This report contains an exploit that has been successfully patched in Resonite. It serves as an excellent guide on exploit report writing. Copying the format is allowed and encouraged.
What have I found?
An exploit allowing a malicious actor to join sessions while impersonating another user.
How did I find it?
I am specifically searching for exploits with large security impacts due to the new security issue bounty policy.
How serious do you think this is?
I believe this to be, at the very least, a medium severity issue. It has the following impact:
- Impersonation of users, including Resonite Staff
- Forced entry into Contacts/Contacts+ sessions if the malicious actor has the session ID
- Forced entry into Private sessions if the impersonated user has a valid invite and the malicious user knows the session ID
- SimpleAvatarProtection bypass as an attacker can *become* whoever's asset they're trying to steal
A PoC implementation has been created and verified to be working in the current version of Resonite (2021.9.3.1281).
Who is aware of this?
I am the only person who has the full details of the exploit. I recruited [PlayerA] and [PlayerB] for multiplayer testing, but they are only aware that an impersonation exploit exists and do not have specific details on how it works.
Logs
The logs from the host the attacker joins show nothing out of the ordinary, but I can hunt down the logs if requested.
Replication steps
The Characters
- "Sally" is hosting a session named "SallyWorld"
- "Eve" is a malicious actor who wants to gain access to SallyWorld
- "John" is a user in a session hosted by Eve
The Attack
- Eve connects to SallyWorld using John's username and userid
- Sally issues a JoinChallenge to Eve
- Eve forwards this JoinChallenge on to John
- John signs the JoinChallenge with his private key, and sends the JoinAuthenticate response back to Eve
- Eve forwards this JoinAuthenticate response to Sally
- Sally accepts Eve into the world as John
Screenshots
Shows that there are two [PlayerB]'s in the world: one real, and one me impersonating him: Omitted for Anonymization
Videos
In this video I impersonate [PlayerA]: Omitted for Anonymization
A link or URL to a replication item
The replication item is a Resonite plugin that isn't currently packaged up in a way I can distribute. If you need it, I can make a special build for you.
Possible Mitigations
- Change from using only a nonce to using nonce + sessionIdentifier as the signed data
- Verify that JoinChallenges come from the host (this may only be a partial fix)
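To show why the first mitigation closes the relay described under "The Attack", here is an added Python simulation of the exchange (not Resonite's code): Sally's host accepts Eve's relayed JoinAuthenticate when only the nonce is signed, and rejects it once nonce + sessionIdentifier is signed, while John's own direct join still succeeds. The signature is modelled with HMAC-SHA256 over a per-user secret that both John and the host hold, standing in for John's real private-key signature; Host, sign, signed_payload and the key registry are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def sign(key: bytes, data: bytes) -> bytes:
    """Stand-in for the user's private-key signature (HMAC; an assumption of this example)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def signed_payload(nonce: bytes, session_id: str, bind_session: bool) -> bytes:
    """Weak scheme signs only the nonce; the fix signs nonce + sessionIdentifier."""
    return nonce + session_id.encode() if bind_session else nonce

class Host:
    def __init__(self, session_id: str, user_keys: dict):
        self.session_id = session_id
        self.user_keys = user_keys   # username -> verification key (assumed key registry)
        self.pending = {}            # username -> nonce of the outstanding JoinChallenge

    def join_challenge(self, username: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return nonce

    def join_authenticate(self, username: str, sig: bytes, bind_session: bool) -> bool:
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return False
        # The host binds the check to ITS OWN session id, never to one the client supplies.
        expected = sign(self.user_keys[username],
                        signed_payload(nonce, self.session_id, bind_session))
        return hmac.compare_digest(expected, sig)

def relay_attack(bind_session: bool) -> bool:
    """Eve joins SallyWorld as John by relaying Sally's challenge to John, who sits in EveWorld."""
    john_key = secrets.token_bytes(32)
    sally = Host("SallyWorld", {"John": john_key})
    nonce = sally.join_challenge("John")          # Eve connects claiming to be John
    # Eve forwards the challenge; John signs it for the session he is actually in (EveWorld)
    sig = sign(john_key, signed_payload(nonce, "EveWorld", bind_session))
    return sally.join_authenticate("John", sig, bind_session)  # Eve forwards John's response

def honest_join(bind_session: bool) -> bool:
    """John joins SallyWorld directly; this must keep working after the fix."""
    john_key = secrets.token_bytes(32)
    sally = Host("SallyWorld", {"John": john_key})
    nonce = sally.join_challenge("John")
    sig = sign(john_key, signed_payload(nonce, "SallyWorld", bind_session))
    return sally.join_authenticate("John", sig, bind_session)
```

With the weak scheme relay_attack(False) returns True (Eve is accepted as John); with session binding relay_attack(True) returns False because John's signature covers "EveWorld" while Sally verifies against "SallyWorld".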