Discussion in 'Bukkit Discussion' started by matthew99144, Apr 30, 2012.

Thread Status:
Not open for further replies.
  1. Offline


    One of my players on my server, who I know well, wanted me to try this "force op" hack he's got.
    Here's what he did:

    1) Get me to join his server
    2) I login to the server and get kicked with "end of stream"
    3) Player on my server then OP's himself

    I'm using the recommended Bukkit build and am a bit worried. Is this a known exploit? In order for it to "work", an op on the target server must log in to a server owned by the "hacker".
    He has full op as well and could do whatever he wanted to, and by the way, I'm NOT using NoCheat+!

    I also found a similar issue for Bukkit 1.2.5:


    I heard this "hack" is called a "session stealer". I found this on hackforums, for those of you registered:


    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: May 25, 2016
  2. Offline


    Old news.
  3. Offline


    Yeah.. don't do that.
  4. Offline


    This is impossible to do. EvilSeph has noted that there is NO possible way to gain OP, unless you are running an offline server. Don't worry about it.
  5. Offline


  6. Offline


    Please explain how it can be done then. And perhaps you should let EvilSeph know as well.
  7. Offline


    It is a kind of "man in the middle" attack, and Evenprime wrote about it back in the beginning of April. In a nutshell, the remote server creates a tunnel back to your server, where you've got Op rights. When you log in to the remote server, you are providing credentials for your own server (via the tunnel). Then the 'man in the middle' takes over the (now authenticated) session. Et voilà.
    Deleted user likes this.
  8. Offline


    I see how this could happen, but you would still have to be a complete dumb dumb to allow this type of tunnel to be created, wouldn't you?
  9. Offline


    Well, OP was lured into a trap, and these attacks are quite uncommon/unknown, so it is understandable that he didn't know what could happen.
  10. Offline


    Whisk You won't notice anything different when you log in to the 'rogue' server. So it really just depends upon the plausibility of the person that convinced you to log in.
  11. Offline


    Actually you can't even connect to it, it'll usually give an end of stream error since it's not a real server.
  12. Offline


    But it's not hard to modify it to work with vanilla or Bukkit.

    Anyways, this is OLD news for those of us with HF accounts.
    Darky1126 likes this.
  13. Offline


    wow, I remember someone asking to test if his server worked, I said it works, but whitelisted

    now I was wondering how a player got OP, well I think I remember it was this player :)

    never gonna try servers on command anymore, god I'm happy he didn't screw up the server
  14. Offline


    I am a good boy, so I don't have a HF account.
  15. Offline


    I'm one of those crazy people who change 90% of their passwords every week.. And I don't play SMP except my own server. I'm safe. :)
  16. Offline


    This is called Session Stealing. I'll put a video up on youtube in just a minute, for you. ((Give me 30 minutes.))
    There are PLENTY of good people on HF. Thanks. :)

    ((EDIT)): There's the video for ya. Yeeeep. I was usin' Nodus for that.
  17. Offline


    Solution: have two accounts - use one to login to "unfamiliar" servers.
    Deleted user likes this.
  18. Offline


    Yeah, just disable the /op command from players using it

    and also don't allow the use of permission commands from ingame (ie /pex for PermissionsEx) and you shouldn't have a problem

    just saying
  19. Offline


    JOPHESTUS, Tom Swift and Cirno like this.
  20. Offline


    Yes, I AM a wizard. :p
  21. Offline


    I got banned from MCF for DDoSing someone's server. I'm quite horrible, or at least I used to be, since I got bored of that crap (and citricsquid was nice enough to remove the ban after three months).
  22. Offline


    I got nailed with one of these 'session stealers' recently. Some guy asked me to help him with his server by seeing if I could connect to it. Once I'd connected, my account connected back to my server, gave him GM and op, and left, all in the time it took me to hit 'cancel' on the failed login screen and get back onto my server. We caught this quick and undid all of it, but I won't be offering any help for other people's servers because of that. Pretty sad that people have sunk this low.

    TLDR - Session stealers are a real thing, and unless the server is a real known server, probably best to avoid it. It really sucks for those operating small servers without domain names, since you can't trust them anymore.
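
Added example, not part of the thread: the relayed login described in the posts above reaches the victim's server through the other party's tunnel rather than from the operator's own address, so one defensive check is to flag privileged commands issued shortly after an op logs in from an unfamiliar IP. The log format, account names and addresses below are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines; the console format is an assumption, so adjust
# the regexes to match your server's actual log.
SAMPLE_LOG = """\
2012-04-30 17:40:02 [INFO] admin_op [/198.51.100.20:50112] logged in with entity id 101
2012-04-30 17:41:10 [INFO] admin_op issued server command: /op helper
2012-04-30 17:55:00 [INFO] admin_op lost connection: disconnect.quitting
2012-04-30 18:02:11 [INFO] admin_op [/203.0.113.7:41877] logged in with entity id 144
2012-04-30 18:02:12 [INFO] admin_op issued server command: /op guest42
2012-04-30 18:02:12 [INFO] admin_op issued server command: /gamemode guest42 1
2012-04-30 18:02:13 [INFO] admin_op lost connection: disconnect.quitting
2012-04-30 18:05:40 [INFO] builder [/203.0.113.99:40001] logged in with entity id 150
2012-04-30 18:05:45 [INFO] builder issued server command: /home
"""

LOGIN = re.compile(r"^(\S+ \S+) \[INFO\] (\w+) \[/([\d.]+):\d+\] logged in")
COMMAND = re.compile(r"^(\S+ \S+) \[INFO\] (\w+) issued server command: (/\S+)(.*)$")
# /op and /pex are named in the thread; /deop and /gamemode are assumed extras.
PRIVILEGED = {"/op", "/deop", "/gamemode", "/pex"}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

def find_suspect_commands(log_text, known_ips, window_seconds=60):
    """Return (name, ip, command, seconds_after_login) for privileged commands
    issued soon after an op logs in from an IP outside that op's baseline.
    known_ips maps each op name to the set of addresses it normally uses."""
    alerts, pending = [], {}
    for line in log_text.splitlines():
        login = LOGIN.match(line)
        if login:
            ts, name, ip = login.groups()
            if name in known_ips and ip not in known_ips[name]:
                pending[name] = (datetime.strptime(ts, TS_FORMAT), ip)
            else:
                pending.pop(name, None)  # familiar IP or non-op: stop tracking
            continue
        cmd = COMMAND.match(line)
        if cmd and cmd.group(2) in pending and cmd.group(3) in PRIVILEGED:
            ts, name, verb, rest = cmd.groups()
            since, ip = pending[name]
            delay = (datetime.strptime(ts, TS_FORMAT) - since).total_seconds()
            if 0 <= delay <= window_seconds:
                alerts.append((name, ip, verb + rest, int(delay)))
    return alerts

if __name__ == "__main__":
    baseline = {"admin_op": {"198.51.100.20"}}  # constructed op -> usual IPs
    for alert in find_suspect_commands(SAMPLE_LOG, baseline):
        print("ALERT op=%s ip=%s cmd=%r %ds after login" % alert)
```

Ops on dynamic addresses will trigger false positives, so treat a hit as a prompt to review the session rather than as proof.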
  23. Offline


    If you want to avoid the session stealers:
    1) Have a second account that isn't OP
    2) Change your client to not accept servers with the 0 id
    3) Ban yourself on your server until you relog
  24. Offline


    Or 4) Wait for 1.3
    Early 1.3 snapshot fixed this issue.