UUID Spoofing

Discussion in 'Spigot Discussion' started by superpeanut911, May 16, 2015.

Thread Status:
Not open for further replies.
  1. Sooo,

    Some people just logged onto my server with my UUID and OP'd themselves


    Code (Text):

    [18:32:15] [Thread-960/INFO]: UUID of player Letigo is 99de5dde-39ef-46b0-ae40-8b259cc9af0d
    [18:32:15] [Server thread/INFO]:
    [Essentials] Found new UUID for Letigo. Replacing 5fdcd6ff-5b85-4acc-ab6b-b5e9863fa24b with 99de5dde-39ef-46b0-ae40-8b259cc9af0d
    [18:32:15] [Server thread/INFO]: Letigo[/208.167.254.12:54453] logged in with entity id 20038895 at ([prison]-772.9490779307206, 71.0, 51.44783188955688)
    [18:32:15] [Craft Scheduler Thread - 1463/INFO]: [GAListener] Player: Letigo has 0 votes
    [18:32:15] [Craft Scheduler Thread - 1467/INFO]: [BanManager] Requesting name for 5fdcd6ff-5b85-4acc-ab6b-b5e9863fa24b
    [18:32:24] [Server thread/INFO]: Letigo issued server command: /pl
    The second UUID is mine. They op'd a couple accounts. Using spigot essentials. Spigot version git-870264a-0a645a2

    http://mcuuid.net/?q=5fdcd6ff-5b85-4acc-ab6b-b5e9863fa24b replaced with

    http://mcuuid.net/?q=99de5dde-39ef-46b0-ae40-8b259cc9af0d

    BanManager still requested the proper UUID.
    The hackers' accounts all trace to ReliableSite if that's of any relevance ( http://www.ip-tracker.org/locator/ip-lookup.php?ip=208.167.254.12 )
    This is a MASSIVE issue. It could be an Essentials issue since Ban Manager requested the proper UUID.

    @md_5 @Thinkofdeath security loophole?

    And as for the people that did it, they advertised IPs, http://www.blizzardprison.com/index.php Most of the admins from here were also opped.
     
    #1 superpeanut911, May 16, 2015
    Last edited: May 16, 2015
    • Informative x 1
  2. Well, that's fucked up.
    What spigot version are you using?
     
  3. Spigot version git-870264a-0a64a2
     
  4. Just making sure, is it a cracked server?
     
  5. No, the hacker retained their own username, just a different UUID
     
  6. I had this issue months ago, but I forgot to set my IP Tables. Maybe you did not set these?
     
    • Like x 1
    • Friendly x 1
  7. The backend servers are bound to localhost :/
    Edit: looks like they aren't. IP forwarding isn't enabled, so clients can't connect straight through it, but they possibly could've sent some data straight to the server, I guess
     
  8. Code (Text):
    [18:37:52] [Server thread/INFO]: CaptainSparklez[/208.167.254.12:60863] logged in with entity id 20158741 at ([world]-123.5, 66.0, 261.5)
    [18:37:52] [Craft Scheduler Thread - 1471/INFO]: [GAListener] Player: CaptainSparklez has 1 queued votes
    [18:37:52] [pool-11-thread-1/INFO]: Creating empty config: /home/ecb/servers/new-prison/plugins/Essentials/userdata/5f820c39-5883-4392-b174-3125ac05e38c.yml
    [18:41:42] [Server thread/INFO]: CaptainSparklez issued server command: /setrank CaptainSparklez Owner
    Well that's not cool. The username is of the famous YTer, CaptainSparklez.
     
  9. Try joining your backend servers directly with the client. If that works, set up iptables or hire a sysadmin to do it. Maybe the localhost binding isn't working for some reason. It could also be a rogue, corrupted, etc. plugin or other program running on the dedi that can act as a proxy; to test this hypothesis, simply check the IP address of a player joining with Essentials' /whois command. You could also require that anyone joining with your UUID needs a specific IP -- it could potentially be made to auto-update by loading a webpage and entering a password to switch the IP address if you have a dynamic IP. Lastly, if all else fails, simply re-install the dedi's OS and reconfigure everything -- this smells like a misconfiguration that snuck in somehow. Also, while you're at it, try reissuing all SSH keys.
     
  10. They definitely joined around hub, as a simple /seen on hub pins the player's last login as 10 months ago. I can't join myself around it because IP Forwarding isn't enabled, but I'm sure there is a way, as it actually was not bound to localhost. I still don't understand how the username was retained but the UUID was not, though.
     
    #10 superpeanut911, May 16, 2015
    Last edited: May 16, 2015
  11. I'm curious to hear more information on this. Do you have "ip-forward" set to "true" in the Bungeecord proxy? As well, do you have "bungeecord" set to "true" in the spigot.yml on any of your Spigot servers?

    Code (Text):

    [18:32:15] [Craft Scheduler Thread - 1467/INFO]: [BanManager] Requesting name for 5fdcd6ff-5b85-4acc-ab6b-b5e9863fa24b
     
    I assume BanManager requested the name of that UUID because it was the old UUID. It wanted to see what name now belonged to that UUID.
     
  12. md_5

    Administrator Developer

    Because your server is offline mode and you haven't firewalled it properly.
     
    • Agree x 4
  13. Correct me if I'm wrong: 99de5dde-39ef-46b0-ae40-8b259cc9af0d is not an offline mode UUID. If it was not firewalled properly, the player would be assigned an offline mode UUID.

    As well, the OP seems to state here:
    IP forwarding is disabled? That complicates this ridiculously, and means there should have been no way for this player to get an online-mode UUID. With that said, if the server truly has ip forwarding disabled, then this isn't a Bungeecord issue. I'm curious what it is however.

    EDIT: If I look at this again with the most logical thinking, I believe I'd come to the conclusion that the OP is confused (Why else would his online-mode UUID be op'd? It must be being forwarded to the Spigot server), IP forwarding is indeed enabled, and this is a simple case of a hack client that took advantage of the Bungeecord IP forward payload that it could send directly due to the fact that the firewall was disabled on the server.
     
    #13 Coelho, May 16, 2015
    Last edited: May 16, 2015
    • Agree x 6
  14. That's actually the other way around. If IP Forwarding is enabled, which means bungeecord is set to true in the spigot.yml file of every Spigot server and ip-forwarding is set to true in the BungeeCord configuration, you can't join the backend servers directly (at least if IPTables is not set up). If IP Forwarding is disabled you should be able to join.

    Also, I'd suggest using IPTables instead of binding to localhost/127.0.0.1. I believe the issue is on Spigot's side; they found a way around your "firewall".

    Edit
    Can you check your BungeeCord log(s) to see if they actually connected through the proxy?
     
  15. I always thought that uuids had a way of changing. People have told me that this is not possible, but I have tested this on a plugin I wrote that I attempted to make it work across several servers.

    What I would do is name the player's file to their uuid.someextension, and when the player left one server, the plugin would save to that file, then join another server (on the same bungeed network) and it would create a new file with a different uuid.
     
  16. UUIDs are universally unique and do not change.

    Every premium Minecraft account has one UUID, and it stays the same through name changes and any other changes.

    If your server (cb/spigot) is offline-mode, UUIDs are generated from the name they used to join, and the UUID is case-sensitive.

    If one is using BungeeCord to connect to your cb/spigot server (may also be your BungeeCord connecting), the following happens:
    If Bungee has online-mode: false or ip-forwarding: false, or Spigot has bungeecord: false or ip-forwarding: false, either the user gets kicked or nothing other than the above happens.

    BungeeCord can send an IP and a UUID to Spigot servers that they should give the joining player. If your Spigot server is not properly secured or such options are turned off, everything is OK; else anyone can join with any fake IP and fake UUID.
     
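    The following is an added example for the reader (it is not code from this thread, from Essentials or from Spigot). It reproduces how an offline-mode CraftBukkit/Spigot server derives a UUID from a name (Java's UUID.nameUUIDFromBytes over "OfflinePlayer:" + name, an MD5-based version-3 UUID), and uses that to audit the log lines quoted in post #1: it flags Essentials' "Found new UUID" replacement and any login whose UUID differs from a roster of known name-to-UUID pairs. The roster dictionary and the function names are assumptions made for this example; the four log lines are copied from the first post.

```python
import hashlib
import re
import uuid

# Log lines copied from post #1 of the thread (the only input this example needs).
SAMPLE_LOG = """\
[18:32:15] [Thread-960/INFO]: UUID of player Letigo is 99de5dde-39ef-46b0-ae40-8b259cc9af0d
[18:32:15] [Server thread/INFO]: [Essentials] Found new UUID for Letigo. Replacing 5fdcd6ff-5b85-4acc-ab6b-b5e9863fa24b with 99de5dde-39ef-46b0-ae40-8b259cc9af0d
[18:32:15] [Server thread/INFO]: Letigo[/208.167.254.12:54453] logged in with entity id 20038895 at ([prison]-772.9490779307206, 71.0, 51.44783188955688)
[18:32:24] [Server thread/INFO]: Letigo issued server command: /pl
"""

# Constructed roster for the example: the UUID the server owner expects for this name
# (the "old" UUID from the Essentials line, which post #1 says is the owner's own).
KNOWN_ROSTER = {"Letigo": "5fdcd6ff-5b85-4acc-ab6b-b5e9863fa24b"}


def offline_mode_uuid(name: str) -> uuid.UUID:
    """UUID an offline-mode server assigns to `name`.

    Mirrors Java's UUID.nameUUIDFromBytes("OfflinePlayer:" + name): MD5 of the
    bytes, then the version nibble forced to 3 and the variant bits to RFC 4122.
    The name is hashed as typed, so the result is case-sensitive, as post #16 notes.
    """
    digest = bytearray(hashlib.md5(f"OfflinePlayer:{name}".encode("utf-8")).digest())
    digest[6] = (digest[6] & 0x0F) | 0x30  # version 3 (name-based, MD5)
    digest[8] = (digest[8] & 0x3F) | 0x80  # IETF variant
    return uuid.UUID(bytes=bytes(digest))


def classify_uuid(candidate: str, name: str) -> str:
    """Say whether a logged UUID looks name-derived (offline mode) or random (v4)."""
    parsed = uuid.UUID(candidate)
    if parsed == offline_mode_uuid(name):
        return "offline-mode (derived from name)"
    if parsed.version == 4:
        return "random v4 (online-mode style, or supplied by a proxy)"
    return f"unexpected version {parsed.version}"


UUID_LINE = re.compile(r"UUID of player (\S+) is ([0-9a-fA-F-]{36})")
REPLACE_LINE = re.compile(
    r"\[Essentials\] Found new UUID for (\S+)\. Replacing ([0-9a-fA-F-]{36}) with ([0-9a-fA-F-]{36})"
)


def audit_log(text: str, roster: dict) -> list:
    """Return (name, finding) pairs for lines that contradict the roster.

    Two signals are checked: Essentials announcing a UUID replacement for a
    name, and the server's own "UUID of player" line disagreeing with the
    UUID the roster has for that name.
    """
    findings = []
    for line in text.splitlines():
        m = REPLACE_LINE.search(line)
        if m:
            name, old, new = m.groups()
            findings.append(
                (name, f"Essentials replaced {old} with {new} ({classify_uuid(new, name)})")
            )
            continue
        m = UUID_LINE.search(line)
        if m:
            name, seen = m.groups()
            expected = roster.get(name)
            if expected and expected.lower() != seen.lower():
                findings.append((name, f"login UUID {seen} differs from roster {expected}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_log(SAMPLE_LOG, KNOWN_ROSTER):
        print(f"{name}: {finding}")
    print("offline-mode UUID for Letigo would be", offline_mode_uuid("Letigo"))
```

    Run against the quoted lines, the audit reports the roster mismatch and the Essentials replacement; both UUIDs in the log are version 4, so neither was produced by the offline-mode name hash, which is the observation Coelho makes in post #13. A roster of expected UUIDs for staff accounts is cheap to maintain and turns an Essentials "Found new UUID" line into an alert rather than a silent overwrite.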
  17. Look. This is what I've gotten from here: He's running Bungeecorded servers, although he didn't block/close the ports. A player's managed to connect directly to one of his servers with their own UUID. I'm not too sure how you'd change the UUID via offline/cracked mode, although they've managed it.
     
  18. As I can't find the thread to this, all I remember is:

    1) Run Bungeecord from your PC
    2) Put it in offline-mode
    3) Put the server IP in that you want to connect to

    Bam, you can join and gain OP.

    I'm not 100% sure if this is the correct order, but I read somewhere this is how people are getting in. This will ONLY happen if your firewall is not set!
     
    • Agree x 3
    • Informative x 1
  19. Ah, I didn't think about that. Maybe a modified version of BungeeCord would explain the whole UUID spoofing story.
     
  20. UUID spoofing is available for bungee plugins.
     