Description: Impact
OTAPI does not clear the ClientUUID field of a RemoteClient when the player using that slot disconnects, so the stale UUID survives on the instance until the slot is reused.
Because of this, a later player may assume the login state of a previously connected player when all of the following conditions are met:
The server has UUID login enabled
An authenticated player disconnects
A subsequent player connects with a modified client that does not send the ClientUUID#68 packet during connection
The server assigns the same RemoteClient object that belonged to the originally authenticated player to the newly connected player
Patches
TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.
Workarounds
Hook RemoteClient.Reset from a plugin and clear the stale UUID before the original reset runs, like so:
using Terraria;

// Hook Terraria.RemoteClient.Reset (the MonoMod "On." hook generated by OTAPI) so the
// UUID is cleared every time a slot is reset, before the next player can be assigned to it.
public override void Initialize()
{
    On.Terraria.RemoteClient.Reset += RemoteClient_Reset;
}

private static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client)
{
    // Clear the UUID first so no later connection can inherit it, then run the original reset.
    client.ClientUUID = null;
    orig(client);
}
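The following is an added example in Python, not TShock or OTAPI code, that models the slot reuse described in the four conditions above: a server with a fixed pool of RemoteClient-like objects, UUID login, and a Reset that either leaves the UUID in place (the vulnerable behaviour) or clears it as the workaround hook above does. The class and method names, the UUID table and the account "alice" are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RemoteClient:
    """Constructed stand-in for Terraria.RemoteClient: one connection slot."""
    slot: int
    is_active: bool = False
    client_uuid: Optional[str] = None  # set by the ClientUUID#68 packet, if sent


class Server:
    """Minimal model of UUID login over a fixed pool of slots (not TShock's code)."""

    def __init__(self, slots: int, uuid_login: bool, clear_uuid_on_reset: bool):
        self.clients = [RemoteClient(i) for i in range(slots)]
        self.uuid_login = uuid_login
        self.clear_uuid_on_reset = clear_uuid_on_reset
        self.known_uuids: dict = {}  # uuid -> account name previously bound to it
        self.logged_in: dict = {}    # slot -> account name currently logged in

    def reset(self, client: RemoteClient) -> None:
        """Models RemoteClient.Reset. The vulnerable build leaves client_uuid alone."""
        client.is_active = False
        self.logged_in.pop(client.slot, None)
        if self.clear_uuid_on_reset:
            client.client_uuid = None  # what the workaround hook does

    def connect(self, client_uuid: Optional[str]) -> RemoteClient:
        """Assign the first free slot; a modified client may skip the UUID packet."""
        client = next(c for c in self.clients if not c.is_active)
        client.is_active = True
        if client_uuid is not None:
            client.client_uuid = client_uuid
        return client

    def try_uuid_login(self, client: RemoteClient) -> Optional[str]:
        """UUID login: bind the slot to the account whose UUID the slot presents."""
        if self.uuid_login and client.client_uuid in self.known_uuids:
            account = self.known_uuids[client.client_uuid]
            self.logged_in[client.slot] = account
            return account
        return None

    def disconnect(self, client: RemoteClient) -> None:
        self.reset(client)


def replay(clear_uuid_on_reset: bool) -> Optional[str]:
    """Walk the advisory's conditions; returns the account the second player
    ends up logged in as, or None if UUID login fails for them."""
    srv = Server(slots=1, uuid_login=True, clear_uuid_on_reset=clear_uuid_on_reset)
    srv.known_uuids["uuid-alice"] = "alice"     # condition 1: UUID login enabled and known
    alice = srv.connect("uuid-alice")
    assert srv.try_uuid_login(alice) == "alice"
    srv.disconnect(alice)                       # condition 2: authenticated player leaves
    mallory = srv.connect(client_uuid=None)     # condition 3: no ClientUUID#68 packet sent
    assert mallory is alice                     # condition 4: same RemoteClient object reused
    return srv.try_uuid_login(mallory)


if __name__ == "__main__":
    print("vulnerable reset:", replay(clear_uuid_on_reset=False))  # alice
    print("workaround reset:", replay(clear_uuid_on_reset=True))   # None
```

With the vulnerable reset the second player is logged in as "alice" without ever presenting her UUID; clearing the UUID on reset, as the hook does, makes the same sequence fail the UUID lookup.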
References
https://github.com/Pryaxis/TShock/security/advisories/GHSA-hvm9-wc8j-mgrc
https://github.com/Pryaxis/TShock/commit/5075997264b48e27960e3446a948ecb0ea0f5a03
https://github.com/advisories/GHSA-hvm9-wc8j-mgrc
December 18th, 2024
Description: A plugin name containing a path separator may allow an attacker to execute an arbitrary binary.
Such a plugin name can be provided to the rage CLI through an attacker-controlled recipient or identity string, or to the following age APIs when the plugin feature flag is enabled:
age::plugin::Identity::from_str (or equivalently str::parse::<age::plugin::Identity>())
age::plugin::Identity::default_for_plugin
age::plugin::IdentityPluginV1::new
age::plugin::Recipient::from_str (or equivalently str::parse::<age::plugin::Recipient>())
age::plugin::RecipientPluginV1::new
On UNIX systems, a directory matching age-plugin-* needs to exist in the working directory for the attack to succeed: once the constructed name age-plugin-<name> contains a separator it is resolved as a relative path instead of being searched for on PATH, so its first component must exist for the traversal to resolve.
The binary is executed with a single flag, either --age-plugin=recipient-v1 or --age-plugin=identity-v1. The standard input includes the recipient or identity string, and the random file key (if encrypting) or the header of the file (if decrypting). The format is constrained by the age-plugin protocol.
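To show how a plugin name taken from a recipient or identity string becomes a relative path, here is an added example in Rust that is not rage's code. It extracts the plugin name the way the age string formats define it (recipient HRP age1<name>, identity HRP AGE-PLUGIN-<NAME>-), builds the age-plugin-<name> binary name with no check (the vulnerable pattern) and, beside it, a hardened builder that accepts only [a-z0-9-]. The recipient and identity strings are constructed for the example and their bech32 checksums are not verified; is_path_like applies the OS rule that an executable name containing a separator is resolved relative to the working directory rather than looked up on PATH.

```rust
use std::path::{Component, Path};

/// Split a bech32-style string into (hrp, data) at the last '1'.
/// The checksum is deliberately not verified; this is a constructed model of
/// the name extraction, not rage's parser.
fn split_hrp(s: &str) -> Option<(&str, &str)> {
    let idx = s.rfind('1')?;
    let (hrp, data) = (&s[..idx], &s[idx + 1..]);
    if hrp.is_empty() || data.is_empty() {
        return None;
    }
    Some((hrp, data))
}

/// Plugin name from a recipient string whose HRP is "age1<name>".
pub fn plugin_name_from_recipient(s: &str) -> Option<String> {
    let (hrp, _) = split_hrp(s)?;
    let name = hrp.strip_prefix("age1")?;
    if name.is_empty() {
        return None;
    }
    Some(name.to_string())
}

/// Plugin name from an identity string whose HRP is "AGE-PLUGIN-<NAME>-".
pub fn plugin_name_from_identity(s: &str) -> Option<String> {
    let (hrp, _) = split_hrp(s)?;
    let name = hrp.strip_prefix("AGE-PLUGIN-")?.strip_suffix('-')?;
    if name.is_empty() {
        return None;
    }
    Some(name.to_lowercase())
}

/// Vulnerable pattern: the binary name is built straight from the plugin name,
/// so a name containing '/' turns the PATH lookup into a relative path.
pub fn binary_name_unchecked(name: &str) -> String {
    format!("age-plugin-{name}")
}

/// Hardened pattern: only lowercase letters, digits and '-' may appear, which
/// rules out '/', '\\', '.', and anything else that could shape a path.
pub fn binary_name_checked(name: &str) -> Result<String, String> {
    let ok = !name.is_empty()
        && name
            .bytes()
            .all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'-');
    if !ok {
        return Err(format!("rejected plugin name {name:?}"));
    }
    Ok(format!("age-plugin-{name}"))
}

/// True when the binary name has more than one path component, i.e. the OS
/// would resolve it relative to the working directory instead of via PATH.
pub fn is_path_like(bin: &str) -> bool {
    let mut comps = Path::new(bin).components();
    !matches!((comps.next(), comps.next()), (Some(Component::Normal(_)), None))
}

fn main() {
    // Constructed attacker-controlled recipient: the HRP carries a traversal.
    let recipient = "age1x/../../tmp/evil1qqqqqqqqqqqqqqqqqqqqqq";
    let name = plugin_name_from_recipient(recipient).unwrap();
    let bin = binary_name_unchecked(&name);
    println!("unchecked binary name: {bin}");
    println!("resolved as a path, not via PATH: {}", is_path_like(&bin));
    println!("hardened builder: {:?}", binary_name_checked(&name));
}
```

For the constructed recipient the unchecked name is age-plugin-x/../../tmp/evil, whose first component age-plugin-x is exactly the age-plugin-* directory the advisory says must exist in the working directory; the hardened builder rejects the name before any process is spawned.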
An equivalent issue was fixed in the reference Go implementation of age, see advisory GHSA-32gq-x56h-299c.
Thanks to ⬡-49016 for reporting this issue.
References
https://github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w
https://github.com/str4d/rage/commit/703152ecfa86f27952a35b57dd525ed39396a227
https://github.com/advisories/GHSA-4fg7-vxc8-qx5w
December 18th, 2024
Description: A phishing campaign targeting automotive, chemical, and industrial manufacturing companies in Germany and the UK is abusing HubSpot to steal Microsoft Azure account credentials. [...]
December 18th, 2024
Description: Today, CISA urged senior government and political officials to switch to end-to-end encrypted messaging apps like Signal following a wave of telecom breaches across dozens of countries, including eight carriers in the United States. [...]
December 18th, 2024
Description: Malicious Visual Studio Code extensions were discovered on the VSCode marketplace that download heavily obfuscated PowerShell payloads to target developers and cryptocurrency projects in supply chain attacks. [...]
December 18th, 2024
Description: Attackers are using links to the popular Google scheduling app to lead users to pages that steal credentials, with the ultimate goal of committing financial fraud.
December 18th, 2024
Description: Good Samaritan Health Center of Cobb has been claimed as a victim by Qilin ransomware
December 18th, 2024
Description: National Atomic Energy Commission has been claimed as a victim by Money Message ransomware
December 18th, 2024
Description: A threat actor claims to be selling access to an unidentified law firm in the UK
December 18th, 2024