1

Topic: Server registration vulnerability

A vulnerability in the current server-masterserver protocol was found that can cause servers to not show up in the server list anymore. Use one of the following methods to protect your server(s):

1) Apply this patch to your source code.
2) Use this script to patch your binaries.
3) Use this iptables rule by m!nus on your server (NOTE: Adjust the port if you're not running on 8303!):

iptables -I INPUT -p udp --dport 8303 -m u32 --u32 '0>>22&0x3C@18=0x66776572' -j DROP

NOTE: If you're using method 2 or 3, you won't be able to detect NAT issues anymore; they'll show up as "WARNING: Master server is not responding, switching master".
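For anyone wanting to see what that u32 rule actually matches, here is an added example (not from this thread or the Teeworlds code): it rebuilds the rule's logic in Python over a constructed IPv4/UDP datagram, so you can check the offsets before trusting the rule. It assumes the 0.6 connectionless packet header is 6 bytes of 0xff, which is why "fwer" sits 18 bytes into the UDP segment.

```python
import struct

# Constructed sample values, not captured traffic: the 6 leading 0xff bytes are
# the connectionless packet header (assumed), followed by the marker the master
# server sends in its firewall-error reply (same bytes as in the patcher script).
CONNLESS_HEADER = b"\xff" * 6
SERVERBROWSE_FWERROR = b"\xff\xff\xff\xfffwer"

def build_ipv4_udp(payload, sport, dport, options=b""):
    """Build a minimal IPv4+UDP datagram (checksums zeroed) around payload."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total = ihl * 4 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + udp + payload

def matches_fwerror_rule(datagram, dport=8303):
    """Mirror of: -p udp --dport 8303 -m u32 --u32 '0>>22&0x3C@18=0x66776572'."""
    # -p udp: IPv4 with protocol 17
    if len(datagram) < 20 or datagram[0] >> 4 != 4 or datagram[9] != 17:
        return False
    # "0>>22&0x3C": take the first 32-bit word, shift so the IHL field lands
    # in bits 5..2, mask it; the result is IHL*4, the byte offset of the UDP header
    word0 = struct.unpack("!I", datagram[:4])[0]
    ihl_bytes = (word0 >> 22) & 0x3C
    udp = datagram[ihl_bytes:]
    # --dport: destination port lives at UDP header bytes 2..3
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != dport:
        return False
    # "@18=0x66776572": the 32-bit word 18 bytes past the UDP header start must
    # equal b"fwer" (8 header bytes + 6 connless bytes + 4 bytes 0xff = 18)
    if len(udp) < 22:
        return False
    return struct.unpack("!I", udp[18:22])[0] == 0x66776572
```

A server running a different port must change the `--dport` value, but the payload offset is independent of the port.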

2

Re: Server registration vulnerability

For reference, here are the scripts:

Patch:

diff --git a/src/engine/server/register.cpp b/src/engine/server/register.cpp
index 0b7eb94..b287068 100644
--- a/src/engine/server/register.cpp
+++ b/src/engine/server/register.cpp
@@ -275,7 +275,7 @@ int CRegister::RegisterProcessPacket(CNetChunk *pPacket)
                char aBuf[256];
                str_format(aBuf, sizeof(aBuf), "ERROR: configure your firewall/nat to let through udp on port %d.", g_Config.m_SvPort);
                m_pConsole->Print(IConsole::OUTPUT_LEVEL_STANDARD, "register", aBuf);
-               RegisterNewState(REGISTERSTATE_ERROR);
+               //RegisterNewState(REGISTERSTATE_ERROR);
                return 1;
        }
        else if(pPacket->m_DataSize == sizeof(SERVERBROWSE_COUNT)+2 &&
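Review bot: the `RegisterNewState(REGISTERSTATE_ERROR);` call is commented out rather than removed, and nothing in the hunk says why, so a future reader will see a dead line under an "ERROR: configure your firewall/nat" message that still prints and a `return 1` that still fires, and may well reinstate it. Replace the commented-out call with a one-line comment stating that this reply must not move the register state, and consider softening the printed message, since with this change it appears for the packets this workaround is meant to ignore as well as for genuine NAT problems.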

Binary patcher:

import argparse
import os

# Marker the master server sends in its firewall-error reply; overwriting it in
# the binary makes the server stop recognising that packet.
SERVERBROWSE_FWERROR = b'\xff\xff\xff\xfffwer'

def make_executable(path):
    """
    Taken from http://stackoverflow.com/a/30463972.

    Has obvious race conditions, but whatever...
    """
    old_mode = os.stat(path).st_mode

    new_mode = old_mode | ((old_mode & 0o444) >> 2)    # copy R bits to X

    if new_mode != old_mode:
        os.chmod(path, new_mode)


def main():
    parser = argparse.ArgumentParser(description="Patch a Teeworlds server executable to work around a bug in the registering code.")
    parser.add_argument('file', metavar="FILE", help="Filename of the executable to patch")

    filename = parser.parse_args().file
    with open(filename, 'rb') as f:
        contents = f.read()

    if SERVERBROWSE_FWERROR not in contents:
        parser.error("marker not found in %s, nothing to patch" % filename)

    # Replace the marker with random bytes so the server no longer matches it.
    fixed = contents.replace(SERVERBROWSE_FWERROR, os.urandom(len(SERVERBROWSE_FWERROR)))

    fixed_filename = filename + "_fixed.exe"
    with open(fixed_filename, 'wb') as f:
        f.write(fixed)
    make_executable(fixed_filename)


if __name__ == '__main__':
    main()

3

Re: Server registration vulnerability

one line commented out? is this everything?

Having trouble finding servers in the server list? Go to Pastebin (it's a referrer because there is a new pastebin daily) and add the lines to your settings.cfg (in %APPDATA%\teeworlds). Then open Teeworlds and go to the favorites tab. (Note, however, that the standard Teeworlds client can only show 256 favorites; use DDNet instead.)

4

Re: Server registration vulnerability

Schwertspize wrote:

one line commented out? is this everything?

The last bug could be fixed by changing the type of a variable from `int` to `unsigned int`.

5

Re: Server registration vulnerability

if you are hosting @ovh, just remove all masterservers except for server 3.

6

Re: Server registration vulnerability

sl wrote:

if you are hosting @ovh, just remove all masterservers except for server 3.

This doesn't help against this exploit.

7 (edited by sl 2015-11-02 20:23:17)

Re: Server registration vulnerability

it does.
master3 is also hosted at ovh
and ovh does filter out spoofed messages with OVH-IPs from INET -> OVH

Edit: also see https://forum.ovh.nl/showthread.php?972 … ing-attack

8

Re: Server registration vulnerability

sl wrote:

it does.
master3 is also hosted at ovh
and ovh does filter out spoofed messages with OVH-IPs from INET -> OVH

Edit: also see https://forum.ovh.nl/showthread.php?972 … ing-attack

Ah ok, wasn't aware of this. Thank you!

9

Re: Server registration vulnerability

heinrich5991 wrote:

For reference, here are the scripts:

Patch:

diff --git a/src/engine/server/register.cpp b/src/engine/server/register.cpp
index 0b7eb94..b287068 100644
--- a/src/engine/server/register.cpp
+++ b/src/engine/server/register.cpp
@@ -275,7 +275,7 @@ int CRegister::RegisterProcessPacket(CNetChunk *pPacket)
                char aBuf[256];
                str_format(aBuf, sizeof(aBuf), "ERROR: configure your firewall/nat to let through udp on port %d.", g_Config.m_SvPort);
                m_pConsole->Print(IConsole::OUTPUT_LEVEL_STANDARD, "register", aBuf);
-               RegisterNewState(REGISTERSTATE_ERROR);
+               //RegisterNewState(REGISTERSTATE_ERROR);
                return 1;
        }
        else if(pPacket->m_DataSize == sizeof(SERVERBROWSE_COUNT)+2 &&

Binary patcher:

import argparse
import os

# Marker the master server sends in its firewall-error reply; overwriting it in
# the binary makes the server stop recognising that packet.
SERVERBROWSE_FWERROR = b'\xff\xff\xff\xfffwer'

def make_executable(path):
    """
    Taken from http://stackoverflow.com/a/30463972.

    Has obvious race conditions, but whatever...
    """
    old_mode = os.stat(path).st_mode

    new_mode = old_mode | ((old_mode & 0o444) >> 2)    # copy R bits to X

    if new_mode != old_mode:
        os.chmod(path, new_mode)


def main():
    parser = argparse.ArgumentParser(description="Patch a Teeworlds server executable to work around a bug in the registering code.")
    parser.add_argument('file', metavar="FILE", help="Filename of the executable to patch")

    filename = parser.parse_args().file
    with open(filename, 'rb') as f:
        contents = f.read()

    if SERVERBROWSE_FWERROR not in contents:
        parser.error("marker not found in %s, nothing to patch" % filename)

    # Replace the marker with random bytes so the server no longer matches it.
    fixed = contents.replace(SERVERBROWSE_FWERROR, os.urandom(len(SERVERBROWSE_FWERROR)))

    fixed_filename = filename + "_fixed.exe"
    with open(fixed_filename, 'wb') as f:
        f.write(fixed)
    make_executable(fixed_filename)


if __name__ == '__main__':
    main()

I don't understand where I copy and paste this.

10

Re: Server registration vulnerability

The first one is a patch file: just copy the text into a file and do a "git apply <file>" from within your repo.
The second one is a Python script. Copy the text into a file named "fix.py" (or something) and then run it.

11

Re: Server registration vulnerability

smile

12

Re: Server registration vulnerability

Again, there are very few servers online. Is this because of the same / a similar vulnerability? Or is it just an issue with the master servers?

masked tee / florin.teeworlds@gmail.com

13

Re: Server registration vulnerability

florin wrote:

Again, there are very few servers online. Is this because of the same / a similar vulnerability? Or is it just an issue with the master servers?

It's an issue with the master servers. The DDNet servers aren't visible, but they've definitely fixed this vulnerability.