Faille chez Mojang.com

UPDATE: 8.41am BST: Mojang have pulled down the session server. This should stop the issue while a proper fix is being worked on!

Hi all. Over the past few days, numerous people have reported notch logging in to their servers. From the dialogue and IP, it was pretty obvious it wasn’t really notch.

Then today on the reddit servers, we had someone log in on the account of one of our head admins. The resulting griefing was quickly caught, the account password changed, and we waited to see if further attacks would follow. After a short period, the same account was used again. The admin, forty_two, confirmed that he hasn’t logged into any unknown servers lately, ruling out a MITM attack. The short time between changing the password and logging in ruled out a brute force attack on the account.

We took the servers down and began investigating. I made a post to /r/admincraft with the thought of cross-comparing plugin lists to find one with a back door. We decompiled and pulled PEX and NoCheatPlus apart, and found no back doors.

To eliminate the chance of it being a plugin bug/backdoor, we put a honeypot server up on c.nerd.nu with a minecraft protocol proxy attached, to record how they were triggering it. Within an hour, the hackers were back and connected to the (now whitelisted) c.nerd.nu server, again as forty_two. Here’s the relevant portion of the log:

[20:01:28] >>> 0x02: Handshake {'username_host': u'forty_two;c.nerd.nu:25565'} [20:01:28] <<< 0x02: Handshake {'connection_hash': u'xxx'} [20:01:29] >>> 0x01: Login request {'username': u'forty_two', 'not_used_6': 0, 'not_used_4': 0, 'not_used_5': 0, 'not_used_2': 0, 'not_used_3': 0, 'not_used_1': u'', 'protocol_version': 29} [20:01:29] <<< 0x01: Login request {'entity_id': 1172, 'world_height': 0, 'not_used_2': 0, 'not_used_1': u'', 'game_mode': 1, 'max_players': 60, 'level_type': u'default', 'dimension': 0} 

We also patched bukkit to print information about the authentication step:

[INFO] LoginPacketName forty_two; ServerID xxx; Request URL http://session.minecraft.net/game/checkserver.jsp?user=forty_two&serverId=xxx [INFO] Response is YES [INFO] forty_two [/xxx:54685] logged in with entity id 381 at ([world] 3.399717322546743, 64.0, 10.73634280242685) 

What’s striking here is that there’s nothing unusual. If it had been a bukkit plugin backdoor, we’d see some kind of communication with the plugin to tell it to skip the user auth. If it had been some kind of protocol/string packing exploit in minecraft server, again we’d see it in the packets. Nor is a minecraft session server error being triggered. The only explanation is that someone has found an exploit in the minecraft login server. It affects vanilla servers and bukkit servers equally.

After some sleuthing, we determined and confirmed that the exploit only affects accounts which have been migrated to a Mojang account. If you log into minecraft with your email address, you’re vulnerable.

A few hours ago we spoke to Dinnerbone, who got in contact with Grum and EvilSeph, and confirmed the exploit existed. We held off posting, hoping it would be fixed before the griefing community at large finds out about it. Information on how to use this exploit has now been made public, and as such we feel duty bound to advise that all server admins should do as we did and either take your servers offline or install a secondary authentication plugin.

A more detailed post to /r/mcpublic will follow.

TL;DR: hackers can log in as any migrated user! take your server down or use secondary authentication!