Impact
Terraria multiplayer, by default, is not secure in many ways. An attacker can, by default, delete the entire world. TShock attempts to protect against these types of bypasses. However, a vulnerability was recently discovered that allows a user to wipe a TShock-protected map arbitrarily, even when the user is disabled. The exploit relies on the fact that TShock's SendTileRect handler was changed to be more tolerant of game logic. While we successfully made the handler more tolerant of game logic, the change opened a hole: an attacker can supply extra tile data in addition to legitimate conversion data. The extra data is not sanitized and is applied as-is, which means that any bad values in the extra data fields not used for legitimate conversions can be used to destroy tiles.
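The flaw described above, reduced to a simplified model as an added example (this is not TShock's code): the Tile fields, the conversion allow-list and the tile ids are assumptions constructed for illustration. It contrasts accepting the whole client tile once a conversion is permitted with copying only the converted field.

```csharp
using System;
using System.Collections.Generic;

// Simplified, hypothetical tile model; field names are assumptions, not TShock's types.
struct Tile
{
    public int Type;     // block id
    public int Wall;     // wall id
    public bool Active;  // false means the block is gone
    public int Liquid;   // liquid amount
}

static class TileRectCheck
{
    // Constructed allow-list of legitimate conversions (fromType, toType).
    static readonly HashSet<(int, int)> AllowedConversions =
        new HashSet<(int, int)> { (2, 23), (23, 2) };

    // Flawed pattern: a permitted type change causes the whole client tile to be accepted,
    // so the fields unrelated to the conversion are applied unsanitized.
    public static Tile ApplyPermissive(Tile server, Tile client)
    {
        return AllowedConversions.Contains((server.Type, client.Type)) ? client : server;
    }

    // Stricter pattern: every field outside the conversion must match server state,
    // and only the converted field is copied from the client.
    public static Tile ApplyStrict(Tile server, Tile client)
    {
        bool extrasUntouched = client.Wall == server.Wall
            && client.Active == server.Active
            && client.Liquid == server.Liquid;
        if (!extrasUntouched || !AllowedConversions.Contains((server.Type, client.Type)))
            return server; // reject: keep the authoritative server state
        Tile result = server;
        result.Type = client.Type;
        return result;
    }

    static void Main()
    {
        var server = new Tile { Type = 2, Wall = 4, Active = true, Liquid = 0 };
        // Constructed update: an allowed conversion plus changes in unrelated fields.
        var client = new Tile { Type = 23, Wall = 0, Active = false, Liquid = 0 };
        Console.WriteLine("permissive: tile still active = " + ApplyPermissive(server, client).Active);
        Console.WriteLine("strict:     tile still active = " + ApplyStrict(server, client).Active);
    }
}
```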
Patches & versions
TShock 4.5.3 patches the exploit. All subsequent versions include the fix. We believe the underlying vulnerable code to have been introduced in TShock 4.4.0-pre15, but we did not exhaustively test or probe earlier versions of TShock to see if a similar vulnerability exists. It is likely "safe" to run an earlier version of TShock than 4.4.0-pre15, but if you rely on TShock for protection you should strongly consider validating the code yourself. This is particularly true if you maintain a private fork and infrequently update against upstream.
Workarounds
Turn on world backups in config.json, use a whitelist, or password protect your server, if you cannot update.