Server security issue (identified, steps to reproduce outlined)

    Joined
    Jul 22, 2013
    Messages
    148
    Reaction score
    0
    • Purchased!
    • Legacy Citizen 2
    • Legacy Citizen
    EDIT: Please see my most recent post below. I've identified the cause of server authentication being disconnected from particular players' names, thereby leaving a security hole for hijacking user login names.

    Recently had a run-in with an... unscrupulous individual.

    My server has been set to use StarMade authentication. It also employs a whitelist. The config option for these hasn't changed. As I was reviewing server logs, however, I saw these messages:

    [Sep 24, 2013 7:24:47 PM] STDERR: [AUTH] User Dawn is not protected
    [Sep 24, 2013 7:24:47 PM] STDERR: PROTECTING USER Dawn under uplink id Danzarlo
    [Sep 24, 2013 7:24:47 PM] STDERR: [SERVER] checking ip ban: 62.255.234.27
    [Sep 24, 2013 7:24:47 PM] STDERR: [SERVER] checking ip whitelist: 62.255.234.27

    [Sep 24, 2013 7:27:59 PM] STDERR: [AUTH] User Prae is not protected
    [Sep 24, 2013 7:28:00 PM] STDERR: PROTECTING USER Prae under uplink id Danzarlo
    [Sep 24, 2013 7:28:00 PM] STDERR: [SERVER] checking ip ban: 62.255.234.27
    [Sep 24, 2013 7:28:00 PM] STDERR: [SERVER] checking ip whitelist: 62.255.234.27

    [Sep 24, 2013 7:32:50 PM] STDERR: [AUTH] User Sevra_Faalur is not protected
    [Sep 24, 2013 7:32:50 PM] STDERR: PROTECTING USER Sevra_Faalur under uplink id Danzarlo
    [Sep 24, 2013 7:32:50 PM] STDERR: [SERVER] checking ip ban: 62.255.234.27
    [Sep 24, 2013 7:32:50 PM] STDERR: [SERVER] checking ip whitelist: 62.255.234.27

    There were more messages of this nature. These users did not attempt to log in themselves and have logged in before to have their login names protected to their StarMade account. All the server login requests in these instances originated from the same IP address (Danzarlo's). Somehow, the StarMade authentication was able to be circumvented and this person was able to log in as these individuals' characters.
     
    This person (or perhaps another) was able to bypass StarMade authentication again and gain access to my server. They masqueraded as me for the past day, throwing around admin privileges, credits, items, what not.

    This may be related to the issue Jest brought up before regarding "StarMade authentication ignoring listen ip setting".
     
    The server config file is set to "USE_STARMADE_AUTHENTICATION = true", yes. By some method, people are able to bypass this, somehow trick the server into not reading the protected.txt file, or forcing some type of overwrite of the protected.txt file.

    Server logs from that same day:

    [Sep 24, 2013 8:14:20 PM] STDERR: Connection made. starting new processor 61888, /[ip redacted, based out of United Kingdom]; local: 4242, /192.210.148.242, keepalive false
    [Sep 24, 2013 8:14:20 PM] STDOUT: [SERVER] connection registered
    [Sep 24, 2013 8:14:20 PM] STDOUT: [SERVER][PROCESSOR] client setup completed. listening for input
    [Sep 24, 2013 8:14:20 PM] STDERR: Client null and not first try
    [Sep 24, 2013 8:14:20 PM] STDERR: [SERVER][LOGIN] new client connected. given id: 138: description: Varquynne
    [Sep 24, 2013 8:14:20 PM] STDERR: [SERVER][LOGIN] return code 0
    [Sep 24, 2013 8:14:21 PM] STDERR: [AUTH] Protection status of Varquynne is Varquynne -> protected = false
    [Sep 24, 2013 8:14:21 PM] STDERR: [SERVER][LOGIN] login failed (ERROR_AUTHENTICATION_FAILED): SET CLIENT TO NULL
    [Sep 24, 2013 8:14:21 PM] STDERR: [SERVER] Executing scheduled disconnect!
    [Sep 24, 2013 8:14:21 PM] STDERR: [SERVER] Client 'null' HAS BEEN DISCONNECTED . PROBE: true
    [Sep 24, 2013 8:14:21 PM] STDERR: [SERVER] COULD NOT UNREGISTER CLIENT null
    [Sep 24, 2013 8:14:21 PM] STDERR: [SERVER] PROBE SUCCESSFULLY EXECUTED. STOPPING PROCESSOR. (Ping of a Starter to start server)

    Somebody with an IP address based out of the United Kingdom attempted to log in as me. Server authentication worked as it should, and denied their login, as demonstrated below. Doesn't match the protected.txt file, FALSE return.

    [Sep 24, 2013 8:14:21 PM] STDERR: [AUTH] Protection status of Varquynne is Varquynne -> protected = false

    From that same day, I actually logged in and the server returns this:

    [Sep 24, 2013 9:40:12 PM] STDERR: Connection made. starting new processor 63938, /[ip redacted, mine]; local: 4242, /192.210.148.242, keepalive false
    [Sep 24, 2013 9:40:12 PM] STDOUT: [SERVER] connection registered
    [Sep 24, 2013 9:40:12 PM] STDOUT: [SERVER][PROCESSOR] client setup completed. listening for input
    [Sep 24, 2013 9:40:12 PM] STDERR: Client null and not first try
    [Sep 24, 2013 9:40:12 PM] STDERR: [SERVER][LOGIN] new client connected. given id: 146: description: Varquynne
    [Sep 24, 2013 9:40:12 PM] STDERR: [SERVER][LOGIN] return code 0
    [Sep 24, 2013 9:40:12 PM] STDERR: [AUTH] Protection status of Varquynne is Varquynne -> protected = true
    [Sep 24, 2013 9:40:13 PM] STDERR: PROTECTING USER Varquynne under uplink id Varquynne

    Server logs show that protection status matches protected.txt file. Return, TRUE.

    Other users also have valid protection flags, so server authentication is working:

    [Sep 24, 2013 8:52:26 PM] STDERR: [AUTH] Protection status of Ixalite is Ixalite -> protected = true
    [Sep 24, 2013 8:52:26 PM] STDERR: PROTECTING USER Ixalite under uplink id Ixalite

    So far, everything is working as it should. On the 29th, another hacker/griefer (the one that ultimately was able to log in under my name), attempts to log on. Whitelist works, so they're denied.

    [Sep 29, 2013 10:56:24 PM] STDERR: Connection made. starting new processor 2631, /58.107.13.23; local: 4242, /192.210.148.242, keepalive false
    [Sep 29, 2013 10:56:24 PM] STDOUT: [SERVER] connection registered
    [Sep 29, 2013 10:56:24 PM] STDOUT: [SERVER][PROCESSOR] client setup completed. listening for input
    [Sep 29, 2013 10:56:24 PM] STDERR: Client null and not first try
    [Sep 29, 2013 10:56:24 PM] STDERR: [SERVER][LOGIN] new client connected. given id: 183: description: bradster2214
    [Sep 29, 2013 10:56:24 PM] STDERR: [SERVER][LOGIN] return code 0
    [Sep 29, 2013 10:56:24 PM] STDERR: [AUTH] User bradster2214 is not protected
    [Sep 29, 2013 10:56:24 PM] STDERR: [SERVER] checking ip ban: 58.107.13.23
    [Sep 29, 2013 10:56:24 PM] STDERR: [SERVER] checking ip whitelist: 58.107.13.23
    [Sep 29, 2013 10:56:24 PM] STDERR: [SERVER][LOGIN] Denying not white listed user: RegisteredClient: bradster2214 (183) connected: true
    [Sep 29, 2013 10:56:24 PM] STDERR: [SERVER][LOGIN] login failed (ERROR_NOT_ON_WHITELIST): SET CLIENT TO NULL
    [Sep 29, 2013 10:56:24 PM] STDERR: [SERVER] Executing scheduled disconnect!
    [Sep 29, 2013 10:56:24 PM] STDERR: [SERVER] Client 'null' HAS BEEN DISCONNECTED . PROBE: true

    Ok, now they attempt to log in under my name - Varquynne. Server logs return this:

    [Sep 29, 2013 10:58:09 PM] STDERR: Connection made. starting new processor 2632, /58.107.13.23; local: 4242, /192.210.148.242, keepalive false
    [Sep 29, 2013 10:58:09 PM] STDOUT: [SERVER] connection registered
    [Sep 29, 2013 10:58:09 PM] STDERR: Client null and not first try
    [Sep 29, 2013 10:58:09 PM] STDOUT: [SERVER][PROCESSOR] client setup completed. listening for input
    [Sep 29, 2013 10:58:10 PM] STDERR: [SERVER][LOGIN] new client connected. given id: 184: description: Varquynne
    [Sep 29, 2013 10:58:10 PM] STDERR: [SERVER][LOGIN] return code 0
    [Sep 29, 2013 10:58:10 PM] STDERR: [AUTH] User Varquynne is not protected

    Now, suddenly, my login name is no longer protected. They are able to access the server as me, masquerade around pretending to be me, and abuse admin powers. Between the 24th and the 29th, no updates were applied. No config files were changed - I'm the server owner and the only one with access. I check the protected.txt file, it lists my name as being linked to my StarMade account.

    Therefore, my question is... how'd they do it?
     
    I'm relatively certain that I've figured out what the issue has been. My server, being role-play focused, has several people who like to play different characters (me included). Thus, they use different names to connect to the server.

    Whenever a player connects to the server with a second new name, the second new name becomes protected under their StarMade user authentication uplink. Once this occurs, the server no longer recognizes the previous name as being protected.

    Here are excerpts from the server logs to show what is happening:

    I log in under my name Varquynne, and it is protected to my StarMade account Varquynne.

    [Oct 3, 2013 4:06:18 PM] STDERR: [SERVER][LOGIN] new client connected. given id: 2: description: Varquynne
    [Oct 3, 2013 4:06:18 PM] STDERR: [SERVER][LOGIN] return code 0
    [Oct 3, 2013 4:06:18 PM] STDERR: [AUTH] Protection status of Varquynne is Varquynne -> protected = true
    [Oct 3, 2013 4:06:19 PM] STDERR: PROTECTING USER Varquynne under uplink id Varquynne

    One minute later, I log in under a different name, Garren. The name is not protected, the server assigns protection under my StarMade account Varquynne.

    [Oct 3, 2013 4:07:14 PM] STDERR: [SERVER][LOGIN] new client connected. given id: 3: description: Garren
    [Oct 3, 2013 4:07:14 PM] STDERR: [SERVER][LOGIN] return code 0
    [Oct 3, 2013 4:07:14 PM] STDERR: [AUTH] User Garren is not protected
    [Oct 3, 2013 4:07:14 PM] STDERR: PROTECTING USER Garren under uplink id Varquynne

    I log out, then log back in under the same name: Garren. Server shows protection status enabled for Garren under StarMade account Varquynne.

    [Oct 3, 2013 4:08:09 PM] STDERR: [SERVER][LOGIN] new client connected. given id: 4: description: Garren
    [Oct 3, 2013 4:08:09 PM] STDERR: [SERVER][LOGIN] return code 0
    [Oct 3, 2013 4:08:10 PM] STDERR: [AUTH] Protection status of Garren is Varquynne -> protected = true
    [Oct 3, 2013 4:08:10 PM] STDERR: PROTECTING USER Garren under uplink id Varquynne

    Now, I attempt to log in again with the name Varquynne. The name is no longer protected. Anyone attempting to log in with my name at this time will have it protected under THEIR StarMade account authentication.

    [Oct 3, 2013 4:09:05 PM] STDERR: [SERVER][LOGIN] new client connected. given id: 5: description: Varquynne
    [Oct 3, 2013 4:09:05 PM] STDERR: [SERVER][LOGIN] return code 0
    [Oct 3, 2013 4:09:05 PM] STDERR: [AUTH] User Varquynne is not protected
    [Oct 3, 2013 4:09:05 PM] STDERR: PROTECTING USER Varquynne under uplink id Varquynne

    Now, from here, the opportunity for a griefer to log in and cause havoc is set up. They simply attempt to log in under an admin name and the server does not register the name as being protected anymore, and they're free to cause trouble.

    This situation of multiple names on a single server being linked to one StarMade account probably pertains to more than just role-play focused servers. This may occur on other servers if a particular person is using multiple names in order to create different factions (to use the characters as placeholders, while they faction protect certain entities such as universe scenery). Another situation may be that an admin would like a small break from their usual duties, so use a different name to log onto the server incognito. In these events, their player name becomes vulnerable to hijacking and potential griefing.
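The behaviour worked out in the post above (one uplink id can only hold one protected name at a time, so protecting a second name silently drops the first) and the log pattern from the opening post (several distinct names being protected under one uplink id from one IP) can both be checked mechanically. The script below is an added example, not StarMade's own code: the log line format is taken from the excerpts in this thread, while the two binding-table classes, the `other_uplink` value and the `SAMPLE_LOG` lines are constructed assumptions used to model and audit the behaviour described, not the server's real implementation.

```python
"""Model of the name-to-uplink binding described in the thread, plus a log audit.
Added example; the binding tables are assumptions inferred from the posts."""
import re
from collections import defaultdict

# Constructed log lines in the format of the thread's excerpts (not real server output).
SAMPLE_LOG = """\
[Oct 3, 2013 4:06:18 PM] STDERR: [AUTH] Protection status of Varquynne is Varquynne -> protected = true
[Oct 3, 2013 4:06:19 PM] STDERR: PROTECTING USER Varquynne under uplink id Varquynne
[Oct 3, 2013 4:07:14 PM] STDERR: [AUTH] User Garren is not protected
[Oct 3, 2013 4:07:14 PM] STDERR: PROTECTING USER Garren under uplink id Varquynne
[Oct 3, 2013 4:09:05 PM] STDERR: [AUTH] User Varquynne is not protected
[Oct 3, 2013 4:09:05 PM] STDERR: PROTECTING USER Varquynne under uplink id other_uplink
[Sep 24, 2013 7:24:47 PM] STDERR: PROTECTING USER Dawn under uplink id Danzarlo
[Sep 24, 2013 7:27:59 PM] STDERR: PROTECTING USER Prae under uplink id Danzarlo
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] STDERR: (?P<msg>.*)$")
PROTECT_RE = re.compile(r"^PROTECTING USER (?P<name>\S+) under uplink id (?P<uplink>\S+)$")
STATUS_RE = re.compile(r"^\[AUTH\] Protection status of (?P<name>\S+) is (?P<uplink>\S+) "
                       r"-> protected = (?P<flag>true|false)$")
UNPROT_RE = re.compile(r"^\[AUTH\] User (?P<name>\S+) is not protected$")


def parse_auth_events(text):
    """Yield (timestamp, kind, name, uplink) for the [AUTH]/PROTECTING lines only."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if p := PROTECT_RE.match(msg):
            yield ts, "protect", p["name"], p["uplink"]
        elif s := STATUS_RE.match(msg):
            yield ts, "status", s["name"], s["uplink"] if s["flag"] == "true" else None
        elif u := UNPROT_RE.match(msg):
            yield ts, "unprotected", u["name"], None


def audit(text):
    """Return alert strings for the three warning signs visible in the thread's logs:
    a protected name going unprotected, a name moving to a different uplink id,
    and one uplink id protecting more than one name."""
    owner = {}                             # name -> uplink it was last seen protected under
    names_by_uplink = defaultdict(set)     # uplink -> every name it has protected
    alerts = []
    for ts, kind, name, uplink in parse_auth_events(text):
        if kind == "unprotected":
            if name in owner:
                alerts.append(f"{ts}: {name} was protected under {owner[name]} but is now unprotected")
            continue
        if uplink is None:                 # "protected = false": nothing is bound
            continue
        if name in owner and owner[name] != uplink:
            alerts.append(f"{ts}: {name} rebound from {owner[name]} to {uplink}")
        owner[name] = uplink
        names_by_uplink[uplink].add(name)
        if kind == "protect" and len(names_by_uplink[uplink]) > 1:
            alerts.append(f"{ts}: uplink {uplink} now protects {sorted(names_by_uplink[uplink])}")
    return alerts


class OneNamePerUplink:
    """Assumed model of the behaviour in the thread: an uplink id holds a single
    protected name, so protecting a new name under it drops the previous one."""
    def __init__(self):
        self.name_of = {}                  # uplink -> the one name it protects

    def is_protected(self, name):
        return name in self.name_of.values()

    def login(self, name, uplink):
        """Return True if the login is accepted."""
        holder = next((u for u, n in self.name_of.items() if n == name), None)
        if holder is not None and holder != uplink:
            return False                   # name belongs to another uplink: reject
        self.name_of[uplink] = name        # overwrites whatever this uplink held before
        return True


class ManyNamesPerUplink:
    """Corrected model: every name keeps its own binding, so a second name under
    the same uplink never unprotects the first."""
    def __init__(self):
        self.uplink_of = {}                # name -> uplink

    def is_protected(self, name):
        return name in self.uplink_of

    def login(self, name, uplink):
        if self.uplink_of.get(name, uplink) != uplink:
            return False
        self.uplink_of[name] = uplink
        return True


def replay(table):
    """Replay the thread's sequence; return whether a login as Varquynne from a
    different (constructed) uplink is accepted afterwards."""
    table.login("Varquynne", "Varquynne")  # owner logs in under their own name
    table.login("Garren", "Varquynne")     # owner logs in under a second name
    return table.login("Varquynne", "other_uplink")


if __name__ == "__main__":
    print("buggy model accepts takeover:", replay(OneNamePerUplink()))
    print("fixed model accepts takeover:", replay(ManyNamesPerUplink()))
    print("\n".join(audit(SAMPLE_LOG)))
```

Running `audit` over a real server log would surface the Danzarlo pattern from the first post (one uplink protecting Dawn, Prae and Sevra_Faalur) and the owner's own Garren login as multi-name alerts before anyone exploits the resulting gap, and the "rebound" alert is the actual takeover event; the two table classes show why the corrected binding (one record per name, never per uplink) closes it.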
     
    Joined
    Oct 11, 2013
    Messages
    5
    Reaction score
    0
    Varquynne, it was me that logged in as you... I'm really sorry, but I just wanted to play. I should have put in an application like everyone else. As I said before, I am really sorry.