GMS-2022-25: Impersonation of other users (passing XBOX Live authentication) by theft of logins in PocketMine-MP
(updated )
Impact
Minecraft Bedrock authentication and its protocol encryption are inseparably linked. One is not complete without the other.
This vulnerability affects servers which are able to be directly connected to via the internet (i.e. not behind a proxy).
If you are using a proxy, please check that it supports protocol encryption and that it is enabled.
Technical details
Basics
- The client generates a private ECC key
clientPriv
which it uses to complete ECDH for encryption. - A JWT containing the public key
clientPub
corresponding to this key is signed by Microsoft servers with the Mojang root public keymojangPub
. - The server verifies that the token was issued by Microsoft servers by verifying the JWT signature with
mojangPub
.
Why this is a problem
However, this only ensures that the token was issued by Microsoft. It does not ensure that the client actually possesses the private key corresponding to the public key in the token.
In a login replay attack, the attacker sends a login captured from another session. This login is valid because it is verifiable by mojangPub
; however, without encryption, the server doesn’t know that the client actually possesses clientPriv
, and the authenticity of the client cannot be verified.
How encryption prevents the attack
- The server calculates a shared secret for encryption using ECDH of
serverPriv
andclientPub
. - It then signs a return token using
serverPriv
and sends this to the client, along withserverPub
. - The client then verifies the JWT using
serverPub
, and calculates the same shared secret as the server usingclientPriv
andserverPub
.
If the client does not possess clientPriv
(i.e. because it replayed a stolen login), then the session cannot proceed once encryption is enabled, since the client cannot calculate the shared secret needed to decrypt the server packets and encrypt its own packets.
Since PM3 does not implement protocol encryption, this means that ALL versions of PM3 are affected by this login stealing attack.
How does the attacker capture a login in the first place?
The typical way to do this would be to trick a player into joining a server controlled by the attacker. This would allow the attacker to grab the login from the connection and store it for future use.
Are the logins valid forever?
No. All the JWTs have expiry dates after which they cannot be used. These expiry dates are typically 2-3 days after the token was issued by XBOX servers. PocketMine-MP 3.x does verify these expiry dates, so the use-by dates of these attacks are limited.
Patches
This problem has been fixed in all 4.x versions by implementing Minecraft protocol encryption.
This has not yet been addressed on 3.x, but since this vulnerability is already public knowledge, the advisory has been released early to make sure people are aware of it and the mitigation steps they can take.
Update 2022-01-22: This has been fixed on 3.x by d28be4eaf24a890f7ef110a51181a3d806a6acca.
Workarounds
- Use a proxy that supports encryption such as gophertunnel between your server and players. Make sure that the server only accepts connections from the proxy. If the proxy is on the same machine as the server, you can use
server-ip=127.0.0.1
to ensure that only the proxy can create connections for you.
The following things may help mitigate the problem:
- Verify that the
LoginPacket
serverAddress
field is the same as the server’s exposed domain name. For example: https://github.com/JustTalDevelops/AntiLoginForger WARNING: THIS DOES NOT SOLVE THE ROOT ISSUE. YOU WILL REMAIN VULNERABLE UNLESS YOU UPGRADE.
For more information
If you have any questions or comments about this advisory:
- Email us at team@pmmp.io
References
Detect and mitigate GMS-2022-25 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →