
[Security] Remove any nano bot functions that use java.awt.Robot

Open NPException opened this issue 4 years ago • 2 comments

Description

When playing with PeripheralsPlusOne recently, I noticed a security vulnerability via nano bots. (Reference: https://twitter.com/NPException/status/1247179824956952576)
Someone else noticed that the same issue already exists with Peripherals++. I already opened an issue for PeripheralsPlusOne, but was asked to open one here too.

Steps to Reproduce

As a first proof of concept, I managed to give myself op on a friend's server.

  1. Infect an admin/op player with nano bots.
  2. Wait for them to go afk.
  3. Use nano bot functions to open chat for them and input op command.
    (If you need an explicit code example, I can send it via DM on Twitter or Curseforge)

Even worse, I was able to control my friend's Windows command line. I can provide you with the code for that as well if needed.

Peripherals++ & PeripheralsPlusOne were removed from Curse because of that vulnerability.

NPException, Apr 09 '20 14:04

Hi, thanks for the report. Since support has been deprecated for years I cannot guarantee that this will be fixed in a timely manner. In the meantime, you could disable nano bots in the configuration.

austinv11, Apr 09 '20 16:04

Yeah, I wasn't expecting any fix at all tbh. 😅 I just wanted to at least get the report out.
Though the author of PeripheralsPlusOne had removed (and later re-added) the player control portion of the nano bots in the past, so maybe the commit he made is a starting point for a fix: https://github.com/rolandoislas/PeripheralsPlusOne/commit/63e9a046dbbb82f9120ec264791d17cb798ec368

NPException, Apr 09 '20 19:04
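
For anyone auditing a mods folder for the `java.awt.Robot` dependency named in the issue title, the following is an added example, not code from this thread or from either mod. It parses each `.class` file's constant pool inside every jar and reports classes that reference `java/awt/Robot`; the function names and the folder argument are assumptions of the example.

```python
import struct, sys, zipfile
from pathlib import Path

TARGET = "java/awt/Robot"  # internal (slash-separated) name of java.awt.Robot
# Fixed payload sizes per constant-pool tag (JVM spec 4.4); tag 1 (Utf8) is variable.
SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def class_refs(data):
    """Return the internal names of all classes a .class file references."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        return set()
    (count,) = struct.unpack_from(">H", data, 8)
    utf8, class_idx, pos, i = {}, [], 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # Utf8: u2 length followed by the bytes
            (n,) = struct.unpack_from(">H", data, pos)
            utf8[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in SIZES:
            if tag == 7:  # CONSTANT_Class: index of the Utf8 holding the name
                class_idx.append(struct.unpack_from(">H", data, pos)[0])
            pos += SIZES[tag]
        else:
            raise ValueError(f"unknown constant tag {tag}")
        i += 2 if tag in (5, 6) else 1  # Long/Double occupy two slots
    return {utf8[k] for k in class_idx if k in utf8}

def scan_jar(jar):
    """Return sorted .class entries in a jar (path or file object) referencing TARGET."""
    hits = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                try:
                    if TARGET in class_refs(zf.read(name)):
                        hits.append(name)
                except (ValueError, IndexError, struct.error):
                    hits.append(name + " (unparseable, review manually)")
    return sorted(hits)

if __name__ == "__main__":
    for jar in sorted(Path(sys.argv[1]).glob("*.jar")):
        for hit in scan_jar(jar):
            print(f"{jar.name}: {hit}")
```

A class that loads `Robot` only through reflection carries the name as a string constant rather than a class reference, so this check will not flag it.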