PSA: Decompiler Vulnerability

Discussion in 'Community News and Announcements' started by Kaelten, Oct 26, 2014.

Thread Status:
Not open for further replies.
  1. ColonelHedgehog

    Awesome! :)
     
  2. Chintzi

    Hey, if you guys need help with anything, I'm willing to do anything to get this moving faster. I have some important files I need approved for my plugin.
     
  3. obnoxint

    People always tried to publish malicious code on DBO. That's nothing new. There is no sarcasm in what you're trying to say.
     
    korikisulda likes this.
  4. korikisulda

    People having malicious intent? It's all a conspiracy!
     
  5. Toyz

    korikisulda, on your Goto_W code, why not simply use the byte length of the given class instead of statically defining 1 MB? This could prevent issues in the future.
     
  6. korikisulda

    Because when a class is roughly this size, it's almost certainly going to contain long jumps anyway. By all means though, if you want to change this, submit a pull request ;) I wrote it in a hurry.
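korikisulda's Goto_W checker itself is not quoted in the thread, so the following is an added example (not the thread's or that project's code) of what such a check has to do: parse the class file and walk each method's bytecode at real instruction boundaries, because grepping for the 0xC8 byte also matches operands and switch padding, and it sizes everything from the class data itself rather than a fixed 1 MB buffer. It assumes only the class-file layout from the JVM specification; the sample class SAMPLE is constructed here.

```python
def be(buf, pos, n, signed=False):                   # big-endian int of n bytes at buf[pos]
    return int.from_bytes(buf[pos:pos + n], "big", signed=signed)

# Operand byte counts for JVM opcodes with fixed operands (absent = none); tableswitch 0xaa,
# lookupswitch 0xab and wide 0xc4 are variable-length and handled inside wide_jumps().
OPERANDS = {0x10: 1, 0x11: 2, 0x12: 1, 0x13: 2, 0x14: 2, 0x84: 2, 0xa9: 1, 0xb9: 4, 0xba: 4,
            0xbb: 2, 0xbc: 1, 0xbd: 2, 0xc0: 2, 0xc1: 2, 0xc5: 3, 0xc6: 2, 0xc7: 2, 0xc8: 4, 0xc9: 4}
for lo, hi, n in ((0x15, 0x19, 1), (0x36, 0x3a, 1), (0x99, 0xa8, 2), (0xb2, 0xb8, 2)):
    OPERANDS.update({op: n for op in range(lo, hi + 1)})   # loads/stores, if*/goto/jsr, field/invoke
CP_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2,
           17: 4, 18: 4, 19: 2, 20: 2}               # payload bytes per non-Utf8 constant-pool tag

def wide_jumps(code):                                # offsets of goto_w/jsr_w at real instruction boundaries
    hits, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op in (0xc8, 0xc9):
            hits.append(pc)
        if op in (0xaa, 0xab):                       # switches: operands 4-byte aligned from p
            p = (pc + 4) & ~3
            a = be(code, p + 4, 4, True)             # tableswitch low / lookupswitch npairs
            pc = p + 12 + 4 * (be(code, p + 8, 4, True) - a + 1) if op == 0xaa else p + 8 + 8 * a
        elif op == 0xc4:                             # wide: the iinc form carries 5 operand bytes
            pc += 6 if code[pc + 1] == 0x84 else 4
        else:
            pc += 1 + OPERANDS.get(op, 0)
    return hits

def scan_class(data):                                # {method name: [offsets]} for methods using wide jumps
    cp, found, pos, i = {}, {}, 10, 1                # pos skips magic, minor, major, cp_count
    while i < be(data, 8, 2):                        # constant pool: keep Utf8 strings only
        tag = data[pos]
        if tag == 1:
            cp[i] = data[pos + 3:pos + 3 + be(data, pos + 1, 2)].decode("utf-8", "replace")
        pos += 3 + be(data, pos + 1, 2) if tag == 1 else 1 + CP_SIZE[tag]
        i += 2 if tag in (5, 6) else 1               # long/double occupy two pool slots
    pos += 8 + 2 * be(data, pos + 6, 2)              # access flags, this, super, interfaces
    for section in ("fields", "methods"):            # same layout; only method Code attrs matter
        count, pos = be(data, pos, 2), pos + 2
        for _ in range(count):
            name, n_attrs, pos = cp.get(be(data, pos + 2, 2)), be(data, pos + 6, 2), pos + 8
            for _ in range(n_attrs):
                aname, alen, body = cp.get(be(data, pos, 2)), be(data, pos + 2, 4), pos + 6
                if section == "methods" and aname == "Code":
                    found[name] = wide_jumps(data[body + 8:body + 8 + be(data, body + 4, 4)])
                pos = body + alen
    return {m: h for m, h in found.items() if h}
# Constructed sample (not from the thread): one method "m" whose code is `goto_w +5; return`.
SAMPLE = bytes.fromhex("cafebabe 00000034 0003 010004436f6465 0100016d 0000000000000000 0000 0001"
                       "0000 0002 0000 0001 0001 00000012 0001 0000 00000006 c800000005b1 000000000000")
```

On a real plugin, call `scan_class(open(path, "rb").read())` for each entry of the jar; an empty dict means no method contains a wide jump.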
     
  7. Toyz

    Ya, I cloned it. I'll work on it a bit and tweak it to compile easier and be a tad cleaner when I get to my Mac.
     
    korikisulda likes this.
  8. korikisulda

    Welp, I've made a github org, transferred the repo, and you have push access, so whenever you're ready... :D
     
    Toyz likes this.
  9. Toyz

    Well, thank ya kindly. I should be home in a few hours; had to run to one of the companies I do contract work for, they had a huge software exploit that one of their engineers failed to catch... The nightmares of doing contract software security.
     
    korikisulda likes this.
  10. james137137

    Just an idea, but maybe we should have to upload to Bukkit the source code and all the dependencies (libs) (or better still, have Maven format), and therefore we won't need to worry about decompiling.
     
  11. ColonelHedgehog

    I was agreeing with you until you got to "Maven." I hate Maven.
     
    korikisulda likes this.
  12. q3hardcore

    How do you verify that the source corresponds to the compiled code? Particularly if an obfuscator is involved.
     
  13. eyamaz

    What they are talking about is uploading src and any dependencies needed (unless already on Maven) and having an internal Jenkins generate the plugin off that. That would allow review of the code before the plugin is actually created.
     
    korikisulda likes this.
  14. Toyz

    This could work, but for bigger plugins your queue would get much larger much faster. You should look into maybe a public, more open option by letting the community verify plugins... A company I do work for does this same thing; they call it "Peer-Review", and if it fails peer review it's thrown to the "CS" staff to validate it and look it over... This could actually keep the queue down.

    Same way we do normal plugins: obfuscated code is still the same bytecode and can be exploited, and you can easily understand that code if you understand Java bytecode... Or understand how to decompile Java and recompile the source... This is done all the time with games like Runescape and many other Java-based programs...

    ______

    It's all based on what you know and how you know how to apply it in Java, honestly...
     
    korikisulda likes this.
  15. james137137

    I was thinking of giving the moderators the source and getting them to build the plugin, removing the need to decompile


    there's always gradle :p

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 14, 2016
  16. ColonelHedgehog

    Gradle isn't as bad, I guess.
     
  17. You say that like it's a new idea here - you know about the former BukkitDev staff, right? Where do you think they came from? :p
     
  18. korikisulda

    Narnia.
     
  19. Can confirm this.
     
  20. ZeldoKavira

    Posted an update on the main post.
     
    korikisulda likes this.
  21. korikisulda

    Wooooooooooooo!

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 14, 2016
  22. ZeldoKavira

    I'm sorry! I fixed it!
     
    korikisulda likes this.
  23. korikisulda

    It's too late for that now... *evil laughter*
     
  24. Toyz

    Now my question is, kinda like how we do it with JavaScript, but couldn't you in theory use ASM and completely rape it without a GOTO_W? I was able to slightly inject isOP commands on my Bukkit server using ASM code and it came up as "no GOTO_W found"...

    According to the ScriptEngine in Java it can run any form of raw JavaScript, thus could we store it as a Base64 byte that's loaded as a completely external server that looks completely harmless... And use ASM from that to do it... I mean it's 100% possible because ScriptEngine allows you to import native classes from Java... Here is a code sample of what I mean in the ScriptEngine (this just loads a simple GUI):

    Code:
    // Rhino-style script (Java 6/7 ScriptEngine): pull in Swing and the AWT event types
    importPackage(javax.swing);
    importPackage(java.awt.event);
     
    // A script object implementing the FocusListener interface
    var h = new FocusListener({
        focusGained: function(e){
            print("hello");
        },
        focusLost: function(e){
            print("died");
        }
    });
     
    function engine(main){
        var frame = new JFrame();
     
        frame.setSize(200, 200);
     
        var label = new JButton("fish");
     
        label.addActionListener(function(e){
            print("fish");
        });
     
        label.addFocusListener(h);
     
        frame.add(label);
        frame.setVisible(true);
    }
     
    engine();   // build and show the window
    --- Side Edit

    That code could be a simple PSK encryption so you really couldn't do anything and would see it as fully harmless, or even simpler but still looking harmless, a simple Base64 function... I see this all the time during my exploiting a company I do work for... And I use it a lot to run exploited code on their systems.
     
  25. Do you mean put in the plugin something to load something from an external source? Because that totally wouldn't be allowed for obvious reasons, regardless of how harmless it 'looks'
     
  26. Toyz

    It's already allowed with Metrics... It uses HTTP calls... Use that as your starting point; just use simple HEAD calls with a fake hostname, or even better use datagrams... Or seeing as most Linux boxes come by default with curl... use Runtime after you make a simple header call to a random server with a fake hostname...

    Java removed host name validation after Java6 because some servers validate it for you...
     
  27. Toyz Metrics does not read or load any data from external sources, it only sends the data across without opening any channels to allow anything to come back. A plugin that loads anything from an external source would not be allowed, due to the obvious security risks this poses.
     
  28. Toyz

    There is no one-sided request with HTTP in Java... You send HEAD and request HEAD on any HTTP request...

    You can inject an external object into that HEAD and reflection out of it... and/or just throw a simple JSON in it... Heck, even Base64 would work... I've tested this numerous times.

    --- Edit:
    Java used to use that HEAD request to validate the hostname to check for hostname injections... But this feature was removed because servers can do that validation now... But in servers you don't have to actually validate the hostname... So on a "HEAD" request to my server I can return it with a header such as "myclass: classdata" and Java would just skip over it natively, but I can use that as a reflection and pull it out of it...

    Do a Java request to a server and watch Wireshark... It sends two requests: your HEAD to validate and then another request with your GET/POST data... Unless you're on Java 8, then it sends it as one request, but the same method applies.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 14, 2016
  29. Toyz If you can provide any examples of code that would meet the current BukkitDev guidelines and could be used maliciously, I suggest you report this to the staff. :)
     
  30. Toyz

    Here's the world's simplest POC:

    res.writeHeader({"java": "public class fish{public static void out(){System.out.println('fish')}}"});

    Up to you to figure out how you'd get that to be ASM and run it... Java has tons of built-in classes to do it... If you wanted to be more run just convert it to an ASM and call it via a classloader... Bukkit uses it all the time when we call other plugins...
     