###### Team Avolition

## Minecraft Migrated Account Session Vulnerability Security Advisory

Alex "ajvpot" Vanderpot
Keegan "Sirenfal" Novik

- Severity: High
- Exploit Date: June 26, 2012
- Public: July 14, 2012
- Advisory: July 14, 2012

This vulnerability affects all “migrated” Minecraft accounts. Accounts that have not been migrated are not affected by this vulnerability.
We have created a page on our website to allow you to check whether your account is vulnerable. It can be found here:
http://www.teamavolition.com/sessionchecker
An attacker can log on as any migrated account to any Minecraft server that relies on Mojang Specifications’ official authentication servers to verify user authenticity. This can allow the attacker to gain access to players’ accounts, causing losses within the game, or to gain access to a privileged account on the server. Depending on which common server modifications are installed, privileged accounts could be used to acquire access to the operating system or to cause serious damage to data on the machine, including but not limited to software and data commonly found alongside a Minecraft server, such as:
- Server map files
- Operating system files
- Player data
- Database and webserver data
- Proprietary server modifications and source code
This vulnerability seems to be caused by a failure to check that a session ID belongs to the username presenting it when the account is migrated. `joinServer.jsp` will accept any valid session key from a migrated account for another migrated account.
To reproduce this issue, an attacker needs to follow these steps:
- Log in to Minecraft with a migrated account.
- Store the session key.
- Connect to a Minecraft server with a different migrated account’s username and the stored session key.
This vulnerability needs to be fixed at the authentication level by Mojang Specifications; it cannot be resolved locally on a server.
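The missing check described above, as an added illustration that is neither Mojang's code nor code from this advisory: a toy session table in which `join_unbound` accepts any live session key and `join_bound` requires the key to have been issued to the claimed username. The class, method and account names are hypothetical, and the real service's parameters and storage are assumptions not shown in the advisory.

```python
import hmac
import secrets


class SessionStore:
    """Toy stand-in for the authentication service's session table."""

    def __init__(self, migrated_accounts):
        self.migrated = set(migrated_accounts)
        self._owner_by_session = {}  # session key -> account that logged in

    def login(self, username):
        """Issue a fresh session key (the password check is not modelled)."""
        if username not in self.migrated:
            raise KeyError(username)
        key = secrets.token_hex(16)
        self._owner_by_session[key] = username
        return key

    def join_unbound(self, username, session_key):
        """Flawed check as the advisory describes it: the key only has to be
        a live key of some migrated account; its owner is never compared."""
        return username in self.migrated and session_key in self._owner_by_session

    def join_bound(self, username, session_key):
        """Corrected check: the key must have been issued to this username."""
        owner = self._owner_by_session.get(session_key)
        if owner is None:
            return False
        # Constant-time comparison of the claimed name against the key's owner.
        return hmac.compare_digest(owner.encode(), username.encode())


def demo():
    store = SessionStore({"alice", "bob"})  # constructed account names
    alice_key = store.login("alice")
    return {
        "unbound_owner": store.join_unbound("alice", alice_key),
        "unbound_other": store.join_unbound("bob", alice_key),
        "bound_owner": store.join_bound("alice", alice_key),
        "bound_other": store.join_bound("bob", alice_key),
        "bound_unknown_key": store.join_bound("bob", "0" * 32),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The `bound_other` case is the regression test an authentication service would keep: a valid key presented under a different account's name must be rejected.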
Until this exploit is resolved, we advise server administrators to use a second-layer authentication mechanism that lets users validate their identity with a secret password once connected to the server. This must be done for users with escalated privileges, but is not critical for other users. A common second-layer authentication mechanism is a plugin for the Minecraft modification Bukkit called X-Auth. It can be found at:
http://forums.bukkit.org/threads/sec-xauth-v2-0-10-offline-mode-authentication-1-2-5-r1-3.8712/
More protection solutions can be found at:
- http://dev.bukkit.org/server-mods/authme-reloaded/
- http://dev.bukkit.org/server-mods/ipsecurity/
- http://www.sk89q.com/2012/07/fixing-the-minecraft-session-stealer-exploit/
Any requests for information, questions, or comments regarding this advisory should be forwarded to [email protected]