Procyon/Luyten/goto_w - Exploiting Procyon 101

Discussion in 'BukkitDev Information and Feedback' started by korikisulda, Oct 27, 2014.

Thread Status:
Not open for further replies.
  1. Offline

    korikisulda

  2. Offline

    FerusGrim

    Very nicely detailed, thanks for sharing. :D
     
    korikisulda likes this.
  3. Offline

    SleepyDog

    You do know, by posting this, loads of childish coders are going to try to use this as much as possible.
    My advise to everyone at this time is to only download plugins that have been popular for some time.
    Do NOT download magical 'new' plugins from people who have never made a decent plugin before.
     
  4. Offline

    korikisulda

    This is not possible on BukkitDev. Worry about other places code needs to be audited.
     
  5. Offline

    rbrick

    Very nice tutorial. Did not know this. Learn something new everyday :)
     
  6. Offline

    AdamQpzm

    korikisulda I think it's been covered pretty well in IRC and such as to why this guide shouldn't exist, but regardless, it should at least not be in this section. This isn't really BukkitDev feedback/information, is it?
     
    Hoolean and mbaxter like this.
  7. Offline

    korikisulda

    Shouldn't it? Since Curse posted the bugreport links, it was public anyway. That's not a choice I actually made. The choice I had to make was between relative obscurity, or disclosure. Perhaps I made a mistake, but I can't change what happened.
    Regardless, of that, you are correct. Problem is, where?
     
  8. Offline

    AdamQpzm

    korikisulda Security through obscurity isn't very reliable, I'll give you that. But it's certainly better than not only no security, but having an actual step-by-step guide showing anyone who happens across is how to exploit the bug. From what I understand, major security issues are usually reported in private, not in public. And the linked reports do not explain exactly how to perform the exploit. This does. Your whole approach is fundamentally wrong here.

    Where? I maintain nowhere on these forums. If I had to pick a section, off-topic would be the most fitting.
     
    TnT likes this.
  9. Offline

    korikisulda

    Fair enough. Prefer the tutorial now? :s
     
  10. Offline

    AdamQpzm

    korikisulda Sadly I can't say no harm done, but it's definitely better than it being there. I appreciate you taking it down.
     
    klosjaarrr and korikisulda like this.
  11. Offline

    korikisulda

    And yeah. I made a mistake. I can only apologise for it.

    At the moment, it's impossible to know if any harm was done. I hope not (obviously. I'm not evil or anything :s), but there's little I can do now. Heyho. I suppose the important thing is that I learn from the mistakes.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 14, 2016
  12. Offline

    Kaelten Administrator Curse

    Just so everyone knows Kori's work has made it possible for us to get a tool in place to audit files for the presence of these hidden code snippets. We're doing a retroactive scan currently before we start processing new files again.
     
    korikisulda likes this.
  13. Offline

    Europia79

    This post is worthless.
     
  14. Offline

    FerusGrim

    It was originally a tutorial on how to exploit the discussed vulnerability. It was later removed at the author's discretion, and that image was used as a placeholder.
     
    korikisulda likes this.
  15. Offline

    korikisulda

    Absolutely. At least it's worthless instead of potentially harmful.
     
  16. Offline

    ChipDev

    Wow. We have so much to learn; ORACLE HIRE KORI!
     
    korikisulda likes this.
  17. Offline

    zombiekiller753

    ChipDev
    Are you kidding?

    Oracle did nothing wrong. The only person at any sort of fault is the developer of Procyon, and even then, he's doing it by himself, so it's been an excellent job so far (and even now).
     
  18. Offline

    ChipDev

    I am kidding.
     
    korikisulda and zombiekiller753 like this.
  19. Offline

    korikisulda

    xD
     
  20. Offline

    EODCrafter

    And I thought all along people were doing this to keep others from decompiling there plugins and stealing them :), Thanks for the Info.
     
  21. Offline

    ColonelHedgehog

    Well... I mean, you could do that. I'm probably going to theta-level encrypt one of my plugins that way. :3
     
  22. Offline

    korikisulda

    If a JVM can run it, someone can steal it ^.^ In the end, you've put them to more effort, but it's still possible.
     
  23. Offline

    ColonelHedgehog

    That, or just go to the memory dump and find your constants lol. But it's more fun to make them do more work. :D
     
  24. Offline

    korikisulda

    Don't be surprised if your plugins take weeks to be approved though....
     
  25. Offline

    ColonelHedgehog

    I probably wouldn't put it on BukkitDev. :p
     
  26. Offline

    korikisulda

    Then what's the point? Who can admire your obfuscation art form?
     
  27. Offline

    ColonelHedgehog

    There are other places to put up plugins, you know.

    Just none as popular as BukkitDev.
     
  28. Offline

    korikisulda

     
  29. Offline

    ColonelHedgehog

    ...

    I don't know. Don't question my brilliance! :p
     
Thread Status:
Not open for further replies.

Share This Page