Security problem in /login force #29

@S0raWasTaken

Description

As I was looking into some issues with the plugin, I noticed that you can force a small valid login session to have enough time to execute an admin command on a server.
Here are the steps that I took to execute this command:

  • First I logged in with my TLauncher into one of my admin accounts, which happens to be an unoriginal account.
  • Then, when logging into my server, I did /login force <HisAccountName>

After that, I noticed that bungeeauth won't kick me if I stay more than 5 minutes unauthenticated, so in theory I was authenticated and I was also able to execute any BungeeCord command, like /server, /ip and /end, so I could already stop the BungeeCord server and leak other players' IP addresses, but there's one more problem to it. Here are the steps:

  • After exploiting the force login, do /server
  • Execute any command in 10 seconds

Because of the failsafe mechanic of bungeeauth, you actually have limited time to execute a command on a specific server other than the authentication server, but even after the failsafe mechanism is activated and you go back to the auth server, you are still logged in and can still execute commands inside the server and in BungeeCord.

My recommendation to fix that bug is to block the "force" argument when the user is not logged in, so the solution would be something like:

```java
// Just an example code to explain the idea
if (!user.loggedIn()) {
    // Reject "force" entirely while the sender is still unauthenticated
    // (length check avoids an ArrayIndexOutOfBoundsException on a bare /login)
    if (args.length > 0 && args[0].equalsIgnoreCase("force")) {
        // Send a message to him
        return true; // or false, I never looked into bungeeauth's code...
    }
}
```

And that's it, I hope you're able to fix it.
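Added example of the check this report recommends, written for this page and not taken from bungeeauth's code: a minimal BungeeCord `/login` command in which the `force` branch is unreachable unless the sender's own connection has already authenticated and also holds a permission. The `sessions` set, the `verifier` callback and the permission node `bungeeauth.force` are assumptions.

```java
import net.md_5.bungee.api.CommandSender;
import net.md_5.bungee.api.ProxyServer;
import net.md_5.bungee.api.chat.TextComponent;
import net.md_5.bungee.api.connection.ProxiedPlayer;
import net.md_5.bungee.api.plugin.Command;
import java.util.Set;
import java.util.function.BiPredicate;

// Hypothetical /login handler; `sessions` and `verifier` are assumed helpers, not bungeeauth's.
public final class LoginCommand extends Command {
    private final Set<ProxiedPlayer> sessions;            // connections that passed authentication
    private final BiPredicate<String, String> verifier;   // (player name, password) -> accepted?

    public LoginCommand(Set<ProxiedPlayer> sessions, BiPredicate<String, String> verifier) {
        super("login");
        this.sessions = sessions;
        this.verifier = verifier;
    }

    @Override
    public void execute(CommandSender sender, String[] args) {
        if (!(sender instanceof ProxiedPlayer)) {
            sender.sendMessage(new TextComponent("Players only."));
            return;
        }
        ProxiedPlayer player = (ProxiedPlayer) sender;
        boolean loggedIn = sessions.contains(player);

        if (args.length > 0 && args[0].equalsIgnoreCase("force")) {
            // Gate on the sender's own session state first, then on permission:
            // a connection that has not authenticated must never reach the force path,
            // whatever account name the client claims to be using.
            if (!loggedIn || !player.hasPermission("bungeeauth.force")) {   // assumed node
                player.sendMessage(new TextComponent("Authenticate with /login <password> first."));
                return;
            }
            ProxiedPlayer target = args.length > 1 ? ProxyServer.getInstance().getPlayer(args[1]) : null;
            if (target == null) {
                player.sendMessage(new TextComponent("Usage: /login force <online player>"));
                return;
            }
            sessions.add(target);
            return;
        }

        // Normal path: a password only ever unlocks the sender's own connection.
        if (args.length != 1 || !verifier.test(player.getName(), args[0])) {
            player.sendMessage(new TextComponent("Usage: /login <password>"));
            return;
        }
        sessions.add(player);
    }
}
```

A disconnect listener must remove the player from `sessions`, so a new connection under the same name starts unauthenticated instead of inheriting the previous session.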
