PaperMC / Paper

The most widely used, high performance Minecraft server that aims to fix gameplay and mechanics inconsistencies
https://papermc.io/

Ride-able entity duplication exploit through super-positioning #1316

Status: Closed. CloudCraftMC closed this issue 6 years ago.

CloudCraftMC commented 6 years ago

Entities can be duplicated by riding them into unloaded chunks, disconnecting, and then using an alternate account to repeatedly move into the glitched chunk. This can be used to duplicate the contents of donkeys.

https://www.youtube.com/watch?v=frasVoWE_Lw

This works on 2b2t which runs the latest 1.12.2 Paper version.

hugmanrique commented 6 years ago

Does this also happen on Vanilla 1.12.2? Spigot 1.12.2?

Black-Hole commented 6 years ago

Should be fixed in recent Paper versions.

DementedSorrow commented 6 years ago

Has anyone else been able to recreate this?

sexydolf commented 6 years ago

The video was faked.

ghost commented 6 years ago

sexydolf is correct. I contacted the creator of the video, and I can assure you that it is faked.

zachbr commented 6 years ago

Anyone who didn't just join GitHub today have any thoughts about this?

chickeneer commented 6 years ago

If this was reproducible, this is how I interpreted it.

It looks like the principle shown is that you are entering an unloaded chunk with hacks, and logging out while it is loading. That should be handled sync - so I don't see how that should matter.

What does not make any sense is that horses are stored on the player when the player logs out, not the chunk (so those donkeys should be gone with the player who originally logged out). Additionally, if recent code changes were to blame (the uuid thing), I'm pretty sure all current handlings of that issue have a check to see if there are others nearby, and react accordingly.

CloudCraftMC commented 6 years ago

You can still do it, but the method has changed: you still speedhack into unloaded chunks to super-position your player (your view will be shaking and you can't move); don't log out. Then your second account goes to the chunk where your first is glitched, and the donkey will be there. You take all the items from inside the donkey and relog with the first account; the donkey will still have the items in it, so you have 2 sets of items.

aikar commented 6 years ago

I'm also suspicious of how one would even manage to move into an unloaded chunk as a player. So many things would call .getChunk() and force it to load.

They are also likely not on the latest, as the default dupe uuid mode is set to delete, but the latest report from CloudCraft seems a bit more logical: the entity could still be in the world, but bugged in a non-savable state.

Not sure how you can get into that state with normal Paper, though.

VADemon commented 6 years ago

Alternatively, the server is running an outdated PaperSpigot version while #1223 was in the process of being fixed.

> This works on 2b2t which runs the latest 1.12.2 Paper version.

How do you know?

@aikar: The server allows the entity-speedhack to move at light speed on entities.

aikar commented 6 years ago

That doesn't explain why moving into the chunk didn't cause it to load.

But yes, there were some builds that were buggy and may have increased the risk; I'm not aware of a case in latest.

Most of the work in #1223 dealt with "if something CAUSED an entity to duplicate, how do we handle it", and adds checks to avoid saving entities to a chunk that we know are not even in the chunk anymore.

Previously, if an entity duplicated, you couldn't see the duplicate. But the regeneration setting added made them come back out, so I changed it to saferegen to delete if nearby.

2b2t might be on a build where the setting was regen instead of saferegen, and needs to be updated to the desired value, but I'm not sure any of this relates to the latest 'method', since the old entity is in the world, accessible, but when the player relogs it didn't save the data?

ghost commented 6 years ago

@aikar I tried it on 2b2t.org and it doesn't work after probably one hundred attempts: my donkey either disappeared, or I logged back on and there was still only 1 donkey, using the updated instructions AND the outdated instructions. This all seems like some prank, OR 2b2t has already patched it on their side.

Edit: I also used the entityspeed hack to get stuck in the chunk which was a step of the method.

DementedSorrow commented 6 years ago

@PatchScanner you need 2 accounts

ghost commented 6 years ago

@DementedSorrow A friend helped me with this, and he plays on the server 2b2t.

CloudCraftMC commented 6 years ago

@VADemon 2b2t doesn't 'allow' entityspeed. The owner is actually paying a developer to create a plugin that patches out this exploit that causes large amounts of lag, an exploit that isn't solved by either AAC or NCP.

@aikar the state where your entity gets stuck in unloaded chunks has been around in paper for as long as entityspeed, I have seen it since entityspeed was discovered/popularised in 1.10. It is very easy to reproduce: download any hacked client with it, turn up the speed to max, and fly down a nether tunnel on a pig without stopping. Usually you avoid getting stuck all the time like we are discussing by speeding only to the edge of the chunks that have loaded for you, and waiting for the loaded chunks to catch up. The effect of getting stuck in unloaded chunks is such a common occurrence it inspired the side module of antivoid, which will not allow you to send movement packets to take you in the direction of unloaded chunks when they get within a specified distance.

@PatchScanner try the second method, but just relog with the account that is stuck when you have arrived with the second account. This should produce 2 donkeys.

aikar commented 6 years ago

While we can't reproduce (Sorry I'm not downloading a hack client), based on the concepts you have described, Build 1541 will guarantee that a player can never move into an unloaded chunk (by forcefully loading the chunk when needed), which should solve the issue.

I had suspicion of this code path being a source for entity loss, and tried to fix that recently but the change was done in a way it caused other problems. This method is absolutely safe.

exwundee commented 6 years ago

@sexydolf You noticed 2b2t was down as well?