NaN Exploits

[Vladymyr]

If you set your vertical and/or horizontal position to NaN it will allow you to fly, die (only if you're colliding horizontally), teleport, pass through blocks, become invincible, glitch your arm swimming & walking animation, take no fall damage and even freeze the server. After trying it out multiple times it seems to be consistent.

Version during the incident: 3.1.5.0-SNAPSHOT-sMD5NET-b1043 Footage of the exploits: NoClip/Fly, NoClip and Glitch Animation

The server in which this exploit was discovered had multiple selectable anti-cheats (we had selected NCP) and 1.9.X - 1.11.X cross-compatibility. I'm unsure if Mojang screwed up something with their movement checks or it's the server's fault but I think it was worth reporting.

[asofold]

Can they use this only as the first move after joining , or can they use it anywhere any time / at will?

[Vladymyr]

They can use it any time (No clip, Fly, Teleport) after the player (vertical or horizontal) cliped while colliding with a block/wall (excluding stairs blocks or other blocks with lower height)

[asofold]

A debug log would be nice to have (https://github.com/NoCheatPlus/Docs/wiki/Debugging#on-the-fly-debug-output-for-individual-players).

I'd assume they can somehow clip, e.g. with an untracked move. Do you know if they exploit the server teleporting players on such/similar occasions (Bukkit: teleport events with UNKNOWN reason, used to be uncancellable)?

[Vladymyr]

Sorry, I don't have access to the logs.

Do you know if they exploit the server teleporting players on such/similar occasions?

I don't think so.

Edit: I took a look at NetHandlerPlayServer class and I saw this for CPacketPlayer, it doesn't have any checks for NaN. So the fix would kick the player for "Invalid Position/Rotation" if something is NaN. It should solve the issue, right?

Edit 2: Okay, never mind they + and - NaN for the position.

[asofold]

Yes :), both is needed.

NoCheatPlus should sort out NaN for sure, but perhaps it's "too late" when NCP receives the events. Possibly the server will teleport them somehow, but i can't tell what's happening in between. We could monitor NaN and infinity on packet level, which probably is the best we can do (ProtocolLib).

Edit: Oops, wrong button.

[Vladymyr]

If you're not capable of fixing it, should I report this directly to Spigot?

[asofold]

In fact, this should probably be reported to spigot, especially considering the suggested fix!

(https://hub.spigotmc.org/jira/secure/Dashboard.jspa)

If you don't, i should do on monday.

[KurtisAD]

I run the anarchy server Constantiam.net, and am not able to reproduce. Currently on the latest build of NCP and Spigot

[FirstReplay]

This issue IS happening on all servers including the ones above who the posters above have nothing to do with. The posters above have been using the exploit successfully on both servers. Latest NCP build and latest Paper build with latest ProtocolLib. I believe we would need a private tracker for Issues such as these as they are being actively used to locate exploits. This childish behavior has no place on a serious tracker such as this.

[Black-Hole]

JavaDoc for Doubles.isFinite() states: Returns true if value represents a real number. This is equivalent to, but not necessarily implemented as, !(Double.isInfinite(value) || Double.isNaN(value)).

I suspect the exploit is using some other packet besides PacketPlayInFlying or it's subclasses.

[asofold]

Bounding box would mean .... pre 1.8 or so (unless indirectly causeing the server to set it oddly)?

For guessing, i could as well imagine attacks specific to protocol support plugins, combinations of anti cheating plugins, individual anti cheating plugins, ...

Perhaps there is some double arithmetics bomb somewhere with the vanilla checks (teleporting players out of blocks), or with another packet (VehicleSteer?).

We do need to find out, under which circumstances this is possible (no anti cheating plugins there, Vanilla server?, CRaftBukkit(Spigot), default Spigot ....). Alternatively a specific action/packet/content to check for ....

[Vladymyr]

@jonesdj1 b0at is 1.10.2 but allows other versions.

[asofold]

So client-side it works with bounding boxes, but they don't have a bounding box related packet on 1.11, do they?

[Vladymyr]

@jonesdj1 ye like for example mc.player.setPosition(mc.player.posX + Double.NaN, mc.player.posY + 0.001F, mc.player.posZ + Double.NaN);

[asofold]

I'd love to see which packets are used for bounding boxes... pre-idk1.8-or-so, the moving packets could contain a stance value, but that has been removed. So what would it be now? Perhaps your'e getting kicked, because the hack doesn't work server-side and you're floating too long, effectively? (i assume not)

Appart from the player position packets, which packets are there (on which version of MC)?

[bounding box?? / vehicle steer? vehicle move?]

[Vladymyr]

@asofold I tested it on 1.11 and works for me.

[asofold]

setPosition would result in one of the ordinary player position packets - i can understand that if the sanity checking isn't done, it'll be able to create havoc. I was just asking for the bounding box adaption resulting in which packet. If it's adaptive, it could also just be a position packet.

@Vladymyr96 Why are you using 'mc.player.posX + Double.NaN', would 'Double.NaN' not work?

I have to review NCP, all comparison with == on Double.NaN (and possibly infinity too) is problematic. To avoid confusion, i'll route things through auxiliary methods, also where my own methods return Double.NaN and the like as primitive doubles.

[asofold]

Roughly at build 1049 ~ quick and dirty review of NaN and xyINFINITY use within NCP.

(Still doesn't explain why the server doesn't catch it early, since Doubles.isFinite should catch it. Thus it's probably not checked at all...)

[Xayanix]

I can confirm this issue. I am going to make public fix for it. This is how error log looks like: http://pastebin.com/6yD5pJjp

[Xayanix]

@jonesdj1 Yes, probably it is. Player joins server with NaN location and then server gets freezed.

Log before crash:

[18:44:08] [LoginProcessingThread/INFO]: UUID of player name_of_player is uuid_of_player [18:44:08] [Server thread/INFO]: name_of_player[/ip:port] logged in with entity id 361724 at ([world]NaN, NaN, NaN)

[asofold]

The log by @Xayanix looks like it could be the issue. If that's the spot, then it looks like this should be reported to the jira at the developers hub of spigotmc.org. The log is from 1.10.2 though, it would be best to have such a log with the latest of spigot versions (MC 1.11.2). Reviewing the server code may reveal that 1.11 is still vulbnerable, i haven't checked.

(If i'm mistaken with reading from the log that plugins are not involved directly, please correct me.)

[Xayanix]

@asofold I updated server to 1.11.2 (2 days ago) and i have not reported any crashes. I will let you know if something will happen.

[asofold]

@Xayanix Concerning the 1.10.2 log: I'd be somewhat surprised if that went through (NaN or infinity) with NCP build 1047 or later, with ProtocolLib and the FlyingFrequency check activated. In that case the packet should be received and cancelled by NCP (no kick, only a log message if the player is debugged).

[ghost]

thanks Vlad for breaking my noclip hake

[Vladymyr]

@v0idst4r it' got patched? yey and np bb <3 <3 <3

[ghost]

It will soon becuz of you might as well break 1.9+ NCP flight as well

[ghost]

I tried it and I effectively no clipped on cubecraft without being inside a block

On Jan 11, 2017 11:24 PM, "jonesdj1" notifications@github.com wrote:

mfw this was never a exploit nor could it be used

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/NoCheatPlus/Issues/issues/333#issuecomment-272079252, or mute the thread https://github.com/notifications/unsubscribe-auth/ATE0Xknl6AC-mqZBvfYWI0wtD3uACgR2ks5rRbklgaJpZM4LP-I2 .

[ghost]

Trust me, it works

On Jan 11, 2017 11:38 PM, "jonesdj1" notifications@github.com wrote:

@v0idst4r https://github.com/v0idst4r you can clip down but if you move your mouse you get teleported back lol

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/NoCheatPlus/Issues/issues/333#issuecomment-272080715, or mute the thread https://github.com/notifications/unsubscribe-auth/ATE0XsqVHnf6JLPLYb75pPUu6ux7KcfBks5rRbxXgaJpZM4LP-I2 .

[asofold]

@jonesdj1 You might have to wrap all player moving with the right sequence of packets, otherwise it'll be like turning around while standing in-air, which would get detected usually.

Can anybody still use this on a server that is having NCP build 1054 or later and ProtocolLib running? (Whatever cubecraft is using ....)

[ghost]

You can fly but it has to be either the glitch abusing 1.9+ NCP fly or you have to place a block first

On Jan 16, 2017 7:20 AM, "jonesdj1" notifications@github.com wrote:

@asofold https://github.com/asofold cubecraft uses a build of nocheatplus from like 6+ months ago or so without default config as people can fly on there with things that never would work on ncp.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/NoCheatPlus/Issues/issues/333#issuecomment-272860209, or mute the thread https://github.com/notifications/unsubscribe-auth/ATE0XoxgWfZ-Sp_sQVWm7Sax1Yvyn20wks5rS26ngaJpZM4LP-I2 .

[asofold]

Latest dev counts, sorry :). For altering existing past-builds on random servers from the outer atmosphere i'd need a capable it-engineer and a much much better source of energy ...

@v0idst4r Is it related to NCP in particular? Does it work with NCP (Jenkins.-..)= build 1054?

[ghost]

It's not a problem with NCP, I believe it's a problem with bukkit/spigot. Normally sending a packet with NaN should kick you for "invalid move packet received" but it doesn't on 1.9+ servers.

On Jan 16, 2017 5:40 PM, "asofold" notifications@github.com wrote:

Latest dev counts, sorry :). For altering existing past-builds on random servers from the outer atmosphere i'd need a capable it-engineer and a much much better source of energy ...

@v0idst4r https://github.com/v0idst4r Is it related to NCP in particular? Does it work with NCP (Jenkins.-..)= build 1054?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/NoCheatPlus/Issues/issues/333#issuecomment-272986462, or mute the thread https://github.com/notifications/unsubscribe-auth/ATE0XsJ8BfNwWOSKM_wQ0pOU-cIQBdrBks5rS__5gaJpZM4LP-I2 .

[ghost]

And as @Xayanix 's pastebin shows, you can even crash the server if you send just NaN and not your current position + NaN

[ghost]

On latest 1.11.2 spigot this was fixed and now kicks the player for "Invalid move packet recieved"

[rbreslow]

Not fixed for my build of Spigot... I think this may be a problem with the vanilla branch (from Mojang) and submitted a ticket to their Jira

On Tue, Jan 24, 2017 at 7:03 PM, v0idst4r notifications@github.com wrote:

On latest 1.11.2 spigot this was fixed and now kicks the player for "Invalid move packet recieved"

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/NoCheatPlus/Issues/issues/333#issuecomment-274979301, or mute the thread https://github.com/notifications/unsubscribe-auth/ABsSLfMiPiQomb3lxyQ8680Q3MORQKSfks5rVpFcgaJpZM4LP-I2 .

[ghost]

What build and MC version?

On Jan 24, 2017 7:13 PM, "Rocky Breslow" notifications@github.com wrote:

Not fixed for my build of Spigot... I think this may be a problem with the vanilla branch (from Mojang) and submitted a ticket to their Jira

On Tue, Jan 24, 2017 at 7:03 PM, v0idst4r notifications@github.com wrote:

On latest 1.11.2 spigot this was fixed and now kicks the player for "Invalid move packet recieved"

— You are receiving this because you commented. Reply to this email directly, view it on GitHub <https://github.com/NoCheatPlus/Issues/issues/333#issuecomment-274979301 , or mute the thread https://github.com/notifications/unsubscribe-auth/ ABsSLfMiPiQomb3lxyQ8680Q3MORQKSfks5rVpFcgaJpZM4LP-I2 .

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/NoCheatPlus/Issues/issues/333#issuecomment-274991050, or mute the thread https://github.com/notifications/unsubscribe-auth/ATE0Xniu9dB-irk5rWvPVONSJ083TjgMks5rVqHCgaJpZM4LP-I2 .

[asofold]

Yeah we'll need all the context(s)...

• Vanilla or Spigot (CraftBukkit?) + version.
• NCP version if used. [net checks activated?]
• ProtocolLib version if used.

Otherwise this is just confusing, i'd prefer not to have to write my own client right now (sending stuff via ProtocolLib might work, but it might not).

[asofold]

If that applies, we'll need some means of mitigation for past versions though (1.9.x/1.10.x).

[ghost]

Auto kick if a player's position isn't Double.isFinite ?

On Jan 28, 2017 3:16 PM, "asofold" notifications@github.com wrote:

If that applies, we'll need some means of mitigation for past versions though (1.9.x/1.10.x).

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/NoCheatPlus/Issues/issues/333#issuecomment-275875207, or mute the thread https://github.com/notifications/unsubscribe-auth/ATE0Xuw6rehS-Mzl6CSOXV0aDF9TUwVgks5rW7AjgaJpZM4LP-I2 .

[asofold]

Well usually NCP should cancel such packets, but perhaps there is conditions when it doesn't happen on packet level:

• ProtocolLib not installed.
• The MovingFlying thing is not run for whatever reasons (flyingfrequency disabled and other).
• (Bugs?).

If NCP finds such a position in Bukkit it'd kick the player, but that's likely too late already, because the crashing and stuff seems to happen at an earlier stage.

So perhaps i'll find the reason why the checks don't run.

• https://github.com/NoCheatPlus/NoCheatPlus/blob/master/NCPCompatProtocolLib/src/main/java/fr/neatmonster/nocheatplus/checks/net/protocollib/MovingFlying.java#L171
• https://github.com/NoCheatPlus/NoCheatPlus/blob/master/NCPCompatProtocolLib/src/main/java/fr/neatmonster/nocheatplus/checks/net/protocollib/ProtocolLibComponent.java#L89 (Quick glance: it should be checked and the packet cancelled? Does need ProtocolLib and not having deactivated net.flyingfrequency.)

[asofold]

So i'm still lacking the information, if these really work with NCP 1084 (or better latest) and ProtocolLib on (for the said past versions of Spigot). All moving checks and flyingfrequency / net activated of course.

[asofold]

@jonesdj1 Thanks :) - is that fixed for 1.9.4/1.10.2 too? Otherwise a fix would be nice to have.