redacted

This subforum contains all the issues which we already resolved.
wies
Manual Inserter
Posts: 2
Joined: Sun Jun 18, 2017 10:35 am

redacted

Post by wies »

redacted
Last edited by wies on Mon Aug 03, 2020 10:45 am, edited 1 time in total.

TruePikachu
Filter Inserter
Posts: 978
Joined: Sat Apr 09, 2016 8:39 pm

Re: [0.15.21] User verification vulnerability

Post by TruePikachu »

If servers need to generate their own IDs for some reason, I'd change the implementation slightly:

Servers would issue a no-parameter request to an API endpoint, which provides a seed value and secret key. Theoretically, a normal RNG is good enough for the seed value, as long as there are enough bits of entropy to reduce the risk of duplicated seeds. The secret key should be able to be determined from the seed value on the auth server; this can be accomplished either by databasing the seeds and keys, or by making the key's value entirely deterministic on the seed's value in a secure manner.

When a client authenticates with a server, the server provides its seed value, which the client would have to pass to the API (along with token) to receive the HMAC; the auth server would obtain the secret key either from the database or by running the algorithm on the seed value (if that method is used).
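The two-step scheme sketched in this post (auth server hands each game server a seed plus a secret key, the client turns the server's seed and its own login token into an HMAC that only the auth server can compute, and the game server checks it against its key) is easy to get subtly wrong, so here is an added worked example of it in Python. It is not code from the thread or from Factorio; the class and endpoint names are hypothetical, and the key is derived deterministically from the seed with a keyed PRF (HMAC under an auth-server master key), which is the "deterministic, no database" option the post mentions. The important defensive property is that the username inside the MAC is the one the auth server verified from the token, so a client cannot pick a different name:

```python
from __future__ import annotations
import hashlib
import hmac
import secrets


class AuthServer:
    """Stand-in for the central auth service (hypothetical, not Factorio's code)."""

    def __init__(self, master_key: bytes, token_db: dict[str, str]):
        self.master_key = master_key  # never leaves the auth server
        self.token_db = token_db      # login token -> verified username (constructed)

    def derive_server_key(self, seed: bytes) -> bytes:
        # Secret key is a PRF of the seed under the master key: deterministic,
        # so no per-server record has to be stored, yet unpredictable without
        # the master key (the "deterministic in a secure manner" option).
        return hmac.new(self.master_key, b"server-key|" + seed, hashlib.sha256).digest()

    def issue_server_credentials(self) -> tuple[bytes, bytes]:
        # The no-parameter request a game server makes once: a fresh 128-bit
        # random seed (enough entropy that duplicate seeds are not a concern)
        # together with the matching secret key.
        seed = secrets.token_bytes(16)
        return seed, self.derive_server_key(seed)

    def user_hmac(self, seed: bytes, token: str) -> tuple[str, bytes]:
        # The client presents the server's seed and its own token. The auth
        # server maps the token to the *verified* username and binds that name
        # to this server's key. The client never supplies the name itself.
        username = self.token_db.get(token)
        if username is None:
            raise PermissionError("invalid token")
        key = self.derive_server_key(seed)
        return username, hmac.new(key, username.encode(), hashlib.sha256).digest()


class GameServer:
    """A game server holding the seed/key pair issued to it."""

    def __init__(self, seed: bytes, key: bytes):
        self.seed = seed
        self.key = key

    def challenge(self) -> bytes:
        # Sent to every connecting client; it is not secret.
        return self.seed

    def verify(self, claimed_username: str, mac: bytes) -> bool:
        # Recompute the MAC over the name the client claims; only the auth
        # server (via this server's key) could have produced a matching value.
        expected = hmac.new(self.key, claimed_username.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


def join(auth: AuthServer, server: GameServer, token: str,
         claimed_username: str | None = None) -> bool:
    """Full handshake. An honest client claims the name the auth server verified;
    passing a different claimed_username models an impersonation attempt."""
    seed = server.challenge()
    verified_name, mac = auth.user_hmac(seed, token)
    return server.verify(claimed_username or verified_name, mac)


if __name__ == "__main__":
    auth = AuthServer(b"constructed-master-key", {"tok-alice": "alice"})
    srv = GameServer(*auth.issue_server_credentials())
    print("honest join:", join(auth, srv, "tok-alice"))           # True
    print("impersonate admin:", join(auth, srv, "tok-alice", "admin"))  # False
```

Two checks worth keeping in mind when reading the code: a MAC issued for one server's seed is useless at another server, because the key differs per seed, and a client holding no valid token gets nothing at all from the auth server. Replay of a MAC within one server's lifetime is not addressed here; a per-connection nonce folded into the MAC input would close that.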

ayahuasca23
Burner Inserter
Posts: 5
Joined: Fri May 26, 2017 11:19 am

Re: [0.15.21] User verification vulnerability

Post by ayahuasca23 »

Funny thing... I also found this vulnerability, and worked on it this weekend.
I have a fully working PoC exploit, if anyone is interested. I can join any server with verify-user on, with any username I want, with vanilla 0.15.21 Factorio.
It can be exploited by adding an entry to the hosts file for auth.factorio.com

(edit: wies, are you my evil clone? or am I the evil clone of you?)

Here's my encrypted PoC cgi script, hmac.pl (RewriteRule "^/+generate-user-server-key" "/cgi-bin/hmac.pl" [PT])

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1
-----END PGP MESSAGE-----
Find me playing Factorio on Explosive Gaming - S1 PUBLIC and chatting on discord at https://discord.gg/RPCxzgt

ayahuasca23
Burner Inserter
Posts: 5
Joined: Fri May 26, 2017 11:19 am

Re: [0.15.21] User verification vulnerability

Post by ayahuasca23 »

And here's the additional login.sh, with my token removed.
Apache config:
RewriteRule "^/+api-login" "/cgi-bin/login.sh" [PT]

This allows you to still use the multiplayer browser.
Hosts file content is as simple as
192.168.0.24 auth.factorio.com

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1

jA0EBwMCxNZGck1aI8Ng0sBTAV8IzlX/+qvIoSUL/wFhVsetYd4UE7SpsvMW1p5G
MJbdujq/B7O5A22SF/C8gFLT9SxH35npnRjv0LfJfV5+EKBq8bb0s1mAJtESiJJf
2t9HTTJheGgVlOKkyVhdM5JI5yUng4UW49BvH/z6lFDTMLIO4RHK2spudi1B8fBe
SwfaibhqE+aV7b1neXLl/NkTWmcWiEaGi8flNzs7Wei7WA5LGu6HHu5WovSCB0lD
xd1zdFS3Di+f94FMqUP6Ih2CabZ4K+jOIFz/Jex6LMnO/gIBEFX4LUOAEeFQ6phZ
OxeLTbhIvjKuElvy8Pug4+m35SrkOzKuh3GL9q2JRxManzrihtKeEJ+6GITL9217
VeVwnUw=
=CtQw
-----END PGP MESSAGE-----

ayahuasca23
Burner Inserter
Posts: 5
Joined: Fri May 26, 2017 11:19 am

Re: [0.15.21] User verification vulnerability

Post by ayahuasca23 »

Some other notes:
* You can see the flaw, documented by the devs themselves, if you read https://www.factorio.com/blog/post/fff-139 carefully.
* I planned on submitting it privately, so that the devs would have time to fix it, and only then post about it. Two things: 1. now it's out, anyway 2. there's no information on the forum/website about how to contact you for security-related things. Which email to use, do you have a bug bounty program for responsible disclosure etc.
* Some additional info about the scope: you can use this to 1. play on a multiplayer server without owning Factorio 2. impersonate admins and devs. And yeah devs, can we talk privately about that? PM me please.

wies
Manual Inserter
Posts: 2
Joined: Sun Jun 18, 2017 10:35 am

redacted

Post by wies »

redacted
Last edited by wies on Mon Aug 03, 2020 10:44 am, edited 1 time in total.

ayahuasca23
Burner Inserter
Posts: 5
Joined: Fri May 26, 2017 11:19 am

Re: [0.15.21] User verification vulnerability

Post by ayahuasca23 »

wies wrote:@ayahuasca23 We must be quantum entangled then.

No but in all seriousness, I was trying to reverse engineer the networking protocol this weekend and stumbled upon it. Changing the hostfile for your PoC exploit is actually pretty clever. I tried to make a PoC by injecting code in the factorio binary... didn't go well.

I posted it on the forums because the bug report contains no details so possible abuse is limited.
Dude... *I* was reverse engineering the network protocol last week ;)
And yeah... it's not extremely obvious how to exploit. After figuring out the basic workings of the exploit (URLs, values, etc...), I spent another 10-20 h to actually be able to log in to my own unpatched Factorio server with an unpatched client.

HanziQ
Former Staff
Posts: 630
Joined: Fri Mar 27, 2015 7:07 am

Re: [0.15.21] User verification vulnerability

Post by HanziQ »

Fixed for the next release, thanks for the report.

ayahuasca23
Burner Inserter
Posts: 5
Joined: Fri May 26, 2017 11:19 am

Re: [0.15.21] User verification vulnerability

Post by ayahuasca23 »

HanziQ wrote:Fixed for the next release, thanks for the report.
There are still unanswered questions, though.
Where to report security-related stuff in the future, also here in the forum?
ayahuasca23 wrote:and yeah devs, can we talk privately about that? PM me please.
Should I just post publicly here in this forum?

HanziQ
Former Staff
Posts: 630
Joined: Fri Mar 27, 2015 7:07 am

Re: [0.15.21] User verification vulnerability

Post by HanziQ »

