[Security] Fix the bungee channel messaging possible exploit
Malachiel87 opened this issue ยท 9 comments
What behaviour is observed:
[//]: A hacker after sending comand to bungee by using a pluigin, told that i am vulnerable to this attack by using the bungee channel message "changeskin:cmd-fw " and command forward too with channel "forwardcommand"
What behaviour is expected:
[//]: # Get this fixed and usable only from server and don't by users with hacked clients
This exploit make possible to any user to send console comands to bungee
If changeskin is installed on the proxy it already prevents it from forwarding further.
So I checked again. Only Bungee reacts to this command. In fact it was not cancelled. However it fetches the receiver of the plugin message. It then unverified casts it to be the Player (as if the message was sent by the server to the player) and then executes the command.
So yes the plugin in fact starts to reading the malicious command by a client, but you would get a ClassCastException where it cancels the execution of the command. This is because the player is sending the command to the server not to itself or others.
I checked back if any earlier versions had this issue, but this wasn't the case. Nevertheless good catch. I'm thinking about dropping it or at least whitelisting it's functionality, because it allows arbitrary command executing if something really goes wrong.
Yep, @Malachiel87 contacted me too and I just double checked, this exploit has never been possible to put into practice
issue seem patched, before was possible also to crash the bungeecord (a friend of mine that is developer tested on his server, it was able to crash the bungee, instead on latest release is not doing anything :), good job and thank you <3
I'm still interested in how this can be exploited. It's important if there really is an issue that the information about is disclosed and publicly presented in detail. This is about transparency and in order to guarantee that systems will be patched promptly.
Maybe message me in private like in Discord or Spigot for such security relevant topics.
Friend request sent @games647 !