This exploit can be done to any server, whether or not you have SSH access, OP, etc. I did this on my own server to limit collateral damage, but it will always work.
It crashes every client on the server. It's very trivial to automate this exploit so that any time a client joins it is crashed, leaving the exploiter free to do what he wants outside the realm of OPs, etc. within that time.
This YouTube video I made provides a small taste of this. I'm also not sure if it's already been discovered, but a cursory search turns up nothing.
The YouTube video is here:
The logs of an affected server look like this: (everybody on the server will reconnect in short time, as they stay connected even while the client is crashed and don't reconnect until they restart their browser). Please note that one line has been excluded for obvious reasons, as well as IPs to protect the innocent.
If this is in the wrong place a mod can move it.
I will take the liberty of e-mailing a copy of this forum post to Notch.
Edit - This was on a vanilla server, it works on any server. The glitch is not what's new, the method of delivery is.
Edit2 - If you run a custom server, this is very very easy to protect against. E-mail me and I'll let you know how.
One could write a script to join every server on the server list and disconnect every client on join. Then, all public servers would be rendered unplayable over night. This needs attention.
Wait a minute. You take some of your time to make a video about this and a post on this forum, so everybody pays you some attention - but you got no time to post the 'easy way' to 'protect' a server against this 'exploit'?
Woot
Yeah, that comes off as a sane, well-thought-out response.
If I published the way to fix the exploit, I'd be publishing the exploit by extension. Also, I've accepted that this is the only way to get things done in Minecraft.
For example, in June, I told Notch about a bug that breaks the server on Linux and requires box restarts every server restart. He acknowledged the issue, and on every subsequent inquiry, pointed to the new netcode as a solution. Did that netcode ever even get implemented? It's been almost a year. This bug is far more pressing.
Just to confirm, would having the server not pass on Unicode characters solve the problem? Or does this exploit somehow magically bypass this?
Not my intended fix, but another easy fix is just having the server check if all of the input is in Minecraft's approved palette, which is alphanumeric with a limited number of symbols. Tapping on a keyboard in the client will get you all the allowed symbols, and checking that the message contains only those before relaying it to the clients would indeed fix this issue.
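An added example of the server-side whitelist check described in the two posts above, in Python; it is not code from this thread or from any of the server projects named in it. It assumes a palette of printable ASCII (0x20 to 0x7E), a fixed-width 64-byte chat string padded with spaces, and that an ampersand is only legitimate as a colour-code prefix followed by a hex digit; the names ChatGate, find_illegal and sanitize and the per-sender strike counter are mine, not any project's API.

```python
# Added example (not from the thread or any named server): relay chat only
# when every byte is inside an approved palette. Assumptions are marked.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STRING_LEN = 64                              # assumed fixed-width string field
ALLOWED = frozenset(range(0x20, 0x7F))       # assumed palette: printable ASCII
COLOUR_CODES = frozenset(b"0123456789abcdefABCDEF")


def decode_field(raw: bytes) -> bytes:
    """Drop the trailing space padding of a fixed-width string field."""
    return raw[:STRING_LEN].rstrip(b" ")


def find_illegal(msg: bytes) -> List[Tuple[int, int]]:
    """Return (offset, byte) for each byte outside the palette, and for any
    '&' that is not followed by a colour-code digit (assumed rule)."""
    bad = []
    for i, b in enumerate(msg):
        if b not in ALLOWED:
            bad.append((i, b))
        elif b == 0x26 and (i + 1 >= len(msg) or msg[i + 1] not in COLOUR_CODES):
            bad.append((i, b))
    return bad


def sanitize(msg: bytes) -> bytes:
    """Strip mode: keep only palette bytes and drop dangling ampersands."""
    bad_offsets = {i for i, _ in find_illegal(msg)}
    return bytes(b for i, b in enumerate(msg) if i not in bad_offsets).strip()


@dataclass
class ChatGate:
    """Gate that sits between 'message received' and 'message relayed'."""
    strip: bool = False                  # False: drop bad messages; True: relay cleaned copy
    strikes: Dict[str, int] = field(default_factory=dict)

    def relay(self, sender: str, raw: bytes) -> Optional[bytes]:
        """Return the bytes to relay to every client, or None to drop."""
        msg = decode_field(raw)
        bad = find_illegal(msg)
        if not bad:
            return msg
        # Count a strike per sender so an operator can act on repeat offenders.
        self.strikes[sender] = self.strikes.get(sender, 0) + 1
        # Log offsets and byte values, not the raw message, so the log itself
        # never carries the offending bytes onward.
        print(f"chat from {sender}: {len(bad)} illegal byte(s): "
              f"{[(i, hex(b)) for i, b in bad]}")
        if not self.strip:
            return None
        cleaned = sanitize(msg)
        return cleaned or None


if __name__ == "__main__":
    # Constructed sample packets, padded the way a fixed-width field would be.
    gate = ChatGate()
    for sender, text in [("alice", b"hello world"), ("mallet", b"hi \xff\x01there"),
                         ("alice", b"&crimson"), ("mallet", b"tail &")]:
        print(sender, "->", gate.relay(sender, text.ljust(STRING_LEN, b" ")))
    print("strikes:", gate.strikes)
```

Drop mode (the default) is the safer choice: a message that needed cleaning is evidence of a client that does not type through the normal keyboard path, and relaying a repaired copy gives that client feedback about exactly which bytes survive.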
For myne and all myne variants (most likely) I can give you an update that will protect against this.
If you release a fix I'd be happy to test it.
Sorry if you misread it, I use a pretty heavily customized version of myne, and to just give the files would make it that much harder on the people. I'm offering to manually update their servers.
Anyone using MCSharp and reading this don't worry, we've had the chat filtered for ages so we don't expect this to be a problem.
We fixed it ages ago due to IRC chat, though it was accidental back then when it was fixed.
Very impressive. Before I even got to try the exploit.
Invulnerable
MC# is confirmed immune.
fCraft is immune for the same reason.
As was D3
MinerCPP seems immune, further testing may be required.
Vulnerable
HyveBuild is confirmed vulnerable. Although good job on ampersand sanitizing there Hyve.
myCraft confirmed vulnerable.
Vanilla +/- any server scripts are vulnerable.
WoM is vulnerable.
I already replied to this a few hours ago but someone must have deleted my post or some ****. But once again, back when Unison was going around under the name Herrode and hacking/crashing servers, spamming unicode characters was one of the methods he used.
The script my server runs is protected against illegal characters (anyone who uses one gets IP-banned instantly), and it's not hard for anyone else who is making a script or a server to add protection for it. But we shouldn't have to protect ourselves from something like that. It's ridiculous that illegal characters crash clients and Notch should have fixed this long ago.
Also, - some - unicode characters work. Only the characters 0001-0255 work, and even some of those are illegal.
Want to hook me up with a URL for testing?
Edit - His script works on [redacted], not sure about Unicode. If their whitelist claim is true it works.
I first noticed this while programming my custom server. I'm surprised it's gotten past Notch, especially for this long, seems extremely simple to fix.
The best solution would be a fix in the client, not the server, obviously.
Sadly this is the only way to get most developers to fix problems. Most of the serious exploits in the various Windows operating systems were known by Microsoft, but they never bothered to fix them. They only finally fixed them after security outfits published the exploit details.
In fact, there's one serious flaw that has been/is in every single Microsoft OS since the very first Windows and Microsoft still hasn't fixed it.
Also, dammit Notch, I thought you bloomin' fixed this by getting the server to ignore Unicode or something.
I've e-mailed Notch.
Also, I've made sure there's nothing in this post that wasn't already common knowledge.
And apparently no, he didn't...
Yep.
Anyone else want me to check?
What's the script?
(Sorry about the double post)