Every One Can Send Request To Websocket Port From Any Host

Report bugs found in Poker Mavens
pookeer
Posts: 21
Joined: Sun Sep 21, 2014 1:00 am

Every One Can Send Request To Websocket Port From Any Host

Post by pookeer »

Hi Bro

Please add a same-origin policy to the WebSocket port.

We are under attack because attackers can send WebSocket requests from any host. Please add a same-origin policy to the WebSocket port.

We received a huge number of out-of-sequence packets from attackers and the server crashed 2 times.

I use Maven 64 4.32

Logs
Out of sequence packet (3) received from , IP 2.182.173.1
Out of sequence packet (3) received from , IP 46.224.149.86
Connection denied to 5.124.131.84 due to client/server version mismatch (4.31/4.31 B1)
WSServerExecute error: Access violation at address 0000000000408D26 in module PMServer.exe. Read of address 0000000000000000
Connection denied to 5.22.41.10 due to client/server version mismatch (4.31/4.31 B1)
And Many Out Of sequence Packets ...
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: Every One Can Send Request To Websocket Port From Any Ho

Post by Kent Briggs »

pookeer wrote: Please Add Same-Origin policy To Websocket Port.
Same origin as what? That won't stop a hacking attempt. Anyone can send packet requests to your server. But they won't be executed if the session ID doesn't match the connection thread. And the sequence check is an added protection.
pookeer
Posts: 21
Joined: Sun Sep 21, 2014 1:00 am

Re: Every One Can Send Request To Websocket Port From Any Ho

Post by pookeer »

WebSocket uses a 4-way handshake and "Origin" is a header in this handshake.

If you check the Origin header and just allow requests from the Maven server IP address, attackers can't send requests from their own pages to the WebSocket.
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Sec-WebSocket-Version: 13
Origin: https://blahblahblah
Sec-WebSocket-Key: x7nPlaiHMGDBuJeD6l7y/Q==
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
My server crashed 2 times under attack.

Another bug is in the event log: when an attacker sends a huge string as the server version in a WebSocket request, you show the version (huge string) in the event log as a version error, and the memory of Maven becomes 7 GB or more and Maven crashes.

Sorry for bad English.
pookeer
Posts: 21
Joined: Sun Sep 21, 2014 1:00 am

Re: Every One Can Send Request To Websocket Port From Any Ho

Post by pookeer »

Also, Maven has a CSRF vuln.
An attacker with social engineering can give a link to any client and send any request from the client to the server because you don't check Origin.

Please see this post for more information :

http://www.christian-schneider.net/Cros ... cking.html
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: Every One Can Send Request To Websocket Port From Any Ho

Post by Kent Briggs »

pookeer wrote: If you check the Origin header and just allow requests from the Maven server IP address, attackers can't send requests from their own pages to the WebSocket.
What's to stop the hacker from setting that header to anything they want?
pookeer wrote: Another bug is in the event log: when an attacker sends a huge string as the server version in a WebSocket request, you show the version (huge string) in the event log as a version error, and the memory of Maven becomes 7 GB or more and Maven crashes.
I'll look into that.
pookeer
Posts: 21
Joined: Sun Sep 21, 2014 1:00 am

Re: Every One Can Send Request To Websocket Port From Any Ho

Post by pookeer »

An attacker can change the header of their own request but can't change the header of a client in a web page with a WebSocket connection.

For example, an attacker makes a page with a WebSocket connection to the Maven packet port and puts it on a site with 1000 visitors; all of these visitors have a session in the Maven server without authority.

But if you check Origin, none of these sessions are created.

...
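The handshake check discussed in the posts above, as an added example that is not part of the thread and is not Poker Mavens code. It assumes the legitimate client is a browser page served from a single hypothetical origin, https://poker.example.com; as the replies note, a non-browser client can set Origin to any value, so this only refuses connections opened by other sites' pages in a visitor's browser and does not replace the session ID and sequence checks.

```python
from urllib.parse import urlsplit

# Assumption: the only origin that serves the legitimate browser client.
ALLOWED_ORIGINS = {("https", "poker.example.com", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed handshake, modelled on the headers quoted in the thread.
SAMPLE_HANDSHAKE = (
    "GET / HTTP/1.1\r\n"
    "Host: poker.example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: keep-alive, Upgrade\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Sec-WebSocket-Key: x7nPlaiHMGDBuJeD6l7y/Q==\r\n"
    "Origin: {origin}\r\n\r\n"
)

def parse_headers(raw_request):
    """Header names lower-cased; repeated headers are joined, not overwritten."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return headers

def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Exact match on (scheme, host, port); missing or "null" Origin fails."""
    if not origin or origin == "null":
        return False
    try:
        parts = urlsplit(origin)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:
        return False
    if parts.path or parts.query or parts.fragment or parts.username:
        return False
    return (parts.scheme, (parts.hostname or "").lower(), port) in allowed

def check_handshake(raw_request):
    """Return 101 to continue the upgrade, 400 or 403 to refuse it."""
    headers = parse_headers(raw_request)
    if headers.get("upgrade", "").lower() != "websocket":
        return 400
    return 101 if origin_allowed(headers.get("origin")) else 403
```

The comparison is an exact tuple match, so a look-alike host such as poker.example.com.evil.example is refused, which a prefix or substring test on the header would let through.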
johndoo
Posts: 50
Joined: Mon Nov 03, 2014 4:42 pm

Re: Every One Can Send Request To Websocket Port From Any Ho

Post by johndoo »

Concerning the eventlog issue, is there some kind of global cutting mechanism in the code that truncates any string with an irrelevant length (> maximum expected length)?

Perhaps this could also apply to data received in the websocket: if a buggy very long string is sent to the server, the server should put a "hack attempt ?" line in event log and close immediately the session that sent this string (depending on the component you use to receive data packets, this will also save a lot of memory/cpu) .
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: Every One Can Send Request To Websocket Port From Any Ho

Post by Kent Briggs »

johndoo wrote: Perhaps this could also apply to data received in the websocket: if a buggy very long string is sent to the server, the server should put a "hack attempt ?"
Yes, this is being tested now and will be in the next update.
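One way to bound the version field before it reaches the event log, as suggested in the posts above. This is an added example, not part of the thread and not the Poker Mavens fix; the size limits, the version pattern, the packet layout (payload is only the version string), the wording of the two rejection log lines, and the client/server order inside the mismatch line are all assumptions.

```python
import re

MAX_PACKET_BYTES = 4096   # assumption: upper bound for any inbound packet
MAX_VERSION_LEN = 16      # assumption: versions look like "4.31" or "4.31 B1"
VERSION_RE = re.compile(r"\d+\.\d+( B\d+)?")


def safe_for_log(value, limit=32):
    """Bound the length and replace non-printable characters before logging."""
    shown = "".join(ch if ch.isprintable() else "?" for ch in value[:limit])
    if len(value) > limit:
        shown += "...[%d chars]" % len(value)
    return shown


def handle_version_packet(ip, payload, server_version):
    """Return (action, log_line); action is "accept" or "close"."""
    # Check the size before decoding or copying the payload anywhere.
    if len(payload) > MAX_PACKET_BYTES:
        return "close", "Oversized packet (%d bytes) from %s" % (len(payload), ip)
    claimed = payload.decode("utf-8", errors="replace")
    if len(claimed) > MAX_VERSION_LEN or not VERSION_RE.fullmatch(claimed):
        return "close", "Malformed version from %s: %s" % (ip, safe_for_log(claimed))
    if claimed != server_version:
        # Only a short, pattern-checked string is ever formatted into this line.
        return "close", ("Connection denied to %s due to client/server "
                         "version mismatch (%s/%s)" % (ip, claimed, server_version))
    return "accept", ""
```

Every log line produced here has a fixed maximum length, so the size of what a client sends no longer determines how much memory the event log consumes.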