
Closed Server exploit disclosure (2 vulnerabilities, workarounds and fixes available)

Discussion in 'Starbound Support' started by OmnipotentEntity, Jan 9, 2015.

Thread Status:
Not open for further replies.
  1. OmnipotentEntity

    OmnipotentEntity Code Monkey Forum Administrator

    A vulnerability has been discovered in the Starbound server executable that allows writing non-arbitrary data to an arbitrary file that the user running the starbound_server executable has permissions to write to.

    The mechanics of this vulnerability involves incorrectly validating sector names from the client.

    This vulnerability affects versions Enraged Koala and lower. It is fixed in the current unstable and the current nightly. To work around this issue, run the server under a heavily restricted user account. Unfortunately, it is still possible to carry out a denial-of-service attack against a server using the workaround. Thanks go to members of the ##starbound-modding IRC channel for bringing this issue to our attention.

    A vulnerability has been discovered in the Starbound server executable that allows players to gain admin privileges if they have been in the same area as an admin user. Just to stress, because there seems to be a bit of confusion on the matter: this is Starbound admin, not systemwide admin. You gain the ability to kick and ban players and spawn items and such, not the ability to change system files or run programs.

    The mechanics of this vulnerability involves cloning the uuid of the admin player.

    This vulnerability affects all current versions; however, it has been fixed in our repository and any nightly version dated after Jan 9 should be immune. To work around it, un /admin yourself before logging out. If you were logged in as /admin the last time you logged out, simply log in, un /admin yourself and log out. This exploit only functions if you were an admin the last time you logged out, or you were an /admin the last time an automatic store was running and haven't logged out yet.

    To find out if you are currently an admin you may type: "/whoami"

    More specific technical details will be forthcoming after the next stable update.

    UPDATE: 30 Jan 2015

    Now that the new stable is out, this thread is no longer up to date. Please do not use the linked executables unless you are running a legacy server!

    UPDATE: 12 Jan 2015

    A patch is available for the first vulnerability and can be found here:

    http://playstarbound.com/images/server-patch.zip

    We recommend that you download the zip file and use this executable when running a server.

    md5sum: b021d43193b6183ea57e3c0ed8616845
    sha1sum: 088b654045a5ee419d0c807df38ca59b9fcb4fc8
    sha256sum: 2e8eeb1dbde873158fd5d715d89780eb780f17a81d846c7b1a3d0e5828145d81

    This patch only applies to Enraged Koala. This patch only addresses the first vulnerability. Do not use these executables with unstable or nightly. This is only a stop gap until the next stable is released. Your clients are not vulnerable.


     
    Last edited: Jan 30, 2015
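An added example, not part of the original post and not Chucklefish code: a pre-launch check for a legacy Enraged Koala server that verifies the downloaded zip against the sha256sum published in the first post and refuses to start as root, in line with the restricted-account workaround. The function names, the script name and the list of system paths probed are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Chucklefish code): pre-launch checks for a legacy server.
# SHA-256 of server-patch.zip as published in the first post of this thread.
PATCH_SHA256="2e8eeb1dbde873158fd5d715d89780eb780f17a81d846c7b1a3d0e5828145d81"

# Print the SHA-256 of a file (sha256sum, or shasum where coreutils is absent).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | awk '{print $1}'
    else
        shasum -a 256 -- "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if FILE exists and its digest matches.
verify_sha256() {
    [ -f "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$2" ]
}

# writable_outside ALLOWED_DIR PATH...: print each PATH the current account
# can write to that is not ALLOWED_DIR or below it. A heavily restricted
# account should produce no output for system paths.
writable_outside() {
    local allowed="${1%/}" p
    shift
    for p in "$@"; do
        case "$p" in "$allowed"|"$allowed"/*) continue ;; esac
        [ -w "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# preflight FILE EXPECTED_SHA256 UID: 0 = ok, 2 = digest mismatch, 3 = root.
preflight() {
    verify_sha256 "$1" "$2" || { echo "digest mismatch: $1" >&2; return 2; }
    [ "$3" -ne 0 ] || { echo "refusing to start as root" >&2; return 3; }
    return 0
}

# Usage (paths are placeholders): ./preflight.sh server-patch.zip /path/to/universe
if [ "$#" -eq 2 ]; then
    preflight "$1" "$PATCH_SHA256" "$(id -u)" || exit $?
    writable_outside "$2" /etc /usr /bin /root "$HOME"
fi
```

Any path printed by `writable_outside` is a location the server account could still overwrite, so the account is not yet restricted enough.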
  2. Tsunder

    Tsunder Phantasmal Quasar

    Ok.
     
  3. Thanks for these fixes. I tried to contact the developers several times; I'm not on the techie side and didn't really know how they were able to attack the machine running the server, only that they did.
    A very restricted user account works to avoid any damage aside from corrupting the /universe folder's files (which must remain writeable).

    I hope you work! So you make sure some exploits this kind of hack/griefers/trolls would love to have on the future stable update, will no longer work.
    From what we tested, players can no longer crash each other, nor the server, with modded weapons/npcs/effects. However, things like modding vanilla tile assets to new ids, for example, and placing the block on a server will crash the clients of players that try to load that tile. Not sure if they can use that to also corrupt players' ships.
     
  4. Ignify

    Ignify Phantasmal Quasar

    I will assume so, and since they aren't recognizable by the server, even if a fix is made for a client, they won't be able to be mined, and they will only be able to be seen and not crash the client with said fix.

    Thanks for the fix, Omni! :D
     
  5. Huzzah!
    Glad to see these kinds of things being worked out.
    I'll stress that it's these kinds of exploits (among other reasons) why you should never run your servers as root.
     
  6. Yup, we manually ran it as root, not aware (as we have an sb user for it), and sadly the hacker attacked that time, and boom, the machine's OS was corrupted to the point that we had to rebuild the whole thing, as happened on several other servers. Right now this issue is even more controlled; they can still cause damage to the universe folder files, still pretty random: sometimes the server will start back up, other times it will crash loop until we manually reset such files. Hopefully it seems that hacker is gone, and with this fixed, it can only improve the servers' stability.
     
  7. OmnipotentEntity

    OmnipotentEntity Code Monkey Forum Administrator

    Bump, a patch is available for stable servers, please use the executables in the first post.
     
  8. Interesting error trying to run the new patch. It's probably just me, but I figure I'd bring attention to it, regardless.
    I'll keep working on it.


    EDIT: Forgot to mention I was running Ubuntu. Solution is here.
     
    Last edited: Jan 16, 2015
  9. Dunto

    Dunto Guest

    This thread is only for the vulnerabilities and their workarounds. Please follow the steps in the stickied thread(s) at the top of the forum and make a new thread if you're still having an issue.
     
  10. antiPLUR

    antiPLUR Aquatic Astronaut

    I am a bit confused. When we are talking "sectors" is that an in game thing or are we talking about hard disk sectors?

    I guess what I'm asking is do these exploits present risks for data outside of starbound and its assets?
     
  11. Yes, these exploits let the hacker who used them exploit the whole machine if the user who ran the Starbound server was an administrator.
     