Attention to all server owners using 3d armor
-
- Member
- Posts: 167
- Joined: Mon May 22, 2017 20:27
Attention to all server owners using 3d armor
It has come to my attention that there is an item duplication vulnerability in this mod. I consider this a serious vulnerability as this mod is used on a large number of servers, and I urge server owners to update immediately. I have submitted a pull request to the original developers but in the meantime you can get the fixed version from my fork. The pull request has now been merged into the main repository and is included in the latest release of the mod.
More details regarding the vulnerability can be requested via private message. Details regarding the vulnerability cannot be supplied via private message as my account is too new to use the private message feature.
Last edited by micheal65536 on Sun Feb 11, 2018 18:52, edited 1 time in total.
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: Attention to all server owners using 3d armor
micheal65536 wrote:
More details regarding the vulnerability can be requested via private message.

Or in the commit named “Fix item duplication vulnerability” :)
https://github.com/micheal65536/minetes ... 5f0f3327f7
-
- Member
- Posts: 167
- Joined: Mon May 22, 2017 20:27
Re: Attention to all server owners using 3d armor
Linuxdirk wrote:
micheal65536 wrote:
More details regarding the vulnerability can be requested via private message.
Or in the commit named “Fix item duplication vulnerability” :)
https://github.com/micheal65536/minetes ... 5f0f3327f7

Via PM I will explain the details of exactly how the vulnerability worked. I feel that from the code it will still take some effort to figure out the vulnerability, as I had read through this code many times and even used similar code in my own mods before I discovered this.
-
- Member
- Posts: 167
- Joined: Mon May 22, 2017 20:27
Re: Attention to all server owners using 3d armor
The pull request has now been merged to the main repository and version 0.4.11 has been released including the fix. I strongly advise that server owners update to this release immediately. I will be releasing the full explanation of the vulnerability in a few weeks' time, to give server owners a chance to update while allowing future developers to learn to avoid similar vulnerabilities in the future.
-
- Member
- Posts: 452
- Joined: Thu Nov 16, 2017 18:18
- GitHub: Enrikoo
- IRC: Enrico - Enricoo - Enrlco
- In-game: Enrico - Enriko
- Location: Germany
- Contact:
Re: Attention to all server owners using 3d armor
If the server host thinks he found the older 3d_armor armor better than the new one, he should not update it immediately. But you can always have the new one. Where is the problem? I do not understand why such people are thinking why all servers have stupid 3d_armor mods.
The new version of this mod:
If you wear iron or bronze armor, you do not run fast and do not jump higher.
Just leave the servers and do not offer them to update 3d_armor if it finds it better than the older versions of this mod.
If it's not very cool for you to use this mod, try creating your own armor mod (if you know about lua).
-
- Member
- Posts: 167
- Joined: Mon May 22, 2017 20:27
Re: Attention to all server owners using 3d armor
Enrikoo wrote:
If the server host thinks he found the older 3d_armor armor better than the new one, he should not update it immediately. But you can always have the new one. Where is the problem? I do not understand why such people are thinking why all servers have stupid 3d_armor mods.
The new version of this mod:
If you wear iron or bronze armor, you do not run fast and do not jump higher.
Just leave the servers and do not offer them to update 3d_armor if it finds it better than the older versions of this mod.
If it's not very cool for you to use this mod, try creating your own armor mod (if you know about lua).

I don't know if you're just ranting about the 3d_armor mod in general or what your problem is, but a lot of servers use it (whether you agree with it or not) and they should absolutely update unless they want their server to be vulnerable. There are no functional changes between the previous version and this one, only bugfixes.
If a server owner is insistent on continuing to use an even older version then I highly suggest that they examine the relevant commit and apply it over whatever version they're using unless they want players to be able to obtain unlimited items fairly easily (I have evidence to suggest that this vulnerability is being exploited "in the wild" on at least one server). This should be considered on the same level as the creative vulnerability from July 2017 (and possibly also the locked chest vulnerability from September 2017) due to the popularity of this mod.
-
- Member
- Posts: 999
- Joined: Sat Aug 19, 2017 21:49
- GitHub: Chemguy99
- In-game: Chem Nyx
- Location: My Basement's Attic
Re: Attention to all server owners using 3d armor
I've literally never seen this bug before.
What is SCP-055?
-
- Member
- Posts: 167
- Joined: Mon May 22, 2017 20:27
Re: Attention to all server owners using 3d armor
Bump. Please be advised that a full explanation of the vulnerability will be released on the 12th of March so to keep your server secure you should update before then (if you haven't already). The latest version can be obtained from the official repository.
-
- Member
- Posts: 167
- Joined: Mon May 22, 2017 20:27
Re: Attention to all server owners using 3d armor
Bump. I've noticed that a significant number of popular servers have still not updated.
- rubenwardy
- Moderator
- Posts: 6978
- Joined: Tue Jun 12, 2012 18:11
- GitHub: rubenwardy
- IRC: rubenwardy
- In-game: rubenwardy
- Location: Bristol, United Kingdom
- Contact:
Re: Attention to all server owners using 3d armor
Please note that the forum rules state that any exploits or cheats are not permitted, so please do not post any working exploits.
Technical information on the issue is fine however.
Violations of the rules may result in the removal of posts or bans being issued.
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: Attention to all server owners using 3d armor
rubenwardy wrote:
Please note that the forum rules state […]

Where exactly? They’re just about hacking tools and alike.
Full disclosure after providing a fix and keeping the exploit undisclosed for a month after providing the fix and constant warnings is in no way a “hacking tool” or anything that falls into that category.
Since the fix was merged into upstream an official source of a fixed version is available. If server owners do not update for a month it is entirely their fault.
-
- Member
- Posts: 167
- Joined: Mon May 22, 2017 20:27
Re: Attention to all server owners using 3d armor
rubenwardy wrote:
Please note that the forum rules state that any exploits or cheats are not permitted, so please do not post any working exploits.
Technical information on the issue is fine however.

I do not intend to post a "how to" guide on how to exploit the vulnerability. However, I feel that I should explain how the vulnerability works, as it is an easy mistake for mod developers to make and it is important that people are aware of how it (and similar) vulnerabilities can creep in.

Linuxdirk wrote:
Full disclosure after providing a fix and keeping the exploit undisclosed for a month after providing the fix and constant warnings is in no way a “hacking tool” or anything that falls into that category.
Since the fix was merged into upstream an official source of a fixed version is available. If server owners do not update for a month it is entirely their fault.

Seconded.