GHSA-hvm9-wc8j-mgrc: TShock Security Escalation Exploit

December 18, 2024

An issue with the way OTAPI manages client connections results in stale UUIDs remaining on RemoteClient instances after a player disconnects.

Because of this, if the following conditions are met a player may assume the login state of a previously connected player:

The server has UUID login enabled
An authenticated player disconnects
A subsequent player connects with a modified client that does not send the ClientUUID#68 packet during connection
The server assigns the same RemoteClient object that belonged to the originally authenticated player to the newly connected player

References

github.com/Pryaxis/TShock
github.com/Pryaxis/TShock/commit/5075997264b48e27960e3446a948ecb0ea0f5a03
github.com/Pryaxis/TShock/security/advisories/GHSA-hvm9-wc8j-mgrc
github.com/advisories/GHSA-hvm9-wc8j-mgrc

Code Behaviors & Features

Detect and mitigate GHSA-hvm9-wc8j-mgrc with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →