The script my server runs is protected against illegal characters (anyone who uses one gets ipbanned instantly), and it's not hard for anyone else who is making a script or a server to add protection for it.
What's the script?
(Sorry about the double post)
It's not a public script that you've heard of, if that is what you were hoping. It was written by Lep, and my server is the only one running it currently.
I'll write a public version of the same thing tomorrow. Tonight I need to study.
I already replied to this a few hours ago but someone must have deleted my post or some ****. But once again, back when Unison was going around under the name Herrode and hacking/crashing servers, spamming unicode characters was one of the methods he used.
The script my server runs is protected against illegal characters (anyone who uses one gets ipbanned instantly), and it's not hard for anyone else who is making a script or a server to add protection for it. But we shouldn't have to protect ourselves from something like that. It's ridiculous that illegal characters crash clients and Notch should have fixed this long ago.
Also, - some - unicode characters work. Only the characters 0001-0255 work, and even some of those are illegal.
Want to hook me up with a URL for testing?
Edit - His script works on [redacted], not sure about unicode. If their whitelist claim is true it works.
Anyone using MCSharp and reading this don't worry, we've had the chat filtered for ages so we don't expect this to be a problem.
We fixed it ages ago due to IRC chat, though it was accidental back then when it was fixed.
Very impressive. Before I even got to try the exploit.
Invulnerable
MC# is confirmed immune.
fCraft is immune for the same reason.
As was D3
MinerCPP seems immune, further testing may be required.
Vulnerable
HyveBuild is confirmed vulnerable. Although good job on ampersand sanitizing there Hyve.
myCraft confirmed vulnerable.
Vanilla +/- any server scripts are vulnerable.
WoM is vulnerable.
Just to confirm, would having the server not pass on unicode characters solve the problem? Or does this exploit somehow magically bypass this?
Not my intended fix, but another easy fix is just having the server check if all of the input is in Minecraft's approved palette, which is alphanumeric with a limited number of symbols. Tapping on a keyboard in the client will get you all the allowed symbols, and checking that the message contains only those before relaying it to the clients would indeed fix this issue.
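The palette check described above, written out as an added example; this is not code from the thread, from the poster's script, or from any of the servers listed in it. It assumes the approved palette is printable ASCII (0x20-0x7E, what a keyboard produces in the client), that colour codes take the form `&` plus one hex digit so a dangling `&` is rejected, and a 64-character limit; the function names and the sample messages are constructed for the example. It shows both a strict reject mode (the thread's servers ban on the first hit) and a lenient strip mode.

```python
import re

# Assumed palette: printable ASCII only. Control characters (0x00-0x1F, 0x7F)
# and anything above 0x7E are treated as illegal and are never relayed.
ALLOWED_CHARS = frozenset(chr(c) for c in range(0x20, 0x7F))

# Assumed colour-code syntax: '&' followed by one hex digit. An '&' with no
# code after it is rejected rather than forwarded to the other clients.
_DANGLING_AMPERSAND = re.compile(r"&(?![0-9a-fA-F])")

MAX_CHAT_LEN = 64  # constructed limit for this example


def check_chat_message(msg, max_len=MAX_CHAT_LEN):
    """Strict mode: return (ok, reason); reason is '' when the line may be relayed."""
    if not msg:
        return False, "empty message"
    if len(msg) > max_len:
        return False, "message longer than %d characters" % max_len
    for i, ch in enumerate(msg):
        if ch not in ALLOWED_CHARS:
            # Report the code point so the server log shows what was attempted.
            return False, "illegal character U+%04X at index %d" % (ord(ch), i)
    if _DANGLING_AMPERSAND.search(msg):
        return False, "dangling '&' colour code"
    return True, ""


def sanitize_chat_message(msg, max_len=MAX_CHAT_LEN):
    """Lenient mode: drop illegal characters instead of rejecting the whole line."""
    cleaned = "".join(ch for ch in msg if ch in ALLOWED_CHARS)
    cleaned = _DANGLING_AMPERSAND.sub("", cleaned)
    return cleaned[:max_len]


def relay_chat(sender, msg, clients, log):
    """Gate one inbound chat line before it reaches other clients.

    Returns the list of clients that receive the line; an empty list means
    it was dropped. The reason is logged so an operator can spot offenders.
    """
    ok, reason = check_chat_message(msg)
    if not ok:
        log.append("REJECT %s: %s" % (sender, reason))
        return []
    log.append("RELAY %s: %s" % (sender, msg))
    return list(clients)


def run_demo():
    """Feed constructed inbound lines through the gate; returns (accepted, log)."""
    clients = ["alice", "bob", "carol"]
    inbound = [                                  # constructed sample traffic
        ("alice", "hello everyone"),             # plain text, relayed
        ("bob", "&chello &fworld"),              # valid colour codes, relayed
        ("mallory", "look \u0001 at this"),      # control character, dropped
        ("mallory", "snow \u2603 man"),          # outside the palette, dropped
        ("carol", "broken&"),                    # dangling colour code, dropped
        ("dave", "x" * 70),                      # oversize, dropped
    ]
    log = []
    accepted = [m for s, m in inbound if relay_chat(s, m, clients, log)]
    return accepted, log


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

Strict mode is the safer default for a relay: a message that fails the check is not forwarded at all, so other clients never see the offending bytes, and the log line gives the operator enough to decide on a ban without reproducing the payload.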
Edit2 - If you run a custom server, this is very very easy to protect against. E-mail me and I'll let you know how.
Wait a minute. You take some of your time to make a video about this and a post on this forum, so everybody pays you some attention - but you got no time to post the 'easy way' to 'protect' a server against this 'exploit'?
Woot
Yeah, that comes off as a sane, well-thought out response.
If I published the way to fix the exploit, I'd be publishing the exploit by extension. Also, I've accepted that this is the only way to get things done in Minecraft.
For example, in June, I told Notch about a bug that breaks the server on Linux and requires box restarts every server restart. He acknowledged the issue, and on every subsequent inquiry, pointed to the new netcode as a solution. Did that netcode ever even get implemented? It's been almost a year. This bug is far more pressing.
One could write a script to join every server on the server list and disconnect every client on join. Then, all public servers would be rendered unplayable over night. This needs attention.
While that's a neat idea, please try to limit how fast you send heartbeats, so at a minimum of every 80 seconds, even if multiple players join within that 80s. Until fList completes its migration to a new server it's running on a shared host and is getting pounded by heartbeats (2002216 heartbeats currently).
We're averaging a beat every 100+ seconds and the only time it sends multiple beats quickly is when the server restarts, which is infrequent.
This exploit can be done to any server, whether or not you have SSH access, OP, etc. I did this on my own server to limit collateral damage, but it will always work.
It crashes every client on the server. It's very trivial to automate this exploit so that any time a client joins it is crashed, leaving the exploiter free to do what he wants outside the realm of OPs, etc. within that time.
This YouTube video I made provides a small taste of this. I'm also not sure if it's already been discovered, but a cursory search turns up nothing.
The YouTube video is here:
The logs of an affected server look like this: (everybody on the server will reconnect in short time, as they stay connected even while the client is crashed and don't reconnect until they restart their browser). Please note that one line has been excluded for obvious reasons, as well as IPs to protect the innocent.
If this is in the wrong place a mod can move it.
I will take the liberty of e-mailing a copy of this forum post to Notch.
Edit - This was on a vanilla server, it works on any server. The glitch is not what's new, the method of delivery is.
Edit2 - If you run a custom server, this is very very easy to protect against. E-mail me and I'll let you know how.
The flist bot takes resources, and this allows the server to decide when to update stuff, instead of once in a while.
Also good job, I've been meaning to do this for a while, but kept putting it off.
Also the except blocks are cryzed's, but the login regexp is taken from Adura's script, and the stdin plugin is mine.
Cool. Also, I used the conventional beat methods outlined in the fList FAQ, however on my reddit script I'm trying a new method. Rather than beat every 60-100 seconds I'm beating every 130 seconds, but also when a user connects or disconnects. My average time between beats in the last 12 hrs has been between 80 and 100 seconds, but this way fList updates in real time. If this trend sticks, I'll upgrade this to do that also.
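The beat policy described in the post above, combined with the 80-second floor fList asked for earlier in the thread, as an added example. This is not the poster's script or any part of fList: the class, method names and the simulated join times are constructed for the example. It beats every 130 seconds, beats early on a connect or disconnect, and coalesces a burst of joins into a single beat so the gap between any two beats never drops below the floor.

```python
class HeartbeatScheduler:
    """Decide when to send a heartbeat to the server list.

    Two rules: a periodic beat once max_interval seconds have passed
    (130 s here), and an early beat on a player event, but never sooner
    than min_interval seconds (80 s, the floor the list asked for) after the
    previous beat. Events that land inside the floor collapse into one
    pending beat, so a burst of joins costs a single request.
    """

    def __init__(self, now, min_interval=80.0, max_interval=130.0):
        if min_interval > max_interval:
            raise ValueError("min_interval must not exceed max_interval")
        self.min_interval = float(min_interval)
        self.max_interval = float(max_interval)
        self.last_beat = now - self.max_interval  # first tick beats immediately
        self.pending = False
        self.beats = []  # times at which a beat was sent

    def on_player_event(self, now):
        """A player connected or disconnected; beat now if the floor allows."""
        self.pending = True
        return self.tick(now)

    def tick(self, now):
        """Call from the server loop; True means send a heartbeat right now."""
        elapsed = now - self.last_beat
        periodic_due = elapsed >= self.max_interval
        event_due = self.pending and elapsed >= self.min_interval
        if periodic_due or event_due:
            self.last_beat = now
            self.pending = False
            self.beats.append(now)
            return True
        return False


def simulate(event_times, duration, step=1.0):
    """Run the scheduler over constructed join/leave times; returns beat times."""
    sched = HeartbeatScheduler(now=0.0)
    queue = sorted(event_times)
    t = 0.0
    while t <= duration:
        while queue and queue[0] <= t:
            sched.on_player_event(queue.pop(0))
        sched.tick(t)
        t += step
    return sched.beats


def min_gap(beats):
    """Smallest spacing between consecutive beats, or None if fewer than two."""
    if len(beats) < 2:
        return None
    return min(b - a for a, b in zip(beats, beats[1:]))


if __name__ == "__main__":
    # Constructed scenario: one join at 10 s, a burst of three joins at 81-83 s,
    # then a quiet stretch. Expect beats at 0, 80, 160 and 290 seconds.
    beats = simulate([10, 81, 82, 83], duration=300)
    print("beats at", beats, "min gap", min_gap(beats))
```

The floor is enforced in one place (`tick`), so it holds no matter how many player events arrive; the averages the posters quote (80-100 seconds between beats) fall out of the mix of periodic and event-driven beats rather than from any extra timer.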
This is a script to beat complete information to fragmer's fList for non-custom servers. It's low-overhead, and doesn't perform any additional functions. If you want a more advanced server/script, there are plenty to choose from.
The stdin, loginregexp, and except (KeyboardInterrupt) blocks are mail2345's (or whoever wrote them) from the premium only script on MCForums. Thanks mail!
How-To:
Windows:
Download here: http://nerd.nu/fList.zip
Drag all your Minecraft server files into the fList directory. Then, just run fList.exe. If you need help, post to minecraftforums.net
Linux / Mac:
Run the source as a Python script in your Minecraft server directory.
Make sure Java is in your path, or this won't work. All relevant info will be read from server.properties.
Anyone else want me to check?
If you release a fix I'd be happy to test it.
Yep.
I've e-mailed Notch.
Also, I've made sure there's nothing in this post that wasn't already common knowledge.
And apparently no, he didn't...
Source is http://pastebin.ca/1866410 here. Released under GPL.
All data will be logged to minecraft.log.
-AlLnAtuRalX