Mojira Archive
MC-242462

Replay attack against encrypted sessions

Minecraft's protocol uses AES-CFB8 encryption with no MACs or nonces. This makes it trivially susceptible to replay attacks.

Any attacker able to intercept the communication between a client and server can record those packets and replay them at a later date, provided they change 5 bytes in the "serverbound key packet" to account for the different nonce.

I have a 200 line proof of concept for this that is able to log in as a player after observing their connection packets.

Additionally, as Minecraft does not kick players for sending invalid packets, it is theoretically possible to replay actions out-of-order.
CFB8 is self-correcting after 16 bytes of invalid data, meaning an attacker can send the 16 bytes of data preceding the packet they want to send in order to replay an arbitrary packet.
This is a more complex attack to pull off, but devastating in its consequences - it potentially allows an attacker to log in and play as a player, simply by being on the same network as them for a short period of time.

Suggested fix:

Switch to TLS encryption, with a secure cipher such as XSalsa20-Poly1305.

There are some other possible mitigations, but these are not recommended as they are much more error-prone and potentially less secure:

  • Switch to an authenticated cipher, such as AES-GCM, or better, XSalsa20-Poly1305. Use a nonce provided by the server in this cipher. This ensures the encrypted stream cannot be replayed or tampered with
  • Encrypt the nonce and secret key together, rather than separately. This ensures the serverbound key packet cannot be replayed. Also increase the nonce size significantly to reduce the risk of nonce reuse

Some other potential weak points in the protocol, with suggested improvements:

  • 1024-bit RSA. Upgrade to at least 2048-bit. 4096-bit would be better; Curve25519 would be even better (ideally used with TLS)
  • 4 byte nonce. Not used properly at present; should be replaced with a properly used, much larger nonce (or just use TLS)
  • SHA-1 hashes used in authentication with Mojang servers. Upgrade to SHA-2
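The two properties the report turns on, as an added example that is not code from the report or from Minecraft: a small AES-CFB8 implementation shows that a byte altered in transit raises no error and that decryption is correct again once the bad byte has left the 16-byte shift register, and next to it the first suggested mitigation in miniature, AES-GCM with the receiver's record counter in the nonce, which opens a record exactly once and rejects the same record replayed or edited. The nonce layout (4 zero bytes plus an 8-byte counter) and the per-record counter scheme are assumptions for the illustration, not the protocol's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// cfb8 is AES-CFB8 as in the report: one block-cipher call per byte, the last 16 ciphertext bytes as shift register, no MAC.
func cfb8(block cipher.Block, iv, in []byte, decrypt bool) []byte {
	reg, ks, out := append([]byte(nil), iv...), make([]byte, 16), make([]byte, len(in))
	for i, b := range in {
		block.Encrypt(ks, reg)
		out[i] = b ^ ks[0]
		fed := out[i] // the register always takes the ciphertext byte
		if decrypt {
			fed = b
		}
		reg = append(reg[1:], fed)
	}
	return out
}

// cfb8Resyncs flips one ciphertext byte in transit: no error is raised, and 17 bytes later decryption is correct again.
func cfb8Resyncs(key, iv, msg []byte) bool {
	block, _ := aes.NewCipher(key)
	ct := cfb8(block, iv, msg, false)
	ct[0] ^= 0xff
	pt := cfb8(block, iv, ct, true)
	return pt[0] != msg[0] && string(pt[17:]) == string(msg[17:])
}

// gcmRejectsReplay is the suggested fix in miniature: AES-GCM with the receiver's record counter in the nonce.
func gcmRejectsReplay(key, msg []byte) (fresh, replay, tampered bool) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	var seq uint64 // receiver's counter, advanced only when a record authenticates
	try := func(ct []byte) bool {
		nonce := make([]byte, 12) // assumed layout: 4 zero bytes + 8-byte counter
		binary.BigEndian.PutUint64(nonce[4:], seq)
		_, err := aead.Open(nil, nonce, ct, nil)
		if err == nil {
			seq++
		}
		return err == nil
	}
	rec := aead.Seal(nil, make([]byte, 12), msg, nil) // sender's record 0 (counter 0)
	bad := append([]byte{rec[0] ^ 1}, rec[1:]...)
	return try(rec), try(rec), try(bad)
}
```

With a constructed key, IV and message, cfb8Resyncs returns true and gcmRejectsReplay returns (true, false, false): the CFB8 receiver cannot tell that anything happened, the GCM receiver refuses both the replay and the edit.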

Unresolved

vktec

2021-11-21, 03:16 PM

2024-12-17, 02:12 PM

2

3

Plausible

Important

Platform

Networking

1.17.1, 1.18 Pre-release 5