Denial-of-service exploit using null terminators

oldmud0 published GHSA-7fpc-9xpq-pxq7 Jul 23, 2019

high severity
Affected versions: <=2.6.1
Patched versions: 2.6.2

Synopsis

Null bytes in packets are interpreted as null terminators by the client, marking a premature end of the packet. This causes the next message to be merged with the previous one, since the previous message did not finish (as it did not end with a percent sign).

If a client is undergoing a handshake, and the next message was critical to continuing the handshake process, then the client will not understand the message (as it will read the header of the first message and not of the second one), effectively stopping the handshake and preventing the client from joining.

This is a high-severity security issue because some messages are relayed nearly verbatim to clients. An example of how this can be leveraged to cause a denial-of-service attack is explained below.

Example

A malicious client submits an evidence list that contains the null terminator before the evidence list is finished. When sent to the default area, it hangs incoming desktop clients attempting to receive evidence during the handshake, rendering it impossible for desktop clients to join the server.

If WebSocket connections are disabled (that is, webAO is disabled), then this prevents any players from joining the server, effectively requiring a server restart if no admins were present.

Impact

Only the desktop client is affected; webAO is not.

Patches

A patch has been issued for tsuserver3, which correctly removes null characters from incoming evidence messages.
A patch will be issued for the desktop client to allow players to continue playing on vulnerable servers.
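The following is an added illustration of the truncation-and-merge behaviour described in the synopsis and of the server-side sanitization the patch section refers to. It is not tsuserver3's or the desktop client's code: the packet framing (fields separated by `#`, packets terminated by `%`), the `LE` and `DONE` headers, the helper names and the sample evidence items are all assumptions constructed for this example. The `legacy_client_packets` model handles each received chunk as a C string, so anything from the first NUL onward is lost; `sanitize_field` shows the fix of stripping NULs before the field is relayed.

```python
"""Added illustration of the NUL-truncation problem described in this advisory
and of the server-side sanitization that addresses it. Helper names and the
packet framing below are assumptions for this example, not tsuserver3's or
the desktop client's actual code."""

FIELD_SEP = "#"    # assumed: fields are separated by '#'
PACKET_END = "%"   # assumed: a packet ends with '%'
NUL = "\x00"


def encode_packet(header: str, *fields: str) -> str:
    """Frame header and fields as 'HEADER#f1#f2#%' (assumed framing)."""
    return FIELD_SEP.join([header, *fields]) + FIELD_SEP + PACKET_END


def parse_packet(packet: str):
    """Split a packet body (without its trailing '%') into header and fields."""
    parts = packet.split(FIELD_SEP)
    if parts and parts[-1] == "":
        parts.pop()  # drop the empty field left by the trailing '#'
    return parts[0], parts[1:]


def legacy_client_packets(chunks):
    """Model of the vulnerable desktop-client behaviour from the synopsis:
    each received chunk is treated like a C string, so everything from the
    first NUL onward is discarded. If that removes the '%', the truncated
    data stays in the buffer and the next message is glued onto it."""
    buffer = ""
    packets = []
    for chunk in chunks:
        buffer += chunk.split(NUL, 1)[0]  # C-string truncation at first NUL
        while PACKET_END in buffer:
            packet, buffer = buffer.split(PACKET_END, 1)
            packets.append(packet)
    return packets


def sanitize_field(value: str) -> str:
    """Server-side fix in the spirit of the patch: drop NUL characters from
    an incoming field before it is relayed to other clients."""
    return value.replace(NUL, "")


def relay_evidence(evidence, sanitize=True):
    """Build the evidence-list packet the server relays. sanitize=False
    reproduces the pre-patch behaviour of forwarding fields verbatim."""
    fields = [sanitize_field(e) if sanitize else e for e in evidence]
    return encode_packet("LE", *fields)


def handshake_headers(sanitize: bool):
    """Headers a legacy client decodes when the evidence list is followed by
    a handshake packet. Constructed sample data: one evidence item carries
    an embedded NUL."""
    evidence = ["Photo&A photo&1.png", "Bad\x00Item&desc&img.png"]
    chunks = [relay_evidence(evidence, sanitize), encode_packet("DONE")]
    return [parse_packet(p)[0] for p in legacy_client_packets(chunks)]


if __name__ == "__main__":
    print("unpatched server:", handshake_headers(sanitize=False))  # ['LE']
    print("patched server:  ", handshake_headers(sanitize=True))   # ['LE', 'DONE']
```

Running the module shows the two outcomes side by side: without sanitization the client only ever decodes the `LE` packet, because the `DONE` packet has been absorbed into the truncated evidence message, which is the stalled handshake the advisory describes; with sanitization both packets are decoded in order. A server-side check of this kind belongs at the point where untrusted fields enter, before any relaying, so that clients that still truncate at NUL are protected regardless of their version.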

Workarounds

Server owners should update to the latest version of tsuserver3. Alternatively, server owners can set the default area's evidence_mod flag to Mods.

For more information

If you have any questions or comments about this advisory, please contact us over Discord, or make a thread in the forums.