Huge shoutout to BuiltByBit for sponsoring this video, if you are interested in anything minecraft and server related, please check them out - builtbybit.com/themisterepic/
It confuses me how it took so long for anyone to find this. Yeah, not everyone is going to think "maybe if I rename this chest to the name of a server UI chest, it will give me that UI," but the process is so simple in hindsight that I'm surprised that it wasn't tested sooner.
From idk how none of the devs did a check if you had the permissions or not. Its like if typing rm -f / on Linux never checked to see if you had root privileges and just ran the command anyway or if windows just let a guest account delete system 32 without checking if they were a admin like how does the biggest anticheat for Minecraft miss such a simple crucial check
it probably wasn't found cause a good chunk of people who play don't really know how these plug ins work as it was a paid service, and if you are wantin to troll you don't exactly wanna put actual cash into learning how a plug in works to exploit it
I did something similar on a cracked server once. I renamed a chest to Auction House and was able to open the auction house with it. Renaming chests to other server menus sometimes made it impossible to move any items in your inventory. I didn't think to take it much further though. It was kind of just a fun little bug that I shared with a few people and reported.
What if there is something even worse than that? Perhaps being able to absolutely remove the server from the existence? Time will tell, people are still unaware of potential possibilities that are still unknown for them
@@ANONYMOUS-vf2nnIt's possible to grab the server's FTP credentials from the owner using log4j and then deleting everything on the serverbox remotely via ftp.
@@Theunicorn2012 That ending took it from "Yeah this is powerful, but unless you're careful it can always be rolled back" to "Holy hell, this is a deadly exploit."
@@Golden-lc6oi crashing doesnt because you guy get the server back up, but duping has negative effects to a server due to the fact that it literally makes all pay to win gimmicks pointless and makes literally any minecraft server lose profit
@@alalalalsekkeke The server owners and developers can just use an older backup of the server, whilst it may do some damage, incentives are the main problem. It takes constant duping and attacks for the server to become unprofitable, at this point, the server owner and devs are more likely to start from scratch with a new server at this point than try and become a non-pay to win server.
“Once in a decade exploit” *remembers log4j error, a Java exploit that allows you to run code remotely on any computer through a string value, something far more powerful than a simple /op*
@@Velocifyerit not affects just minecraft, but the whole world services and applications thay depends on java. iirc the log4j exploit was first discovered by alibaba far earlier even before 2019. who found it and utilised it? sure, it was initially 2b2t players who discovers it
Today's Fact: In 2020, researchers used quantum entanglement to teleport information between two chips in a silicon-based system, a major step forward for quantum computing.
this is... a very, very old and basic oversight that has been done (and will be done) by many plugin developers that want to use chest GUIs until bukkit/paper/whatever implement a standardised solution. ofcourse it's hardcore that this has happened to a big anticheat plugin and there's no checks whatsoever after opening the menu, but the ground principle of "opening renamed chest to get to GUI" has been around for a long while
@@SaschahiGG InventoryHolder is years old, dates back to at the latest 2016, when I started plugin development, it was THE way to do inventories so to use the old method, in my opinion, you're just asking for problems
I recently found a 1.7 dupe: 1. Lock a hopper. 2. Open your inventory with e 3. Use q to drop items 4. Close your inventory 5. Right-click the hopper. This resets your inventory. 6. Go back to step 2. Repeat ad infinitum.
Would’ve been funny if he banned all the mods/admins. With OP privilege he has higher authority than them, so he could’ve banned anyone except other OP’s and the owner (who is an OP)
In Insanity on 23:03, you actually got OP access. However, some permission plugins can override commands to use the permission system rather than op access. That's why you cannot use commands but can see spy messages, they configured that incorrectly so you can see.
I would like to provide some insight into this as I am an amateur server dev, and this exploit came from a very large oversight. So server chest guis work by having inventories and using the event to detect when someone clicks an item (as you described) What likely happened here was that the developers of vulcan forgot to add proper item checks to what they were clicking, so the server just assumed that they had permissions. Yes, there should be permission checks there. However, it is (from what I've seen) standard practice to add checks to the item clicked such as it having lore (meaning the player couldn't have modified it to have that lore), so that you don't ever accidentally detect them clicking an item in their inventory. The oversight of not adding permission checks isn't as egregious as not having the proper item checks for the gui, as its the very first thing you HAVE to get right.
You're on the right track, I'd also like to provide some insight as an experienced dev. A lot of (especially beginner) developers compare their inventories by title - this means that to check if a GUI opened by a player is the GUI that the plugin wants, it compares the title of the GUI. This is wrong on multiple levels - the video shows exactly why. You were correct about the lore-for-the-item thing, but also not 100%. From my experience, it's standard to use NBT data for an item (add a tag that identifies this item) - this way it's completely fool proof. On versions of 1.14.4 and above it's especially easy to implement with the PersistentDataContainer API.
I legitimately can not believe this even occured like this, NBT acts as a key, why did they feel the need to use the title which everyone can change?@@afraid2letgo
@@Omega-mr1jg Yep. Basically a lot of rookie mistakes - overlooks that were done due to the sheer complexity of the rest of the plugin. The developer probably didn't put too much thought into the GUIs because those were not even close to being the main focus.
why would even anyone use this old rookie method for custom menus, when you can make a menu by implementing InventoryHolder and don't have to care about permission checks 😭
Man, when you were describing the hierarchy, I had an idea: I make a server donation plugin, one that has a built in dupe exploit. One the server owners have to buy- in other words, the explicit purpose of the plugin is to gank P2W assholes.
As a professional developer who used to create hacked clients for Minecraft (this was 5 years ago at this point though), I can very much say this: It isn't impossible to find exploits like this, and if people with genuine cyber security backgrounds where to look at Minecraft, they could likely exploit it within the same week, it's just that they have better things to do than stare at a block game.
People do it all the time. He’s a server owner himself so there’s clear bias (he actively defended and helped purple prison which promotes gambling to children)
@@BigTarbYea, I was sitting here thinking, console level commands aren't even that hard to do, you don't even need to hack, you can just like. Ask and most people will input them for you if you're good at lying.
@@PetalRose450most people? at most there's like 2-3 people on a server with console access you eejit and unless they genuinely have something genuinely wrong with them they're not gonna be stupid enough to input ANYTHING some random person asks them to into the console, at MOST they'd do a / command using the chat, never the console itself
This is so wild I'm writing a college level security report on CWE-94, I'm going to source this video as an example of injection code as it is loosely related to it! Great video!
To any aspiring plugin developers trying to avoid this happening to them: just use interfaces that extend from InventoryHolder and check the type of the inventory, don't bother with inventory titles or item names. Not only will it avoid this issue but your code is gonna be so much easier to read and maintain because you don't have to deal with strings and a complicated if/else tree
Or.... dont. Or just let some people enjoy something instead of patching shit out in mere hours. There is already enough fucking grinding and other bs in real life.
I feel like your exploit scale is missing a tier, log4j was known as an RCE exploit, which should be far more powerful than forceop. For example, if multiple servers exist on a single machine, you'd only need to attack one. Or you could steal/modify sensitive data, or install malware/ransomware directly to their server hardware.
@@CrioChamber spawn is really easy to reverse, im 99% sure a server like purpleprison has their own build server where their builders can build then turn them into schematics to be pasted at the live server
On all pre-1.13 versions, by creating a piston with data value 6 (invalid rotation), it will crash the game whenever powered or whenever it recieves a block update. It is also an update suppressor and can get you block 36, half beds, half doors, floating blocks, piston heads, etc.
@@vytautaszygelis1106 nothing more fun than ruining your own/others' experience and fun and reducing the entire game to a pentesting playground before promptly leaving the game until another exploit is found.
Very cool and detailed video about this Vulcan exploit and I think we may not see something like this again in the near future and I am still bothered that I was not able to actually use it myself as there was not enough time after the owners of Minemalia discovered that we were accessing their Vulcan menu and as I said we did not know that you could edit punishment commands which we found out afterwards when they had already alerted frep. One thing I would like to add is that there is a way to access the main GUI without knowing its name. In my case I used a feather and the chest title "Check Types" which allowed me to access GUIs without knowing the name of the main GUI.
It is quite a mistake not to check for permissions on the GUIs, which should NEVER happen, but to be fair, frep handled it very well by releasing a free patch for everyone. But I think there will be a lot of servers vulnerable to this exploit for a long time to come. Also the video was unlisted, since I released another one right afterwards which included the aspect of Force-OP. :)
as someone whos been making inventory guis and other various minecraft stuff, i can say that the statement at 18:20 is incorrect, it is *VERY EASY* to check if the inventory instance is correct, and check permissions accordingly. But even if it wasn't, if you're doing scripted events when clicking a gui button, that should 100% BE BEING CHECKED!
I can imagine an issue arising where players spam open inventories to lag servers If it needs to run a check *every time* anyone opens any inventory, imagine the lag from just 2 or 3 accounts just spamming e
@@tacticallemon7518 yeah except it does that check anyway, but for the container name Also opening an inventory and opening a container are entirely different operations, spamming e wouldnt even trigger that check
@user-kz1zc7vm4l log4shell was a Java exploit that easly allowed you to execute remote commands to the players computer, is not even in the server, they could easly get all you information saved in your computer, crash it, infect with malware and a lot worst. It was a Java exploit and not a plugin one, they fix it very fast but some damage was done. Also it wasn't minecraft exclusive since a LOT OF THINGS works using Java, so just imagine the possible damage. Once in a life exploit, one of the most or the most powerful exploit ever
@@EmanuelLopesS2 this vulnerability existed for a very long time and it was not taken advantage of but when it did, it made playing Minecraft an actual security problem, especially on Minecraft servers and the ones where there are hackers around that can just remotely enter your computer and do anything they want to do. Log4j exploit is one if the most insane exploits to ever exist in digital computing
I remember this happening to a small server, the exploit was dangerously abused on it; even going as far as leaking IP addressess and saying sensitive words using the broadcast command.
I love how whenever the character has to climb up to the very top of the hierarchy, he is always just out of reach of the top, but the video "glitches" and all of a sudden he is on the top. unexplicably. very poetically shown
Or even better like I do. Add the player to cache when exetuting the command to open the gui and by ever click and interaction just check for permission. It's not that hard. It's kinda bad how a anti cheat dev did this.
I just love the part when the music starts playing and EVERYTHING escalates COMPLETLY - I love how you cut you Videos Epic, thank you for making videos - I just love it!
It’s actually amazing how far some of the community’s knowledge went, to actual force op exploits. As much damage as this has done, it’s actually baffling.
Wtf. I reported this to the Vulcan developer a while back and he fixed it within about an hour. I had no idea it was this big tho. The chest you click on in the inventory does not have to be named btw. Only the inventory name matters.
In Minecraft wiiu all your need to do is change some memory addresses and you can do basically anything you want with and make it impossible to be removed.
@@MC_CN Yeah you can edit the system memory in real time with a tool called TCP gecko, clients do exist for Minecraft though and at there core, they are simply modified versions of the minecraft.rpx (the core of the game) So no disc mods needed just some homebrew
I havent watches your videos on 3 years. I just got back into MC 4 days ago and immediately saw this video recommended to me. Your content has gotten SO MUCH better. Amazing stuff.
My server which averages around 200 players got nuked by a competitor server and they deleted our saves causing us to have to remake some aspects of our server, it was not fun
There is a force op in 1.2.5 and below that you didn't mention. Back then the Minecraft protocol wasn't encrypted. What this meant is that the connection between clients and servers were not secure and could be tampered by anyone in a MitM attack. The force op worked by getting an admin of the target server join an attacker controlled server. When joining the malicous server, the malicous server would then try and login to the target server and forward the handshake packet back to the admin's client allowing the malicous server to successfully login to the target server as that admin. The malicous server while logged in with the admin account could execute any command including op. The malicous server doesn't have to forward any other packets back to the admin so it can just kick the admin with an error message or have them join a fake server so it isn't suspicious.
Half the mods on that server literally false ban you for the stupidest stuff. Like one auto hackusated then banned me just cause I so happen to run forge on 1.8.9 yeah OK but for OptiFine only! Effing tards.
@@ionisator1 Dont care. I wanted to try this. Cant. Why? Because its fucking gone. Tried to find dupe exploits. Cant. Why? Cause fucking monkeys patched them out.
As a developer that has worked on dozens of plugins involving hundreds of inventory GUIs, I take issue with the statement that it's difficult to check. One of my main go to methods of implementing chest UIs was to create a custom inventory container class similar to how all standard inventory types have their own class in the code. Internally in logic it would be identical to a chest UI, but I could then test the player's currently opened ui's class against my custom one. Opening a normal chest or player inventory would result in the currently opened inventory's class being PlayerInventory or DoubleChestInventory (or equivalent as the names have changed at various points in times) but they would not be the custom class. On top of that considering the UI is accessed via command and Spigot servers have events for opening and closing inventories in addition to just clicking in the inventories, it's not difficult to keep track of the current inventory of the player. All of that is then on top of basic permission checks, it's odd. And it's even stranger that the developer removed the UI entirely instead of just adding the checks to the code. The developer obviously knows what they're doing as making an Anti Cheat is not something someone does on a whim, especially one so well received, so it's baffling this got through.
This feels less like a permission issue and more like an input sanitization issue. Not sure if it has to do with Minecraft or the anti cheat but there should be an input sanitization process that should prevent just renaming something to get access to a console.
It’s wild their excuse was “it’s extremely annoying and hard to program” like bro when the command is set to execute put to check a list of approved users to execute. So hard.
As a skript developer myself I can confirm it is a major pain to do this, but it can be prevented by placing buffer characters like colored spaces after the text is finished like "GUI&a &r" this fixes all your problems and makes it virtually impossible for players to open this gui. I can confirm that like every skript I have seen doesn't check perms, but the all use colored text and that makes it impossible for players to get UI named this way. Third mistake most people missed is that Vulcan checks it based on the item clicked as opposed to a slot, which is kinda of a bummer
I allow players to put colours in anvil. Slot checking would have been even easier to exploit, just click the empty slot where Manage Checks was supposed to be.
17:54 this could also be used to open any named chests allowing for you to have a chest that is named the exact same as another chest making it to where you can access all the stuff in it kind of like an ender chest but easier to obtain
It's funny that, to this day, many mods/plugins still use custom names of items to branch the behaviors of that item from the original implementations. I personally prefer going with the built-in NBT tags system. It works well along with the OOP concepts and cannot be easily tampered by players. Though in Vulcan's case they should've used controlled commands like what old-school NCP does in the first place.
this kinda reminds me about a roblox bug naming your character lets say bosscampos, so boss camera position, so the game would get confused cause there are 2 files named the same thing so it would freeze and bug the game
The fact that /op is a thing makes situations like this dangerous. It's so straightforward to understand that gets you too many permissions. Why can't server developers just remove it and add a MFA for promoting anyone to moderator or higher level statuses?
This exploit has been known for other plugins for a loong time now... not much of a surprise that it would happen to more popular plugins at some point
Should have destroyed the hell out of purple prison, and cripple the server ENTIRELY. A once in a decade expliot could have gone to use and destroy this P2W server, and yet you choose to tell the staff of said server. SMH dude
@@seazonss1 he mentioned how rare the exploit is, how much damage could be done with console access, and how purple prison is scummy in multiple ways. there wasn't anything he didn't know, he just said he "didn't want to cross that line"
cant believe Vulcan used inventory titles to distinguish inventory GUIs LOL thats so terribly coded it is NOT difficult AT ALL to use a HashMap which maps the player to the inventory object when the inventory is opened and only handle click events on that GUI
Huge shoutout to BuiltByBit for sponsoring this video, if you are interested in anything minecraft and server related, please check them out - builtbybit.com/themisterepic/
ok
April fools video, dupe on your server 😎
what's that sick ass dnb track that plays during the exploit of purple prison? nevermind, that's in the desc.
please put an epilepsy warning if youre going to have things like 0:53
The dnb track is in the description yep
Players manage to bypass your servers spawn protection. What do they do with this newfound incredible power? Dig straight down
Neuron activated
Big brain
@@Tenzhi Action executed
;
@@aaadidubeey thank you for your input
It confuses me how it took so long for anyone to find this. Yeah, not everyone is going to think "maybe if I rename this chest to the name of a server UI chest, it will give me that UI," but the process is so simple in hindsight that I'm surprised that it wasn't tested sooner.
From idk how none of the devs did a check if you had the permissions or not. Its like if typing rm -f / on Linux never checked to see if you had root privileges and just ran the command anyway or if windows just let a guest account delete system 32 without checking if they were a admin like how does the biggest anticheat for Minecraft miss such a simple crucial check
it probably wasn't found cause a good chunk of people who play don't really know how these plug ins work as it was a paid service, and if you are wantin to troll you don't exactly wanna put actual cash into learning how a plug in works to exploit it
@@tux_the_astronaut because it isn't the biggest anticheat for Minecraft, Grim is
generally, the simpler the idea, the more likely people are to think it has already been tested
I did something similar on a cracked server once. I renamed a chest to Auction House and was able to open the auction house with it. Renaming chests to other server menus sometimes made it impossible to move any items in your inventory. I didn't think to take it much further though. It was kind of just a fun little bug that I shared with a few people and reported.
A scale so large, it won't happen again
100%
@surge1229 thats not how that works
Biggest plugin(s) will contain at least 1 oversight.
What if there is something even worse than that? Perhaps being able to absolutely remove the server from the existence? Time will tell, people are still unaware of potential possibilities that are still unknown for them
@@ANONYMOUS-vf2nnIt's possible to grab the server's FTP credentials from the owner using log4j and then deleting everything on the serverbox remotely via ftp.
That ending took it from "Yeah this is powerful, but unless you're careful it can always be rolled back" to "Holy hell, this is a _deadly_ exploit."
That ending took it from "Yeah this is powerful, but unless you're careful it can always be rolled back" to "Holy hell, this is a deadly exploit."
@@Theunicorn2012...thanks?
@@Theunicorn2012 That ending took it from "Yeah this is powerful, but unless you're careful it can always be rolled back" to "Holy hell, this is a deadly exploit."
That ending took it from "Yeah this is powerful, but unless you're careful it can always be rolled back" to "Holy hell, this is a deadly exploit."
That ending took it from "Yeah this is powerful, but unless you're careful it can always be rolled back" to "Holy hell, this is a deadly exploit."
"what i dont like is unethical gambling" then proceeds to blow the server the fuck up in retaliation (w)
He then helped them solve the problem so he effectively did nothing. If he were actually against it he would’ve done damage he said he could do
@@BigTarb Fun Fact: Duping/Crashing or doing anything to those servers often does nothing or almost nothing.
@@Golden-lc6oi I know
@@Golden-lc6oi crashing doesnt because you guy get the server back up, but duping has negative effects to a server due to the fact that it literally makes all pay to win gimmicks pointless and makes literally any minecraft server lose profit
@@alalalalsekkeke The server owners and developers can just use an older backup of the server, whilst it may do some damage, incentives are the main problem.
It takes constant duping and attacks for the server to become unprofitable, at this point, the server owner and devs are more likely to start from scratch with a new server at this point than try and become a non-pay to win server.
“Once in a decade exploit”
*remembers log4j error, a Java exploit that allows you to run code remotely on any computer through a string value, something far more powerful than a simple /op*
Keep in mind, that's not a Minecraft exploit, that's a security vulnerability in java
@@TheMisterEpic still WAY more powerful than any other exploit has been yet
Sure, but not a Minecraft exploit
@@Velocifyer ain't cuz you can run it on minecraft that it's a minecraft exploit though...
@@Velocifyerit not affects just minecraft, but the whole world services and applications thay depends on java. iirc the log4j exploit was first discovered by alibaba far earlier even before 2019.
who found it and utilised it? sure, it was initially 2b2t players who discovers it
Today's Fact: In 2020, researchers used quantum entanglement to teleport information between two chips in a silicon-based system, a major step forward for quantum computing.
cool
that sounds like fast internet speed
Thank you facterino
Yeah…but the silicon-based system does have quantum crystals right
Ant man did it first fr
this is... a very, very old and basic oversight that has been done (and will be done) by many plugin developers that want to use chest GUIs until bukkit/paper/whatever implement a standardised solution.
ofcourse it's hardcore that this has happened to a big anticheat plugin and there's no checks whatsoever after opening the menu, but the ground principle of "opening renamed chest to get to GUI" has been around for a long while
There is already a standardised soloution for years, inventory view instances. The developers just used a decade old method.
there is, its called InventoryHolder
@@game_time1633 didn't know that, is that added from bukkit, spigot or paper?
@@SaschahiGG from what I remember Bukkit? Correct me if I’m wrong though, but yeah pretty sure that was bukkit.
@@SaschahiGG InventoryHolder is years old, dates back to at the latest 2016, when I started plugin development, it was THE way to do inventories so to use the old method, in my opinion, you're just asking for problems
Tbh the funniest thing that you could do is add /stop to random flag and make staff wonder what the hell is happening
That would have been hilarious ngl, especially if the exploit never ended up becoming known by many others
also include unbanning yourself and doing it to every flag and keeping the ban for the flags
"If you reinforce a door by making it impossible to break down they'll just destroy the door frame"
Or climb in the open window.
its amazing how few people protect the door hinge and leave the pin right there for the taking
Mmhmm. Taught my DM this lesson by abusing Mold Earth to get around nearly every unbreakable locked door in his campaign.
I recently found a 1.7 dupe:
1. Lock a hopper.
2. Open your inventory with e
3. Use q to drop items
4. Close your inventory
5. Right-click the hopper. This resets your inventory.
6. Go back to step 2. Repeat ad infinitum.
make a video.
stay safe there 1.7 servers, the 3 of them.
lol@@xfi6658
yes. the 2 defunct ones and that weird 1 anarchy 2b2t clone@@xfi6658
@@xfi6658yeah why would people use 1.7 when 1.8 exists
29:24 i saw your intrusive thoughts telling you to /ban *
Would’ve been funny if he banned all the mods/admins. With OP privilege he has higher authority than them, so he could’ve banned anyone except other OP’s and the owner (who is an OP)
In Insanity on 23:03, you actually got OP access. However, some permission plugins can override commands to use the permission system rather than op access. That's why you cannot use commands but can see spy messages, they configured that incorrectly so you can see.
Fun fact: you have been on a hungarian server it was the one with the ban reason being "hi fan, what are you doing?"
27:52 "Everyone's owner", now that is what I'd call an anarchy server
nice profile picture bro
@@ryan_765 Thanks, yours too
I would like to provide some insight into this as I am an amateur server dev, and this exploit came from a very large oversight.
So server chest guis work by having inventories and using the event to detect when someone clicks an item (as you described)
What likely happened here was that the developers of vulcan forgot to add proper item checks to what they were clicking, so the server just assumed that they had permissions. Yes, there should be permission checks there. However, it is (from what I've seen) standard practice to add checks to the item clicked such as it having lore (meaning the player couldn't have modified it to have that lore), so that you don't ever accidentally detect them clicking an item in their inventory.
The oversight of not adding permission checks isn't as egregious as not having the proper item checks for the gui, as its the very first thing you HAVE to get right.
You're on the right track, I'd also like to provide some insight as an experienced dev.
A lot of (especially beginner) developers compare their inventories by title - this means that to check if a GUI opened by a player is the GUI that the plugin wants, it compares the title of the GUI. This is wrong on multiple levels - the video shows exactly why.
You were correct about the lore-for-the-item thing, but also not 100%. From my experience, it's standard to use NBT data for an item (add a tag that identifies this item) - this way it's completely fool proof. On versions of 1.14.4 and above it's especially easy to implement with the PersistentDataContainer API.
I legitimately can not believe this even occured like this, NBT acts as a key, why did they feel the need to use the title which everyone can change?@@afraid2letgo
beyond that, not even checks were present, leading to a fatal flaw
@@Omega-mr1jg Yep. Basically a lot of rookie mistakes - overlooks that were done due to the sheer complexity of the rest of the plugin. The developer probably didn't put too much thought into the GUIs because those were not even close to being the main focus.
why would even anyone use this old rookie method for custom menus, when you can make a menu by implementing InventoryHolder and don't have to care about permission checks 😭
Man, when you were describing the hierarchy, I had an idea: I make a server donation plugin, one that has a built in dupe exploit. One the server owners have to buy- in other words, the explicit purpose of the plugin is to gank P2W assholes.
probably wouldn't last long, but it would certainly be funny
99% of servers use tebex/buycraft, wouldn't work
they all use tebex/buycraft, so there is no real way to make another donation plugin
@@maasnelsonhailey218 It's not about the damage, it's about sending a message
That idea is SO GOOD and so CRUEL... I love it,,
16:28 “this isn’t the most powerful forceop exploit ever, this is the only forceop exploit ever”
We just gonna pretend bungeespoofing doesn’t exist
Yeah, he forgot the true biggest exploit, literally applied to any server with bungeecord
im pretty sure there are different adaptable parent server exploits too
it's the most powerful and the least powerful
from what I understand, this was already well known for a long time and fixed in other proxies like velocity by design
or UUID lol
As a professional developer who used to create hacked clients for Minecraft (this was 5 years ago at this point though), I can very much say this: It isn't impossible to find exploits like this, and if people with genuine cyber security backgrounds where to look at Minecraft, they could likely exploit it within the same week, it's just that they have better things to do than stare at a block game.
People do it all the time. He’s a server owner himself so there’s clear bias (he actively defended and helped purple prison which promotes gambling to children)
2b2t players building malware that could pose a national security threat to fund 9 year olds bases in a block game: “you underestimate my power”
@@BigTarbYea, I was sitting here thinking, console level commands aren't even that hard to do, you don't even need to hack, you can just like. Ask and most people will input them for you if you're good at lying.
@@BigTarb did you like watch the video?
@@PetalRose450most people? at most there's like 2-3 people on a server with console access you eejit
and unless they genuinely have something genuinely wrong with them they're not gonna be stupid enough to input ANYTHING some random person asks them to into the console, at MOST they'd do a / command using the chat, never the console itself
This is so wild I'm writing a college level security report on CWE-94, I'm going to source this video as an example of injection code as it is loosely related to it! Great video!
To any aspiring plugin developers trying to avoid this happening to them: just use interfaces that extend from InventoryHolder and check the type of the inventory, don't bother with inventory titles or item names. Not only will it avoid this issue but your code is gonna be so much easier to read and maintain because you don't have to deal with strings and a complicated if/else tree
Thanks a lot
Just checked a tutorial on it, it's much better than the usual ways people learn to make inventories
you mean like extending the inventory class? wdym
Or.... dont. Or just let some people enjoy something instead of patching shit out in mere hours. There is already enough fucking grinding and other bs in real life.
@@vytautaszygelis1106 are you real?
@@iilwybots can cope and seethe too lmfao.
at 28:33 that /save-all mustve felt SO GOOD hahahha
I feel like your exploit scale is missing a tier, log4j was known as an RCE exploit, which should be far more powerful than forceop. For example, if multiple servers exist on a single machine, you'd only need to attack one. Or you could steal/modify sensitive data, or install malware/ransomware directly to their server hardware.
that's not a minecraft-specific exploit, it affected a lot of java-related stuff in general, not only minecraft
@@JustVldKsh Read the comment again. No where it said its a minecraft-specific exploit. They only wanted a new RCE exploit tier.
@@kidscreativitys The video was talking about Minecraft exploits, but yeah an RCE exploit tier would make some sense
@@SolTheIdiotIts still a exploit anyone could abuse nonetheless
@@JustVldKshI mean the JNDI lookups were able to be turned off so the fact that Minecraft didn’t kind of makes it a Minecraft exploit.
"What a cool looking minecraft server! I wanna go play it." *Joins server and sees the chaos* " oh my "
It was noble of you to show restraint with this exploit. If another group discovered it, imagine the mayhem that could have been caused.
Except Purple Prison. XD That poor spawn!
@@CrioChamber spawn is really easy to reverse, im 99% sure a server like purpleprison has their own build server where their builders can build then turn them into schematics to be pasted at the live server
@@qrae_qrae6629I mean, I didn't think they wouldn't have a backup somewhere, just before they rolled it back that spawn got oofed.
@@CrioChamber nonetheless, if purple prison didn't have a backup, fuck them LOL
2:44
"Rare but not that uncommon"
come on man just pick one
Lmao
I head that too. Must be a mistake in the script
theyre rare(hard*) to find but pretty common since they are frequently found anyway
Corny ass video and script lol, good video but my god these kind of youtubers just try so hard to make it super dramatic, it's minecraft ffs LOL
@@RRareGaming how?
i think its crazy that people still find ways to terrorize servers
On all pre-1.13 versions, by creating a piston with data value 6 (invalid rotation), it will crash the game whenever powered or whenever it recieves a block update. It is also an update suppressor and can get you block 36, half beds, half doors, floating blocks, piston heads, etc.
its the one used in 2b2t right @@bennyl9228
Terorize? I just want in on some fun. I keep trying to look for reliable dupes, but everything is so ''secure'' nowdays.
@@vytautaszygelis1106🫤 look for the dupes yourself
@@vytautaszygelis1106 nothing more fun than ruining your own/others' experience and fun and reducing the entire game to a pentesting playground before promptly leaving the game until another exploit is found.
Very cool and detailed video about this Vulcan exploit and I think we may not see something like this again in the near future and I am still bothered that I was not able to actually use it myself as there was not enough time after the owners of Minemalia discovered that we were accessing their Vulcan menu and as I said we did not know that you could edit punishment commands which we found out afterwards when they had already alerted frep.
One thing I would like to add is that there is a way to access the main GUI without knowing its name. In my case I used a feather and the chest title "Check Types" which allowed me to access GUIs without knowing the name of the main GUI.
It is quite a mistake not to check for permissions on the GUIs, which should NEVER happen, but to be fair, frep handled it very well by releasing a free patch for everyone. But I think there will be a lot of servers vulnerable to this exploit for a long time to come.
Also the video was unlisted, since I released another one right afterwards which included the aspect of Force-OP. :)
@@CCBlueXhi ccbluex. was fun trolling minemalia XD
Hi
Hi
Hi
as someone whos been making inventory guis and other various minecraft stuff, i can say that the statement at 18:20 is incorrect, it is *VERY EASY* to check if the inventory instance is correct, and check permissions accordingly. But even if it wasn't, if you're doing scripted events when clicking a gui button, that should 100% BE BEING CHECKED!
I can imagine an issue arising where players spam open inventories to lag servers
If it needs to run a check *every time* anyone opens any inventory, imagine the lag from just 2 or 3 accounts just spamming e
@@tacticallemon7518 yeah except it does that check anyway, but for the container name
Also opening an inventory and opening a container are entirely different operations, spamming e wouldnt even trigger that check
@@tacticallemon7518 These checks are very cheap
ThatMisterEpic's final checkpoint everytime: Purple Prison 😂
"This vulkon the worst exploit ever" Log4Shell: "Hold me beer."
I saw some other people talking about this, could you explain it to me :P
(and possibly how to do it ;))
@user-kz1zc7vm4l log4shell was a Java exploit that easly allowed you to execute remote commands to the players computer, is not even in the server, they could easly get all you information saved in your computer, crash it, infect with malware and a lot worst. It was a Java exploit and not a plugin one, they fix it very fast but some damage was done. Also it wasn't minecraft exclusive since a LOT OF THINGS works using Java, so just imagine the possible damage. Once in a life exploit, one of the most or the most powerful exploit ever
@@EmanuelLopesS2 this vulnerability existed for a very long time and it was not taken advantage of but when it did, it made playing Minecraft an actual security problem, especially on Minecraft servers and the ones where there are hackers around that can just remotely enter your computer and do anything they want to do.
Log4j exploit is one if the most insane exploits to ever exist in digital computing
@@CDZ1309 person above me explains it
@@CDZ1309 th-cam.com/video/w2F67LbEtnk/w-d-xo.html
Remote code execution exploits are even higher up on the exploit pyramid. You can literally edit files on the server.
Literally The Purple Prison mods: "I don't get paid enough for this."
In your exploit hierarchy, you missed a tier above ForceOP: Full server control. This is where Log4Shell sits.
And even higher: total RCE. Being able to run code on other players' systems. I think log4j could do that?
is there an exploit that allows you to goto anyones house irl
That ending felt like I was watching Team Avolition again.
The panic server owners must have felt because of this is hilarious
Its not that bad, restore from backup, patch exploit thanks to logs, and continue with your day
@@tarakivu8861 not every server does that
@@joetheblu3 No not every server does that... Only the popular ones that still live...
Idk about anyone else.. But seeing the sun SIDEWAYS at the start is cursed to hell.
I remember this happening to a small server, the exploit was dangerously abused on it; even going as far as leaking IP addressess and saying sensitive words using the broadcast command.
I love how whenever the character has to climb up to the very top of the hierarchy, he is always just out of reach of the top, but the video "glitches" and all of a sudden he is on the top. unexplicably.
very poetically shown
19:23 the moment where he actually is working on op-ing everyone
If that ever happend to me, i'd call my friend Micheal.
i think it'd be better to call saul
Thank god for michael
What ungodly powers does Micheal have, Should I be scared of that man... or- Or- GOD??
Log4J was the “Once in a decade exploit” for Minecraft servers, and many other things of course.
Log4J wasn't just a "once in a decade exploit" for Minecraft, it was a "once in a decade exploit" for literally the entire internet.
@@brandon9172original commenter alsp said "...and many other things"
@@brandon9172 Yeah, this exploit doesn't even come close to that.
Still can't believe they were just checking the name of the inventory and not using `instanceof`. It's incredible that this is even possible. Wow.
I think they should @Deprecated and @ForRemoval it. It truly is a bad option. Tho, I used it for years, it's time for a change.
You shouldn't even instanceof them, you should check if it's a specific instance of the inventory
@@russianyoutube oh hi, I know you
@@Xnoob545 oh hi, I know you too
Or even better like I do. Add the player to cache when exetuting the command to open the gui and by ever click and interaction just check for permission. It's not that hard. It's kinda bad how a anti cheat dev did this.
24:40 You really did test it on a variety of servers...
I love that you've showed a translation aswell. :D
rivalsnetwork my beloved
"Le flight" tho instead of expiration
I like how the reason he got banned is just so Hungarian.
@@ThatAnony I also like how there's probably at least three Hungarian people in this comment thread, and we're all speaking in English. :D
@@ThatAnony mennyire igaz
26:54 very nice dutch person in chat
iknow hahaha
Comment I was looking for
At 24:44 the texts are in hungarian
bro was best blij
mKiffesh
He probably speaks Arabic or Tamazigh
Possibly Lives Somewhere In Borgerhout
This was absolutely insane. Last time I was involved in something like this was when iTristan gave me a 32k sword.
What a lovely message on the bottom left at 6:54
spotted that also
25:04 Scott Buckley's music really works very well with this scene
100%
I just love the part when the music starts playing and EVERYTHING escalates COMPLETLY - I love how you cut you Videos Epic, thank you for making videos - I just love it!
The story telling in these videos is actually insane, keep it up!
🤖
Stop appearing everywhere you chicken
Kurczak is chicken
It’s actually amazing how far some of the community’s knowledge went, to actual force op exploits. As much damage as this has done, it’s actually baffling.
Wtf. I reported this to the Vulcan developer a while back and he fixed it within about an hour. I had no idea it was this big tho. The chest you click on in the inventory does not have to be named btw. Only the inventory name matters.
No way bro finally launched an effective attack on purple prison
17:37 I recognized Lemmino's music right away. Awesome selection
perfect end to the purple prison arc
Those random flashing lights with no warning is crazy
The person who found this first was a german youtuber named Garkolym, he made a video about it on January 22
In Minecraft wiiu all your need to do is change some memory addresses and you can do basically anything you want with and make it impossible to be removed.
That's messing with console/disc code
basically an equivalent to hacked clients/mods
@@MC_CN Yeah you can edit the system memory in real time with a tool called TCP gecko, clients do exist for Minecraft though and at there core, they are simply modified versions of the minecraft.rpx (the core of the game)
So no disc mods needed just some homebrew
Yes if you have physical access to something you can do anything...
@@MC_CN damn TH-cam deleted my previous reply to thsi
@@DorperSystems I'm talking about modifying address on, _your own_ system to trick the game into thinking that your the host
I havent watches your videos on 3 years. I just got back into MC 4 days ago and immediately saw this video recommended to me. Your content has gotten SO MUCH better. Amazing stuff.
My server which averages around 200 players got nuked by a competitor server and they deleted our saves causing us to have to remake some aspects of our server, it was not fun
How did they destroy saves? Wouldn’t those have been stored off of the internet?
I absolutely loved watching this especially with good noise canceling headphones the choice of music was amazing
I love how PurplePrizzon disolves into chaos in only a couple of minutes. It just goes to show how powerful this exploit is!!
There is a force op in 1.2.5 and below that you didn't mention. Back then the Minecraft protocol wasn't encrypted. What this meant is that the connection between clients and servers were not secure and could be tampered by anyone in a MitM attack. The force op worked by getting an admin of the target server join an attacker controlled server. When joining the malicous server, the malicous server would then try and login to the target server and forward the handshake packet back to the admin's client allowing the malicous server to successfully login to the target server as that admin. The malicous server while logged in with the admin account could execute any command including op. The malicous server doesn't have to forward any other packets back to the admin so it can just kick the admin with an error message or have them join a fake server so it isn't suspicious.
My man let Purple Prison off like crazy, even helped them get back up.
Skip to 10:10 to save 10mins of overdramatized buildup
This was one of the craziest exploits I've ever seen or been apart of.
the absolute misery you unleashed on purple prison brought me unspeakable joy
Ah yes, the good men and women of Purple Prison's finest. The Purple Prison Moderator Team: Vigilant, but incompetent.
Half the mods on that server literally false ban you for the stupidest stuff. Like one auto hackusated then banned me just cause I so happen to run forge on 1.8.9 yeah OK but for OptiFine only! Effing tards.
This is actually insane. Kudos to finding it, I hope the purple prison devs didn't get too mad at you
man, i've been following zman since the unturned days. crazy to see him come so far
Damn and they could've saved so many people money by stopping Purple Prison entirely.
this is why exploits need to be fixed super quick so people don't destroy sevrers
This is why exploits don't need to be fixed because they are more fun to have than to not have
@@fatfurryMinor exploits bugs and glitches can be fun, but fundamentally comprimising exploits are not
@@ionisator1 🤓
@@fatfurryok clown
@@ionisator1 Dont care. I wanted to try this. Cant. Why? Because its fucking gone. Tried to find dupe exploits. Cant. Why? Cause fucking monkeys patched them out.
mann it's crazy what people find out how to do
Dude that camera work at 28:03 is crazy to watch . I loved it
As a developer that has worked on dozens of plugins involving hundreds of inventory GUIs, I take issue with the statement that it's difficult to check. One of my main go to methods of implementing chest UIs was to create a custom inventory container class similar to how all standard inventory types have their own class in the code. Internally in logic it would be identical to a chest UI, but I could then test the player's currently opened ui's class against my custom one. Opening a normal chest or player inventory would result in the currently opened inventory's class being PlayerInventory or DoubleChestInventory (or equivalent as the names have changed at various points in times) but they would not be the custom class.
On top of that considering the UI is accessed via command and Spigot servers have events for opening and closing inventories in addition to just clicking in the inventories, it's not difficult to keep track of the current inventory of the player.
All of that is then on top of basic permission checks, it's odd. And it's even stranger that the developer removed the UI entirely instead of just adding the checks to the code. The developer obviously knows what they're doing as making an Anti Cheat is not something someone does on a whim, especially one so well received, so it's baffling this got through.
This feels less like a permission issue and more like an input sanitization issue. Not sure if it has to do with Minecraft or the anti cheat but there should be an input sanitization process that should prevent just renaming something to get access to a console.
Hacker: Lets use an exploit!
TheMisterEpic: Lets use the only forceop exploit!
its very nice to know that the minecraft server community moves at lightning speed when it comes to some kind of danger to their servers
Coming from someone that used to play on Purple Prison, this was amazing ❤️
With great power comes great responsibility ❌
with great power comes exceeding great rarity ✅
Haha, le classique demonstration of the first rule of networking - "Never trust the client"
You should give a class on how to pad out a 10 minute video to 35 minutes since this had more fluff than a pillow.
It’s wild their excuse was “it’s extremely annoying and hard to program” like bro when the command is set to execute put to check a list of approved users to execute. So hard.
As a skript developer myself I can confirm it is a major pain to do this, but it can be prevented by placing buffer characters like colored spaces after the text is finished like "GUI&a &r" this fixes all your problems and makes it virtually impossible for players to open this gui. I can confirm that like every skript I have seen doesn't check perms, but the all use colored text and that makes it impossible for players to get UI named this way. Third mistake most people missed is that Vulcan checks it based on the item clicked as opposed to a slot, which is kinda of a bummer
I allow players to put colours in anvil. Slot checking would have been even easier to exploit, just click the empty slot where Manage Checks was supposed to be.
27:00 that was so fucking fun to watch lmao, the background music and editing makes it so entertaining and epic
Related to the video, this is really both interesting and scary at the same time
17:54 this could also be used to open any named chests allowing for you to have a chest that is named the exact same as another chest making it to where you can access all the stuff in it kind of like an ender chest but easier to obtain
It's funny that, to this day, many mods/plugins still use custom names of items to branch the behaviors of that item from the original implementations. I personally prefer going with the built-in NBT tags system. It works well along with the OOP concepts and cannot be easily tampered by players. Though in Vulcan's case they should've used controlled commands like what old-school NCP does in the first place.
Man imagine being gone for a second and everythings gone and everyone has op 😂
this kinda reminds me about a roblox bug naming your character lets say bosscampos, so boss camera position, so the game would get confused cause there are 2 files named the same thing so it would freeze and bug the game
ik this isnt that relevant i just wanted to share some thing cool
The fact that /op is a thing makes situations like this dangerous. It's so straightforward to understand that gets you too many permissions. Why can't server developers just remove it and add a MFA for promoting anyone to moderator or higher level statuses?
Good point, Any permission past basic moderation should require MFA to give out properly, /op can literally be executed at any time.
"Vulcan was good, really good..." meanwhile sending a stop breaking packet every 15 ticks:
This exploit has been known for other plugins for a loong time now... not much of a surprise that it would happen to more popular plugins at some point
I like the glitchy transitions you have
Should have destroyed the hell out of purple prison, and cripple the server ENTIRELY. A once in a decade expliot could have gone to use and destroy this P2W server, and yet you choose to tell the staff of said server. SMH dude
going to assume he didn’t know
@@seazonss1 he mentioned how rare the exploit is, how much damage could be done with console access, and how purple prison is scummy in multiple ways. there wasn't anything he didn't know, he just said he "didn't want to cross that line"
cant believe Vulcan used inventory titles to distinguish inventory GUIs LOL thats so terribly coded
it is NOT difficult AT ALL to use a HashMap which maps the player to the inventory object when the inventory is opened and only handle click events on that GUI
huge shoutout for using lemmino's music
Can't wait for Spoke to destroy lifesteal again!
video starts at 16:04
Thanks bro