Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Minecraft "Insecure Mode" Detection Script
From: David Fifield <david () bamsoftware com>
Date: Sun, 9 Jan 2011 17:18:07 -0800

On Mon, Dec 20, 2010 at 03:35:14PM +0200, Toni Ruottu wrote:
  Merry Christmas time!

This time I wrote a script for auditing security of Minecraft. The
Minecraft multiplayer server has an "insecure mode". When running in
this mode the server does not verify usernames against minecraft.net.
Running the server in insecure mode makes it possible to play the game
offline despite the authentication server being unreachable. As a
side-effect the game allows any player to enter the game with any
username, even ones registered to other users. See
http://notch.tumblr.com/post/942787216/minecraft-alpha-1-0-16-minecraft-server-0-1-1-and-a
for details. Minecraft multiplayer server admins can run the attached
minecraft-auth NSE script against their online servers to make sure
they are not running in the "insecure mode".

Thanks Toni. I've added the script. After I read that link, I decided to
take the script out of the "vuln" category and put it in "auth". Does
that sound right? I guess this could be a vulnerability in the situation
you described, but is it more likely that this is just a configuration
decision made by the admin?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]