search

joe7575 / pdp13

A 16-bit minicomputer simulation inspired by DEC, IBM, and other Vintage Computers from the 60s and 70s
GNU Affero General Public License v3.0
8 stars 1 forks source link

security issue: pdp13 tape data is unencrypted #1

Open tigercoding56 opened 2 years ago

tigercoding56 commented 2 years ago

this can lead to an exploit where it is possible to get the code required for ALL 3 exam tapes that are needed to get the J/OS (which i think should not require an exam to begin as people who use J/OS learn how to use it like i learned how to use linux by using it ) (maybe it should be a config option if you need an exam or not ) but by enabling local map saving (possible in un modified client ) Screenshot from 2022-07-07 22 28 35 and then connecting to a server that has the pdp13 mod like ... TASS you get a folder in the ~/.minetest/worlds directory

begining with _server or something like that and having the address of the server you went on now this can be abused by on the server loading mapchunks with a pdp13 tape chest containing tapes other players have written to pass the exam like idk ....mony and then remembering the coordinates it is possiple to create a single node singleplayer world with the pdp13 mod and then just /grantme all on the single player world now exit the single player world and take the sqlite3 file inside the _server folder and copy it in your single player world folder (replacing the sqlite3 file already in the singleplayer worlds folder ) join the single player world and tp to coordinates of tape chests take the exam tapes and copy and paste the text inside into some text files on your pc (this method bypasses any protection mods installed on the server ) a solution would be to have tapes be encrypted using the players username as encryption key along with some salt set by the server Screenshot from 2022-07-07 22 30 52 Screenshot from 2022-07-07 22 29 40

joe7575 commented 2 years ago

Does that really work?

The code of the tapes is not stored in the pdp13 tape chest containing tapes, nor in the tapes. The tapes only store a filename. The code is stored in real files on the server file system: Bildschirmfoto_2022-07-08_16-05-57

tigercoding56 commented 2 years ago

it worked for me ( a thing i did i did not descripe here is i rightklicked the chest on the server interacted with the tapes (of course the protection mod moved them back if i tried to put them into them inventory )

Sent with Proton Mail unsecure email.

------- Original Message ------- On Friday, July 8th, 2022 at 7:10 AM, Joachim Stolberg @.***> wrote:

Does that really work?

The code of the tapes is not stored in the pdp13 tape chest containing tapes, nor in the tapes. The tapes only store a filename. The code is stored in real files on the server file system: Bildschirmfoto_2022-07-08_16-05-57

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: @.***>