SSRF vulnerability in ComputerCraft/CC: Tweaked

[SquidDev]

As you may nave noticed, we've recently published a security vulnerability in ComputerCraft/CC: Tweaked. That advisory contains all technical details, but I felt it was worth posting a more user-friendly description here too:

Summary

Many popular cloud providers offer an metadata services API endpoint, which can be queried by a host machine. These metadata APIs are not blocked by CC: Tweaked's default configuration, meaning that a Minecraft server running on such a cloud provider may expose sensitive information to players, potentially allowing them to pivot or privilege escalate into the hosting provider.
Many thanks to @JLLeitschuh for finding and reporting this.

Impact

This can allow a player on a server, using a CC: Tweaked computer, to retrieve sensitive information like:

• User-data passed to the system at boot time (could contain secrets).
• IAM role credentials (could allow access to the greater cloud account).

Scope

This affects all versions of ComputerCraft and CC: Tweaked since ComputerCraft 1.1¹. To be vulnerable, the server operator must be:

• Running their Minecraft server on a cloud provider which offers a metadata endpoint. This includes:

  • Alibaba Cloud
  • AWS
  • Azure ²
  • Digital Ocean²
  • GCP ²
  • Oracle Cloud

  Other cloud providers may also be affected. Please check with their documentation or support to see if they expose an unauthenticated metadata service.

• Have the HTTP API enabled.

  • On Minecraft 1.12 and below, this is configured by the http_enable option in config/computercraft.cfg.
  • On Minecraft 1.13 and later, this is configured by the http.enabled option in <save folder>/serverconfigs/computercraft-server.toml.

• Be using a HTTP configuration which is not whitelist-only.

A quick test to see if your ComputerCraft version and its configuration is vulnerable is to do the following:

• Place down a computer.
• Run the lua program.
• Paste the following code and press enter:

  http and (http.checkURL("http://169.254.169.254") or http.checkURL("http://[fd00:ec2::254]") or http.checkURL("http://192.0.0.192") or http.checkURL("http://100.100.100.200"))
  

If this prints true or an error, you are most likely vulnerable. If this prints false, then things are probably fine, but it is still recommended you apply the following mitigations.

Mitigations

The recommended mitigation is to update to the latest version of CC: Tweaked. Updates are available for the following versions:

Minecraft version	CC: Tweaked version
1.16.5	1.101.3 or later
1.18.2	1.101.3 or later
1.19.2	1.101.3 or later
1.19.4	1.106.0 or later
1.20.1	1.106.0 or later

If an update is not available for your version of Minecraft, it is recommended to update your config:

• On all versions of ComputerCraft prior to CC: Tweaked, disable the HTTP API (http_enable=false in config/computercraft.cfg).
• For versions of CC: Tweaked on Minecraft 1.12, update your blocked_domains config to match the following:

  S:blocked_domains <
   0.0.0.0
   10.0.0.0/8
   100.100.100.200
   127.0.0.0/8
   169.254.0.0/16
   172.16.0.0/12
   192.0.0.192
   192.168.0.0/16
   ::/128
   ::1/128
   fd00::/8
   fe80::/10
   fec0::/10
   ff00::/8
  >
  

• For versions of CC: Tweaked on unsupported Minecraft versions, disable the HTTP API (http.enabled = false in <save folder>/serverconfigs/computercraft-server.toml).

After applying one of the above mitigations, please follow the steps in "Scope" to confirm that the vulnerability is patched.

Timeline

• 9th June 2023: Vulnerability was reported via GitHub's vulnerability reporting system.
• 13th June 2023: Vulnerability was acknowledged by the CC: Tweaked team.
• 14th June 2023 to 28th June 2023: Possible solutions were discussed with @JLLeitschuh and @asiekierka. Patches were settled upon.
• 7th July 2023: Patch was committed and update was released. Vulnerability was publicly disclosed.

Further reading

These links provide a little more information about SSRFs and exploits against cloud provider metadata services.

• https://www.sans.org/blog/cloud-instance-metadata-services-imds-/
• https://hackingthe.cloud/gcp/general-knowledge/metadata_in_google_cloud_instances/
• https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md

Footnotes

1. • The HTTP API was disabled by default between ComputerCraft 1.1 and 1.62.
   • ComputerCraft 1.63 used a whitelistby default, which blocks these endpoints.
   • CC: Tweaked 1.95.0 to CC: Tweaked 1.105.0 block the 169.254.0.0/16 address range, which mitigates this vulnerability on some cloud providers².
   ↩

2. Some cloud providers expose their metadata endpoint under the 169.254.0.0/16 address range, which is blocked since CC: Tweaked 1.95.0. ↩ ↩² ↩³ ↩⁴