From a9830c3bbaa22ca0893ed134cc2662b7fe48d3b3 Mon Sep 17 00:00:00 2001
From: TheBrokenRail
Date: Fri, 16 Jul 2021 18:17:49 -0400
Subject: [PATCH] Fix RakNet::RakString Security Bug
---
 VERSION | 2 +-
 docs/CHANGELOG.md | 3 +++
 libreborn/include/libreborn/minecraft.h | 3 +++
 mods/src/misc/misc.c | 13 +++++++++++++
 4 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index ac2cdeba0..7d2ed7c70 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.1.3
+2.1.4
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 0631b7800..f6307c5c1 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
+**2.1.4**
+* Fix RakNet::RakString Security Bug
+
 **2.1.3**
 * Workaround Broken Library Search Path On Some ARM 32-Bit Systems
diff --git a/libreborn/include/libreborn/minecraft.h b/libreborn/include/libreborn/minecraft.h
index ad61d2403..a6c57e5ff 100644
--- a/libreborn/include/libreborn/minecraft.h
+++ b/libreborn/include/libreborn/minecraft.h
@@ -360,6 +360,9 @@ static uint32_t FillingContainer_linked_slots_length_property_offset = 0x14; // // RakNet::RakString
+typedef unsigned char *(*RakNet_RakString_t)(unsigned char *rak_string, const char *format, ...);
+static RakNet_RakString_t RakNet_RakString = (RakNet_RakString_t) 0xea5cc;
+
 typedef void (*RakNet_RakString_Assign_t)(unsigned char *rak_string, const char *str);
 static RakNet_RakString_Assign_t RakNet_RakString_Assign = (RakNet_RakString_Assign_t) 0xe9e34;
diff --git a/mods/src/misc/misc.c b/mods/src/misc/misc.c
index 5c8152533..38d69bac1 100644
--- a/mods/src/misc/misc.c
+++ b/mods/src/misc/misc.c
@@ -64,6 +64,16 @@ static void LoginPacket_read_injection(unsigned char *packet, unsigned char *bit
 free(new_username);
 }
+// Fix RakNet::RakString Security Bug
+//
+// RakNet::RakString's format constructor is often given unsanitized user input and is never used for formatting,
+// this is a massive security risk, allowing clients to run arbitrary format specifiers, this disables the
+// formatting functionality.
+static unsigned char *RakNet_RakString_injection(unsigned char *rak_string, const char *format, ...) {
+ // Call Original Method
+ return (*RakNet_RakString)(rak_string, "%s", format);
+}
+
 // Init
 void init_misc() {
 if (feature_has("Remove Invalid Item Background", 0)) {
@@ -82,6 +92,9 @@ void init_misc() {
 // Sanitize Username
 patch_address(LoginPacket_read_vtable_addr, (void *) LoginPacket_read_injection);
+ // Fix RakNet::RakString Security Bug
+ overwrite_calls((void *) RakNet_RakString, RakNet_RakString_injection);
+
 // Init C++
 _init_misc_cpp();
 }
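Review bot: `RakNet_RakString_injection` declares `...` but never reads it, so any call site that did legitimately pass format arguments now silently gets the raw format string as its text; the comment asserts no such caller exists, but that is the hook's whole contract and deserves to be stated on the function, e.g. `// Contract: every call is rewritten to RakString("%s", format); trailing arguments are intentionally dropped`. A NULL `format` also reaches the original constructor as a `%s` argument, which is undefined behaviour in printf-style formatting; if the original constructor tolerated NULL, forward it unchanged, `if (format == NULL) { return (*RakNet_RakString)(rak_string, NULL); }`, rather than wrapping it. Whether the original accepts NULL is not visible in this diff, so confirm against the binary before adding that guard.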
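Review bot: The `overwrite_calls` registration in `init_misc` rewrites call sites of `RakNet_RakString` rather than the function body at 0xea5cc, so the fix only covers calls that helper can reach; whether the constructor is also invoked through a route it does not patch (an indirect call, or code outside the rewritten range) cannot be judged from this hunk. A one-line comment making that coverage assumption explicit would help the next reader, e.g. `// Call-site rewrite: the original constructor stays in place, any unpatched call path keeps the format-string behaviour`. `init_misc` begins before the first hunk, so its other registrations are not visible here.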