Possible bukkit/spigot permissions exploit

Discussion in 'Systems Administration' started by invincible64, Dec 20, 2014.

Thread Status:
Not open for further replies.
  1. Here is an excerpt from my server's log, in which a brand new user named ron105 grants himself Operator.
    I tried reproducing his same commands, but to no avail. My permissions are set up correctly, and none of my staff opped him.

    Code (Text):
    [21:17:05] [User Authenticator #212/INFO]: UUID of player Ron105 is 10687a81-c414-40ad-9616-1e30588fc3f9
    [21:17:05] [Server thread/INFO]: Creating a new skyblock file for Ron105
    [21:17:05] [Server thread/INFO]: Loaded player file for Ron105
    [21:17:05] [Server thread/INFO]: [ProjectKorra] Created new BendingPlayer for Ron105
    [21:17:05] [Server thread/INFO]: Ron105[/24.1.138.58:22067] logged in with entity id 5410872 at ([Factions-pvp] 182.5, 90.0, -43.5)
    [21:17:05] [Craft Scheduler Thread - 1387/INFO]: [GAListener] Player: Ron105 has 0 votes
    [21:17:05] [pool-12-thread-1/INFO]: Creating empty config: C:\Users\arin\Desktop\McMyAdmin\Minecraft\plugins\Essentials\userdata\10687a81-c414-40ad-9616-1e30588fc3f9.yml
    [21:17:05] [Server thread/INFO]: [CONSOLE->Ron105] Hey there, Ron105!
    [21:17:05] [Server thread/INFO]: [CONSOLE->Ron105] Welcome to Freedomcraft
    [21:17:08] [Server thread/INFO]: skater1236 issued server command: /back
    [21:17:08] [Async Chat Thread - #75/INFO]: *Sentinel [Operator] Ben>> Welcome Ron105!
    [21:17:09] [Async Chat Thread - #75/INFO]: *TheShire [Donor] Colin>> and threw Poisona nd harming pots at us
    [21:17:09] [Server thread/INFO]: Ron105 issued server command: /server
    [21:17:12] [Async Chat Thread - #75/INFO]: *TheShire [Donor] Colin>> Welcoem ro
    [21:17:12] [Async Chat Thread - #75/INFO]: **SniperClan [Member] Skater>> welcoem
    [21:17:15] [Async Chat Thread - #75/INFO]: **SniperClan [Member] Skater>> welcome
    [21:17:16] [Async Chat Thread - #75/INFO]: *TheShire [Donor] Colin>> Ron105
    [21:17:19] [Async Chat Thread - #75/INFO]:  [Member] Ron105>> yrd
    [21:17:41] [Async Chat Thread - #75/INFO]: *Olympus [Donor] gasum3000>> boooo
    [21:17:44] [Async Chat Thread - #75/INFO]: **Olympus [Donor] kingaling>> hey
    [21:17:46] [Async Chat Thread - #75/INFO]: *Olympus [Donor] gasum3000>> hi
    [21:17:52] [Async Chat Thread - #75/INFO]: *Olympus [Donor] gasum3000>> what are you making?
    [21:17:59] [Server thread/INFO]: Ron105 issued server command: /spawn
    [21:18:05] [Server thread/INFO]: Ron105 issued server command: /server
    [21:18:08] [Async Chat Thread - #75/INFO]: **SniperClan [Member] Skater>> wait I saw some bunnies near
    [21:18:21] [Server thread/INFO]: gasum3000 lost connection: Disconnected
    [21:18:21] [Server thread/INFO]: Removing player from memory: gasum3000
    [21:18:21] [Server thread/INFO]: gasum3000 left the game.
    [21:18:28] [User Authenticator #213/INFO]: UUID of player GalafreyGirl is 106073ac-7fa0-46e8-8d4c-7125a1bd92a2
    [21:18:28] [Server thread/INFO]: Loaded player file for GalafreyGirl
    [21:18:29] [Server thread/INFO]: GalafreyGirl[/71.34.254.56:51432] logged in with entity id 5428085 at ([Factions-pvp] 1100.300000011921, 65.0, 7227.566188820435)
    [21:18:29] [Craft Scheduler Thread - 1388/INFO]: [GAListener] Player: GalafreyGirl has 0 votes
    [21:18:29] [Server thread/INFO]: [CONSOLE->GalafreyGirl] Hey there, GalafreyGirl!
    [21:18:29] [Server thread/INFO]: [CONSOLE->GalafreyGirl] Welcome to Freedomcraft
    [21:18:30] [Async Chat Thread - #75/INFO]: *TheShire [Donor] Colin>> holy shit
    [21:18:35] [Async Chat Thread - #75/INFO]: **SniperClan [Member] Skater>> :D bunnies
    [21:18:36] [Server thread/INFO]: [CONSOLE->Ron105] Kneesnap works
    [21:18:37] [Server thread/INFO]: GalafreyGirl issued server command: /home
    [21:18:41] [Server thread/INFO]: Ron105 issued server command: /who
    [21:18:41] [Server thread/INFO]: §cRon105 §4was denied access to command.
    [21:18:44] [Server thread/INFO]: Ron105 issued server command: /list
    [21:18:44] [Server thread/INFO]: §cRon105 §4was denied access to command.
    [21:18:45] [Async Chat Thread - #75/INFO]: *TheShire [Donor] Colin>> I just got 63 lapis from 4 Lapis ore blocks :D
    [21:18:48] [Server thread/INFO]: Ron105 issued server command: /customtext
    [21:18:48] [Server thread/INFO]: §cRon105 §4was denied access to command.
    [21:18:49] [Async Chat Thread - #75/INFO]: *Sentinel [Operator] Ben>> nice
    [21:18:50] [Async Chat Thread - #75/INFO]: **SniperClan [Member] Skater>> :D
    [21:18:50] [Server thread/INFO]: Ron105 issued server command: /help
    [21:18:53] [Server thread/INFO]: Ron105 issued server command: /help 2
    [21:18:55] [Server thread/INFO]: Ron105 issued server command: /help 3
    [21:18:57] [Server thread/INFO]: Ron105 issued server command: /staff
    [21:19:17] [Async Chat Thread - #75/INFO]: *TheShire [Donor] Colin>> I think I have the most lefit coal
    [21:19:21] [Async Chat Thread - #75/INFO]: *TheShire [Donor] Colin>> legit*
    [21:19:25] [Server thread/INFO]: Ron105 issued server command: /pex
    [21:19:56] [Server thread/INFO]: CuteGurl03 issued server command: /warp factions
    [21:20:06] [Server thread/INFO]: Ron105 issued server command: /who
    [21:20:06] [Server thread/INFO]: §cRon105 §4was denied access to command.
    [21:20:07] [Server thread/INFO]: Ron105 issued server command: /help
    [21:20:07] [Server thread/INFO]: §cRon105 §4was denied access to command.
    [21:20:08] [Async Chat Thread - #75/INFO]: *TheShire [Donor] Colin>> Jordan, can I use nightvision potions on myself from gmc when mining?
    [21:20:16] [Server thread/INFO]: MasterMcNulty issued server command: /gmc
    [21:20:17] [Server thread/INFO]: CuteGurl03 issued server command: /warp factions
    [21:20:19] [Server thread/INFO]: MasterMcNulty issued server command: /gms
    [21:20:22] [Async Chat Thread - #75/INFO]: *Sentinel [Operator] Ben>> thats fine
    [21:20:22] [Server thread/INFO]: CuteGurl03 issued server command: /warp factions
    [21:20:24] [Server thread/INFO]: Ron105 issued server command: /who
    [21:20:25] [Async Chat Thread - #75/INFO]: **SniperClan [Member] Skater>> its my army
    [21:20:25] [Async Chat Thread - #75/INFO]: *TheShire [Donor] Colin>> yeah?
    [21:20:29] [Server thread/INFO]: GalafreyGirl issued server command: /home
    [21:20:33] [Server thread/INFO]: Ron105 issued server command: /seen Shi
    [21:20:38] [Server thread/INFO]: Ron105 issued server command: /seen ShuziamA
    [21:20:46] [Server thread/INFO]: Ron105 issued server command: /pex group
    [21:20:47] [Async Chat Thread - #75/INFO]: *TheShire [Donor] Colin>> Skate, should ahve come minging
    [21:20:53] [Server thread/INFO]: Ron105 issued server command: /pex group Operator
    [21:20:54] [Async Chat Thread - #75/INFO]: **SniperClan [Member] Skater>> ok
    [21:21:00] [Async Chat Thread - #75/INFO]: *TheShire [Donor] Colin>> WHAT THE HECK MAN
    [21:21:04] [Async Chat Thread - #75/INFO]: **SniperClan [Member] Skater>> what
    [21:21:07] [Async Chat Thread - #75/INFO]: *TheShire [Donor] Colin>> UGN I HATE THIS PLUGin
    [21:21:08] [Server thread/INFO]: Ron105 issued server command: /op Ron105
    [21:21:08] [Server thread/INFO]: [Ron105: Opped Ron105]
    [21:21:11] [Server thread/INFO]: Ron105 issued server command: /who
    [21:21:18] [Server thread/INFO]: Ron105 issued server command: /help
    [21:21:20] [Async Chat Thread - #75/INFO]: *TheShire [Donor] Colin>> My pickaxe is now spawned in creative :I
    [21:21:22] [Server thread/INFO]: Ron105 issued server command: /help 2
    [21:21:24] [Server thread/INFO]: Ron105 issued server command: /help 3
    [21:21:35] [Server thread/INFO]: Ron105 issued server command: /help 4
    [21:21:37] [Server thread/INFO]: Ron105 issued server command: /help 5
    [21:21:42] [Server thread/INFO]: Ron105 issued server command: /help 6
    [21:21:45] [Server thread/INFO]: Ron105 issued server command: /nuke
     
    #1 invincible64, Dec 20, 2014
    Last edited: Dec 20, 2014
  2. OPs can not be done client side, please make sure your configs are set up right then report back.
     
  3. Are you sure that he wasn't opped before from a corrupt admin or you gave access to pex permissions on accident? Players can't get opped with a client or anything like that.
    Well I got sniped.
     
  4. No, he was brand new to the server, and as the log shows there was no outside interference that caused it.
     
  5. I checked, member has no perms that would allow that.
     
  6. To clarify, by client side I mean a hack that exploits the server side.
     
  7. As I said before, try to check if an admin had given him permissions before he logged on or anything like that. It's possible a configuration went wrong possibly as well. As portalblockz said, Ops can not be done from client side so I would start searching for things in your entire server console.
     
  8. If he was opped before he joined, it would not have created a new config.
     
  9. It created a new Essentials configuration, Essentials does not handle ops so it would have created one even if he was opped before. Although I'm not completely sure if it means that a player file already existed, I still found this so possibly he had data before joining.
    PHP:
    [21:17:05] [Server thread/INFO]: Loaded player file for Ron105
     
  10. Hmm, I'll go check the date of creation for all his player files.
     
  11. Either way this seems unrelated to PEX. If it is a problem in PEX it will exist in 1.7+ servers so the likelihood of it being a new exploit is minimal.
     
  12. Here's what I found:
    Untitled.png

    All of his players were created on the same day, at almost the same time. The console shows that he opped himself within this timeframe. Every other file was created only after he joined.
     
  13. I am guessing you have a malicious plugin or a misconfiguration then. Can I see a list of plugins?
     
  14. Well thank you for clarifying. You did however /kill two of my members and I do not appreciate it. You are not welcome back.
     
  15. I hope you realize that someone with malicious intent would screw over your server with WorldEdit or something else.
     
    • Agree x 1
  16. @invincible64 you should change the title of the post so it is not misleading then.
     
    • Agree x 1
  17. Sorry to bring this up again, however, my server had the same exact issue.

    1. A new player joined the server, with an IP which has never connected to our services before.
    2. The player quickly gets hold of a commandblock or so it seems. (It's a creative server, so that's why he could get hold of one)
    3. Somehow he manages to make it send a command, which messages him "Kneesnap works".

    Then he started deopping everyone, destroyed all loaded entities on our server, changed spawn into rainbow wool, purged our Prism data.
    This wasn't really all that big of a deal. We quickly fixed everything and added a few patches, such as:
    - Disabling the use of commandblocks (We didn't use them for anything anyways)
    - Disabling any pex command from being run in-game.
    - Disabling prism purge/delete, from being run in-game.

    Although we could quickly recover from this, it seems as though there's an actual problem here. I don't like the fact that anyone could potentially join a creative server, that allows for the spawning of commandblocks and suddenly gain access to essentially, a miniature console allowing him to execute whatever command he pleases.
     
  18. Commandblocks only work if you are OP, which would explain how he got one in the first place.

    @invincible64 Looking through your console log, it looks like at first he wasn't OP, as he was indeed being denied commands by PEX. Then all of a sudden he began running commands and wasn't being denied. At this point he ran OP for show.

    So my guess is both of you have malicious plugins. Dump your plugin lists and let's see what is going on.
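
Added example, not part of the thread: a check for the pattern post #18 describes, where a player is denied commands and an op grant is later logged under that same player's name. The sample log is constructed in the line format of the excerpt in post #1; the function name and result fields are illustrative.

```python
import re
from datetime import datetime

# Constructed sample, same line format as the excerpt in post #1 (names and IP are made up).
SAMPLE_LOG = """\
[21:17:05] [Server thread/INFO]: PlayerA[/203.0.113.5:22067] logged in with entity id 101 at ([world] 0.0, 64.0, 0.0)
[21:18:41] [Server thread/INFO]: PlayerA issued server command: /who
[21:18:41] [Server thread/INFO]: §cPlayerA §4was denied access to command.
[21:19:02] [Server thread/INFO]: StaffB issued server command: /op HelperC
[21:19:02] [Server thread/INFO]: [StaffB: Opped HelperC]
[21:21:08] [Server thread/INFO]: PlayerA issued server command: /op PlayerA
[21:21:08] [Server thread/INFO]: [PlayerA: Opped PlayerA]
"""

# Patterns are anchored to the start of the message, so chat text (logged
# behind the sender's rank/name prefix) cannot imitate a server event line.
LINE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] \[[^\]]*\]: (.*)$")
LOGIN = re.compile(r"^(\w+)\[/[\d.]+:\d+\] logged in with entity id")
DENIED = re.compile(r"^(?:§.)?(\w+) (?:§.)?was denied access to command\.")
OPPED = re.compile(r"^\[(\w+): Opped (\w+)\]$")


def find_suspicious_ops(log_text):
    """Flag op grants where the issuer opped themselves or was denied a command earlier."""
    logins, denials, findings = {}, {}, []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        stamp, msg = line.groups()
        when = datetime.strptime(stamp, "%H:%M:%S")  # log has no date: one day per file assumed
        if (m := LOGIN.match(msg)):
            logins[m.group(1)] = when
        elif (m := DENIED.match(msg)):
            denials[m.group(1)] = denials.get(m.group(1), 0) + 1
        elif (m := OPPED.match(msg)):
            issuer, target = m.groups()
            reasons = []
            if issuer == target:
                reasons.append("self-op")
            if denials.get(issuer):
                reasons.append(f"issuer denied {denials[issuer]} command(s) earlier")
            if reasons:
                age = int((when - logins[issuer]).total_seconds()) if issuer in logins else None
                findings.append({"time": stamp, "issuer": issuer, "target": target,
                                 "reasons": reasons, "seconds_since_login": age})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_ops(SAMPLE_LOG):
        print(finding)
```

An op grant issued by established staff to another player is not reported; only the issuer who opped themselves or was previously denied is, together with how long after login it happened.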
     
  19. Agreed, at this point it has a 95% chance of being a plugin. Put either a screenshot or a pastebin of your plugins and we will take a look.
     
  20. I know all of the plugins being used aren't malicious, seeing as most of them are either coded by me, are respectable (Such as WorldEdit) or have gone through Bukkit's approval system.

    However, here's a list of plugins (without my custom coded ones) anyways:
    Code (Text):
    CleanroomGenerator, TerrainControl, Minetrends,
    ClearLag, CompatNoCheatPlus, PlugMan, Buycraft,
    WorldBorder, NametagEdit, Votifier, ProtocolLib,
    NoCheatPlus, PermissionsEx, Top, Vault, WorldEdit,
    Essentials, PlotMe, Multiverse-Core, WorldGuard,
    EssentialsProtect, EssentialsChat, EssentialsAntiBuild,
    EchoPet, Prism, EssentialsSpawn, BlocksHub
    The only plugins that I can think of, that haven't gone through Bukkit's approval system are the following: Minetrends, ProtocolLib, Top (Made by MVdWSoftware who's quite respectable in this community).

    What I have a feeling is the case, is that the whole "You cannot edit a commandblock" thing, that happens when a non-op player, tries to edit a commandblock, is either client-sided, which allows hacked clients to bypass this. (This I really don't think is the case, but it might be), or there might be some certain string of text, that confuses the way that the command blocks work, therefore allowing them to process (Kind of similar how SQL injection works, on unsafe websites).
     
    • Agree x 1