OP-exploit

One of my players on my server who i know well, wanted me to try this "force op" hack he's got.
Here's what he did:

1) Get me to join his server
2) I login to the server and get kicked with "end of stream"
3) Player on my server then OP's himself

I'm using the recommended bukkit build and am a bit worried, is this known exploit? In order for it to "work" an op on the target server must login to a server owned by the "hacker".
he has full-op as well and could do whatever he wanted to, and by the way i'm NOT using NoCheat+!

I also found a similar issue for Bukkit 1.2.5:

https://bukkit.atlassian.net/login.jsp?permissionViolation=true&os_destination=/browse/BUKKIT-1578

I heard this "hack" is called a "session stealer" i found this on hackforums for those of you registered:

http://www.hackforums.net/showthread.php?tid=2443240&page=2

EDIT by Moderator: merged posts, please use the edit button instead of double posting.

 

Old news.

 

Yeah.. don't do that.

 

This is impossible to do. EvilSeph has noted that there is NO possible way to gain OP, unless you are running an offline server. Don't worry about it.

 

Incorrect.

 

Please explain how it can be done then. And perhaps you should let EvilSeph know as well.

 

It is a kind of "man in the middle" attack, and Evenprime wrote about it back in the beginning of April. In a nutshell, the remote server creates a tunnel back to your server, where you've got Op rights. When you log in to the remote server, you are providing credentials for your own server (via the tunnel). Then the 'man in the middle' takes over the (now authenticated) session. et voila.

 

Greylocke
I see how this could happen, but you would still have to be a complete dumb dumb to allow this type of tunnel to be created wouldn't you?

 

Well, OP was lured into a trap and these attacks are quite uncommon/unknown so it is understandable that he diden't know what could happen.

 

Whisk You won't notice anything different when you log in to the 'rogue' server. So it really just depends upon the plausibility of the person that convinced you to log in.

 

Actually you can't even connect to it, it'll usually give an end of stream error since it's not a real server.

 

But it's not hard to modify it to work with vanilla or Bukkit.

Anyways, this is OLD news for those of us with HF accounts.

 

wow, i remember someone asking to test if his server worked, i said it works, but whitelisted

now i was wondering how a player got OP, well i think i remember it was this player

never gonna try servers on command anymore, god im happy he didnt screw up the server

 

I am a good boy, so I don't have a HF account.

 

I'm one of those crazy people who change 90% of their passwords every week.. And I don't play SMP except my own server. I'm safe.

 

This is called Session Stealing. I'll put a video up on youtube in just a minute, for you. ((Give me 30 minutes.))

There is PLENTY of good people on HF. Thanks.

((EDIT)): There's the video for ya. Yeeeep. I was usin' Nodus for that.

 

Solution: have two accounts - use one to login to "unfamiliar" servers.

 

Yeah, just disable the /op command from players using it

and also don't allow the use of permission commands from ingame (ie /pex for PermissionsEx) and you shouldn't have a problem

just saying

 

Yes, I AM a wizard.

 

I got banned from MCF for DDoSing someone's server. I'm quite horrible, or at least I used to be, since I got bored of that crap (and citricsquid was nice enough to remove the ban after three months).

 

I got nailed with one of these 'session stealers' recently. Some guy asked me to help him with his server by seeing if I could connect to it. Once I'd connected, my account connected back to my server, gave him GM and op, and left, all in the time it took me to hit 'cancel on the failed login screen, and get back onto my server. We caught this quick and undid all of it, but I won't be offering any help for other people's servers because of that. Pretty sad that people have sunk this low.

TLDR - Session stealers are a real thing, and unless the server is a real known server, probably best to avoid it. It really sucks for those operating small servers without domain names, since you can't trust them anymore.

 

If you want to avoid the session stealers:
1) Have a second account that isn't OP
2) Change your client to not accept servers with the 0 id
3) Ban yourself on your server until you relog

 

Or 4) Wait for 1.3
Early 1.3 snapshot fixed this issue.