
[Security] Fix the bungee channel messaging possible exploit #205

Closed
Malachiel87 opened this issue Nov 9, 2020 · 9 comments
Labels
bug Something isn't working security Pull requests that address a security vulnerability

Comments

@Malachiel87

What behaviour is observed:

A hacker, after sending a command to Bungee by using a plugin, told me that I am vulnerable to this attack by using the bungee channel message "changeskin:cmd-fw " and command forward too with the channel "forwardcommand".

What behaviour is expected:

Get this fixed and usable only from the server, not by users with hacked clients.
This exploit makes it possible for any user to send console commands to Bungee.

@games647
Owner

games647 commented Nov 10, 2020

So I checked again. Only Bungee reacts to this command. In fact it was not cancelled. However, it fetches the receiver of the plugin message. It then casts it, unverified, to the Player (as if the message had been sent by the server to the player) and then executes the command.

So yes, the plugin does in fact start reading the malicious command from a client, but you would get a ClassCastException, which cancels the execution of the command. This is because the player is sending the command to the server, not to itself or others.

@games647 games647 added bug Something isn't working invalid This doesn't seem right labels Nov 10, 2020
@games647 games647 changed the title [Urgent] Fix the bungee channel messaging possible exploit Fix the bungee channel messaging possible exploit Nov 10, 2020
@games647
Owner

Relevant code:

ProxiedPlayer invoker = (ProxiedPlayer) messageEvent.getReceiver();
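The following is an added illustration of the pattern discussed in this thread, not code from this issue or from the ChangeSkin project. It places the unchecked cast of the receiver next to a defensive variant that first checks that the plugin message arrived from a backend server connection, then restricts what may be forwarded. The BungeeCord API types (PluginMessageEvent, Server, ProxiedPlayer, PluginManager.dispatchCommand) are real; the channel name is taken from the report above; the listener class, the wire format of the payload (a single UTF string read with Guava's ByteStreams) and the allow-list contents are assumptions made for the example.

```java
import java.util.Set;

import com.google.common.io.ByteArrayDataInput;
import com.google.common.io.ByteStreams;

import net.md_5.bungee.api.ProxyServer;
import net.md_5.bungee.api.connection.Connection;
import net.md_5.bungee.api.connection.ProxiedPlayer;
import net.md_5.bungee.api.connection.Server;
import net.md_5.bungee.api.event.PluginMessageEvent;
import net.md_5.bungee.api.plugin.Listener;
import net.md_5.bungee.event.EventHandler;

/**
 * Added example (not the project's code): handling of a command-forward
 * plugin message on the proxy side.
 */
public class ForwardCommandListener implements Listener {

    // Channel name quoted in the issue report.
    private static final String CHANNEL = "changeskin:cmd-fw";

    // Assumed allow-list, following the maintainer's remark about whitelisting
    // the functionality. Only these command names may be forwarded.
    private static final Set<String> ALLOWED_COMMANDS = Set.of("skin");

    @EventHandler
    public void onPluginMessage(PluginMessageEvent messageEvent) {
        if (!CHANNEL.equals(messageEvent.getTag())) {
            return;
        }

        // Pattern quoted in the issue. It assumes the proxy is relaying a
        // server -> player message, so the receiver must be the player. When a
        // client sends on this channel instead, the receiver is the backend
        // Server, and this cast fails with a ClassCastException before any
        // command runs:
        //
        //   ProxiedPlayer invoker = (ProxiedPlayer) messageEvent.getReceiver();
        //
        // Relying on that exception is accidental protection, so the defensive
        // form below checks the direction of the message explicitly.

        Connection sender = messageEvent.getSender();
        if (!(sender instanceof Server)) {
            // Originated from a client connection: drop it and stop other
            // listeners from acting on it.
            messageEvent.setCancelled(true);
            return;
        }

        Connection receiver = messageEvent.getReceiver();
        if (!(receiver instanceof ProxiedPlayer)) {
            return;
        }
        ProxiedPlayer invoker = (ProxiedPlayer) receiver;

        // Consume the message so it is not forwarded on to the client.
        messageEvent.setCancelled(true);

        String commandLine = parseCommandLine(messageEvent.getData());
        if (commandLine == null || !isAllowed(commandLine)) {
            return;
        }

        // Dispatch as the player, not as the console, so normal permission
        // checks still apply to the forwarded command.
        ProxyServer.getInstance().getPluginManager().dispatchCommand(invoker, commandLine);
    }

    // Assumed payload format: one UTF string with the full command line.
    static String parseCommandLine(byte[] data) {
        try {
            ByteArrayDataInput in = ByteStreams.newDataInput(data);
            String line = in.readUTF().trim();
            return line.isEmpty() ? null : line;
        } catch (IllegalStateException ex) {
            // Truncated or malformed payload; ignore rather than crash the proxy.
            return null;
        }
    }

    // Compare only the command name (first token, lower-cased) against the allow-list.
    static boolean isAllowed(String commandLine) {
        String name = commandLine.split("\\s+", 2)[0].toLowerCase();
        return ALLOWED_COMMANDS.contains(name);
    }
}
```

The two checks that matter are the `sender instanceof Server` test, which rejects anything a client injects on the channel regardless of how the receiver cast would behave, and dispatching with the player as the CommandSender rather than the console, so the forwarded command can never do more than that player is already permitted to do.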

@games647
Owner

I checked back whether any earlier versions had this issue, but this wasn't the case. Nevertheless, good catch. I'm thinking about dropping it or at least whitelisting its functionality, because it allows arbitrary command execution if something really goes wrong.

games647 added a commit that referenced this issue Nov 10, 2020
@games647 games647 changed the title Fix the bungee channel messaging possible exploit [Security] Fix the bungee channel messaging possible exploit Nov 10, 2020
@sgdc3

sgdc3 commented Nov 10, 2020

Yep, @Malachiel87 contacted me too and I just double checked: this exploit has never been possible to put into practice.

@Malachiel87
Author

Thank you, I'm gonna try the fix tomorrow <3

@games647 games647 added the security Pull requests that address a security vulnerability label Nov 10, 2020
@Malachiel87
Author

The issue seems patched. Before, it was also possible to crash the BungeeCord (a friend of mine who is a developer tested it on his server and was able to crash the bungee, whereas on the latest release it does nothing :) ). Good job and thank you <3

@games647
Owner

I'm still interested in how this can be exploited. It's important, if there really is an issue, that the information about it is disclosed and publicly presented in detail. This is about transparency and in order to guarantee that systems will be patched promptly.

Maybe message me in private like in Discord or Spigot for such security relevant topics.

@iSilviu-debug

Friend request sent @games647 !

@games647 games647 removed the invalid This doesn't seem right label Nov 11, 2020