OP-exploit

Discussion in 'Bukkit Discussion' started by matthew99144, Apr 30, 2012.

Thread Status:
Not open for further replies.
  1. Offline

    matthew99144

    One of my players on my server, who I know well, wanted me to try this "force op" hack he's got.
    Here's what he did:

    1) Get me to join his server
    2) I login to the server and get kicked with "end of stream"
    3) Player on my server then OP's himself

    I'm using the recommended Bukkit build and am a bit worried. Is this a known exploit? In order for it to "work", an op on the target server must log in to a server owned by the "hacker".
    He has full OP as well and could do whatever he wanted to, and by the way I'm NOT using NoCheat+!

    I also found a similar issue for Bukkit 1.2.5:

    https://bukkit.atlassian.net/login.jsp?permissionViolation=true&os_destination=/browse/BUKKIT-1578

    I heard this "hack" is called a "session stealer". I found this on hackforums for those of you registered:

    http://www.hackforums.net/showthread.php?tid=2443240&page=2

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 25, 2016
  2. Offline

    chaseoes

    Old news.
     
  3. Offline

    Vhab

    Yeah.. don't do that.
     
  4. Offline

    Whisk

    This is impossible to do. EvilSeph has noted that there is NO possible way to gain OP, unless you are running an offline server. Don't worry about it.
     
  5. Offline

    chaseoes

    Incorrect.
     
  6. Offline

    Whisk

    Please explain how it can be done then. And perhaps you should let EvilSeph know as well.
     
  7. Offline

    Greylocke

    It is a kind of "man in the middle" attack, and Evenprime wrote about it back in the beginning of April. In a nutshell, the remote server creates a tunnel back to your server, where you've got Op rights. When you log in to the remote server, you are providing credentials for your own server (via the tunnel). Then the 'man in the middle' takes over the (now authenticated) session. Et voilà.
     
    Deleted user likes this.
  8. Offline

    Whisk

    Greylocke
    I see how this could happen, but you would still have to be a complete dumb dumb to allow this type of tunnel to be created wouldn't you?
     
  9. Offline

    Ranzdo

    Well, OP was lured into a trap and these attacks are quite uncommon/unknown, so it is understandable that he didn't know what could happen.
     
  10. Offline

    Greylocke

    Whisk You won't notice anything different when you log in to the 'rogue' server. So it really just depends upon the plausibility of the person that convinced you to log in.
     
  11. Offline

    chaseoes

    Actually you can't even connect to it, it'll usually give an end of stream error since it's not a real server.
     
  12. Offline

    JohnTheRipper

    But it's not hard to modify it to work with vanilla or Bukkit.

    Anyways, this is OLD news for those of us with HF accounts.
     
    Darky1126 likes this.
  13. Offline

    strontkever

    Wow, I remember someone asking to test if his server worked. I said it works, but whitelisted.

    Now I was wondering how a player got OP. Well, I think I remember it was this player :)

    Never gonna try servers on command anymore. God, I'm happy he didn't screw up the server.
     
  14. Offline

    M1sT3rM4n

    I am a good boy, so I don't have a HF account.
     
  15. Offline

    Sayshal

    I'm one of those crazy people who change 90% of their passwords every week.. And I don't play SMP except my own server. I'm safe. :)
     
  16. Offline

    Jade

    This is called Session Stealing. I'll put a video up on youtube in just a minute, for you. ((Give me 30 minutes.))
    There are PLENTY of good people on HF. Thanks. :)

    ((EDIT)): There's the video for ya. Yeeeep. I was usin' Nodus for that.
     
  17. Offline

    codename_B

    Solution: have two accounts - use one to login to "unfamiliar" servers.
     
    Deleted user likes this.
  18. Offline

    mindless728

    Yeah, just disable the /op command from players using it

    and also don't allow the use of permission commands from ingame (ie /pex for PermissionsEx) and you shouldn't have a problem

    just saying
     
  19. Offline

    M1sT3rM4n

    [​IMG]
     
    JOPHESTUS, Tom Swift and Cirno like this.
  20. Offline

    Jade

    Yes, I AM a wizard. :p
     
  21. Offline

    JohnTheRipper

    I got banned from MCF for DDoSing someone's server. I'm quite horrible, or at least I used to be, since I got bored of that crap (and citricsquid was nice enough to remove the ban after three months).
     
  22. Offline

    2006charger

    I got nailed with one of these 'session stealers' recently. Some guy asked me to help him with his server by seeing if I could connect to it. Once I'd connected, my account connected back to my server, gave him GM and op, and left, all in the time it took me to hit 'cancel' on the failed login screen and get back onto my server. We caught this quick and undid all of it, but I won't be offering any help for other people's servers because of that. Pretty sad that people have sunk this low.

    TLDR - Session stealers are a real thing, and unless the server is a real known server, probably best to avoid it. It really sucks for those operating small servers without domain names, since you can't trust them anymore.
     
  23. Offline

    mindless728

    If you want to avoid the session stealers:
    1) Have a second account that isn't OP
    2) Change your client to not accept servers with the 0 id
    3) Ban yourself on your server until you relog
     
  24. Offline

    Anavrins

    Or 4) Wait for 1.3
    Early 1.3 snapshot fixed this issue.
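
Added example, not part of the thread and not Bukkit or Minecraft code: a toy Python model of the relay Greylocke describes above and of why a join hash that also covers the connection's shared secret and the server's public key, as in the publicly documented 1.3 login handshake, stops it. The session service, user name, ids and keys are constructed stand-ins, and nothing here touches the network.

```python
import hashlib
import os


def keybound_hash(server_id: str, secret: bytes, public_key: bytes) -> str:
    """Join hash bound to the server's key: SHA-1 read as a signed hex number."""
    digest = hashlib.sha1(server_id.encode("ascii") + secret + public_key).digest()
    return format(int.from_bytes(digest, "big", signed=True), "x")


class SessionService:
    """In-memory stand-in for the account session service (constructed)."""

    def __init__(self):
        self._joins = set()

    def join(self, user: str, token: str) -> None:        # sent by the client
        self._joins.add((user, token))

    def has_joined(self, user: str, token: str) -> bool:  # asked by the server
        return (user, token) in self._joins


def legacy_relay_accepted() -> bool:
    """Pre-1.3 model: the token is only the id string the server hands out."""
    svc = SessionService()
    target_id = "a1b2c3d4"          # constructed id issued by the op's own server
    relayed_id = target_id          # rogue server repeats it to the visiting op
    svc.join("op_player", relayed_id)
    # The op's server asks about its own id and cannot tell who is connected.
    return svc.has_joined("op_player", target_id)


def keybound_relay_accepted() -> bool:
    """1.3-style model: the token also covers the secret and the server key."""
    svc = SessionService()
    target_id, target_key = "a1b2c3d4", b"TARGET-PUBLIC-KEY"   # constructed
    rogue_key = b"ROGUE-PUBLIC-KEY"   # relay must use its own key to read traffic
    op_secret, relay_secret = os.urandom(16), os.urandom(16)
    svc.join("op_player", keybound_hash(target_id, op_secret, rogue_key))
    # The op's server hashes the secret and key of the connection it really has.
    expected = keybound_hash(target_id, relay_secret, target_key)
    return svc.has_joined("op_player", expected)


if __name__ == "__main__":
    print("legacy relay accepted:   ", legacy_relay_accepted())
    print("key-bound relay accepted:", keybound_relay_accepted())
```

A relay that instead passes the real server's key through unchanged never learns the shared secret, so it cannot read or alter the encrypted stream that follows.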
     