[Hacking] ChipNBTSet packet

Question

[Hacking] ChipNBTSet packet

TheAndrey opened this issue 6 years ago · 10 comments

TheAndrey commented 6 years ago

I found unsafe packet handler.
https://github.com/MrTJP/ProjectRed/blob/master/src/mrtjp/projectred/transportation/packethandlers.scala#L178-L179

    private def setChipNBT(packet:PacketCustom, player:EntityPlayerMP)
    {
        val slot = packet.readUByte()
        val stack = packet.readItemStack()
        player.inventory.setInventorySlotContents(slot, stack)
        player.inventory.markDirty()
}

This puts received from client item to player inventory. Hackers can use this to get ANY item on the server!
You can never trust data that you receive from a client. You should always check what you have received from the client.
In this case, you only need to transfer the NBT tag, but not the entire item.

Zaxar163 · Answer 1 · 2018-08-16T12:54:29.000Z

@TheAndrey, I can say that developer doesn`t think about servers, because I finded this bug an year ago, but then I join into discord i was kicked.

covers1624 · Answer 2 · 2018-08-16T13:07:59.000Z

ProjectRed doesn't have a discord, I've added this to my list and will check it out this weekend.

mrqs001 · Answer 3 · 2018-08-28T16:12:12.000Z

This is becoming a serious issue on servers.

FoxMcloud5655 · Answer 4 · 2018-08-28T16:28:55.000Z

Agreed. I patched it manually because we couldn't wait for a patch.

mrqs001 · Answer 5 · 2018-08-28T17:09:38.000Z

Since i believe there won't be a patch soon and i don't have that good of a knowledge of how to fix it could you tell me how you did it?

mrqs001 · Answer 6 · 2018-08-28T17:33:57.000Z

I apparently might have a fix just have no idea of how to use it

The current code
https://github.com/MrTJP/ProjectRed/blob/master/src/mrtjp/projectred/transportation/packethandlers.scala#L178-L179
GitHub
MrTJP/ProjectRed
ProjectRed - Extending redstone functionality to FMP

Lines 178 and 179
It can be fixed by replacing line's 175 below with this code
private def setChipNBT(packet:PacketCustom, player:EntityPlayerMP)
    {
        val slot = packet.readUByte()
        val stack = packet.readItemStack()
        val playerstack = player.inventory.getStackInSlot(slot)
        if (stack.getUnlocalizedName == playerstack.getUnlocalizedName)
        {
            player.inventory.setInventorySlotContents(slot, stack)
            player.inventory.markDirty()
        }
        else
        {
            player.addChatMessage(new ChatComponentText("YOU DIRTY HACKER"))
        }
    }

TheAndrey · Answer 7 · 2018-08-28T18:06:41.000Z

@man-of-stone50 this fix is not safe. Hackers can write any NBT tag to item (like item name, lore, enchantments). Also using getUnlocalizedName() is not good idea, use getItem()

mrqs001 · Answer 8 · 2018-08-28T18:08:02.000Z

Oh damn that sounds bad, we might have to remove ProjectRed Transportation temporarily.

TheAndrey · Answer 9 · 2018-10-20T07:51:22.000Z

@MrTJP Will the exploit be fixed?

MrTJP · Answer 10 · 2018-10-26T21:54:03.000Z

Fixed via 121cca1 and a0c65c4.

Share to