Updated-NoCheatPlus / NoCheatPlus

Anti-cheating plugin for Minecraft (1.5-1.21, Bukkit/Spigot)
https://ci.codemc.io/job/Updated-NoCheatPlus/job/Updated-NoCheatPlus/
GNU General Public License v3.0

NoCheatPlus bug/crash exploit #7

Closed andris155 closed 3 years ago

andris155 commented 4 years ago

Full output of /ncp version

[17:00:01 INFO]: ---- Version information ----
[17:00:01 INFO]: #### Server ####
[17:00:01 INFO]: git-Paper-235 ~MC: 1.15.2~
[17:00:01 INFO]: detected: 1.15.2
[17:00:01 INFO]: #### NoCheatPlus ####
[17:00:01 INFO]: Plugin: 3.17-SNAPSHOT-b5.7.2
[17:00:01 INFO]: MCAccess: 1.13-1.15.2|? / Bukkit-API
[17:00:01 INFO]: Features:
[17:00:01 INFO]: blocks: BlocksMC1_4 | BlocksMC1_5 | BlocksMC1_6_1 | BlocksMC1_7_2 | BlocksMC1_8 | BlocksMC1_9 | BlocksMC1_10 | BlocksMC1_11 | BlocksMC1_12 | BlocksMC1_13 | BlocksMC1_14 | BlocksMC1_15 | MCAccessBukkitModern
[17:00:01 INFO]: checks: FastConsume | Gutenberg | HotFixFallingBlockPortalEnter | AttackFrequency | FlyingFrequency | KeepAliveFrequency
[17:00:01 INFO]: defaults: pvpKnockBackVelocity
[17:00:01 INFO]: packet-listeners: UseEntityAdapter | MovingFlying | OutgoingPosition | KeepAliveAdapter | SoundDistance | WrongTurnAdapter | NoSlow | Fight
[17:00:01 INFO]: Hooks: Citizens2~cncp~ 2.0 | mcMMO~cncp~ 2.3 | MyPet 1.1 | ViolationFrequency~NCP~ 1.0
[17:00:01 INFO]: #### Related Plugins ####
[17:00:01 INFO]: CompatNoCheatPlus v6.6.5-RC-sMD5NET-b90 | ProtocolLib v4.5.1-SNAPSHOT-b448 | ConditionalCommands v1.5

Describe the issue

The players crashed my server with the onepacketcrasher hack.

How to reproduce the issue

https://www.youtube.com/watch?v=QhtwqaO9_Dg

Extra links/Videos (Including debug logs)

[15:42:44] [Netty Epoll Server IO #3/ERROR]: [NoCheatPlus] Unhandled exception occured in onPacketReceiving(PacketEvent) for NoCheatPlus
java.lang.NullPointerException: null
    at fr.neatmonster.nocheatplus.checks.net.protocollib.WrongTurnAdapter.onPacketReceiving(WrongTurnAdapter.java:41) ~[?:?]
    at com.comphenix.protocol.injector.SortedPacketListenerList.invokeReceivingListener(SortedPacketListenerList.java:114) ~[?:?]
    at com.comphenix.protocol.injector.SortedPacketListenerList.invokePacketRecieving(SortedPacketListenerList.java:67) ~[?:?]
    at com.comphenix.protocol.injector.PacketFilterManager.handlePacket(PacketFilterManager.java:590) ~[?:?]
    at com.comphenix.protocol.injector.PacketFilterManager.invokePacketRecieving(PacketFilterManager.java:557) ~[?:?]
    at com.comphenix.protocol.injector.netty.ProtocolInjector.packetReceived(ProtocolInjector.java:352) ~[?:?]
    at com.comphenix.protocol.injector.netty.ProtocolInjector.onPacketReceiving(ProtocolInjector.java:317) ~[?:?]
    at com.comphenix.protocol.injector.netty.ChannelInjector.decode(ChannelInjector.java:533) ~[?:?]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[patched_1.15.2.jar:git-Paper-220]
    at com.comphenix.protocol.injector.netty.ChannelInjector$2.channelRead(ChannelInjector.java:259) ~[?:?]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:284) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:808) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:408) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:308) ~[patched_1.15.2.jar:git-Paper-220]
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884) ~[patched_1.15.2.jar:git-Paper-220]
    at java.lang.Thread.run(Unknown Source) [?:?]
[15:42:44] [Netty Epoll Server IO #3/ERROR]: Parameters:
  net.minecraft.server.v1_15_R1.PacketPlayInFlying$PacketPlayInLook@51f4ec75[
    x=0.0
    y=0.0
    z=0.0
    yaw=-111.60535
    pitch=8.100017
    f=true
    hasPos=false
    hasLook=true
  ]

Any possible config options changed or plugins that may cause interference?

CaptainObvious0 commented 4 years ago

Currently, NoCheatPlus does not protect against large/quickly sent packets. I'm assuming that this exploit is simply doing that using CustomPayload. The only place it does enforce a sane amount of packets is Flying/Moving packets.

ViaVersion does have protection against this, but it doesn't look like you're running that plugin. Taking a look at this plugin (https://www.spigotmc.org/resources/packet-limiter.70217/) it should patch this exploit. I'm going to treat this as an enhancement/feature request rather than a bug.

The error you see in console is unrelated. That should have been fixed in the latest commit/build. If you still see the error after updating, please let me know.

andris155 commented 4 years ago

Thanks!

CaptainObvious0 commented 4 years ago

Seems I forgot that NoCheatPlus does actually enforce sane packet speed under PacketFrequency, but this check is disabled for server versions above 1.8. Not sure if it has been disabled for a reason, but I’ll look into seeing if this could be enabled for all server versions as well.
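
Added example, not part of the thread and not code from NoCheatPlus, ViaVersion or the linked packet-limiter plugin: a per-player token bucket showing the kind of inbound packet-rate enforcement the comments above describe. The class name `PacketBudget` and the limits (100 packets/second, burst of 200) are assumptions chosen for illustration, and the packet timestamps in `main` are constructed.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/** Per-player token bucket for inbound packets (illustrative; hypothetical class). */
public final class PacketBudget {
    private static final class Bucket { double tokens; long lastNanos; }

    private final double ratePerSecond; // sustained packets per second allowed
    private final double burst;         // packets accepted back-to-back at most
    private final Map<UUID, Bucket> buckets = new ConcurrentHashMap<>();

    public PacketBudget(double ratePerSecond, double burst) {
        this.ratePerSecond = ratePerSecond;
        this.burst = burst;
    }

    /** Returns true if the packet may be processed, false if it should be dropped. */
    public boolean allow(UUID player, long nowNanos) {
        Bucket b = buckets.computeIfAbsent(player, id -> {
            Bucket fresh = new Bucket();
            fresh.tokens = burst;
            fresh.lastNanos = nowNanos;
            return fresh;
        });
        synchronized (b) { // network I/O threads may deliver packets concurrently
            double elapsed = Math.max(0, nowNanos - b.lastNanos) / 1e9;
            b.tokens = Math.min(burst, b.tokens + elapsed * ratePerSecond);
            b.lastNanos = nowNanos;
            if (b.tokens < 1.0) return false; // budget exhausted: drop before any check runs
            b.tokens -= 1.0;
            return true;
        }
    }

    /** Call on disconnect so the map does not grow without bound. */
    public void forget(UUID player) { buckets.remove(player); }

    public static void main(String[] args) {
        PacketBudget budget = new PacketBudget(100, 200); // assumed limits
        UUID flooder = UUID.randomUUID(), normal = UUID.randomUUID();
        long t0 = System.nanoTime();
        int dropped = 0;
        // Constructed input: 5000 packets within 50 ms from one client...
        for (int i = 0; i < 5000; i++) if (!budget.allow(flooder, t0 + i * 10_000L)) dropped++;
        // ...and one packet per 50 ms tick from another.
        boolean normalOk = true;
        for (int i = 0; i < 40; i++) normalOk &= budget.allow(normal, t0 + i * 50_000_000L);
        System.out.println("flooder dropped=" + dropped + " normalOk=" + normalOk);
    }
}
```

In a plugin, `allow` would be called at the start of the packet listener for every inbound packet type, not only Flying/Moving, and `forget` from the player-quit handler.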