Peripherals++

Peripherals++

359k Downloads

[Security] Remove any nano bot functions that use java.awt.Robot

NPException opened this issue ยท 2 comments

commented

Description

When playing with PeripheralsPlusOne recently, I noticed a security vulnerability via nano bots. (Reference: https://twitter.com/NPException/status/1247179824956952576)
Someone else noticed that the same issue already exists with Peripherals++. I already opened an issue for PeripheralsPlusOne, but was asked to open one here to.

Steps to Reproduce

As a first proof of concept, I managed to give myself op on a friend's server.

  1. Infect an admin/op player with nano bots.
  2. Wait for them to go afk
  3. Use nano bot functions to open chat for them and input op command.
    (If you need an explicit code example, I can send it via DM on Twitter or Curseforge)

Even worse, I was able to control my friend's Windows command line. I can provide you with the code for that as well if needed.

Peripherals++ & PeripheralsPlusOne were removed from Curse because of that vulnerability.

commented

Hi, thanks for the report. Since support has been deprecated for years I cannot guarantee that this will be fixed in a timely manner. In the mean time, you could disable nano bots in the configuration.

commented

Yeah, I wasn't expecting any fix at all tbh. ๐Ÿ˜… I just wanted to at least get the report out.
Though the author of PeripheralsPlusOne had removed (and later re-added) the player control portion of the nano bots in the past, so maybe the commit he made is a starting point for a fix: rolandoislas@63e9a04