1

Topic: Security: current and past issues, a word on 0.6.5

Hello tees,

It has been two weeks since 0.6.5 and 0.7.0 were successively released, hastily. This was triggered by the exploit of some vulnerabilities in the Teeworlds servers.

The 0.6 connection protocol has a weakness that allows an attacker to occupy slots on any server from a spoofed IP, as well as to use them for a reflection attack. This vulnerability was assigned CVE-2018-18541.

If you are looking to patch modified 0.6 servers, you should apply a263185, aababc6, and f5fa1a9.
In simple terms, this will namely shield them against those "(connecting client)" that fill most 0.6 servers to this date.

In addition to that fix, the 0.7 connection protocol partially fixes the server browser reflection attack, although 1:1 reflection is still possible in 0.7.0 with token request packets. Special thanks to heinrich5991 and Oy for all of those quick fixes.


Adding to that, the master servers have been under DDoS attacks, making it sometimes difficult to get any server at all.

As a first step, a temporary workaround to this is to add many servers to your favorite list (to a max of 256), as the servers are still there; only the masterserver fails to broadcast the list.

In order to permanently improve the robustness of the servers, heinrich5991 has been working on an HTTP protection layer for the masterservers. This requires some sizeable code modifications, namely adding a couple of libraries (curl...), but we're expecting the fix to be deployed shortly.

Cheers!

Not Luck, Just Magic.

2

Re: Security: current and past issues, a word on 0.6.5

DDoS protection should have been added a long time ago but finally glad to see it coming. Thanks to heinrich5991 for this one.

3

Re: Security: current and past issues, a word on 0.6.5

For future reference, heinrich5991 summarized how the new anti-spoofing protocol works on a technical level in this pull request: Added tokens to the network and refactored master server code - #986

Not Luck, Just Magic.
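As an added illustration of the idea behind the token handshake mentioned in post 1 and in the pull request linked in post 3 (this is constructed example code, not Teeworlds' own implementation, and the packet names, the 4-byte token size and MAX_SLOTS are assumptions), a toy server that hands out an address-bound token without storing any state and only allocates a slot once the peer echoes that token back, so traffic carrying a forged source address neither occupies a slot nor receives a reply larger than the request:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_SLOTS = 4  # assumed slot count for the toy server


@dataclass
class Server:
    """Minimal model of a UDP game server (constructed; not Teeworlds code)."""
    secret: bytes = field(default_factory=lambda: os.urandom(16))
    slots: set = field(default_factory=set)

    def token_for(self, addr):
        # Stateless: the token is an HMAC over the peer address and a server
        # secret, so nothing is stored until the peer proves it can receive at addr.
        msg = f"{addr[0]}:{addr[1]}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:4]

    def handle(self, addr, packet):
        """Process one datagram from addr; return the reply bytes (b'' = no reply)."""
        kind, _, payload = packet.partition(b":")
        if kind == b"TOKEN_REQ":
            # Reply is never larger than the request, so a request with a forged
            # source address cannot turn the server into an amplifier.
            return b"TOKEN:" + self.token_for(addr)
        if kind == b"CONNECT":
            if not hmac.compare_digest(payload, self.token_for(addr)):
                return b""  # missing or wrong token: drop silently, allocate nothing
            if len(self.slots) < MAX_SLOTS:
                self.slots.add(addr)
                return b"ACCEPT"
            return b"FULL"
        return b""


def legit_connect(server, addr):
    """Honest client: it receives the token at its own address and echoes it."""
    reply = server.handle(addr, b"TOKEN_REQ:")
    token = reply[len(b"TOKEN:"):]
    return server.handle(addr, b"CONNECT:" + token)


def forged_connect(server, victim_addr):
    """Datagrams stamped with someone else's address: the token reply goes to
    that address, not to the sender, so the CONNECT can only carry a guess."""
    server.handle(victim_addr, b"TOKEN_REQ:")  # reply never reaches the sender
    return server.handle(victim_addr, b"CONNECT:" + bytes(4))
```

Compared with a protocol that reserves a slot on the first packet, the slot set here only ever contains addresses that demonstrably received the server's reply.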

4

Re: Security: current and past issues, a word on 0.6.5

Assigning a CVE number for every Teeworlds security issue; hope you don't run out of CVE space. If you didn't realize it yet, the whole protocol is broken, not just this one packet. Just my two cents.

Besides, HTTP does not mean DDoS protection. Looking forward to exploiting this "new" protocol.

Having trouble finding servers in the server list? Go to Pastebin (it's a referrer because there is a new pastebin daily) and add the lines to your settings.cfg (in %APPDATA%\teeworlds). Then open Teeworlds and go to the favorites tab. (Note, however, that the standard Teeworlds client can only show 256 favorites; use DDNet instead.)

5

Re: Security: current and past issues, a word on 0.6.5

From what I know, HTTP is a layer on top of which you can deploy DDoS protection.

If you identified additional flaws, feel free to report them on GitHub or in the Support section. If you didn't, your cynicism is inappropriate and not welcome.

Not Luck, Just Magic.

6

Re: Security: current and past issues, a word on 0.6.5

It's all in the old thread about moving to 0.7, but I guess you forgot to read it.

Having trouble finding servers in the server list? Go to Pastebin (it's a referrer because there is a new pastebin daily) and add the lines to your settings.cfg (in %APPDATA%\teeworlds). Then open Teeworlds and go to the favorites tab. (Note, however, that the standard Teeworlds client can only show 256 favorites; use DDNet instead.)

7 (edited by rand() 2018-11-10 03:00:58)

Re: Security: current and past issues, a word on 0.6.5

Schwertspize wrote:

It's all in the old thread about moving to 0.7, but I guess you forgot to read it.

https://www.teeworlds.com/forum/viewtop … 76#p121676 ?

I don't know the protocol for registration and heartbeat, but SERVERBROWSE_GETLIST and Cie are behind a token handshake, right?