I'm "runtime" in-game (U-runtime if you need my user id) and zkxs#1039 on Discord. Feel free to reach out to me if you've got questions.
An exploit allowing a malicious actor to join sessions while impersonating another user by means of a MITM (man-in-the-middle) attack.
I am specifically searching for exploits with large security impacts due to the new issue bounty policy.
I believe this to be at least a medium severity issue. It has the following impact:
- A malicious actor can join sessions while impersonating another user, but only if the target user is in a session hosted by the malicious actor. This can pivot into the following attacks:
  - Forced entry into Contacts/Contacts+ sessions if the malicious actor knows the session ID
  - Forced entry into Private sessions if the impersonated user has a valid invite and the malicious actor knows the session ID
  - SimpleAvatarProtection bypass, as the attacker can become whoever owns the asset they're trying to steal. This allows equipping/saving/spawning protected avatars as the impersonated user
A PoC (proof-of-concept) implementation has been created and verified to be working in Neos version 2021.9.3.1281. This PoC is a Neos plugin that causes the malicious actor's client to perform the MITM when joining sessions.
This timeline will include:
- Important research milestones
- Disclosure to various parties
- Conversation with the Neos team
- Reward payouts
- Exploit is conceptualized and appears promising. PoC development begins.
- I believe the PoC to be nearly ready. seif1 and Khosumi are informed that I have an impersonation exploit I need help testing, but are not given specifics on how the exploit works. We begin testing the PoC to see if it works in practice.
- The PoC has been fully debugged and is now working. I begin writing my moderation report, and Khosumi records a video to attach.
- The moderation report is submitted as ticket #687383.
- I am informed that the ticket is being looked into by the moderation team.
- A fix is announced in the #neos-updates Discord channel and is live in Neos version 2021.9.20.1334.
- The moderation ticket is marked as resolved.
- This writeup is made public.
- A staff member informs me via Discord that a reward is being considered.
- I receive an email receipt for a 10,000 CDFT reward, the maximum amount.
The logs of both the host the attacker joins and the impersonated user show nothing out of the ordinary. The attacker's own logs are somewhat unusual, as expected, due to the use of a plugin.
- When you first log into Neos, your client generates a random public/private keypair. The public key is sent to the Neos cloud, and is viewable at the https://api.neos.com/api/users/<userid>/status endpoint.
- When a user connects to a session, the session host issues a join challenge. This join challenge is a nonce that must be signed with the connecting user's private key. The host then validates this signature using the public key from the Neos cloud. If the signature is invalid, the connecting user is disconnected.
- "Sally" is hosting a session named "SallyWorld"
- "Eve" is a malicious actor who wants to gain access to SallyWorld
- "John" is a user in a session hosted by Eve
- John has access to join SallyWorld, but Eve does not.
- John is in a session hosted by Eve
- Eve connects to SallyWorld using John's username and userid
- Sally issues a JoinChallenge to Eve
- Eve forwards this JoinChallenge on to John
- John signs the JoinChallenge with his private key, and sends the JoinAuthenticate response back to Eve
- Eve forwards this JoinAuthenticate response to Sally
- Sally accepts Eve into the world as John
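As an added illustration of why the relay works (a Go model written for this writeup, not Neos code or the PoC; ed25519 stands in for Neos' signature scheme, the session ids "SallyWorld"/"EveWorld" are constructed, and the `bound` variant is an assumed mitigation rather than the fix Neos shipped): when only the nonce is signed, Sally cannot tell that John answered the challenge for a different session, so the relayed JoinAuthenticate verifies; binding the session id the client believes it is joining into the signed message makes the relayed signature fail at Sally while an honest join still passes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// challengeMsg is the byte string that is signed and verified. Unbound form
// (what the writeup describes): the 32-byte nonce alone. Bound form (an assumed
// mitigation, not necessarily the fix Neos shipped): nonce followed by the
// session id; the nonce length is fixed, so the concatenation is unambiguous.
func challengeMsg(nonce []byte, session string, bound bool) []byte {
	msg := append([]byte{}, nonce...)
	if bound {
		msg = append(msg, session...)
	}
	return msg
}

// JoinAuthenticate is the client side: sign the JoinChallenge nonce for the
// session the client believes it is joining, with the per-login private key.
func JoinAuthenticate(priv ed25519.PrivateKey, nonce []byte, joining string, bound bool) []byte {
	return ed25519.Sign(priv, challengeMsg(nonce, joining, bound))
}

// HostVerify is the host side: check the response against the public key the
// Neos cloud publishes for the claimed user, for the host's own session id.
func HostVerify(pub ed25519.PublicKey, nonce []byte, hostSession string, bound bool, sig []byte) bool {
	return ed25519.Verify(pub, challengeMsg(nonce, hostSession, bound), sig)
}

// Join runs one challenge/response between a signer who believes they are
// joining signerSession and a host whose session is hostSession, and reports
// whether the host accepts. The writeup's relay is Join("EveWorld", "SallyWorld", ...):
// Sally's nonce reaches John via Eve, and John signs it as if for Eve's session.
func Join(signerSession, hostSession string, bound bool) bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // John's per-login keypair
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, 32) // Sally's JoinChallenge
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	sig := JoinAuthenticate(priv, nonce, signerSession, bound)
	return HostVerify(pub, nonce, hostSession, bound, sig)
}
```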
Shows that there are two Khosumis in the world: one is the real Khosumi, and one is runtime impersonating him:
A video filmed by Khosumi demonstrating runtime joining Khosumi's private session while impersonating seif1. seif1 was invited; runtime was not.
https://youtu.be/GFH5zpU11OE?t=177