GHSA-hvm9-wc8j-mgrc

Published: 18 Dec 2024
Source: github
Github: Reviewed
CVSS4: 8.9

Description

TShock Security Escalation Exploit

Impact

An issue with the way OTAPI manages client connections results in stale UUIDs remaining on RemoteClient instances after a player disconnects.

Because of this, if all of the following conditions are met, a player may assume the login state of a previously connected player:

  1. The server has UUID login enabled
  2. An authenticated player disconnects
  3. A subsequent player connects with a modified client that does not send the ClientUUID#68 packet during connection
  4. The server assigns the same RemoteClient object that belonged to the originally authenticated player to the newly connected player

Patches

TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.

Workarounds

Implement a RemoteClient reset event handler in a plugin like so:

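    public override void Initialize()
    {
        // Hook RemoteClient.Reset so the handler runs whenever a client slot is reset.
        On.Terraria.RemoteClient.Reset += RemoteClient_Reset;
    }

    private static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client)
    {
        // Clear the stale UUID before running the original reset logic.
        client.ClientUUID = null;
        orig(client);
    }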
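
An added illustration, not code from TShock, OTAPI or the advisory: a self-contained C# model of the four conditions listed under Impact, showing how a recycled slot object keeps the previous player's UUID and how clearing it on reset removes the stale login. `Slot`, `Server`, `UuidLogin` and the sample UUID are hypothetical names and constructed values.

```csharp
using System;
using System.Linq;

// Constructed model of a server's fixed pool of connection slots.
// Not OTAPI or TShock code; all names here are hypothetical.
class Slot
{
    public string ClientUuid;   // written only when a client sends its UUID packet
    public bool Connected;
}

class Server
{
    readonly Slot[] pool = { new Slot(), new Slot() };
    readonly bool clearUuidOnReset;
    public Server(bool clearUuidOnReset) { this.clearUuidOnReset = clearUuidOnReset; }

    // A new connection gets the first free slot object, as in condition 4.
    public Slot Accept() { var s = pool.First(x => !x.Connected); s.Connected = true; return s; }

    // Disconnect recycles the slot; the bug is modelled by leaving ClientUuid set.
    public void Disconnect(Slot s)
    {
        s.Connected = false;
        if (clearUuidOnReset) s.ClientUuid = null;
    }

    // UUID login: resolves an account from the slot's UUID, null when none is set.
    public string UuidLogin(Slot s) =>
        s.ClientUuid == "uuid-of-alice" ? "alice" : null;   // constructed account record
}

static class Demo
{
    // Returns the account a second client is logged in as when it sends no UUID packet.
    public static string SecondClientAccount(bool clearUuidOnReset)
    {
        var server = new Server(clearUuidOnReset);
        var first = server.Accept();
        first.ClientUuid = "uuid-of-alice";      // first client sends its UUID and is logged in
        server.Disconnect(first);

        var second = server.Accept();            // same object as 'first'
        return server.UuidLogin(second);         // no UUID packet arrived for this connection
    }

    static void Main()
    {
        Console.WriteLine("stale UUID kept : " + (SecondClientAccount(false) ?? "<no login>"));
        Console.WriteLine("UUID cleared    : " + (SecondClientAccount(true) ?? "<no login>"));
    }
}
```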

Packages

Name: TShock (nuget)
Affected versions: >= 4.3.21, < 5.2.1
Fixed version: 5.2.1

CVSS4: 8.9 High

Weaknesses

CWE-305
CWE-613
CWE-863
