
Hey look, I’m you with your privileges

Update: The man-in-the-middle attack described in this post is now ineffective as it was fixed in Minecraft 1.3, but the solution still works if you desire extra security.

A “session stealer” exploit in Minecraft is now being used increasingly widely to gain operator privileges on a target server. Anyone with the ability (or the freely available tools) can impersonate another user, which comes in handy to gain elevated privileges on a given server. The underlying exploit is actually extremely old, and while a small number of people have long been aware of it, news broke to the greater community recently and now it is a real relevant concern. On the flip side, the bug will finally be fixed (after three years) with the release of Minecraft 1.3. Hooray public disclosure.

[Image: exploit_logic]

But I don’t want to wait for a fix

If you run a server, it’s understandable that you would want a fix now. You can ensure that you don’t expose your own account, but you also have to ensure that your moderators do not expose theirs. That can be harder than it sounds, especially depending on who you are working with, and so some — even minor — protection would be nice. Unfortunately, it is not possible to fix the problem from the server’s side alone, and so people have tried to work around it with a mix of rather inconvenient solutions (mostly involving a /login command). Instead, I settled on a different approach to protecting my moderators’ accounts, described below, which has these advantages:

  1. It doesn’t require any client-side changes;
  2. It is a one-time setup for everyone;
  3. It completely fixes the exploit for your server;
  4. And it is grossly simple to set up.

All it requires is that everyone you want to protect switches to connecting with a secret server address instead. This solution takes advantage of the fact that, when you connect to a Minecraft server, the address you used is sent to that server. If your friend has a special address to use, and someone else tries to log in to the server without that special address, the server has a clear indication that your friend is not really your friend. Some examples of addresses you could use include:

  • noHeY.example.com
  • zqTPa.example.com
  • 5v9h0.example.com
  • nmJka.example.com

[Image: working_example]

When an attacker tries the exploit:

[Image: working_example2]

So, how do I actually use this?

Before you set up the Minecraft server, you first have to set up the secret domains. There are, fortunately or unfortunately, a dozen different ways to do this, all depending on your particular setup. While I can’t go into depth on this in this post, I can recommend that you set up a wildcard DNS entry if possible, so that all subdomains (*.example.com) get sent to your server. That way, an attacker can’t so easily guess domains and test their guesses. Another option is to use your computer’s “hosts file” (look this up) to manually map any domain, even one that you do not own, to a certain IP address. This latter option is the safest, but it does require a bit more work from everyone involved.

On the Minecraft server side of this fix, I have added a check feature to WorldGuard (Bukkit required) that lets you check the connecting address of certain players, which you can apply to the accounts of your moderators. Download the latest version, then set up your plugins/WorldGuard/config.yml to look like:

Be aware, however, that this is not a proper fix. It will protect a server, but it will not protect an account. If a session gets stolen, the attacker would not be able to use it on your server, but the account can still be used on any other server. There is not much a server owner can really do (besides more drastic measures), and we are all waiting on Mojang to properly fix this problem.
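The check described above, together with a config fragment in the shape the post asks for, as an added Python illustration. This is not WorldGuard’s own code: the `host-keys` section name follows WorldGuard’s config as I recall it, while the player names, hostnames, addresses and the kick message are constructed for the example. It also covers the failure that comes up in the comments further down, where a BungeeCord proxy with IP forwarding enabled appends extra fields to the handshake address (the NUL-separated layout is my understanding of BungeeCord’s ip_forward and is an assumption) and the check fails unless the backend is told it sits behind the proxy.

```python
"""Host-key login check modelled on the feature described in the post.

Added example, not WorldGuard's code. Assumes a config section named
``host-keys`` mapping a player name to the hostname that player must join
through, and that the server receives the address the client typed in
(the Minecraft handshake carries it, possibly with a ':port' suffix).
"""

import logging
from typing import Dict, Optional, Tuple

log = logging.getLogger("hostkeys-example")

# Constructed config.yml fragment; names and hostnames are made up.
CONFIG_YML = """
host-keys:
    sk89q: "noHeY.example.com"
    trustedmod: "zqTPa.example.com"
"""


def parse_host_keys(text: str) -> Dict[str, str]:
    """Minimal parser for the two-level 'host-keys:' mapping above.

    Handles only that shape (a real plugin uses a YAML library). Player
    names are lowercased so lookups are case-insensitive (assumption).
    """
    keys: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):          # top-level key
            in_section = line.strip() == "host-keys:"
            continue
        if in_section and ":" in line:
            name, host = line.strip().split(":", 1)
            keys[name.strip().lower()] = host.strip().strip("\"'")
    return keys


def hostname_from_handshake(server_address: str) -> str:
    """Drop the ':port' a client may append to the address it joined with."""
    colon = server_address.find(":")
    return server_address[:colon] if colon != -1 else server_address


def hostname_from_proxy_handshake(server_address: str) -> str:
    """Recover the real hostname behind an IP-forwarding proxy.

    Assumption: the proxy appends client IP, UUID and profile JSON to the
    handshake address, each separated by a NUL byte. A backend that is not
    told it sits behind the proxy sees the whole blob as the hostname, so
    an exact comparison against the host key can never succeed.
    """
    return hostname_from_handshake(server_address.split("\x00", 1)[0])


def check_login(player: str, server_address: str,
                host_keys: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Return (allowed, kick_reason).

    Players without a host key are unaffected. A player who has one is
    kicked unless the address they joined with matches it exactly; that is
    what keeps a stolen session from working via the public address.
    """
    expected = host_keys.get(player.lower())
    if expected is None:
        return True, None
    joined_with = hostname_from_handshake(server_address)
    if joined_with != expected:
        log.warning("host key check: %s joined with '%s' but '%s' was "
                    "expected. Kicked!", player, joined_with, expected)
        return False, "You did not join with the valid host key!"  # constructed
    return True, None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    keys = parse_host_keys(CONFIG_YML)
    # Moderator joining through their secret address: allowed.
    print(check_login("sk89q", "noHeY.example.com:25565", keys))
    # Stolen session used via the public address: kicked.
    print(check_login("sk89q", "mc.example.com", keys))
```

The moderator’s own client still connects through `noHeY.example.com`, so the only change for them is the address they type; a guest with no host key is never affected by the check.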

  • http://twitter.com/Zewlzor Tom Harris

    Awesome, thanks man! I was recently hit by this and I can’t put into words how thankful I am for this fix, so it doesn’t happen again.

  • http://twitter.com/pigrocket Joey Sandmeyer

    You’re a wizard, Harry.

  • http://twitter.com/Tallcraft Tallcraft

    Mojang is planning to fix this bug: http://www.reddit.com/r/edstonehelper/comments/p6lol/planned_for_the_next_update/
    “Fixed Man-in-the-middle attack allowing hackers to log in as you when you visit their server”

  • abcedea

    Yay, everything bad about Minecraft servers is getting fixed :D first session stealing, now WorldEdit is able to be logged and rolled back! What next?

  • snipes

    This still happens to me, and cos it’s a Hamachi server I had to ban all my ops until I knew it was them logging in.

  • Monty Pyther

    Is there a fix for if your account is being accessed on different servers?
    My friend and I have been hosts to someone kicking us from servers and playing around as us for the last 3 months and we can’t do anything :/ Any suggestions would be nice.

  • Bramdv

    My hero <3

  • alely

    So I just go into domain settings and put a secret URL pointing to my MC server?

    • http://www.christmc.com Jesus Lion

      Yes, but if you use a wildcard you have less work adding other people.

  • Pingoo

    Big thank. You’re my god :)

  • z2s8

    Very cool, I use it instead of xAuth (the server runs in offline mode so it needs some auth system); every player gets a private hostname. Much easier than typing /login password every time you join. Thanks!

  • z2s8

    Anyway, is there an option to configure the message that a user gets when connecting from an incorrect hostname? Thx

  • Miner Modder

    What file do I edit?

    • http://www.christmc.com Jesus Lion

      config.yml

  • http://www.christmc.com Jesus Lion

    I got a problem: I use 1.7.9 and BungeeCord, and it works perfectly on two of the servers, but on the other two I get this error:
    [Server thread/WARN]: [WorldGuard] WorldGuard host key check: JesusLion joined with ‘xxxxxxx.christmc.com 172.179.2.1 6d3ed25850ac62d2af374803b6237d05 [{“name”‘ but ‘xxxxxxx.christmc.com’ was expected. Kicked!

    • http://www.sk89q.com sk89q

      Hmm… no idea, sorry.

      • http://www.christmc.com Jesus Lion

        I found the solution:
        In spigot.yml you have to go to settings and set
        bungeecord: true
        and then host keys work fine.