sekwah41 / Advanced-Portals

An advanced portals plugin for bukkit
GNU Lesser General Public License v3.0

ForceOP AntiMalware #300

Closed Link0Darck closed 2 years ago

Link0Darck commented 2 years ago

Good morning, the AntiMalware has detected a force op command in your plugin which is vulnerable if you don't check by yourself with the spigot staff plugin: (https://www.spigotmc.org/resources/spigot-anti-malware.64982/)

```
[AntiMalware] [00:30:13] [INFO]: Using locale en
[AntiMalware] [00:30:13] [INFO]: Any bugs and/or false-positives should be reported either on the GitHub repo, plugin discussion page, or on the discord server
[AntiMalware] [00:30:13] [INFO]: Registering checks
[AntiMalware] [00:30:13] [INFO]: Finished registering checks
[AntiMalware] [00:30:13] [INFO]: Setting up the Auto-Updater
[AntiMalware] [00:30:13] [INFO]: Finished initializing
[AntiMalware] [00:30:13] [DETECTED]: plugins\Advanced-Portals-0.0.41-snapshot.jar MIGHT be infected with Spigot.MALWARE.ForceOP.A Class Path: com/sekwah/advancedportals/portals/Portal ; SourceFile/Line Portal.java/463
Remaining files to scan: 0
```

sekwah41 commented 2 years ago

The force op is related to being able to run the commands as op. To be able to create these you already need to be op as well as they can be disabled through the config.

We tried to have this disabled by default however sadly a LOT of users were confused on how to enable it or saying the plugin was "broken" so we got a lot of bad reviews because we tried to keep users secure and safe from rogue admins.

The problem is the only way from what I can tell to temp set someone is op for the duration of a command or at least the command call phase which due to the nature of how mc executes it's not really possible to abuse this in a weird way unless you force crash the server, and at that point the server won't have even written the op settings to any user data.

There was a suggestion from one of the people from this anti-malware (possibly a different one) plugin and their suggestion was to make some proxy user, which in practice isn't possible due to the fact the reason people want to run the commands this way is it needs to affect the user sending the command. As well as the suggested method they came up with you would theoretically have to make a compatibility layer for every version of craftbukkit you plan to support as well as you would have a tonne of side effects on top of that adding to both an unrealistic maintainability effort as well as other problems.

If anyone is aware of another way to run commands with elevated permissions feel free to comment or show an example however from checking other plugins such as command signs this seems to be the common way to do this.

sekwah41 commented 2 years ago

Btw this isn't me saying this isn't an issue. I 100% agree it is an issue however the user community voted for being insecure by default by a massive level of complaints and negative reviews. (look back at old reviews).

The reason this plugin flags advanced portals is that it's just warning you that if that behavior isn't expected then it likely has a hidden backdoor.

If you would like to see the lines it is flagging they can be found here https://github.com/sekwah41/Advanced-Portals/blob/d09ad72491b1a79281c7a0689349041a134f26cf/src/main/java/com/sekwah/advancedportals/bukkit/portals/Portal.java#L581

and it is only possible to run them if they are enabled in config https://github.com/sekwah41/Advanced-Portals/blob/d09ad72491b1a79281c7a0689349041a134f26cf/src/main/java/com/sekwah/advancedportals/bukkit/portals/Portal.java#L577

If someone has made a command portal with these tags in the past it will ignore them and run as a non-elevated version

We also very quickly set it back using a try-finally to try to make sure no errors can force past this. https://github.com/sekwah41/Advanced-Portals/blob/d09ad72491b1a79281c7a0689349041a134f26cf/src/main/java/com/sekwah/advancedportals/bukkit/portals/Portal.java#L585

sekwah41 commented 2 years ago

Also, this code hasn't changed for a while so the same is the case both in the old and new ones :P I am open to any discussion about this though have closed the issue as this has previously been discussed in the past.

If you have any ideas on how to proceed with this feel free to re-open the issue and I will look to try to make them or at least discuss the pros/cons. Sorry if I've jumped the gun and closed this issue too soon.

Link0Darck commented 2 years ago

For one of the plugins I use it was the same thing, the person solved it and answered this:

> Ah okay so I see why it flagged it as malware now, I checked the source code of the anti-malware plugin since it is open source, if I had it specify specifically player.setOp(false) directly after setting them to player.setOp(true) it wouldn't have flagged it. The reason it's flagged is because I use a dynamic variable, I fetch the player's OP status prior to setting them to OP then I set them back to that status after they are set to OP. If I didn't do that then some players who were already OP prior to executing the command would end up getting de-opped when they are not supposed to.

If you want I put the link because there is not that your plugin I report on the github after I prefer to report on the github that on the spigot or it can ban you but I know that your plugin is not created to harm the server otherwise here is the link : https://github.com/RockinChaos/ItemJoin/issues/438

I'm sorry for the long wait but I had a lot of things to do but I wanted to warn you now there is a lot of malware that infects Minecraft servers like HostFlow that now almost everyone puts the anti malware and even I got this malware while I didn't have a crack plugin
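The pattern discussed in the comments above (config gate, temporary op, restore in `finally`, and not de-opping players who were already op), as an added example that is not part of the thread and is not the code of Advanced Portals or ItemJoin. `OpHolder`, `FakePlayer` and `runPortalCommand` are hypothetical names; `OpHolder` stands in for the `isOp()`/`setOp()` methods of Bukkit's `Player` so the example runs without a server.

```java
public class TempOpExample {
    // Hypothetical stand-in for the two methods of Bukkit's Player used here
    // (isOp / setOp), so the example runs without a server on the classpath.
    interface OpHolder {
        boolean isOp();
        void setOp(boolean value);
    }

    // Constructed test double; not part of Bukkit or Advanced Portals.
    static final class FakePlayer implements OpHolder {
        private boolean op;
        FakePlayer(boolean op) { this.op = op; }
        @Override public boolean isOp() { return op; }
        @Override public void setOp(boolean value) { this.op = value; }
    }

    // Runs `command` for `player`, elevating to op only when the config switch
    // allows it and the player is not an op already.
    static void runPortalCommand(OpHolder player, boolean opCommandsEnabled, Runnable command) {
        if (!opCommandsEnabled || player.isOp()) {
            command.run(); // disabled in config, or nothing to elevate
            return;
        }
        try {
            player.setOp(true);
            command.run();
        } finally {
            // Reached only for players who were not op on entry, so a literal
            // false restores their previous state and never de-ops an existing op.
            player.setOp(false);
        }
    }

    public static void main(String[] args) {
        FakePlayer guest = new FakePlayer(false);
        FakePlayer admin = new FakePlayer(true);
        // A command that throws must not leave the guest elevated.
        try {
            runPortalCommand(guest, true, () -> { throw new IllegalStateException("command failed"); });
        } catch (IllegalStateException expected) {
            System.out.println("guest op after failing command: " + guest.isOp());
        }
        runPortalCommand(admin, true, () -> System.out.println("admin op during command: " + admin.isOp()));
        System.out.println("admin op afterwards: " + admin.isOp());
        runPortalCommand(guest, false, () -> System.out.println("guest op with feature disabled: " + guest.isOp()));
    }
}
```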

sekwah41 commented 2 years ago

Oh dw I already went through this with the spigot guys and was temp banned years ago :P Usually, they just ban you to be safe then after seeing the code they unban you.

I'll take a look at how they have resolved it and see if it resolves it for advanced portals too :)

Strahilchu commented 2 years ago

There is no backdoor in this plugin, that Anti-Malware plugin just has weird false-positives and finds things people don't understand and panic for no reason.

sekwah41 commented 2 years ago

@Link0Darck could you give this a test? https://cdn.discordapp.com/attachments/273239935648006144/936328815712563210/Advanced-Portals-0.9.1--canary.318.672b544-SNAPSHOT.jar

sekwah41 commented 2 years ago

@Strahilchu while I did try to contact the author of McAntiMalware about this a few years back there is a way to remove the false positive at least now. He was entirely unhelpful and proposed pretty ridiculous solutions, which in theory could work but the first class you look at and realise wait that's not how mc works or spigot at least you'd find it would break far more than it would fix.

Hence why it was ignored till now but it does make sense when there is a solution even if it doesn't change it logically to just make people happy with a small tweak. Even though it is a false positive.

Link0Darck commented 2 years ago

> There is no backdoor in this plugin, that Anti-Malware plugin just has weird false-positives and finds things people don't understand and panic for no reason.

That's what I came to say, if there was a way to not be detected because people might panic for nothing, I'm here to warn you, I'm not here to damage the reputation of the plugin as I use it and this plugin is not one and the creator comes from the spigot staff plus as you say it's not weird because I was infected with the HostFlow malware I'm a Frenchman and I'm not good in English

Link0Darck commented 2 years ago

> @Link0Darck could you give this a test? https://cdn.discordapp.com/attachments/273239935648006144/936328815712563210/Advanced-Portals-0.9.1--canary.318.672b544-SNAPSHOT.jar

I'm testing this later today on my spigot 1.8.8 server and I'll tell you what

sekwah41 commented 2 years ago

@Link0Darck any updates?

Link0Darck commented 2 years ago

I'm trying to set up portals but it doesn't work and yes I'm still on spigot 1.8.8 (it's a good version that I like and it's stable in terms of ram because the other versions eat up ram like crazy)

```
[01:35:11] [Server thread/ERROR]: Error occurred while enabling AdvancedPortals v0.9.1--canary.318.672b544-SNAPSHOT (Is it up to date?)
java.lang.NoSuchFieldError: ENTITY_ENDERMAN_TELEPORT
    at com.sekwah.advancedportals.bukkit.effects.WarpEffects.(WarpEffects.java:27) ~[?:?]
    at com.sekwah.advancedportals.bukkit.AdvancedPortalsPlugin.onEnable(AdvancedPortalsPlugin.java:70) ~[?:?]
    at org.bukkit.plugin.java.JavaPlugin.setEnabled(JavaPlugin.java:321) ~[spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at org.bukkit.plugin.java.JavaPluginLoader.enablePlugin(JavaPluginLoader.java:340) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at org.bukkit.plugin.SimplePluginManager.enablePlugin(SimplePluginManager.java:405) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at org.bukkit.craftbukkit.v1_8_R3.CraftServer.loadPlugin(CraftServer.java:357) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at org.bukkit.craftbukkit.v1_8_R3.CraftServer.enablePlugins(CraftServer.java:317) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at net.minecraft.server.v1_8_R3.MinecraftServer.s(MinecraftServer.java:414) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at net.minecraft.server.v1_8_R3.MinecraftServer.k(MinecraftServer.java:378) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at net.minecraft.server.v1_8_R3.MinecraftServer.a(MinecraftServer.java:333) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at net.minecraft.server.v1_8_R3.DedicatedServer.init(DedicatedServer.java:263) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at net.minecraft.server.v1_8_R3.MinecraftServer.run(MinecraftServer.java:525) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at java.lang.Thread.run(Thread.java:750) [?:1.8.0_322]

[01:38:14] [Server thread/INFO]: Link_Darck issued server command: /portal reload

org.bukkit.command.CommandException: Unhandled exception executing command 'portal' in plugin AdvancedPortals v0.9.1--canary.318.672b544-SNAPSHOT
    at org.bukkit.command.PluginCommand.execute(PluginCommand.java:46) ~[spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at org.bukkit.command.SimpleCommandMap.dispatch(SimpleCommandMap.java:141) ~[spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at org.bukkit.craftbukkit.v1_8_R3.CraftServer.dispatchCommand(CraftServer.java:641) ~[spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at net.minecraft.server.v1_8_R3.PlayerConnection.handleCommand(PlayerConnection.java:1162) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at net.minecraft.server.v1_8_R3.PlayerConnection.a(PlayerConnection.java:997) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at net.minecraft.server.v1_8_R3.PacketPlayInChat.a(PacketPlayInChat.java:45) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at net.minecraft.server.v1_8_R3.PacketPlayInChat.a(PacketPlayInChat.java:1) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at net.minecraft.server.v1_8_R3.PlayerConnectionUtils$1.run(SourceFile:13) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_322]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_322]
    at net.minecraft.server.v1_8_R3.SystemUtils.a(SourceFile:44) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at net.minecraft.server.v1_8_R3.MinecraftServer.B(MinecraftServer.java:715) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at net.minecraft.server.v1_8_R3.DedicatedServer.B(DedicatedServer.java:374) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at net.minecraft.server.v1_8_R3.MinecraftServer.A(MinecraftServer.java:654) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at net.minecraft.server.v1_8_R3.MinecraftServer.run(MinecraftServer.java:557) [spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at java.lang.Thread.run(Thread.java:750) [?:1.8.0_322]
Caused by: java.lang.NoClassDefFoundError: org/bukkit/block/data/BlockData
    at com.sekwah.advancedportals.bukkit.AdvancedPortalsCommand.onCommand(AdvancedPortalsCommand.java:458) ~[?:?]
    at org.bukkit.command.PluginCommand.execute(PluginCommand.java:44) ~[spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    ... 15 more
Caused by: java.lang.ClassNotFoundException: org.bukkit.block.data.BlockData
    at org.bukkit.plugin.java.PluginClassLoader.findClass(PluginClassLoader.java:91) ~[spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at org.bukkit.plugin.java.PluginClassLoader.findClass(PluginClassLoader.java:86) ~[spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    at java.lang.ClassLoader.loadClass(ClassLoader.java:418) ~[?:1.8.0_322]
    at java.lang.ClassLoader.loadClass(ClassLoader.java:351) ~[?:1.8.0_322]
    at com.sekwah.advancedportals.bukkit.AdvancedPortalsCommand.onCommand(AdvancedPortalsCommand.java:458) ~[?:?]
    at org.bukkit.command.PluginCommand.execute(PluginCommand.java:44) ~[spigot-1.8.8.jar:git-Spigot-21fe707-741a1bd]
    ... 15 more
```

sekwah41 commented 2 years ago

This latest version only supports 1.13+ due to the block changes. Older versions support 1.8

Link0Darck commented 2 years ago

So it's not compatible with 1.8.8?

sekwah41 commented 2 years ago

No version since around 0.0.41 has been.

https://dev.bukkit.org/projects/advanced-portals/files?filter-game-version=2020709689%3A532

sekwah41 commented 2 years ago

Closing the issue and this is no longer relating to the problem and from my tests it seems to be fine now.

github-actions[bot] commented 2 years ago

:rocket: Issue was released in v0.9.2 :rocket:
