Attention to all server owners using 3d armor

micheal65536
Member
 
Posts: 47
Joined: Mon May 22, 2017 20:27

Attention to all server owners using 3d armor

by micheal65536 » Sun Feb 11, 2018 12:59

It has come to my attention that there is an item duplication vulnerability in this mod. I consider this a serious vulnerability as this mod is used on a large number of servers, and I urge server owners to update immediately. I have submitted a pull request to the original developers but in the meantime you can get the fixed version from my fork. The pull request has now been merged into the main repository and is included in the latest release of the mod.

More details regarding the vulnerability can be requested via private message. Details regarding the vulnerability cannot be supplied via private message as my account is too new to use the private message feature.
Last edited by micheal65536 on Sun Feb 11, 2018 18:52, edited 1 time in total.
 

Linuxdirk
Member
 
Posts: 1551
Joined: Wed Sep 17, 2014 11:21
Location: Germany
In-game: Linuxdirk

Re: Attention to all server owners using 3d armor

by Linuxdirk » Sun Feb 11, 2018 15:53

micheal65536 wrote:More details regarding the vulnerability can be requested via private message.

Or in the commit named “Fix item duplication vulnerability” :)

https://github.com/micheal65536/minetes ... 5f0f3327f7
 

micheal65536
Member
 
Posts: 47
Joined: Mon May 22, 2017 20:27

Re: Attention to all server owners using 3d armor

by micheal65536 » Sun Feb 11, 2018 15:57

Linuxdirk wrote:
micheal65536 wrote:More details regarding the vulnerability can be requested via private message.

Or in the commit named “Fix item duplication vulnerability” :)

https://github.com/micheal65536/minetes ... 5f0f3327f7

Via PM I will explain the details of exactly how the vulnerability worked. I feel that from the code it will still take some effort to figure out the vulnerability, as I had read through this code many times and even used similar code in my own mods before I discovered this.
 

micheal65536
Member
 
Posts: 47
Joined: Mon May 22, 2017 20:27

Re: Attention to all server owners using 3d armor

by micheal65536 » Sun Feb 11, 2018 18:49

The pull request has now been merged into the main repository and version 0.4.11 has been released including the fix. I strongly advise that server owners update to this release immediately. I will be releasing the full explanation of the vulnerability in a few weeks' time, to give server owners a chance to update while allowing future developers to learn to avoid similar vulnerabilities in the future.
 

Enrikoo
Member
 
Posts: 379
Joined: Thu Nov 16, 2017 18:18
Location: Germany
GitHub: Enrikoo
IRC: Enrico - Enricoo - Enrlco
In-game: Enrico - Enriko

Re: Attention to all server owners using 3d armor

by Enrikoo » Sun Feb 11, 2018 18:56

If the server host thinks he found the older 3d_armor armor better than the new one, he should not update it immediately. But you can always have the new one. Where is the problem? I do not understand why such people are thinking why all servers have stupid 3d_armor mods.

The new version of this mod:
If you wear iron or bronze armor, you do not run fast and do not jump higher.

Just leave the servers and do not offer them to update 3d_armor if it finds it better than the older versions of this mod.

If it's not very cool for you to use this mod, try creating your own armor mod (if you know about Lua).
 

micheal65536
Member
 
Posts: 47
Joined: Mon May 22, 2017 20:27

Re: Attention to all server owners using 3d armor

by micheal65536 » Sun Feb 11, 2018 22:27

Enrikoo wrote:If the server host thinks he found the older 3d_armor armor better than the new one, he should not update it immediately. But you can always have the new one. Where is the problem? I do not understand why such people are thinking why all servers have stupid 3d_armor mods.

The new version of this mod:
If you wear iron or bronze armor, you do not run fast and do not jump higher.

Just leave the servers and do not offer them to update 3d_armor if it finds it better than the older versions of this mod.

If it's not very cool for you to use this mod, try creating your own armor mod (if you know about Lua).

I don't know if you're just ranting about the 3d_armor mod in general or what your problem is but a lot of servers use it (whether you agree with it or not) and they should absolutely update unless they want their server to be vulnerable. There are no functional changes between the previous version and this one, only bugfixes.

If a server owner is insistent on continuing to use an even older version then I highly suggest that they examine the relevant commit and apply it over whatever version they're using unless they want players to be able to obtain unlimited items fairly easily (I have evidence to suggest that this vulnerability is being exploited "in the wild" on at least one server). This should be considered on the same level as the creative vulnerability from July 2017 (and possibly also the locked chest vulnerability from September 2017) due to the popularity of this mod.
 


micheal65536
Member
 
Posts: 47
Joined: Mon May 22, 2017 20:27

Re: Attention to all server owners using 3d armor

by micheal65536 » Mon Feb 19, 2018 07:35

Bump. Please be advised that a full explanation of the vulnerability will be released on the 12th of March, so to keep your server secure you should update before then (if you haven't already). The latest version can be obtained from the official repository.
 

micheal65536
Member
 
Posts: 47
Joined: Mon May 22, 2017 20:27

Re: Attention to all server owners using 3d armor

by micheal65536 » Fri Mar 02, 2018 09:44

Bump. I've noticed that a significant number of popular servers have still not updated.
 

rubenwardy
Moderator
 
Posts: 5422
Joined: Tue Jun 12, 2012 18:11
Location: United Kingdom
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy

Re: Attention to all server owners using 3d armor

by rubenwardy » Sat Mar 03, 2018 00:30

Please note that the forum rules state that any exploits or cheats are not permitted, so please do not post any working exploits.
Technical information on the issue is fine however.

Violations of the rules may result in the removal of posts or bans being issued.
 

Linuxdirk
Member
 
Posts: 1551
Joined: Wed Sep 17, 2014 11:21
Location: Germany
In-game: Linuxdirk

Re: Attention to all server owners using 3d armor

by Linuxdirk » Sat Mar 03, 2018 00:43

rubenwardy wrote:Please note that the forum rules state […]

Where exactly? They’re just about hacking tools and the like.

Full disclosure after providing a fix and keeping the exploit undisclosed for a month after providing the fix and constant warnings is in no way a “hacking tool” or anything that falls into that category.

Since the fix was merged into upstream, an official source of a fixed version is available. If server owners do not update for a month it is entirely their fault.
 

micheal65536
Member
 
Posts: 47
Joined: Mon May 22, 2017 20:27

Re: Attention to all server owners using 3d armor

by micheal65536 » Sat Mar 03, 2018 09:45

rubenwardy wrote:Please note that the forum rules state that any exploits or cheats are not permitted, so please do not post any working exploits.
Technical information on the issue is fine however.

I do not intend to post a "how to" guide on how to exploit the vulnerability. However I feel that I should explain how the vulnerability works as it is an easy mistake for mod developers to make and it is important that people are aware of how it (and similar) vulnerabilities can creep in.

Linuxdirk wrote:Full disclosure after providing a fix and keeping the exploit undisclosed for a month after providing the fix and constant warnings is in no way a “hacking tool” or anything that falls into that category.

Since the fix was merged into upstream, an official source of a fixed version is available. If server owners do not update for a month it is entirely their fault.

Seconded.
 

