1.21: Chat Packet Issue #3041

gre3x opened this issue Jan 24, 2025 · 2 comments

Comments


gre3x commented Jan 24, 2025

Are you using MySQL?

No

Are you using a proxy?

Yes - BungeeCord

"/version ChatControlRed" - plugin version

10.28.5 - This exploit exists in v10 and v11

Optional: Error log

N/A

ZIP of "/chc debug"

N/A

Steps to reproduce

This exploit exists in v10 and v11

I previously reported this and you said that it was fixed but it was not. You never actually moved the plugin messaging channel to be under the "BungeeCord" channel. The channel never changed from "plugin:chcred" and therefore the exploit was never patched.
Here is your previous comment: #2664 (comment)

There are 2 severe exploits due to the "plugin:chcred" channel (details below):

  1. Players can send ANY message that they want by sending a plugin message packet. There is NO WAY to disable this.
  2. If you have the command forwarding feature enabled, players can execute any console commands that they want.

To fix these, please do one of the following:

  • Implement the proper security blocks to prevent this (in the BungeeCord proxy plugin) like this: QuickShop-Community/QuickShop-Hikari@1a4cce0
  • Do what you said before and make the plugin messaging channel under the "BungeeCord" channel
  • Encrypt/decrypt the messages with a secret key that is shared between all the servers on the network

You said that you would provide security updates for v10 until March, so hopefully this fix can be in v10 too! @kangarko

Exploit 1:

Players are able to spoof any message on the Bungee sub-server that they are currently on through custom clients by sending plugin message packets with the correct arguments and with the server name set to the current server.

This is related to Bungee command forwarding, but the Bungee server is not involved, I think. This all happens on the Spigot server. However, I think this issue is also abusable on the Bungee server.

I do not have access to these clients or the exact code of how they are doing it, since these are being used by malicious players on my server and not by me, but here is what I think is close to an example of what a dangerous packet sent on an example "Hub1" server would look like:

  • Channel = "plugin:chcred"
  • Subchannel = "plugin:chcred"
  • UUID = input.readUTF() = "7aa44332454-93dfgd472-938dfgddf47-2dfgdfg34"
  • serverName = input.readUTF() = "Hub1"
  • actionName = input.readUTF() = "NOTIFY"
  • permission = input.readString() = "essentials.spawn"
  • component = input.readString() = "{"Current_Component":{"Text":"§cMy spoofed message"},"Past_Components":[]}"

There is no way to block these right now without disabling Bungee integration entirely.

Exploit 2:

Players are able to execute console commands on the server they are currently on through custom clients by sending plugin message packets with the "FORWARD_COMMAND" argument and with the server name set to the current server.

This is related to Bungee command forwarding, but the Bungee server is not involved. This all happens on the Spigot server.

I do not have access to these clients or the exact code of how they are doing it, since these are being used by malicious players on my server and not by me, but here is what I think is close to an example of what a dangerous packet sent on an example "Hub1" server would look like:

  • Channel = "plugin:chcred"
  • Subchannel = "plugin:chcred"
  • UUID = input.readUTF() = "7aa44332454-93dfgd472-938dfgddf47-2dfgdfg34"
  • serverName = input.readUTF() = "Hub1"
  • actionName = input.readUTF() = "FORWARD_COMMAND"
  • server = input.readString() = "Hub1"
  • command = input.readString() = "give Notch cookie 1"
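As an added example (not code from ChatControl, Foundation, QuickShop or the reporter), the script below models the packet shape listed in the two exploits as a run of Java `DataOutputStream.writeUTF()` strings and shows the third mitigation the report proposes: every message carries an HMAC keyed by a secret shared across the network, and the backend verifies it before trusting any field. The field order, the action names, the MAC layout, the secret and the server/UUID values are assumptions made for illustration, not the plugin's real wire format.

```python
"""Added example, not code from ChatControl, Foundation, QuickShop or the reporter.

Models the plugin-message payload described in the report as a run of Java
DataOutputStream.writeUTF() strings (u16 big-endian length, then UTF-8) and
shows the third mitigation the reporter lists: an HMAC over every message,
keyed by a secret shared by all servers on the network, checked on the
backend before any field is trusted.  Field order, action names, the MAC
layout and the sample values are assumptions for illustration only.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

PROXY_CHANNEL = "BungeeCord"   # assumed: the only channel the backend listens on
SUBCHANNEL = "plugin:chcred"   # first field of every message, as in the report


def write_utf(s: str) -> bytes:
    """Encode one string like DataOutputStream.writeUTF (length prefix + UTF-8).
    Java's modified UTF-8 differs only for NUL and non-BMP characters, which
    this example does not exercise."""
    data = s.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("string too long for writeUTF")
    return struct.pack(">H", len(data)) + data


def read_utf(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode one writeUTF string at offset off; returns (string, next offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n].decode("utf-8"), off + n


def build_message(fields: List[str]) -> bytes:
    return b"".join(write_utf(f) for f in fields)


def parse_message(buf: bytes) -> List[str]:
    fields, off = [], 0
    while off < len(buf):
        s, off = read_utf(buf, off)
        fields.append(s)
    return fields


def sign_message(fields: List[str], secret: bytes) -> bytes:
    """Proxy side: serialize the fields and append a hex HMAC-SHA256 over them."""
    body = build_message(fields)
    return body + write_utf(hmac.new(secret, body, hashlib.sha256).hexdigest())


def handle_plugin_message(channel: str, payload: bytes,
                          secret: bytes) -> Tuple[bool, str, Optional[List[str]]]:
    """Backend side. Returns (accepted, reason, fields-without-MAC)."""
    # A player can pick any channel tag, so the tag alone proves nothing;
    # still, only the proxy channel is dispatched at all.
    if channel != PROXY_CHANNEL:
        return False, "wrong channel", None
    try:
        fields = parse_message(payload)
    except (ValueError, UnicodeDecodeError) as exc:
        return False, f"malformed: {exc}", None
    # Need at least [subchannel, uuid, server, action] plus the trailing MAC.
    if len(fields) < 5 or fields[0] != SUBCHANNEL:
        return False, "not our subchannel", None
    body, mac = fields[:-1], fields[-1]
    expected = hmac.new(secret, build_message(body), hashlib.sha256).hexdigest()
    # Constant-time compare on bytes; a wrong-length or non-hex MAC simply fails.
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("ascii")):
        return False, "bad MAC", None
    # Only now can [subchannel, uuid, server, action, ...] be acted on.
    return True, "ok", body


if __name__ == "__main__":
    secret = b"network-shared-secret"   # constructed for the example
    # Packet shape from the report, as a client could send it (constructed values).
    forged = build_message([SUBCHANNEL, "7aa44332-uuid", "Hub1",
                            "FORWARD_COMMAND", "Hub1", "give Notch cookie 1"])
    print(handle_plugin_message("plugin:chcred", forged, secret))  # wrong channel
    print(handle_plugin_message("BungeeCord", forged, secret))     # bad MAC
    legit = sign_message([SUBCHANNEL, "7aa44332-uuid", "Hub2",
                          "NOTIFY", "essentials.spawn", '{"Text":"hi"}'], secret)
    print(handle_plugin_message("BungeeCord", legit, secret))      # accepted
```

The MAC binds the fields to the shared key, so a client that can only choose its own bytes cannot produce an accepted `FORWARD_COMMAND` or `NOTIFY`; it does not bind them to time, so a real deployment would also put a nonce or timestamp inside the signed fields to stop replay of a captured legitimate message.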
Author

gre3x commented Jan 24, 2025

@kangarko this is actively being used by malicious actors on several networks. Please take a look asap

Owner

kangarko commented Jan 25, 2025

Hello,

First of all, I apologize if I misimplemented the fix.

I checked the code but we are indeed broadcasting on the BungeeCord channel. We write the "plugin:chcred" as the first subchannel on it:

[screenshot of the relevant code]

(Both Foundation and ChatControl are open source, you can verify this yourself)

So if the malicious client sent something like this:

Channel = "plugin:chcred"
Subchannel = "plugin:chcred"

It would simply not work at all; they'd need to have the Channel set to BungeeCord.

Furthermore, our Bungee listener already has the same security patches as the QuickShop plugin you are referring to:

[screenshot of the relevant code]

Same for Velocity:

[screenshot of the relevant code]

(I checked this for v11, let's make sure it's 100% patched there so I can backport the proper fix at the end to v10)

Conclusion

I strongly believe it was already patched in the latest v11. Do you have any fresh evidence that it wasn't as of the latest version?

Our entire codebase is open source now and can be audited; if you or someone else spots anything that I missed, I apologize, and please open a pull request promptly.

I unfortunately don't have the time to compile a custom client but there are a handful of open source projects which could be modified to specifically test this custom packet. I will try to find more time to compile a custom client and test this but would welcome a confirmation that it's still happening on the latest v11.
