Glitch that allows players to op themselves?

I know this existed, but I thought it got fixed?
I just took a look in my server log this morning:

[07:44:43] [Server thread/INFO]: [sk0rp1s] hi
[07:44:43] [Server thread/INFO]: [sk0rp1s] hi
[07:44:44] [Server thread/INFO]: [sk0rp1s] hi
[07:44:56] [Server thread/INFO]: [sk0rp1s: Opped sk0rp1s]
[07:44:57] [Server thread/INFO]: [sk0rp1s: Opped sk0rp1s]
[07:44:57] [Server thread/INFO]: [sk0rp1s: Opped sk0rp1s]
[07:46:41] [Server thread/INFO]: [sk0rp1s: Set sk0rp1s's game mode to Creative Mode]
[07:46:41] [Server thread/INFO]: [sk0rp1s: Set sk0rp1s's game mode to Creative Mode]
[07:46:41] [Server thread/INFO]: [sk0rp1s: Set sk0rp1s's game mode to Creative Mode]

He ended up in my ban list and I blocked the op command entirely now, but how was he able to do that? I have to admit that the Forge/Sponge versions I use are not the newest (still working on updating my plugins), but does somebody know if anything similar got fixed in the past weeks? :slight_smile:
(Sponge: 1.8-1499-2.1DEV-584, Forge: 1499)

I’d have a look at the permission management first. If your default group has OP permission, then every new user can /op themselves and gain further rights.

2 Likes

I programmed this permission management myself, and I am testing it with a second account all the time … nope! Definitely not! :smiley:

What does your permission plugin return when queried for “minecraft.command.op”? If the registered PermissionService allows that permission, then people can use the /op command.

For the sake of argument, could you supply the source code for your permission plugin?

Hmm. I got a thought here:
Since I started early with the development of that plugin, it is currently not using Sponge's permission system.
It literally reads and cancels command events. (I know it's a bad way, don't hate me, I'll fix it :smiley: ) Could that be an issue? That is still a version without Causes, so maybe they are able to perform a command without them being the CommandSource? I need to check that…

How come you don't use Sponge's Permission API?
I think that might be your problem :wink:

Even if this is a bad way, it should work, shouldn't it? ^^
Well, but you're right. I'll first try to somehow reproduce that glitch with a better permission system.
So just ignore this topic for now :slight_smile:
Thanks for suggestions.

I think I found the issue.

This line:

if (evt.getSource() instanceof Player && hasPermission((Player) evt.getSource(), "execute." + evt.getCommand())) return;

must be:

if (evt.getSource() instanceof Player && !hasPermission((Player) evt.getSource(), "execute." + evt.getCommand())) return;
1 Like

No, this method returning means it ignores the Command-execution and doesn’t cancel it. :smiley: So if the Method returns there, the command gets executed!

The problem is that you are only cancelling the event if the command is invalid and not if the player doesn't have the permissions.

To explain the method:

For every command that is owned by my plugin:
Just let it run, the command itself checks permission before executing.

For every other command:
Cancel if the player doesn't have the “execute.” permission.

//ignore commands from console or commandblock
if (evt.getSource() instanceof ConsoleSource) return;
if (evt.getSource() instanceof CommandBlockSource) return;

//ignore commands if the player has "execute.<cmd-name>" permission
if (evt.getSource() instanceof Player && hasPermission((Player) evt.getSource(), "execute." + evt.getCommand())) return;

//Check if the command is owned by my plugin (CNMain.getPlugin())
Set<CommandMapping> commandSet = evt.getGame().getCommandDispatcher().getOwnedBy(CNMain.getPlugin()); 
CommandMapping cm = null;
for (CommandMapping mapping : commandSet){
    if (mapping.getAllAliases().contains(evt.getCommand())){
        cm = mapping;
        break;
    }
}

//if the command is not owned by my plugin cancel it. (If it is owned by my plugin, it'll handle permissions itself)
if (cm == null){
    evt.getSource().sendMessage(Texts.of(TextColors.RED, "Diesen Command gibt es nicht! Gib /help ein um eine Liste verfügbarer Commands zu bekommen!"));
    evt.setCancelled(true);
    evt.setResult(CommandResult.empty());
    return;
}

That was my account, but I can no longer use it, because some stupid asshole apparently hacked it and changed the password. Unfortunately I can no longer get into the e-mail account, because I no longer have the login credentials.

@Jojo_Mustermann https://help.mojang.com/customer/en/portal/articles/361483-my-account-was-stolen

Please visit and contact Mojang / Microsoft. There is little we can do. Your password is likely in a database shared between many people.

This thread was from over 2 years ago. Not sure of the resolution or if it was the plugin's fault or Sponge's.

There was at one point a bug with clashing aliases, that used the permission of the clashing command instead of the permission for the raw minecraft command.

If there was a fake op override, or a command registering /op in order to tell people not to use it, it may have been the cause of the person opping themselves.
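
The alias-clash failure described in the last post, as an added Java model that is not Sponge's code or the plugin author's: a gate that reads the permission node from a different mapping than the one that executes, next to a gate that checks the resolved mapping and denies by default. The mapping names, permission nodes, registration order and default group are all constructed for illustration.

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;

// Simplified model, not Sponge code: all names below are hypothetical.
public class AliasClashDemo {
    record Mapping(String owner, String alias, String permission) {}

    // Constructed registrations: vanilla /op, then a plugin that also claims "op"
    // only to print a "don't use this" notice.
    static final List<Mapping> REGISTERED = List.of(
        new Mapping("minecraft", "op", "minecraft.command.op"),
        new Mapping("infoplugin", "op", "infoplugin.command.notice"));

    // Constructed default group: may see the notice, may not op.
    static final Set<String> DEFAULT_GROUP = Set.of("infoplugin.command.notice");

    // The mapping the dispatcher executes for a typed alias
    // (assumption of this model: the first registration wins).
    static Optional<Mapping> resolve(String alias) {
        return REGISTERED.stream().filter(m -> m.alias().equals(alias)).findFirst();
    }

    // Flawed gate: takes the permission node from another mapping sharing the alias.
    static boolean flawedGate(Set<String> granted, String alias) {
        return REGISTERED.stream()
            .filter(m -> m.alias().equals(alias))
            .reduce((first, second) -> second)   // last registration with this alias
            .map(m -> granted.contains(m.permission()))
            .orElse(false);
    }

    // Corrected gate: check the node of the mapping that will actually run;
    // an alias that resolves to nothing is denied.
    static boolean correctedGate(Set<String> granted, String alias) {
        return resolve(alias).map(m -> granted.contains(m.permission())).orElse(false);
    }

    public static void main(String[] args) {
        Mapping executed = resolve("op").orElseThrow();
        System.out.println("executes: " + executed.owner() + ":" + executed.alias());
        System.out.println("flawed gate allows default group:    "
            + flawedGate(DEFAULT_GROUP, "op"));
        System.out.println("corrected gate allows default group: "
            + correctedGate(DEFAULT_GROUP, "op"));
    }
}
```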