Form of exploit / Way to override permissions
LadyCailinBot opened this issue · 13 comments
WORLDEDIT-2721 - Reported by Luke.R
Lately my creative and survival servers have been under attack by armies of exploiters.
Somehow using WorldEdit on a PlotMe server. PlotMe uses GMASK to prevent worldediting on protected plots.
However they were able to break this and somehow destroy our spawn and damage several other people's plots.
I attempted to get the user to explain how it was done, but with no luck. I checked all of the permissions on the default group, and found everything to be in order; after multiple checks I found nothing which could give any form of explanation.
I believe it to be PlotMe's fault originally, however just this evening the same attack has been used on my survival server.
The survival server has:
Using of the player's inventory is enabled in the config, as shown here
http://paste.thezomg.com/8243/79869513/
I have not imposed a standard block limit, as a player's inventory size is not very large, thus I felt no need.
Even with these restrictions, and only the following permission nodes
worldedit.wand
worldedit.selection.pos
worldedit.set
The user was able to execute the following commands
http://paste.thezomg.com/8245/36279892/
Even though he did not have the available items. He was not ranked (he was default with the standard perms I mentioned above). There were several massive lava and water blocks set.
So to summarize, I have had this happen to me on 2 different servers coming from a number of users, over and over again. I am unable to find out how to do it, but I will keep attempting to interrogate the users and find out how. However note one thing: on either of these operations CoreProtect did NOT log this. It seemed to completely evade all detection, even in the main server log. The only place I could find the records was in WorldEdit's log file.
Also OP is disabled in all plugins that support it, and it is allowed only from the console. And the user each time was not a staff member, nor had the permissions to perform the actions.
Thanks for any input. I will carry on in my attempts to deduce the method of performing these actions. I was initially going to write it off, but since my survival server was attacked with the exact same symptoms.
Comment by sk89q
Did you forget to paste something after "The survival server has:"?
If not, do both servers have PlotMe?
Comment by Luke.R
Sorry, apologies, I think I had a train of thought loss. Only the creative server has PlotMe. Apologies again for any bad grammar / mistakes, it is 4AM here.
Comment by Luke.R
If it is any help:
Survival server plugins:
INFO Plugins (26): NoCheatPlus, WorldEdit, CommandBook, Vault, SimpleHelpTickets, PermissionsEx, PlayTimeV2, LWC, WorldGuard, TreeAssist, AntiJoinBot, boosCooldowns, dynmap, PersonalMOTD, DisguiseCraft, CoreProtect, Fly, BanManager, PartyManager, ScheduledAnnouncer2, MultipleHomeManager, Votifier, PwnFilter, ChatManager, BlockHat, VanishNoPacket
Creative server plugins:
INFO Plugins (26): NoCheatPlus, WorldEdit, CommandBook, Vault, SimpleHelpTickets, PlotMe, PermissionsEx, AntiInvisibilityPotion, PlayTimeV2, WorldGuard, AntiJoinBot, boosCooldowns, dynmap, DynmapPlotMe, PersonalMOTD, DisguiseCraft, CoreProtect, Fly, BanManager, PartyManager, ScheduledAnnouncer2, MultipleHomeManager, PwnFilter, ChatManager, BlockHat, VanishNoPacket
Comment by sk89q
I'm going to change the visibility of this issue. If you can't see this anymore (hoping that you have emails enabled), email me at [email protected].
Comment by Luke.R
I can still see it, thanks. If you get any more information on it can you please keep me in the loop. I will do my best to look into it as well.
Comment by sk89q
Err, so wizjany and I discovered the problem. The block inventory code lets water/lava blocks be placed without being in the inventory, because at the time the code was written, water/lava buckets could not be stacked in your inventory and it was not feasible to have enough water/lava in your inventory to fill even a small pool.
Unfortunately, we're looking over the code and it's clearly extremely outdated. For comparison, WorldEdit was written in 2010 (Bukkit in 2011), and there wasn't even multiplayer survival back then at the time (health was not supported). Also, it seems there is a lack of data value support, so you can place red wool if you have blue wool in your inventory.
Right now we're not sure what to do immediately, because clearly this code needs an overhaul. I'm currently working on a major update to WorldEdit, and I can only ask you at the moment to wait a bit. It's possible to hot patch it so you can't place liquids without their relevant bucket, though it doesn't fix the issue with data values.
But this doesn't explain your creative server.
With your creative server, were the following true too?
- The command did not show up in server.log.
- The command did show up in worldedit.log.
- The command did not show up in CoreProtect's log.
- The change did not show up in CoreProtect's log.
Comment by wizjany
- The gmask that PlotMe placed was bypassed. (Since it is probably unrelated to the water/lava issue)
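The inventory check sk89q describes above, modelled as an added example (this is not WorldEdit's code and is not from anyone in the thread). The class, method and item names and the sample inventory are hypothetical; `legacyCanPlace` reproduces the two behaviours reported (liquids exempt, data values ignored) and `strictCanPlace` requires the relevant bucket and an exact type-and-data match.

```java
import java.util.List;
import java.util.Map;

// Added illustration, not WorldEdit source. All names here are hypothetical.
public class BlockBagModel {
    // A block or item: legacy type name plus data value (e.g. wool colour).
    record Block(String type, int data) {}

    // Constructed mapping: a liquid is paid for with its bucket item.
    static final Map<String, String> BUCKET_FOR =
            Map.of("water", "water_bucket", "lava", "lava_bucket");

    // Behaviour reported in the thread: liquids skip the inventory
    // check entirely, and other blocks are matched on type only.
    static boolean legacyCanPlace(List<Block> inventory, Block wanted) {
        if (BUCKET_FOR.containsKey(wanted.type())) {
            return true; // liquid exemption
        }
        return inventory.stream()
                .anyMatch(b -> b.type().equals(wanted.type())); // data ignored
    }

    // Stricter check: a liquid needs its bucket in the inventory, and
    // any other block must match on both type and data value.
    static boolean strictCanPlace(List<Block> inventory, Block wanted) {
        String bucket = BUCKET_FOR.get(wanted.type());
        if (bucket != null) {
            return inventory.stream().anyMatch(b -> b.type().equals(bucket));
        }
        return inventory.contains(wanted); // record equality: type and data
    }

    public static void main(String[] args) {
        // Constructed inventory: the player holds only blue wool (data 11).
        List<Block> inv = List.of(new Block("wool", 11));
        Block[] requests = {
            new Block("lava", 0),   // liquid, no bucket held
            new Block("wool", 14),  // red wool, only blue held
            new Block("wool", 11)   // blue wool, actually held
        };
        for (Block r : requests) {
            System.out.printf("%-26s legacy=%-5b strict=%b%n",
                    r, legacyCanPlace(inv, r), strictCanPlace(inv, r));
        }
    }
}
```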
Comment by Luke.R
Yes. That is completely true for all of them. CoreProtect had no idea that the command was being executed and that the change had happened.
It was also the same for the survival server, CoreProtect was left clueless. As well as the main server log.
I have had to temporarily remove WE on my survival server, and on my creative server I have had to implement an auto-rank up system to stop people who know of the exploit using it.
I will wait upon the fix for the issue, thank you for the time and effort you put into this amazing plugin. I will keep WE out of reach for default players on the survival server for now. Do you have a place to accept donations?
Thank you again
Luke
Comment by Luke.R
Also as an extra to add, they also managed to use //set 0 despite it being on the blocked item list, as I just found a giant rectangle un-logged hole in the map.
Comment by wizjany
There's really only one worldedit issue here, as far as I can tell - being able to place liquids while use-inventory is enabled.
Being able to bypass the gmask and worldedit logging is completely unrelated to that issue and likely not on WorldEdit's end either.
I took a look at CoreProtect's code, and my best bet is that you had it disabled for that world. When we bring PlotMe into the picture, this scenario seems even more unlikely. If a block set had happened outside of the plot, CoreProtect should still have logged it, reaffirming my conjecture that WorldEdit logging was disabled on that world.
Furthermore, the fact that CoreProtect wasn't logging commands continues to reaffirm this. WorldEdit only uses Bukkit's onCommand for handling commands, which means that CoreProtect isn't logging the CommandPreprocess event (again, the only reason this should happen is if player-commands is disabled for that world). The fact that it shows up in worldedit's log means that the command is coming through to worldedit normally.
For PlotMe, things look similar. While the liquids issue was already found to be a WorldEdit issue, that is only for fetching blocks from the blockbag. The fact that players can still set blocks outside their Plot means that the gmask wasn't set (or wasn't set correctly), which are issues out of WE's control. The alternative is that CoreProtect is interfering with PlotMe's functions, but the code looks fine and other people using those plugins together aren't having that issue.
Lastly, to make sure that CoreProtect is working correctly, do you mind putting your server log on pastebin and linking it here?
Comment by Luke.R
Which part of the server log? The creative server attacks happened 2 weeks ago, and I do not have a log for that period, as my logs get rotated daily due to the high traffic amount, and I only keep 7 logs back, otherwise I end up with logs nearly 500mb in size.
At the time of the event i had WorldEdit logging disabled.
HOWEVER the commands when used by normal players would still turn up on the standard server log.
They would also be fully logged by CoreProtect, as we were able to roll them back with no problems. Also the GMASK would work fully.
When the user intent on damage used the commands:
- They would not show up in the server log
- They would not show up in CoreProtect's log
- They would evade the GMASK PlotMe places on the plots
- They would evade the banned items list (They would normally use either lava, water or sand)
- They would NOT be able to evade the maximum block limit by the looks of it, as all the WE changes they performed were small
I initially thought it must be a PlotMe issue, and I made a ticket with the developer, however the incident with the survival server has led me to believe it may not be. I have not had a response yet from the developer of PlotMe. However I have come up with my own solution to the problem on that front, thus it is not as important for now.
Thank you for your time
Luke
Comment by wizjany
Any part that includes the startup.
As far as commands not showing up in the server log, was that before or after turning on WE logging?
As far as banned items, looking at your config shows that liquids and sand are not actually disallowed.