
Invalid place style resulting in DoS and difficult to recover world data

Moderate
hakusaro published GHSA-6w5v-hxr3-m2wx Nov 24, 2021

Package

TShock for Terraria (TShock)

Affected versions

<= 4.5.5

Patched versions

>= 4.5.8

Description

Impact

The Terraria multiplayer protocol doesn't sanitize data before resending it to clients. TShock tries to sanitize that data so that it doesn't cause problems for clients, such as crashes. This exploit works because a client that receives an invalid tile (or torch, for that matter) crashes, since it is unable to find that invalid torch's color. An attacker can place several of these across the world to render the server unjoinable, although the server itself doesn't crash. The only way to remove them is with third-party tools such as TEdit, or with a modified client that is immune to invalid tiles.

Patches

This advisory patches two vulnerabilities: a defect in the max place styles check, present in >4.21104, and a defect in the mismatched place style check, introduced in 4.5.4, though 4.5.3 remains unaffected.

TShock ≥ 4.5.8 patches both vulnerabilities by fixing their respective checks.

  • The max place styles check was changed to prioritize extraneous place styles first.
  • The biome torches check was changed to:
    1. Better correct for biome torches¹
    2. Allow right booster tracks to be placed legally. Right booster tracks are an extraneous place style, so the previous check would block them from being placed. This is fixed along with the check.

Note: @Yoraiz0r patched part of the issue in Terraria 1.4.3.0. This security advisory resolves the issue at the network level, preventing invalid data from reaching TShock in the first place.

1: A compromise is made. Since Terraria doesn't broadcast when a player toggles biome torches, the check accepts either a matching biome torch or the default torch. In other words, it covers both situations: biome torches on and biome torches off.
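The ordering described under Patches, as an added C# sketch that is not TShock's own code: extraneous place styles are resolved first, then the maximum style, then the item match with the biome-torch compromise from note 1. All names, tile and item IDs, table entries and the `biomeTorchStyle` parameter are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Added illustration; every ID and table entry below is a constructed placeholder.
static class PlaceStyleCheck
{
    const int TorchTile = 1, TrackTile = 2, DefaultTorchStyle = 0;

    // Highest style the client can render for each tile type.
    static readonly Dictionary<int, int> MaxPlaceStyles =
        new Dictionary<int, int> { [TorchTile] = 5, [TrackTile] = 0 };

    // Items that legitimately place a style outside the normal tables
    // (the advisory names right booster tracks): item id -> tile and style.
    static readonly Dictionary<int, (int Tile, int Style)> ExtraneousPlaceStyles =
        new Dictionary<int, (int Tile, int Style)> { [200] = (TrackTile, 3) };

    // Style declared by each ordinary item: item id -> style.
    static readonly Dictionary<int, int> ItemPlaceStyle =
        new Dictionary<int, int> { [100] = 0, [101] = 4, [201] = 0 };

    public static bool IsAllowed(int tile, int style, int heldItem, int biomeTorchStyle)
    {
        // 1. Extraneous styles first, so the checks below cannot reject them.
        if (ExtraneousPlaceStyles.TryGetValue(heldItem, out var extra))
            return tile == extra.Tile && style == extra.Style;

        // 2. Unknown tile, or a style outside what clients can draw.
        if (style < 0 || !MaxPlaceStyles.TryGetValue(tile, out int max) || style > max)
            return false;

        // 3. The style must match the item the player is holding.
        if (!ItemPlaceStyle.TryGetValue(heldItem, out int expected))
            return false;
        if (style == expected)
            return true;

        // 4. The server cannot see the biome-torch toggle, so a default torch
        //    may also produce the torch of the player's current biome.
        return tile == TorchTile && expected == DefaultTorchStyle && style == biomeTorchStyle;
    }

    static void Main()
    {
        Console.WriteLine(IsAllowed(TrackTile, 3, 200, 0));  // extraneous style on a track
        Console.WriteLine(IsAllowed(TorchTile, 4, 100, 4));  // default torch, biome torch placed
        Console.WriteLine(IsAllowed(TorchTile, 2, 100, 4));  // style matches neither option
        Console.WriteLine(IsAllowed(TorchTile, 99, 100, 4)); // style above the maximum
    }
}
```

Rejected placements should be dropped before the tile is written to the world or relayed to other clients, since an invalid tile that is already saved keeps crashing clients on join.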

Workarounds

Those who can't update can use the mismatched tiles plugin by @AgaSpace (merged in 4.5.3), which simulates TShock 4.5.3.

References

https://forums.terraria.org/index.php?threads/106210/

Severity

Moderate


CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE ID

No known CVE

Credits