Null bytes in packets are interpreted as null terminators by the client, marking a premature end of the packet. This causes the next message to be merged with the previous one, since the previous message did not finish (as it did not end with a percent sign).
If a client is undergoing a handshake, and the next message was critical to continuing the handshake process, then the client will not understand the message (as it will read the header of the first message and not of the second one), effectively stopping the handshake and preventing the client from joining.
This is a high-severity security issue because some messages are relayed nearly verbatim to clients. An example of how this can be leveraged to cause a denial-of-service attack is explained below.
A malicious client submits an evidence list that contains the null terminator before the evidence list is finished. When sent to the default area, it hangs incoming desktop clients attempting to receive evidence during the handshake, rendering it impossible for desktop clients to join the server.
If WebSocket connections are disabled (that is, webAO is disabled), then this prevents any players from joining the server, effectively requiring a server restart if no admins were present.
Only the desktop client is impacted - this does not apply to webAO.
A patch has been issued for tsuserver3, which correctly removes null characters from incoming evidence messages.
A patch will be issued for the desktop client to allow players to continue playing on vulnerable servers.
Server owners should update to the latest version of tsuserver3. Alternatively, server owners can set the default area's evidence_mod flag to Mods.
If you have any questions or comments about this advisory, please contact us over Discord, or make a thread in the forums.