, and snippets.

@ajvpot
Created July 15, 2012 05:35
Show Gist options
  • Save ajvpot/3115176 to your computer and use it in GitHub Desktop.
Save ajvpot/3115176 to your computer and use it in GitHub Desktop.
Minecraft Migrated Account Session Vulnerability
                  ████▓               
               ▓█▓▓▓▓▓██▒              
             ▒██▒▒▒▒▒▒▒▓█▓             
            ▓█▓▒▒▒▒▒▒▒▒▒▒██            
           ██▒▒▒▒▓███▓▒▒▒▒▓█▒          
         ▒█▓▒▓▓▓██▓░▓█▓▓▓▓▓▓█▓         
        ▓█▓▓▓▓▓██▓   ▒██▓▓▓▓▓██▒       
      ▒██▓▓▓▓███       ███▓▓▓▓██▓      
     ▓██▓█████▒         ▒█████████     
   ▒█████████  ▒▓▓▓▓▓▓▓▓▒▓█████████▒   
  ▓████████▓  ▓█████████████████████▓  
 ████████░ ▓█████████████████████████▓ 

######Team Avolition

##Minecraft Migrated Account Session Vulnerability Security Advisory Alex "ajvpot" Vanderpot

Keegan "Sirenfal" Novik

[email protected]

Details

Severity: High

Exploit Date: June 26, 2012

Public: July 14, 2012

Advisory: July 14, 2012

Vulnerability Scope

This vulnerability affects all “migrated” Minecraft accounts. Accounts that have not been migrated are not affected by this vulnerability.

We have created a page on our website to allow you to check whether your account is vulnerable. It can be found here:

http://www.teamavolition.com/sessionchecker

Description

A malicious attacker can log on using any migrated account to any Minecraft server relying on Mojang Specifications’ official authentication servers to verify user authenticity. This can allow an attacker to gain access to players’ accounts causing losses within the game, or allow an attacker to gain access to a privileged account on the server. Depending on common server modifications, privileged accounts could be used to acquire access to the operating system, or cause serious damage to data on the machine, which includes but is not limited to common software and data found in unison with a Minecraft server such as:

  • Server map files
  • Operating system files
  • Player data
  • Database and webserver data
  • Proprietary server modifications and source code

Reproduction

This vulnerability seems to be caused by a failure to authenticate usernames with session IDs for migrated accounts. joinServer.jsp will accept any valid session key from a migrated account for another migrated account.

To reproduce this issue an attacker needs to follow the following steps.

  1. Log in to Minecraft with a migrated account.
  2. Store the session key
  3. Connect to a Minecraft server with a different migrated account’s username and the stored session key.

Resolution

This vulnerability needs to be fixed on the authentication level by Mojang Specifications, it cannot be resolved on a server locally.

Mitigation

Until this exploit is resolved, we would advise server administrators to use a second layer authentication mechanism that allows users to validate their identity with a secret password once connected to the server. This must be done for users with escalated privileges, but is not critical for other users. A common second layer authentication mechanism is a plugin for the Minecraft modification Bukkit called X-Auth. It can be found at:

http://forums.bukkit.org/threads/sec-xauth-v2-0-10-offline-mode-authentication-1-2-5-r1-3.8712/

More protection solutions can be found at:

Contact Us

Any requests for information, questions, or comments regarding this advisory should be forwarded to [email protected]

@SuperHarmony910
Copy link

i'm here from the beluga video

@imvickykumar999
Copy link

i'm here from the beluga video

same here... that's quite interesting video

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment