[Security Bulletin] Do not test/run op gain exploit programs!

Discussion in 'Community News and Announcements' started by EvilSeph, Mar 15, 2012.

Thread Status:
Not open for further replies.
  1. Offline

    EvilSeph Retired Staff

    There is no way for anyone to illegitimately gain op on your server unless you are running your server in offline mode. Any program in existence that claims otherwise is trying to lure you into running it (in an effort to see if your server is at risk) to steal your information.

    You'll notice that in every video you either have to have the program running before you login or need to login, run the program and restart Minecraft. This is because these programs are designed to take the IP you enter into the ForceOP hack for testing, your username and password and send it to the creator. Even if this is not the case, it is fairly simple to put together a fake, convincing video by simply modifying the client to respond to "/op" and print local messages to make it seem like the user has gotten op.

    Regardless, any programs offered for download accompanying these videos or public reports of op force hacking or the like are usually sending the creator an email that says something like:
    "New server to grief: <IP you entered - usually your server, since you want to be sure your server is safe>
    Username: <you username>
    Password: <your password>"

    Every single time someone reports this issue, it turns out to be the same thing. A malicious program designed to fool server admins into thinking their server is at risk, running to try it out and make sure they aren't. Then later finding their server has been attacked by someone with op because they know your username and password, and thus can op anyone they want on your server.

    Until someone brings a real exploit that allows you to gain op to my attention, we'll have to continue stopping the discussion of and advising against the discussion of this 'hack' to slow down it spreading. We take every exploit report we get seriously and investigate each and every one. To this day, we have been unable to find a legitimate exploit to gain op in any server and every reported exploit has turned out to be a malicious program that collects your information in an effort to exploit you and your server.

    If you're looking to report an exploit, we advise people to stop posting exploit discussions publicly and, instead, contact one of my Admins, myself or create a private ticket on http://leaky.bukkit.org.
     
  2. Offline

    mindless728

    I have found that my player base will make fun of them for me when they ask for OP and get denied. My favorite is someone who asked for OP so i tp'ed him 100,000 blocks above spawn
     
  3. Offline

    Delocaz

    I just use MinecartRevolution and the fly block to make a machine that sends a minecart "flying" around 2 billion (more like 2.147 billion, 32-bit signed rollover) blocks in the air, so high that it glitches and the cart gets stuck up there and i label it as "HeavenPorter" :)

    When i want to do stuff like that i just tp them to the machine and then quickly fly over and press the button :D

    Got that one once :) Even took a screeny.
    http://i.imgur.com/49Y5I.png

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 24, 2016
  4. Offline

    mindless728

    I don't mind manually tping them out there as most of them have no idea what happened, all they know is they are in the middle of no where

    lol, nice. I don't have visible ranks on my server so no one knows what rank people are. Doesn't stop people from asking, just makes it funnier when i lead them on looking like a player
     
  5. Offline

    Evenprime

    Add this warning:

    Do not login to any MC servers that you don't fully trust, as it is currently possible for the owner of that server to steal your session and use it to log into another server. E.g. if you are admin on one server, and somone you don't know invites you onto their server (and you actually log into that server), they may be able to log into your server with your username without you noticing. This is possible without them knowing your password (and they don't need it anyway for that). And it works even if the server uses "online-mode=true".

    To be sure, add a second line of defense to "online-mode=true" by adding an additional auth-plugin.
     
  6. Offline

    Kainzo

    Wow... that's terrible
     
  7. It's because of the weird way minecraft.net handles authentication.
     
  8. Offline

    Orcem12

    It's really sad to hear about crooked developers wanted to just cause harm. Nothing sickens me more to be honest. Sure I don't display my source code, never have. However the player can contact me at any given time to receive a complete source evaluation. Thing is, I could just shop it. Make it look nice when the plugin is actually bad. We never will know who's telling the truth and who isn't. We can test and approve many plugins for flaws, tricks, hacks, etc but sadly they can move around this. Why not after the plugin is approved change it? Say "new updatez for mai motd plugin" then have the player/server owner innocently download this plugin. We are all on honor code and we need to do everything in our power to keep Bukkit safe. We have Auth plugins, anti -grief, etc. We'll always have these people, we can't stop it. But we can do our best to prevent it.
     
  9. Offline

    Boomer

    java decompiler + jar = source code
     
  10. That's what the BukkitDev team claims to do anyway.
     
  11. Offline

    a11111

    I've heard about this. Can they continue to use your account whenever they want, or just while you're signed on to their server?

    Also, can you expand on "add an additional auth-plugin"? (noob here)
     
  12. Offline

    TnT Retired Staff

    As far as I know, it only works for a short period of time after you log into their server. In order for this to work and be effective, someone has to know who you are and what server you run. So if someone jumps on your server asking you to join theirs, you *might* have a concern. However, I'd likely just ban that person for advertising on my server anyway. :p
     
  13. Offline

    Evenprime

    As TnT said, they can only use your account as long as they stay connected to the server. Once they get disconnected, they'd have to repeat the whole procedure.

    With "additional auth-plugin" I meant any of the plugins that force players to enter a password after connecting to your server before they are allowed to do anything e.g. the plugin "xAuth". In that case the attacker is still able to login to the server as someone else, but won't be able to do anything without knowing that persons xAuth-password.
     
  14. Offline

    Boomer

    Wowsers indeed - I never managed to alert my entire staff to the dangers of this or take the effort to set up a secondary system recently yet, but part of me figured 'wouldn't happen, my staff is too sceptical of new users, out-of-blue users, we dont have a big server, but we have a loyal, problem-free (really, 2 banned users in my lists for 3 months, out of 400+ visitors and 80 super-regulars who made it their home) server. Yet this evening, my second-in-command managed to do a nice thing and help one of our users who's been in and out for 3 months, and known to all of use for 2-3 beyond that, and see if he could 'instruct him how to use worldedit to do a particular task on his spawn properly, a walkthrough', because good guys from Sydney do that. He logged out, a second later logged in from Philadelphia, tried to op (sorry, no ops on my server) a player, failed, so promoted him to Mod, then logged out, logged in a second later from Sydney, reported that the server said it was full, was instructed to try again, logged out, came back a few seconds later (from Philly again, tried some gamemode commands - oh yeah, no, not given to the staff either sorry) then out again, logged in from Sydney reported no success logging in, okay one more time, sorry to be a bother to you... Log out, log in from philly, try every version of gamemode command on the one player again, no success, log out, log in from Sydney. Say he's giving up, user says publically "Thats okay thanks for trying" and server erupts in chaos "Why is X a mod???"

    C0uld have been much, much worse , fortunately response from my shocked staff was very prompt with tempbans until I investigated and watched the process unfold an hour beforehand, and the only real harm here was to my self-esteem feeling I had a tight ship, but I had dropped the ball. This guy being a longterm periodic member, not troublesome before, tells me that the methodology is probably becoming popularized somewhere and spreading in particular publicish circles, becuase it wasn't a 'professional idiot' that will turn 'plz plz see if you can login' into the replacement for 'im from planetminecraft, i needz ops'
     
  15. Offline

    iMint

    Um, i don't really get what happened...? xD
     
  16. Offline

    Boomer

    My second in command suffered from being taken in and having his identity stolen -- while he was trying to get in and/or was logged into the baited server, someone was able to login AS HIM and had access to his account, started issuing commands as fast as they could.
    Since my staff doesn't have access to /op command, are not ops, and do not have access to gamemode changing commands either, the flurry of times he tried to issue thos commands to modify a particular player status would alone have been attention getting, but the repeated logging out then logging in events that broke up the timeline into clusters of real comments/behaviors + odd behaviors exaggerated it.
    The fact that the server logs the IP of the players logging in, and showed that when my staffer was his normal usual self, he was logging in from an IP in Sydney, Australia and then logging out to go and look at/try getting into the guys server to help me; within seconds of logging out, his account would then log in again but it logged in from an IP in Philidelphia, USA - a geographically significant difference not explained by his ISP suddenly changing IPs on him, esp since while logged in from philidelphia the account tried to issue these non-successful (but otherwise likely normally found on Admin accounts worldwide) commands .

    AKA --- the guy managed to bait him to a personal server on his computer where he was able to pull off the identity-theft using the sessional authentication trick that Evenprime described, allowing the jerk to login to my server AS my staffer, and to the others playing on the server, they just thought my guy was having a bad time with his internet logging in and out repeatedly. But was really Real-Guy, Bad-guy, Real-guy, Bad-guy, Real-guy logging in in control of the account. While he puttered about and surveyed things around and whatnot on this guys server, the guy was able to walk around as him on mine.

    He just fortunately didn't get to do anything significant while wearing the staffer's identity other than promote his player account to mod status, which had he just remained silent and logged out would have gone unnoticed, as he had been private-messages to the real staffer during the whole on/off series but as soon as he spoke in chat with the newly applied modrank that he didn't have 2 mins earlier, he exposed the whole process immediately as something wrong, allowing my staff to secure things down for me to investigate.

    Had my staffer been an Op, that player would have now been an op and it would have required all of 3 seconds to do that and go totally unnoticed; had my staffer be able to add permissions manually to user accounts, the player could have held a low rank but hold "*" permission personally and be more powerful than my own account is configured :)

    Had he been successful with the first attempt to op when my staffer came back on saying he couldn't connect, the player could have simply responded 'okay, thanks for trying, dont worry about it" and the whole thing shaken off as not thought about at all. Thats all the time they need - enough time to act as soon as the account logs into their bait server to immediately login on your server, type /op someplayername then immediately logout.

    No need to brute-force an account password, no need to apply social engineering methods to persuade the staffer to execute the commands in poor judgement -- but social engineering applied to lure the staffer off to have his identity stolen for that precise moment in time ...

    Its real, and I bet full out that almost all of you are seeing an increase in players asking ranked players to 'just come take a quick look at my server/ see if you can login" -- Stuff you're always supersceptical of doing for strangers anyways, in my case, it was from a longstanding largely 'solid' nontroublesome member that was part of the entrenched community enough to make extending that 'sure, i could help you' event be something that is not uncommon to do.
     
  17. Offline

    jwnordquist

    i think there is a MUCH bigger issue than this... i must post this as it was only released about a week ago.


    i have tryed it on my own admins, and it dose infact work, using a alt account i had, i signed into the server, tricked a OP to get onto my bait server, and boom, i got op.

    it basically works as a MITM attack.
     
  18. Offline

    [qwerty]

    It just amazes me sometimes, what Minecraft used to be, and what it has become :(
     
  19. Offline

    Jacek

    Don't be sad. the good guys are winning !
     
    [qwerty] likes this.
  20. Offline

    Boomer

    It is all valuable life experience that can only benefit people later, even if most wont realize that until much later.
     
  21. Offline

    taatuu25

    true, i think some day all hack clients are obsolete because none of the hacks work
     
  22. That will be the day no one is playing Minecraft any longer. If a program exists, it can be hacked.
     
  23. Offline

    taatuu25

    i mean, you never can get rid of hackers, but at some point nobody can just install a grief client and fly around with it.
     
  24. Skiddies are unfortunately not going anywhere either.
     
  25. Offline

    [qwerty]

    Yeah well with the new Minecraft API coming out, hackers wouldn't be able to do much because the server calls all the shots :)
     
  26. Not even close. It just means that mods won't be 100% hacks now.
     
  27. Offline

    [qwerty]

    True, but it will be harder to mod/hack or what ever you want to call it is all I'm saying.
     
  28. You are clearly overestimating Mojang. Until the client becomes a dumb renderer, the server will contain vulnerabilities.
     
  29. Offline

    Jess_FB

    Just about everything is "Hack" or 'editable' in some way, that's how we get mods. But its how people today are using them. I mean luring people to steal their info, and then use it against them? I don't see how you get joy or don't feel bad about that, the bad area of the minecraft community really IS bad.
     
  30. It's not just Minecraft. Phishing (that's the real name for it) exists everywhere. It's like domain names like faceboook.com being registered that pretend to be Facebook so you accidentally log in to it and they have your account. It happens a lot actually.
     
  31. Offline

    Jess_FB

    I know, and its sorta sad that people even attempt these things, it reminds me of people being rick-rolled on youtube. Looking for a video by tehnipp1n and see a video similar by tehnippin and get tricked. I dont see why people enjoy doing these things
     
Thread Status:
Not open for further replies.

Share This Page