Bungee in brief
BungeeCord is a proxy server that allows game projects to combine multiple Minecraft servers with the ability to quickly switch players between them.
In this article I will share my experience with the kernel, talk about security problems on servers using it, and also give some simple tips that may help prevent hacking of such a server.
Briefly where BungeeCord is used most often:
- Servers with several game modes (including servers with mini-games)
- Servers with high load and the need for online distribution
- Servers that use BotFilter-based protection against bot attacks (a characteristic feature of such a server is "drop check" or captcha upon login)
The most common vulnerabilities of such servers:
- Uncontrolled access to proxy server commands
- Authorization server bypass
- Spoofing player data
- Vulnerabilities in staging server modules
How it works
Most of the projects run by BungeeCord represent the following chain of servers (which can be located on at least one IP with different ports, even on machines in different parts of the world).
Proxy
The first stage - in fact, this is the server itself, to which the players are connected. He does not have a spawn point or game worlds - his task is to redirect the connected to the next stage.
It would seem that everything is simple here - but no.
The main charm, and at the same time the problem at this stage, is the redirection itself - the server does not just redirect the player to another IP, but plays the role of an intermediate server.
Simply put, all the commands that the player sends, all the sync packets, each message in the chat are processed right here first.
How does this threaten us?
Let me explain with a hypothetical example: Our developer Drygok, valiantly doing his job, has the rights on the servers close to the maximum. He perfectly protected his account with his own authorization system - a complex password, two-factor authentication, and even binding to a specific range of IP addresses of his provider, after which he leaves the server with peace of mind, but after 10 minutes all the players “fly out” and the servers stop because someone executed the / end command on their behalf.
What happened? It's simple: An unknown person entered the game under the nickname of our developer and, ignoring the server's request to log in, entered a command that is processed by the Proxy server itself, which means it cannot be prevented even for unauthorized users.
How to prevent?
The easiest way to prevent such situations is to disable all internal kernel commands and reset any rights at this stage. Even for a developer. Especially for a developer.
Authorization server
The second stage in the chain is the server where the player registers and logs in.
It is here that our user will first feel the solid cube ground beneath their geometric feet.
Most often, the servers of this stage look something like this:
- A small piece of land in the endless space of an empty world, where the player stands before successful (or not so) authorization
- Basic plugins:
SkinsRestorer - , , -
( , )
, ( )
, ( AI , , .)
,
AutoSaveWorld
- Lack of any control of rights
- Lack of any protection systems against kernel vulnerabilities or the game itself
The main problem at this stage is emergency rights for the players. Rarely does someone configure them, because only an authorized player can use them, and when the player is authorized, they immediately redirect to the next stage.
How does this threaten us?
In some cases, the player can prevent redirection to another server after authorization: Often, fast reconnections to the game server are prevented by the kernel or plugins of that server. So, when the player reconnects immediately after successful authorization, the server at the next stage may reject the connection and the authorized player will remain on the authorization server.
Further, the player who has elevated rights quietly learns the list of plugins installed in our country (/ plugins), and then, learning their capabilities with the rights he has, begins his dark business.
I will give two examples that I have personally met more than once.
First example. Access to ASW.
AutoSaveWorldIs an extremely useful and at the same time dangerous plugin for any server. Its capabilities in my retelling, briefly:
- Automatically save the world
- Automatic world backup
- Cleaning the world according to the specified settings
- Connecting, restarting and disconnecting plugins without restarting the game server (/ asw pmanager)
- Start, stop and control spawned processes (/ asw process)
We are interested in the last item from this list.
No, this is not a mistake. On a huge number of servers, there really is a plugin that allows you to start any process with the appropriate access, which some servers provide to all players at this stage.
In this case, some
/asw process start QQHABR rm -rf /
(DO NOT EXECUTE THIS COMMAND!) Will be the least of the problems. I don't think it's worth telling what a "cracker" can do with access to the terminal.
Example two. A harmless SkinsRestorer.
SkinsRestorerIs an extremely popular plugin used on a huge number of servers. It is mainly used to recover skins that were lost due to the use of proxy skins, but it also has the ability to install your own. This very opportunity is a potential vulnerability.
Using the / skin command, you can not only load the skin of another player with his nickname, but also set your own by specifying the image address (/ skin URL). The danger of this team lies in the fact that initially access to it is assumed for the players (and not only if the rights are incorrectly configured, as in the case of ASW).
How can this be used? Uploading an image to the specified address is a regular GET request. A request made from the server itself.
There are many options for further use - starting with a call to a closed API (for example, issuing a donation), access to which is provided for certain IP addresses, and ending with a regular flood.
How to prevent?
You can prevent this by restricting the rights of players (which is recommended to do on any server), block all possible commands except for the authorization and registration commands, as well as prohibit the installation of your own skin by URL (I recommend doing this on all servers)
Hub
Hub - a common space where players go to select a game server and mode
Most often, Hubs, like the main game servers, are unique for each server, but some security issues are the same for them.
Direct connection
By connecting to this server directly (to its IP), the player can bypass the previous stages, including authorization
How does this threaten us?
Having skipped the authorization stage, the player can use all the rights of the user whose nickname was used to connect
How to prevent?
Most server cores have a built-in setting to block connections without using BungeeCord. For example Spigot in spigot.yml:
settings:
bungeecord: true
If you use this setting, be sure to read the next paragraph!
Spoofing player data
Almost all server cores that block direct connection to the server (including Spigot) have an active vulnerability related to the substitution of player data through their own BungeeCord server: The player puts his proxy server with redirecting connections to our main game server, thus the core the game server determines that BungeeCord is used to connect and trusts all data transmitted from it (the proxy IP is not checked for a match with the server IP in this case)
How does this threaten us?
Most often, the following are substituted in this way: the player's IP (bypassing sessions and gaining access to someone else's account) and UUID (used by some plugins and the server itself to identify the player, bypass the rights control and access the rights of other players).
When using BungeeCord, you need to fix it yourself, otherwise it could allow an attacker to gain access not only to player accounts, but also to the capabilities of administrators!
How to prevent?
The easiest way to prevent this is by closing unnecessary ports for third-party connections, and => any possibility of connecting to the server bypassing the proxy server.
It is recommended to close for external connection all ports of all servers except the main BungeeCord server!
Game servers
Game servers with their own modes. All of the above is relevant.