Authmereloaded: Possibility BungeeCord security issue.

Created on 7 May 2017  路  15Comments  路  Source: AuthMe/AuthMeReloaded

https://github.com/AuthMe/AuthMeReloaded/blob/master/src/main/java/fr/xephi/authme/util/PlayerUtils.java#L40
In this line p.getAddress() or p.getAddress().getAddress() can be null. I dont know how(maybe ip spoofer or uuid spoofer) but it can be null. And when you try get player ip https://github.com/AuthMe/AuthMeReloaded/blob/master/src/main/java/fr/xephi/authme/process/join/AsynchronousJoin.java#L78 there will be NPE and player probably will not need to be use /login command

bungeecord enhancement help wanted

Most helpful comment

Or just kick the player?

All 15 comments

some logs:
normal join
[12:53:21 INFO]: RGKFCY[/87.117.37.182:46481] logged in with entity id 4620876 at ([world]-7.5, 92.0, -1.5)
RGKFCY[/87.117.37.182:46481]
ip spoofed join
[16:08:03] [Server thread/INFO]: MainDRY[MainDRY:50367] logged in with entity id 875222 at ([world]687.9481154132752, 138.40777263112358, 180.08483307248775)
MainDRY[MainDRY:50367]
player dont have ip address

Do you have a log where this happens with the NPE?

no. this is was with my plugin. and in this server i dont have authme

I've never seen a log such as the one you share, nor do I seem to find anything on the web that this should ever be possible to happen. IMHO, as long as we're not able to reproduce this and we don't see it happening in the wild, I don't really think it's sensible for us to take any action. Do you have any links you can refer us to?

I really dont know how reproduce this. But when bungeecord: true in spigot yml, player.getAddress() can be null.

@sgdc3 What do you think of this?

I really dont know how reproduce this. But when bungeecord: true in spigot yml, player.getAddress() can be null.

Please explain.

Okey. I have server where i fogot to close port. And in this server i have plugin that protect admin accounts. When admin join, it need to enter password. Also this plugin has ip save.
some old code from my plugin

    HashMap<Player, Integer> login = new HashMap<Player, Integer>();
    ArrayList<String> ips = new ArrayList<String>();
    @EventHandler(priority=EventPriority.LOWEST, ignoreCancelled = false)
    public void OnJoin(PlayerJoinEvent event) {
        if (event.getPlayer().isOp() || event.getPlayer().hasPermission("serverprotector.protect")) {
            if (!ips.contains(event.getPlayer().getAddress().getAddress().getHostAddress())) { //error on this line
                login.put(event.getPlayer(), 0);
            }
        }
    }
    @EventHandler(priority=EventPriority.LOWEST, ignoreCancelled = false)
    public void onPlayerInteract(PlayerInteractEvent event) {
        if (login.containsKey(event.getPlayer()) ){
            event.setCancelled(true);
        }
    }

all was good. but when to server join player "without ip" i got NPE on this line:
if (!ips.contains(event.getPlayer().getAddress().getAddress().getHostAddress())) {
'ips' 100% is not null.
Also when i try to write /seen MainDry(essentials command) i get
error: null

  1. What does the log say with the "... logged in with entity "?
  2. Do you use a unmodified Spigot/PaperSpigot build?

[16:08:03] [Server thread/INFO]: MainDRY[MainDRY:50367] logged in with entity id 875222 at ([world]687.9481154132752, 138.40777263112358, 180.08483307248775)
original spigot

it was 2-3 months ago. i dont have full logs.

Ok, then I think I know the source of the NPE.

https://docs.oracle.com/javase/8/docs/api/java/net/InetSocketAddress.html#getAddress--

Returns:
the InetAdress or null if it is unresolved.

The InetSocketaddress in this case is equivalent to new InetSocketAddress("MainDRY", 50367). Just like a domain name google.com. Since Spigot doesn't make connections to this address directly, it doesn't resolve it (DNS -> IP) and so we don't know the IP and we get a NPE.

Spigot doesn't check if it's a legit IPv4 address and I think it's not even necessary, because you can fake any legit IPv4 address too. So you just need to trick the admin into a Skype conversation, joining a Teamspeak server, clicking on a short link (bit.ly, goo.gl, ...) or similar and you have the IP.

In my opinion the best way, is to just make that spigot server port unreachable (i.e. firewall). Just like many wiki pages or tutorials already recommends.

In my opinion the best way is to just make that spigot server port unreachable (i.e. firewall). Just like many wiki pages or tutorials already recommends.
i know this. But i think, that allot of others admins dont know about this.

Thanks for the analysis, guys. So in summary this doesn't fall into our responsibility, but we can easily add an IP check (configurable) as a new feature.

Maybe return a random ip if Player#getAddress is null? This will discard session and prevent throwing error to console

Or just kick the player?

Was this page helpful?
0 / 5 - 0 ratings