beac0n / ruroco

Ruroco is a tool that lets you execute commands on a server by sending UDP packets. The commands are configured on the server side, so the client does not define what is going to be executed; it only picks from existing commands.
MIT License

Replay against different Server possible? #3

Closed RubenArtmann closed 1 month ago

RubenArtmann commented 2 months ago

Looks to me like the packet does not identify the server and could be replayed against a different server (if the same private key is valid on more than one server).

https://github.com/beac0n/ruroco/blob/ce766751b51c8ff6246a2be02a0d028e8e880bcb/src/client.rs#L90-L113

Just saw this on Hacker News, and this popped into my head while reading: https://github.com/beac0n/ruroco?tab=readme-ov-file#security

> Each packet can only be sent once and will be blacklisted on the server.
beac0n commented 2 months ago

Hi @RubenArtmann. Thanks for the feedback. You are right, that could happen!

A solution would be to add the destination server to the encrypted data, and then let the server validate that.

Thanks for pointing it out! I will implement a fix :)
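To make the replay concrete, here is an added example (not ruroco's code, and not the fix that was merged) that models the server-side checks on the plaintext a server obtains after decrypting a packet. The decryption step itself is abstracted away: assume the same private key is deployed on two servers, so both decrypt successfully. The `PacketV1`/`PacketV2` field names, the `Server` type, the `|` serialisation used as the blacklist key, and the host:port destination strings are all assumptions for illustration.

```rust
use std::collections::HashSet;

/// Plaintext as in the original design: command plus a sender timestamp, no destination.
/// (Assumed layout for the example; the real wire format is ruroco's.)
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct PacketV1 {
    pub command: String,
    pub timestamp_ns: u128,
}

/// Plaintext after binding the destination into the encrypted data.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct PacketV2 {
    pub command: String,
    pub timestamp_ns: u128,
    pub destination: String, // what the client actually dialed, e.g. "a.example:8080"
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Accepted,
    Replayed,
    Stale,
    UnknownCommand,
    WrongDestination,
}

pub struct Server {
    pub identity: String,                // this server's own destination string
    pub allowed_commands: HashSet<String>,
    pub blacklist: HashSet<Vec<u8>>,     // serialised plaintexts already accepted
    pub max_skew_ns: u128,               // freshness window around the server clock
}

impl Server {
    pub fn new(identity: &str, allowed: &[&str]) -> Self {
        Server {
            identity: identity.to_string(),
            allowed_commands: allowed.iter().map(|s| s.to_string()).collect(),
            blacklist: HashSet::new(),
            max_skew_ns: 5_000_000_000, // 5 s, an assumed window
        }
    }

    /// Checks shared by both designs: known command, fresh timestamp, not seen before.
    fn common_checks(&mut self, key: Vec<u8>, command: &str, ts: u128, now: u128) -> Verdict {
        if !self.allowed_commands.contains(command) {
            return Verdict::UnknownCommand;
        }
        if ts.abs_diff(now) > self.max_skew_ns {
            return Verdict::Stale;
        }
        // insert() returns false if the key was already blacklisted.
        if !self.blacklist.insert(key) {
            return Verdict::Replayed;
        }
        Verdict::Accepted
    }

    /// Original design: nothing in the plaintext ties the packet to this server,
    /// so a packet captured on the way to server A is valid for server B as well.
    pub fn handle_v1(&mut self, p: &PacketV1, now: u128) -> Verdict {
        let key = format!("{}|{}", p.command, p.timestamp_ns).into_bytes();
        self.common_checks(key, &p.command, p.timestamp_ns, now)
    }

    /// Fixed design: refuse anything not addressed to this server before any other check.
    pub fn handle_v2(&mut self, p: &PacketV2, now: u128) -> Verdict {
        if p.destination != self.identity {
            return Verdict::WrongDestination;
        }
        let key = format!("{}|{}|{}", p.destination, p.command, p.timestamp_ns).into_bytes();
        self.common_checks(key, &p.command, p.timestamp_ns, now)
    }
}

/// Walks through the scenario from the issue and returns the five verdicts in order.
pub fn replay_demo() -> [Verdict; 5] {
    let mut server_a = Server::new("a.example:8080", &["open_ssh"]);
    let mut server_b = Server::new("b.example:8080", &["open_ssh"]);
    let now: u128 = 1_700_000_000_000_000_000; // constructed clock value

    let v1 = PacketV1 { command: "open_ssh".into(), timestamp_ns: now };
    let at_a = server_a.handle_v1(&v1, now);                 // Accepted
    let replay_a = server_a.handle_v1(&v1, now + 1_000);     // Replayed: blacklist works per server
    let replay_b = server_b.handle_v1(&v1, now + 1_000);     // Accepted: the cross-server replay

    let v2 = PacketV2 { command: "open_ssh".into(), timestamp_ns: now, destination: "a.example:8080".into() };
    let v2_at_b = server_b.handle_v2(&v2, now + 1_000);      // WrongDestination
    let v2_at_a = server_a.handle_v2(&v2, now + 1_000);      // Accepted

    [at_a, replay_a, replay_b, v2_at_b, v2_at_a]
}

fn main() {
    for (i, v) in replay_demo().iter().enumerate() {
        println!("step {}: {:?}", i + 1, v);
    }
}
```

The blacklist only defends against replay to the same server that first accepted the packet; the destination check is what closes the gap when one private key is shared across hosts. Checking the destination before the blacklist insert also keeps a misdirected packet from being recorded as "seen".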

beac0n commented 1 month ago

Fixed with https://github.com/beac0n/ruroco/pull/18