GHSA-hvm9-wc8j-mgrc

Source
https://github.com/advisories/GHSA-hvm9-wc8j-mgrc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-hvm9-wc8j-mgrc/GHSA-hvm9-wc8j-mgrc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hvm9-wc8j-mgrc
Published
2024-12-18T18:19:12Z
Modified
2024-12-18T18:46:35.452868Z
Severity
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:H/SA:H
Summary
TShock Security Escalation Exploit
Details

Impact

An issue with the way OTAPI manages client connections results in stale UUIDs remaining on RemoteClient instances after a player disconnects.

Because of this, a player may assume the login state of a previously connected player if all of the following conditions are met:

1. The server has UUID login enabled.
2. An authenticated player disconnects.
3. A subsequent player connects with a modified client that does not send the ClientUUID#68 packet during connection.
4. The server assigns the RemoteClient object that belonged to the originally authenticated player to the newly connected player.
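The four conditions above, played out against a minimal model of the slot-reuse behaviour. This is an added example and is not TShock or OTAPI code: only the names RemoteClient, ClientUUID and Reset mirror Terraria; SlotServer, Connect, Disconnect, RegisterUuidLogin, AutoLogin and the sample UUID are invented for the demonstration, and the real RemoteClient.Reset() takes no argument (here a bool selects the unpatched versus hardened behaviour so both can be run side by side).

```csharp
// Added example, not TShock or OTAPI code: a minimal model of the slot-reuse flaw.
// Only RemoteClient, ClientUUID and Reset mirror Terraria; everything else is invented.
using System;
using System.Collections.Generic;

public class RemoteClient
{
    public int Id;
    public bool IsActive;
    // Set from the ClientUUID#68 packet. The flaw: the unpatched Reset() leaves the
    // previous occupant's value in place when the slot is recycled.
    public string ClientUUID;

    // clearUuid = false models the unpatched behaviour, true models the hotfix/workaround.
    public void Reset(bool clearUuid)
    {
        IsActive = false;
        if (clearUuid)
            ClientUUID = null;
    }
}

public class SlotServer
{
    readonly RemoteClient[] clients;
    readonly bool hardened;
    // UUID -> account. Models "UUID login": an account that previously authenticated
    // from this UUID is logged in automatically when that UUID shows up again.
    readonly Dictionary<string, string> uuidLogins = new Dictionary<string, string>();

    public SlotServer(int slots, bool hardened)
    {
        this.hardened = hardened;
        clients = new RemoteClient[slots];
        for (int i = 0; i < slots; i++)
            clients[i] = new RemoteClient { Id = i };
    }

    // Assign the first free slot to a new socket. A null uuidPacket models a modified
    // client that never sends ClientUUID#68, so ClientUUID keeps whatever was there.
    public int Connect(string uuidPacket)
    {
        for (int i = 0; i < clients.Length; i++)
        {
            if (clients[i].IsActive)
                continue;
            clients[i].IsActive = true;
            if (uuidPacket != null)
                clients[i].ClientUUID = uuidPacket;
            return i;
        }
        throw new InvalidOperationException("server full");
    }

    public void Disconnect(int slot) => clients[slot].Reset(hardened);

    // Called after a successful password login when UUID login is enabled.
    public void RegisterUuidLogin(int slot, string account) =>
        uuidLogins[clients[slot].ClientUUID] = account;

    // The auto-login check performed for the player occupying a slot.
    public string AutoLogin(int slot)
    {
        string uuid = clients[slot].ClientUUID;
        return uuid != null && uuidLogins.TryGetValue(uuid, out string account) ? account : null;
    }
}

public static class Demo
{
    // Runs the advisory's four conditions against one server instance and returns
    // the account the second player ends up logged in as (null if none).
    public static string RunScenario(bool hardened)
    {
        var server = new SlotServer(8, hardened);
        int victim = server.Connect("11111111-2222-3333-4444-555555555555"); // constructed sample UUID
        server.RegisterUuidLogin(victim, "admin");  // condition 1: UUID login enabled, player authenticated
        server.Disconnect(victim);                  // condition 2: the authenticated player disconnects
        int attacker = server.Connect(null);        // condition 3: modified client, no ClientUUID#68 packet
        // condition 4: the first free slot is the one the victim just vacated
        return attacker == victim ? server.AutoLogin(attacker) : null;
    }

    public static void Main()
    {
        Console.WriteLine("unpatched: " + (RunScenario(false) ?? "(not logged in)"));
        Console.WriteLine("hardened:  " + (RunScenario(true) ?? "(not logged in)"));
    }
}
```

With the unpatched Reset the second connection inherits the first player's UUID and is auto-logged in as "admin" without ever having sent a UUID; with the hardened Reset the slot starts empty and no login occurs. The same pattern is worth checking for in any server that recycles fixed connection slots: every field that feeds an authorization decision must be cleared on reset, not only the ones the happy-path client is expected to overwrite.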

Patches

TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.

Workarounds

Until you can upgrade, hook RemoteClient.Reset from a plugin and clear the stale UUID before the original reset runs, like so:

using Terraria;

public override void Initialize()
{
    // Hook RemoteClient.Reset so a recycled slot never carries the previous
    // player's UUID into the next connection.
    On.Terraria.RemoteClient.Reset += RemoteClient_Reset;
}

private static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client)
{
    // Clear the stale UUID, then let the original reset run. A client that
    // skips the ClientUUID#68 packet now starts with no UUID instead of the
    // one left behind by the disconnected player.
    client.ClientUUID = null;
    orig(client);
}
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-305",
        "CWE-613",
        "CWE-863"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-18T18:19:12Z"
}
Affected packages

NuGet / TShock

Package: TShock
Ecosystem: NuGet

Affected ranges (type: ECOSYSTEM)
Introduced: 4.3.21
Fixed: 5.2.1

Affected versions

5.*

5.0.0-beta
5.0.0
5.1.0
5.1.1
5.1.2
5.1.3
5.2.0