GHSA-F8MX-CWFH-7HR2

Vulnerability from github – Published: 2025-02-03 16:02 – Updated: 2025-02-03 16:02
VLAI
Summary
TShock allows chat while not fully connected, possible ban evasion
Details

This issue was reported to TShock by @ohayo, but was found by the Discord user by the name of sofurry.com. Please note that this user does not own this domain on the internet, just the discord handle.

TShock overrides certain Terraria vanilla systems, including chat, and the connection handling, for its own purposes, like enforcing bans. When clients connect but do not complete the connection handshake (e.g., send message number 6), they can "exist" on the server, occupy a player slot, chat, and receive data from the server despite not being fully connected. Individuals who exploit this will be able to effectively harass the server, observe the server, and utilize server resources even if banned from the server.

For servers that operate with a proxy that strictly enforces the connection handshake/sequence, this is not an issue, but for smaller servers or servers running vanilla TShock this is an issue worth patching for.

PR body supplied by @ohayo (patch writer):

Terraria's standard server by default checks for bans upon the client sending the ConnectRequest packet, however, TShock instead chooses to check if the client connecting is banned upon the Request World Data packet.

A malicious client can easily just not send this packet, and still join the server even while being banned. Also by not sending Request World Data, the malicious client is still able to receive all packets from the server & even chat.

Other clients will not be notified of their join/leave but will be able to see them on the player list. Leading to potential chat spam & "spying" on packets of players within the server.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.2.1"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "TShock"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-03T16:02:36Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "This issue was reported to TShock by @ohayo, but was found by the Discord user by the name of `sofurry.com`. Please note that this user **does not own this domain on the internet, just the discord handle**.\n\nTShock overrides certain Terraria vanilla systems, including chat, and the connection handling, for its own purposes, like enforcing bans. When clients connect but do not complete the connection handshake (e.g., send message number 6), they can \"exist\" on the server, occupy a player slot, chat, and receive data from the server despite not being fully connected. Individuals who exploit this will be able to effectively harass the server, observe the server, and utilize server resources even if banned from the server.\n\nFor servers that operate with a proxy that strictly enforces the connection handshake/sequence, this is not an issue, but for smaller servers or servers running vanilla TShock this is an issue worth patching for.\n\nPR body supplied by @ohayo (patch writer):\n\nTerraria\u0027s standard server by default checks for bans upon the client sending the ConnectRequest packet, however, TShock instead chooses to check if the client connecting is banned upon the Request World Data packet.\n\nA malicious client can easily just not send this packet, and still join the server even while being banned.\nAlso by not sending Request World Data, the malicious client is still able to receive all packets from the server \u0026 even chat. \n\nOther clients will not be notified of their join/leave but will be able to see them on the player list.\nLeading to potential chat spam \u0026 \"spying\" on packets of players within the server.",
  "id": "GHSA-f8mx-cwfh-7hr2",
  "modified": "2025-02-03T16:02:56Z",
  "published": "2025-02-03T16:02:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Pryaxis/TShock/security/advisories/GHSA-f8mx-cwfh-7hr2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Pryaxis/TShock/commit/134f80f5b8eac8929aa10f518c00970700d5913d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Pryaxis/TShock"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TShock allows chat while not fully connected, possible ban evasion"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…