PSA: Decompiler Vulnerability

Discussion in 'Community News and Announcements' started by Kaelten, Oct 26, 2014.

Thread Status:
Not open for further replies.
  1.


    Tonight we've been made aware of a decompiler vulnerability that allows people to effectively hide sections of code. This has been reported to both Procyon and Luyten. This may also affect other decompilers.

    Unfortunately, due to this we will not be processing new files until a fixed or replacement decompiler can be found.

    As of right now there is no known malicious code on DBO. However, due to the nature of this decompiler shortcoming we are unable to know conclusively.

    A big thanks to korikisulda for bringing this to our attention.

    Edit by Zeldo:
    Korikisulda has posted a much more detailed post about how this works for those that are wondering. You can find it here:

    Update 10/29/14:

    With Kori's help we're able to start processing files again. We will be working to catch the queue back up, however it may take a few days to get back at 100%.

    We're currently running a large scale scan for this exploit over the last several months of files. It is very time consuming and so far none have been found. If any are discovered we will post an update.

    Thanks to everyone for your patience as we worked through this.

    Update 10/30/14 (Zeldo):

    The queue has been caught up thanks to the very hard work by eyamaz.

    The file scan was successful at scanning the previous 5000 files for this exploit, with over 500000 classes scanned in total and about 1GB of data. There were 0 instances of this exploit present in these files.

    A big thanks again to korikisulda for providing us with a tool to detect this. With her idea I was able to develop a tool that automatically scans all files for this exploit and will alert us if any become present on the site. Hopefully the decompilers can be updated to not be susceptible to this bug and the tool can come down. However, until this happens, rest assured that it will be detected in the meantime.
  2.


    So no files are being approved currently on DBO?

    Thanks for this fix.
  3.


    Yup. And it isn't so much of a fix as a "Breaking everything"... Sorry D:
    ZeldoKavira and Caprei like this.
  4.


    korikisulda Make the fix, "notification." :p

    Good job on you mate, for finding this.
    ZeldoKavira and korikisulda like this.
  5.


    Too bad people do this kind of stuff. Let's hope a new decompiler/fix is found fast.
  6.


    Last edited by a moderator: Jun 14, 2016
    DamienMine and beeselmane like this.
  7. Kaelten Thanks for telling us. Are you aware how many people may already have abused this exploit?
    korikisulda likes this.
  8.


    This is unknown at this moment in time. All files checked by luyten could potentially harbour code concealed in this manner. I will hasten to add that it's quite likely that none of them have this.
  9.


    None known, but as Kori was saying, it's impossible to know for sure until we have a valid detection methodology.
    korikisulda likes this.
  10. Kaelten korikisulda Well, thanks to both of you for your work and for working to crack down on this exploit.
    korikisulda likes this.
  11.


    It's good to see someone trying to work with Curse. ;)
    Zenexer, jthort, coldandtired and 3 others like this.
  12.


    Nice to see Curse working hard with DBO! :D

    Also, I wonder how long this has been around...
  13.


    errr... What would happen to a plugin that was originally about to be approved but if its not in a week then it gets deleted?
  14.


    We have no reason to believe this exploit was widely known. It appears that Kori's heads up to us was before any public knowledge.

    I hope that we'll have a fix in place before anything like that could be an issue, and if it does happen we'll make it right.
  15.


    So even JD-GUI is affected?
  16.


    To keep it simple, yes.
  17.


    JD-GUI is useless. It's easy (and I mean really easy) to fool it, and it often makes an absolute mess of decompiling. I recommend JAD, Krakatau, and JavaP. Although not necessarily all at the same time.
  18.


    Wouldn't a possible solution be to require source code to be provided, and to have the staff compile and upload the release .jar themselves?
  19.


    Yup, people are trying to hack Bukkit now, I wonder why? *sarcasm*
  20.


    Because files need to be decompiled to be approved, anyways, this could save quite a bit of work if this was a normal process, anyways.

    Send in source, have it looked over, and the released file is one looked over and compiled by the reviewer themselves. Shouldn't take too much work, for the standard project. I second this idea.

    This isn't a deficiency in Bukkit. Or, even, an attempt at hacking. Just a vulnerability that was noticed by someone, and reported. However, despite the slim chance of this vulnerability being capitalized upon by malicious developers, the DBO is shut down because, well, why take the chance?
    korikisulda likes this.
  21.


  22.


    Dang I know it sounds like I'm trying to steal your thunder but as this was posted I thought the same thing. However, I didn't post because (well, I'd assume) there is a large amount of files sent in a day so it would take a long time.
  23.


    The job that's never started is the one that takes the longest to finish ;)

    Goto_w detection tool

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: Jun 14, 2016
    thomasb454 likes this.
  24.


    This is actually a workflow (more or less) that we're working towards on the new platform.
  25.


    I'm sure lol768 would be happy to help you with workflow, he's great at that stuff.
    FerusGrim and korikisulda like this.
  26.


    So I guess the question is, how much of the current approved do we need to worry about?
  27.


    I highly doubt that anyone before him had done this, however that does not mean we will not be checking. We will let you know as soon as we have more information.
  28.


    None. There are only a few plugins out of those I've tested so far (4000 of roughly 18000) which contain the instruction, and in all cases it's because they contain class files so long that they need wide gotos. I can't absolutely say for certain, but I don't personally believe it's in any of them.

    *her xD

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: Jun 14, 2016
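A detector of the kind this thread describes, written here as an added example (it is neither korikisulda's tool nor Zeldo's site-wide scanner): it walks the bytecode of one method's Code attribute, reports every goto_w, and flags those whose offset would have fit a plain 16-bit goto, following the reasoning in the post above that a compiler only needs goto_w in very long methods. The bytecode sample is constructed; pulling the Code attribute out of a real class file is assumed to be done by a class-file parser and is outside this snippet.

```python
import struct

GOTO_W = 0xC8  # JVM opcode for the 32-bit-offset goto

# Byte lengths of multi-byte JVM instructions; anything absent is one byte.
FIXED_LEN = {0x10: 2, 0x11: 3, 0x12: 2, 0x13: 3, 0x14: 3, 0x84: 3, 0xA9: 2,
             0xB9: 5, 0xBA: 5, 0xBC: 2, 0xC5: 4, GOTO_W: 5, 0xC9: 5}
FIXED_LEN.update({op: 2 for op in range(0x15, 0x1A)})  # iload..aload
FIXED_LEN.update({op: 2 for op in range(0x36, 0x3B)})  # istore..astore
FIXED_LEN.update({op: 3 for op in range(0x99, 0xA9)})  # if*, goto, jsr
FIXED_LEN.update({op: 3 for op in (0xB2, 0xB3, 0xB4, 0xB5, 0xB6, 0xB7, 0xB8,
                                   0xBB, 0xBD, 0xC0, 0xC1, 0xC6, 0xC7)})

def instruction_length(code, pc):
    """Length in bytes of the instruction starting at offset pc."""
    op = code[pc]
    if op in (0xAA, 0xAB):                       # tableswitch / lookupswitch
        p = pc + 1
        p += (-p) % 4                            # operands are 4-byte aligned
        if op == 0xAA:
            low, high = struct.unpack_from(">ii", code, p + 4)
            return p + 12 + 4 * (high - low + 1) - pc
        npairs = struct.unpack_from(">i", code, p + 4)[0]
        return p + 8 + 8 * npairs - pc
    if op == 0xC4:                               # wide: 6 bytes for iinc, else 4
        return 6 if code[pc + 1] == 0x84 else 4
    return FIXED_LEN.get(op, 1)

def find_goto_w(code):
    """Return (pc, target, short_range) for each goto_w in a Code attribute's
    bytecode; short_range is True when a plain 16-bit goto would have sufficed."""
    findings = []
    pc = 0
    while pc < len(code):
        if code[pc] == GOTO_W:
            off = struct.unpack_from(">i", code, pc + 1)[0]
            findings.append((pc, pc + off, -32768 <= off <= 32767))
        pc += instruction_length(code, pc)
    return findings

# Constructed method body (not from any real plugin): iconst_0, a one-entry
# tableswitch, then a goto_w that skips a sipush before the final return.
SAMPLE = bytes([
    0x03, 0xAA, 0x00, 0x00,                          # 0: iconst_0; 1: tableswitch + pad
    0x00, 0x00, 0x00, 0x1B,                          # 4: default -> 1 + 27 = 28
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  # 8: low = 0; 12: high = 0
    0x00, 0x00, 0x00, 0x13,                          # 16: case 0 -> 1 + 19 = 20
    0xC8, 0x00, 0x00, 0x00, 0x08,                    # 20: goto_w +8 -> 28 (short range)
    0x11, 0x11, 0x22, 0xB1,                          # 25: sipush (skipped); 28: return
])
```

Run over every method of every class in a jar, a non-empty result with `short_range` set is what a reviewer would want to look at before approving the file.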
  29.


    You're insufferable chaseoes.
  30.


    Just so everyone knows Kori's work has made it possible for us to get a tool in place to audit files for the presence of these hidden code snippets. We're doing a retroactive scan currently before we start processing new files again.