kangarko / ChatControl-Red

Issue tracker and documentation for the next generation ChatControl Red, the most advanced chat management plugin.

1.20.1: Command Packet Issue #2554

Closed gre3x closed 5 months ago

gre3x commented 5 months ago

"/version ChatControlRed" - plugin version

10.23.7

Are you using MySQL?

Yes

Are you using BungeeCord?

Yes

Error log (if applicable)

N/A

"/chc debug" output (strongly recommended)

debug.zip

Information about the issue/bug

Players are able to execute console commands on the server they are currently on through custom clients by sending plugin message packets with the "FORWARD_COMMAND" argument and the server name is the same as the current server.

This is related to Bungee command forwarding, but the Bungee server is not involved I think. This all happens on the spigot server.

I do not have access to these clients or the exact code of how they are doing it, since these are being used by malicious players on my server and not by me, but here is what I think is close to an example of what a dangerous packet sent on an example "Hub1" server would look like:

There is no way to block these right now, even though I don't use the command forwarding feature.

Can you please add a way to disable processing these packets if we don't use the feature? Like if there is a FORWARD_COMMAND packet, then check a config option to see if command forwarding is enabled? Then we can disable it ourselves in the config.

gre3x commented 5 months ago

@kangarko @ElBananaa @TheIntolerant sorry for the ping, but I believe this should be handled quickly. Let me know if you need any more info

kangarko commented 5 months ago

Thanks for reporting. This is strange, because I do recall patching this earlier and checking for non player senders: https://i.imgur.com/mI1oJyA.png

I recommend you set the key Enable_Forward_Command to false in BungeeControl's latest current version. It will turn this feature off completely.

gre3x commented 5 months ago

@kangarko will toggling it off on the Bungee also block the interaction on Spigot servers? There is no toggle on the spigot servers to prevent this, so how do I block it on my spigot servers too?

gre3x commented 5 months ago

I am assuming that clients can interact with spigot plugins and just because it is not processed on the Bungee plugin, does not mean that the Spigot plugin will not get the packet.

Again, this is on the spigot server, not the Bungee.

And I just checked and I already had Enable_Forward_Command set to false on the Bungee, sadly @kangarko

kangarko commented 5 months ago

Thanks, you were correct. I'll push a new release tonight.
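
The backend-side config gate requested in this issue, written out as an added example; it is not ChatControl Red's code and not part of the thread. The three-string payload layout, the `forwardingEnabled` flag, and all class and method names are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

public class ForwardCommandGate {
    enum Decision { NOT_FORWARD, DROP_DISABLED, DROP_MALFORMED, ALLOW }

    // Assumed payload layout (hypothetical): three writeUTF strings,
    // action, target server, command.
    static Decision decide(byte[] payload, boolean forwardingEnabled) {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(payload))) {
            if (!"FORWARD_COMMAND".equals(in.readUTF())) return Decision.NOT_FORWARD;
            // Check the switch before parsing any further sender-controlled fields.
            if (!forwardingEnabled) return Decision.DROP_DISABLED;
            String server = in.readUTF();
            String command = in.readUTF();
            // Reject empty fields and trailing bytes instead of guessing at intent.
            if (server.isEmpty() || command.isBlank() || in.available() > 0)
                return Decision.DROP_MALFORMED;
            // ALLOW only means the feature is on and the payload is well formed;
            // it does not establish who sent the message.
            return Decision.ALLOW;
        } catch (IOException e) {
            return Decision.DROP_MALFORMED; // truncated or invalid payload: fail closed
        }
    }

    // Builds a constructed sample payload in the assumed layout.
    static byte[] sample(String... fields) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        for (String f : fields) out.writeUTF(f);
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] fwd = sample("FORWARD_COMMAND", "Hub1", "say constructed test");
        System.out.println(decide(fwd, false));
        System.out.println(decide(fwd, true));
        System.out.println(decide(sample("FORWARD_COMMAND", "Hub1"), true));
        System.out.println(decide(sample("OTHER_ACTION"), false));
    }
}
```

A gate like this covers the case where the feature is unused; when forwarding is enabled, the sender check kangarko mentions is still needed, because a well-formed payload says nothing about its origin.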