Attention to all server owners using 3d armor

micheal65536
Member
Posts: 167
Joined: Mon May 22, 2017 20:27

Attention to all server owners using 3d armor

by micheal65536 » Post

It has come to my attention that there is an item duplication vulnerability in this mod. I consider this a serious vulnerability as this mod is used on a large number of servers, and I urge server owners to update immediately. I have submitted a pull request to the original developers but in the meantime you can get the fixed version from my fork. The pull request has now been merged into the main repository and is included in the latest release of the mod.

More details regarding the vulnerability can be requested via private message. Details regarding the vulnerability cannot be supplied via private message as my account is too new to use the private message feature.
Last edited by micheal65536 on Sun Feb 11, 2018 18:52, edited 1 time in total.

Linuxdirk
Member
Posts: 3217
Joined: Wed Sep 17, 2014 11:21
In-game: Linuxdirk
Location: Germany

Re: Attention to all server owners using 3d armor

by Linuxdirk » Post

micheal65536 wrote: More details regarding the vulnerability can be requested via private message.
Or in the commit named “Fix item duplication vulnerability” :)

https://github.com/micheal65536/minetes ... 5f0f3327f7

micheal65536
Member
Posts: 167
Joined: Mon May 22, 2017 20:27

Re: Attention to all server owners using 3d armor

by micheal65536 » Post

Linuxdirk wrote:
micheal65536 wrote: More details regarding the vulnerability can be requested via private message.
Or in the commit named “Fix item duplication vulnerability” :)

https://github.com/micheal65536/minetes ... 5f0f3327f7
Via PM I will explain the details of exactly how the vulnerability worked. I feel that from the code it will still take some effort to figure out the vulnerability, as I had read through this code many times and even used similar code in my own mods before I discovered this.

micheal65536
Member
Posts: 167
Joined: Mon May 22, 2017 20:27

Re: Attention to all server owners using 3d armor

by micheal65536 » Post

The pull request has now been merged to the main repository and version 0.4.11 has been released including the fix. I strongly advise that server owners update to this release immediately. I will be releasing the full explanation of the vulnerability in a few weeks' time, to give server owners a chance to update while allowing future developers to learn to avoid similar vulnerabilities in the future.

Enrikoo
Member
Posts: 452
Joined: Thu Nov 16, 2017 18:18
GitHub: Enrikoo
IRC: Enrico - Enricoo - Enrlco
In-game: Enrico - Enriko
Location: Germany
Contact:

Re: Attention to all server owners using 3d armor

by Enrikoo » Post

If the server host thinks he found the older 3d_armor armor better than the new one, he should not update it immediately. But you can always have the new one. Where is the problem? I do not understand why such people are thinking why all servers have stupid 3d_armor mods.

The new version of this mod:
If you wear iron or bronze armor, you do not run fast and do not jump higher.

Just leave the servers and do not offer them to update 3d_armor if he finds it better than the older versions of this mod.

If it's not very cool for you to use this mod, try creating your own armor mod (if you know about Lua).

micheal65536
Member
Posts: 167
Joined: Mon May 22, 2017 20:27

Re: Attention to all server owners using 3d armor

by micheal65536 » Post

Enrikoo wrote: If the server host thinks he found the older 3d_armor armor better than the new one, he should not update it immediately. But you can always have the new one. Where is the problem? I do not understand why such people are thinking why all servers have stupid 3d_armor mods.

The new version of this mod:
If you wear iron or bronze armor, you do not run fast and do not jump higher.

Just leave the servers and do not offer them to update 3d_armor if he finds it better than the older versions of this mod.

If it's not very cool for you to use this mod, try creating your own armor mod (if you know about Lua).
I don't know if you're just ranting about the 3d_armor mod in general or what your problem is, but a lot of servers use it (whether you agree with it or not) and they should absolutely update unless they want their server to be vulnerable. There are no functional changes between the previous version and this one, only bugfixes.

If a server owner is insistent on continuing to use an even older version then I highly suggest that they examine the relevant commit and apply it over whatever version they're using unless they want players to be able to obtain unlimited items fairly easily (I have evidence to suggest that this vulnerability is being exploited "in the wild" on at least one server). This should be considered on the same level as the creative vulnerability from July 2017 (and possibly also the locked chest vulnerability from September 2017) due to the popularity of this mod.

Chem871
Member
Posts: 999
Joined: Sat Aug 19, 2017 21:49
GitHub: Chemguy99
In-game: Chem Nyx
Location: My Basement's Attic

Re: Attention to all server owners using 3d armor

by Chem871 » Post

I've literally never seen this bug before.

micheal65536
Member
Posts: 167
Joined: Mon May 22, 2017 20:27

Re: Attention to all server owners using 3d armor

by micheal65536 » Post

Bump. Please be advised that a full explanation of the vulnerability will be released on the 12th of March so to keep your server secure you should update before then (if you haven't already). The latest version can be obtained from the official repository.

micheal65536
Member
Posts: 167
Joined: Mon May 22, 2017 20:27

Re: Attention to all server owners using 3d armor

by micheal65536 » Post

Bump. I've noticed that a significant number of popular servers have still not updated.

rubenwardy
Moderator
Posts: 6972
Joined: Tue Jun 12, 2012 18:11
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy
Location: Bristol, United Kingdom

Re: Attention to all server owners using 3d armor

by rubenwardy » Post

Please note that the forum rules state that any exploits or cheats are not permitted, so please do not post any working exploits.
Technical information on the issue is fine however.

Violations of the rules may result in the removal of posts or bans being issued

Linuxdirk
Member
Posts: 3217
Joined: Wed Sep 17, 2014 11:21
In-game: Linuxdirk
Location: Germany

Re: Attention to all server owners using 3d armor

by Linuxdirk » Post

rubenwardy wrote: Please note that the forum rules state […]
Where exactly? They’re just about hacking tools and alike.

Full disclosure after providing a fix and keeping the exploit undisclosed for a month after providing the fix and constant warnings is in no way a “hacking tool” or anything that falls into that category.

Since the fix was merged into upstream an official source of a fixed version is available. If server owners do not update for a month it is entirely their fault.

micheal65536
Member
Posts: 167
Joined: Mon May 22, 2017 20:27

Re: Attention to all server owners using 3d armor

by micheal65536 » Post

rubenwardy wrote: Please note that the forum rules state that any exploits or cheats are not permitted, so please do not post any working exploits.
Technical information on the issue is fine however.
I do not intend to post a "how to" guide on how to exploit the vulnerability. However, I feel that I should explain how the vulnerability works, as it is an easy mistake for mod developers to make and it is important that people are aware of how it (and similar) vulnerabilities can creep in.
Linuxdirk wrote: Full disclosure after providing a fix and keeping the exploit undisclosed for a month after providing the fix and constant warnings is in no way a “hacking tool” or anything that falls into that category.

Since the fix was merged into upstream an official source of a fixed version is available. If server owners do not update for a month it is entirely their fault.
Seconded.
