Every One Can Send Request To Websocket Port From Any Host

Report bugs found in Poker Mavens

Post by pookeer » Sat Nov 01, 2014 9:40 am

Hi Bro

Please Add Same-Origin policy To Websocket Port.

We Are Under Attack Because Attackers Can Send Websocket Requests From Any Host. Please Add Same-Origin policy To Websocket Port.

We Received A Huge Number Of Out Of Sequence Packets From Attackers And The Server Crashed 2 Times.

I Use Maven 64 4.32

Logs

Out of sequence packet (3) received from , IP 2.182.173.1
Out of sequence packet (3) received from , IP 46.224.149.86
Connection denied to 5.124.131.84 due to client/server version mismatch (4.31/4.31 B1)
WSServerExecute error: Access violation at address 0000000000408D26 in module PMServer.exe. Read of address 0000000000000000
Connection denied to 5.22.41.10 due to client/server version mismatch (4.31/4.31 B1)


And Many Out Of sequence Packets ...
pookeer
 
Posts: 21
Joined: Sun Sep 21, 2014 1:00 am

Re: Every One Can Send Request To Websocket Port From Any Ho

Post by Kent Briggs » Sat Nov 01, 2014 10:21 am

pookeer wrote: Please Add Same-Origin policy To Websocket Port.


Same origin as what? That won't stop a hacking attempt. Anyone can send packet requests to your server. But they won't be executed if the session ID doesn't match the connection thread. And the sequence check is an added protection.
Kent Briggs - [email protected]
Briggs Softworks - http://www.briggsoft.com
Kent Briggs
Site Admin
 
Posts: 3931
Joined: Wed Mar 19, 2008 8:47 pm

Re: Every One Can Send Request To Websocket Port From Any Ho

Post by pookeer » Sat Nov 01, 2014 11:27 am

Websocket uses a 4-way handshake and "Origin" is a header in this handshake.

If you check the Origin header and just allow requests from the maven server IP address, attackers can't send requests from their own pages to the Websocket.

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Sec-WebSocket-Version: 13
Origin: https://blahblahblah
Sec-WebSocket-Key: x7nPlaiHMGDBuJeD6l7y/Q==
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket


My server crashed 2 times under attack.

The other bug is in the event log: when an attacker sends a huge string as the server version in a websocket request, you show the version (huge string) in the event log as a version error, and the memory of maven becomes 7 GB or more and maven crashes.

Sorry for bad English.
pookeer
 
Posts: 21
Joined: Sun Sep 21, 2014 1:00 am

Re: Every One Can Send Request To Websocket Port From Any Ho

Post by pookeer » Sat Nov 01, 2014 11:48 am

Also maven has a CSRF vuln.
And an attacker with social engineering can give a link to any client and send any request from the client to the server because you don't check Origin.

Please see this post for more information :

http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
pookeer
 
Posts: 21
Joined: Sun Sep 21, 2014 1:00 am

Re: Every One Can Send Request To Websocket Port From Any Ho

Post by Kent Briggs » Sat Nov 01, 2014 12:17 pm

pookeer wrote: If you check the Origin header and just allow requests from the maven server IP address, attackers can't send requests from their own pages to the Websocket.


What's to stop the hacker from setting that header to anything they want?

The other bug is in the event log: when an attacker sends a huge string as the server version in a websocket request, you show the version (huge string) in the event log as a version error, and the memory of maven becomes 7 GB or more and maven crashes.


I'll look into that.
Kent Briggs - [email protected]
Briggs Softworks - http://www.briggsoft.com
Kent Briggs
Site Admin
 
Posts: 3931
Joined: Wed Mar 19, 2008 8:47 pm

Re: Every One Can Send Request To Websocket Port From Any Ho

Post by pookeer » Sat Nov 01, 2014 12:31 pm

An attacker can change the header of their own request but can't change the header of a client in a web page with a websocket connection.

For example, an attacker makes a page with a websocket connection to the maven packet port and puts it on a site with 1000 visitors; all of these visitors have a session in the maven server without authority.

But if you check Origin, none of these sessions are created.

...
pookeer
 
Posts: 21
Joined: Sun Sep 21, 2014 1:00 am

Re: Every One Can Send Request To Websocket Port From Any Ho

Post by johndoo » Tue Nov 04, 2014 3:18 am

Concerning the event log issue, is there some kind of global cutting mechanism in the code that truncates any string with an irrelevant length (> maximum expected length)?

Perhaps this could also apply to data received in the websocket: if a buggy very long string is sent to the server, the server should put a "hack attempt ?" line in the event log and immediately close the session that sent this string (depending on the component you use to receive data packets, this will also save a lot of memory/CPU).
johndoo
 
Posts: 50
Joined: Mon Nov 03, 2014 4:42 pm
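
Added example (not part of the thread and not Poker Mavens code): the two server-side checks discussed above, written in Python. It rejects a WebSocket handshake whose Origin is not on an allowlist, and bounds the client version string before it reaches the event log. The allowed origin, the size limits and the sample IP are assumptions.

```python
# Added example, not Poker Mavens code. Origins, limits and IP are assumptions.
ALLOWED_ORIGINS = {"https://poker.example.com"}  # assumed: the site serving the client
MAX_HANDSHAKE_BYTES = 8192                       # assumed cap on the upgrade request
MAX_VERSION_LEN = 16                             # assumed cap; "4.31 B1" is 7 chars

def parse_headers(raw: bytes) -> dict:
    """Header lines of an HTTP upgrade request, names lowercased."""
    headers = {}
    for line in raw.decode("latin-1").split("\r\n")[1:]:
        if not line:
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_handshake(raw: bytes):
    """Return (accepted, reason); call before any session state is created."""
    if len(raw) > MAX_HANDSHAKE_BYTES:
        return False, "handshake too large"
    headers = parse_headers(raw)
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    # Browsers set Origin themselves and page script cannot change it, so this
    # blocks connections opened by other sites' pages. A raw client can forge
    # the header, so session-ID and sequence checks are still required.
    if headers.get("origin", "").lower() not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    return True, "ok"

def check_version(ip: str, client_version: str, server_version: str):
    """Return (ok, log_line); an oversize value is never copied into the log."""
    if len(client_version) > MAX_VERSION_LEN:
        return False, f"Connection denied to {ip}: version field too long ({len(client_version)} chars)"
    if client_version != server_version:
        shown = client_version.encode("unicode_escape").decode("ascii")
        return False, (f"Connection denied to {ip} due to client/server "
                       f"version mismatch ({shown}/{server_version})")
    return True, ""

def sample_handshake(origin: str) -> bytes:
    """Constructed upgrade request using the header names quoted in the thread."""
    return ("GET / HTTP/1.1\r\nHost: poker.example.com\r\n"
            "Upgrade: websocket\r\nConnection: keep-alive, Upgrade\r\n"
            f"Origin: {origin}\r\nSec-WebSocket-Version: 13\r\n"
            "Sec-WebSocket-Key: x7nPlaiHMGDBuJeD6l7y/Q==\r\n\r\n").encode("latin-1")

if __name__ == "__main__":
    print(check_handshake(sample_handshake("https://blahblahblah")))
    print(check_version("203.0.113.7", "A" * 1_000_000, "4.31 B1"))
```
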

Re: Every One Can Send Request To Websocket Port From Any Ho

Post by Kent Briggs » Tue Nov 04, 2014 10:20 am

johndoo wrote: Perhaps this could also apply to data received in the websocket: if a buggy very long string is sent to the server, the server should put a "hack attempt ?"


Yes, this is being tested now and will be in the next update.
Kent Briggs - [email protected]
Briggs Softworks - http://www.briggsoft.com
Kent Briggs
Site Admin
 
Posts: 3931
Joined: Wed Mar 19, 2008 8:47 pm
