Cuberite ForumCuberiteDiscussion
How secure is MCServer?

Threaded Mode
How secure is MCServer?
tigerw Offline
Cuberite Developer
******
Posts: 952
Threads: 16
Joined: May 2013
Thanks: 21
Given 16 thank(s) in 89 post(s)
#1
Question  04-14-2014, 06:14 AM
With the recent OpenSSL vulnerability arising out of a failure to verify a length, I wonder, how secure is MCS?

Do we have any similar vulnerabilities that will allow someone to change their permissions? Modify webadmin settings? Explode the server? Explode the actual server? Explode the datacentre? Explode the country of the datacentre?

Has anyone ever used this emoticon? Angry
Find
Reply
Thanks given by:
xoft Offline
Cuberite Developer
******
Posts: 6,486
Threads: 176
Joined: Jan 2012
Thanks: 40
Given 156 thank(s) in 838 post(s)
#2
04-14-2014, 06:26 AM
I'm afraid we have way too many of such vulnerabilities, but I highly doubt any of them would do much more than crash the server. Most of the protocol stuff is really brittle, it just assumes that the client is sending the correct data with reasonably-limited sizes.
Find
Reply
Thanks given by:
qaisjp Offline
Junior Member
**
Posts: 11
Threads: 1
Joined: Jun 2014
Thanks: 0
Given 0 thank(s) in 0 post(s)
#3
06-13-2014, 04:42 AM
What about Heartbleed, MC edition?

[Image: Heartbleed_Nightmare.jpg]
Find
Reply
Thanks given by:
tigerw Offline
Cuberite Developer
******
Posts: 952
Threads: 16
Joined: May 2013
Thanks: 21
Given 16 thank(s) in 89 post(s)
#4
06-13-2014, 05:11 AM
[Image: f7877e57_faceWUT.jpeg]
Find
Reply
Thanks given by:
worktycho Offline
Cuberite Developer
******
Posts: 783
Threads: 12
Joined: Jan 2014
Thanks: 0
Given 4 thank(s) in 61 post(s)
#5
06-13-2014, 05:13 AM
If you concerned about heartbleed style bugs log into coverity. They have a developed a checker for heartbleed style bugs in the aftermath so other projects can check for them. We currently have 7 outstanding places where we do exactly what went wrong in heartbleed.

If you want to fix them Wink
Find
Reply
Thanks given by:
qaisjp Offline
Junior Member
**
Posts: 11
Threads: 1
Joined: Jun 2014
Thanks: 0
Given 0 thank(s) in 0 post(s)
#6
06-15-2014, 07:40 PM
(06-13-2014, 05:13 AM)worktycho Wrote: If you want to fix them Wink

feature not bug

In all seriousness, where is this checker?
Find
Reply
Thanks given by:
worktycho Offline
Cuberite Developer
******
Posts: 783
Threads: 12
Joined: Jan 2014
Thanks: 0
Given 4 thank(s) in 61 post(s)
#7
06-15-2014, 08:56 PM
The checker is called tainted scalar. The bug categories are untrusted value in loop bound and untrusted value as argument.
Find
Reply
Thanks given by:
LogicParrot Offline
Cuberite Developer
******
Posts: 721
Threads: 77
Joined: Apr 2014
Thanks: 0
Given 8 thank(s) in 89 post(s)
#8
06-22-2014, 12:03 AM (This post was last modified: 06-22-2014, 12:11 AM by LogicParrot.)
Useful information, thanks everyone.
Perhaps there should be a "known vulnerabilities" article somewhere.
Find
Reply
Thanks given by:
worktycho Offline
Cuberite Developer
******
Posts: 783
Threads: 12
Joined: Jan 2014
Thanks: 0
Given 4 thank(s) in 61 post(s)
#9
06-22-2014, 01:39 AM
These are not known vulnerabilities. There know potential vulnerabilities. They don't become known vulnerabilities until someone works out how to exploit them.
Find
Reply
Thanks given by:
LogicParrot Offline
Cuberite Developer
******
Posts: 721
Threads: 77
Joined: Apr 2014
Thanks: 0
Given 8 thank(s) in 89 post(s)
#10
06-22-2014, 01:44 AM (This post was last modified: 06-22-2014, 01:44 AM by LogicParrot.)
Call them what you want, "Potential vulnerabilities" is also fine to me.

"They don't become known vulnerabilities until someone works out how to exploit them. "

That's just plain terminology. Firefox lists your definition of "potential vulnerabilities" as "known vulnerabilities".
Check this out: https://www.mozilla.org/security/known-v...refox.html
Most -and maybe all- of these don't have a ready-to-use exploit, yet they're "known".

Like I said, I don't mind what you call them.
Find
Reply
Thanks given by:




Users browsing this thread: 1 Guest(s)