GHSA-hvm9-wc8j-mgrc: TShock Security Escalation Exploit

Impact

An issue with the way OTAPI manages client connections results in stale UUIDs remaining on RemoteClient instances after a player disconnects.

Because of this, if the following conditions are met, a player may assume the login state of a previously connected player:

  1. The server has UUID login enabled
  2. An authenticated player disconnects
  3. A subsequent player connects with a modified client that does not send the ClientUUID#68 packet during connection
  4. The server assigns the same RemoteClient object that belonged to the originally authenticated player to the newly connected player

Patches

TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.

Workarounds

Implement a RemoteClient reset event handler in a plugin like so:

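// Inside your plugin class (requires `using Terraria;`).
public override void Initialize()
{
    // Hook RemoteClient.Reset so every reset also clears the UUID.
    On.Terraria.RemoteClient.Reset += RemoteClient_Reset;
}

private static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client)
{
    // Drop the UUID left by the previous connection, then run the original reset.
    client.ClientUUID = null;
    orig(client);
}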
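
Why clearing the UUID on reset is sufficient, shown as an added model that is not TShock or OTAPI code: Slot, Server, the one-slot pool and the uuid-alice account are hypothetical stand-ins for the RemoteClient reuse described under Impact. It runs the same disconnect and reconnect sequence once without and once with the UUID being cleared.

```csharp
// Added model, not TShock/OTAPI code; Slot, Server and the accounts are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;

// ClientUUID is set only when the connecting client sends its UUID packet.
class Slot { public string ClientUUID; public bool IsActive; }

class Server
{
    readonly Slot[] slots;
    readonly bool clearUuidOnReset;   // true models the reset handler workaround
    // Constructed sample data: UUID -> account used by UUID login.
    readonly Dictionary<string, string> accounts = new() { ["uuid-alice"] = "alice" };

    public Server(int size, bool clearUuidOnReset)
    {
        slots = Enumerable.Range(0, size).Select(_ => new Slot()).ToArray();
        this.clearUuidOnReset = clearUuidOnReset;
    }

    // Reuse the first free slot; uuid == null models a client that never sends its UUID.
    public Slot Connect(string uuid)
    {
        var slot = slots.First(s => !s.IsActive);
        slot.IsActive = true;
        if (uuid != null) slot.ClientUUID = uuid;
        return slot;
    }

    public void Disconnect(Slot slot)
    {
        if (clearUuidOnReset) slot.ClientUUID = null;   // the line the handler adds
        slot.IsActive = false;                          // reset done either way
    }

    // Account the slot would be logged in as under UUID login, or null.
    public string UuidLogin(Slot slot) =>
        slot.ClientUUID != null && accounts.TryGetValue(slot.ClientUUID, out var a) ? a : null;

    static string Run(bool clear)
    {
        var server = new Server(1, clear);
        server.Disconnect(server.Connect("uuid-alice"));   // authenticated player leaves
        return server.UuidLogin(server.Connect(null)) ?? "(not logged in)";
    }

    static void Main() => Console.WriteLine($"no handler: {Run(false)}; handler: {Run(true)}");
}
```

A plugin regression test can follow the same shape: reset a client object that carried a UUID and assert the field is null afterwards.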
References

  • GHSA-hvm9-wc8j-mgrc
  • Pryaxis/TShock@5075997
