From af2db43c53b9690fceabfb813987572bf2258db5 Mon Sep 17 00:00:00 2001
From: David Cook
Date: Sat, 5 Sep 2020 13:47:44 -0500
Subject: [PATCH] Block 0.0.0.0/8 from internet card by default

The 0.0.0.0/8 subnet refers to "this network" (cf. RFC 3330), and in particular, 0.0.0.0 can be used to refer to the local computer. As such, it should be blocked by default, as loopback addresses currently are.

This default configuration was relevant to a challenge in the ALLES! CTF 2020 competition, see https://play.allesctf.net/tasks/ALLES!Craft or https://ctftime.org/event/1091. The challenge involved multiple servers interconnected with Waterfall as a proxy, to enable server teleportation. The solution to the challenge was to use an internet card on one of the servers to connect to 0.0.0.0, bypassing the Waterfall proxy, and replay or reverse proxy a Minecraft handshake in Lua, which allowed spoofing as a different user.
---
 src/main/resources/application.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/main/resources/application.conf b/src/main/resources/application.conf index 9312cf05f..70b8432c5 100644 --- a/src/main/resources/application.conf +++ b/src/main/resources/application.conf @@ -975,6 +975,7 @@ opencomputers { # mod's context in an appropriate manner, e.g. using a system firewall. blacklist: [ "127.0.0.0/8" + "0.0.0.0/8" "10.0.0.0/8" "192.168.0.0/16" "172.16.0.0/12"
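Review bot: the rationale for the new `"0.0.0.0/8"` entry lives only in the commit message; the shipped application.conf should carry it too, so consider adding a comment line directly above the new entry in the hunk (e.g. `# 0.0.0.0/8 is "this network" (RFC 3330); 0.0.0.0 reaches the local host`) so a reader of the default config does not take it for a typo of `"10.0.0.0/8"`. Two further points on the same hunk: the blacklist as shown contains only IPv4 ranges, so if the internet card can resolve a hostname to an IPv6 address, the unspecified address `::` and loopback `::1` would need equivalent entries for this fix to close the loopback bypass rather than only the IPv4 spelling of it; and because the change edits only the bundled default, installations that already have a generated application.conf keep their old blacklist until the entry is added by hand, which is worth stating in the commit message or changelog.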