PSA: Magix Plugin

Discussion in 'Community News and Announcements' started by Jadedcat, Oct 21, 2014.

Thread Status:
Not open for further replies.
  1.
    Recently a plugin named Magix was uploaded to the site. This plugin had an exploit in it wherein an image file was used to add extra javascript beyond the code in the plugin itself. That could allow for arbitrary opping on a server. Multiple reviews of the project by our staff failed to catch it, and for that mistake we're very sorry.

    We have adapted our review process to look for this kind of exploit in the future. Unfortunately no matter how well we review plugins people will try and find new creative ways to add malicious content.

    The plugin has been removed and the author banned.

    If you downloaded and are using Magix, please remove it from your server.

    Again we apologize for missing the exploit when checking the code.
  2.
    Understandable, you guys can't catch everything. But thank you for removing the plugin.
    exalented, Skyost and Jadedcat like this.
  3.
  4.
  5.
    thanks for the info
  6.
    Good thing everyone is already transitioning away from Bukkit so this can only happen for a little while longer.
  7.
    Being a human-powered process, it's inherently prone to failures. I'm glad you understand that these things are mistakes and have been made in the past, and I'd honestly be surprised if it will be the last time.

    All we can do is learn and improve by it, and try to ensure that people know of the miss so they can take action to protect themselves.
    DHLF, DrPyroCupcake and frogman6102 like this.
  8.
    I'm sure this will happen again at some point, in a different form. Nonetheless, good catch!

    Alright, I'm sleep deprived, bear with me on this horrible post below.

    I recently found that plugins can act in some strange ways.
    One of which I made, was a python interpreter, that, with some commands, would let the user edit and run python directly in the server through the chat, which was fun to test and play with. I was going to add in an API for minecraft, but gave up before 1.3.2 came out. Anyway, hopefully I gave you guys some ideas on how quirky plugins can be with exploits.

    Disclaimer: I will not release my code, publicly or privately. I do not intend to be the cause of a catastrophe.
  9.
    Truth to be told, while I did appreciate the speed at which the new curse administration was approving plugins, I had my doubts about the quality. But I'm glad to see that it's been improved.

    I also think it's quite silly for people to say "ono BukkitDev isn't safe anymore everyone delete your accounts." Personally I think that it's fueled by the lack of faith in general in anything to do with Minecraft that many players have. Think about it. Every time some big change has happened to anything to do with Minecraft, people have been hitting their gongs, foretelling the doom of the game altogether.

    All I'm saying is take what people say about this with a grain of salt.
    Kaelten likes this.
  10.
    Is there any update on this? It seems fairly obvious that this was simply a test for security, and not meant in any actual malicious way. To be honest, did this plugin even need a PSA? It was just uploaded today, and as far as I'm aware, didn't have very many downloads.
    korikisulda likes this.
  11.
    I wasn't aware of that at the time, the security test part. He stays banned. If we had requested a security test he wouldn't, but we didn't.

    And yes, if we find we have let through a plugin with a major issue like this we are going to announce it regardless of amount of time.
    FerusGrim likes this.
  12.
    Thanks for the clarification. :)
  13.
    Please don’t make it out as if this is action Curse has taken to protect the community. Staff had to be informed by the author that the plugin was malicious, should be deleted and that the account should be banned before any action was taken. Even then, the plugin remained available for a good few hours despite staff being told by the *author* that it was malicious:


    Server admins and Curse staff are very fortunate that the author who uploaded this did so only to see whether it could be done before informing Curse of the mistake that had been made and server admins the risks associated with using the platform. It seems incredibly likely that if the author hadn't informed Curse himself or posted about the issue on reddit, the plugin would still be being downloaded.

    And these creative ways of writing malicious code always come with warning signs. Warning signs that should've been looked into further.

    Make no mistake: this is damage control because the author posted about the issue on reddit.
  14.
    I wasn't aware of the reddit post until it was posted here, but it's hard to prove a negative. I am sorry you feel it's damage control.

    I didn't realize until I saw the reddit post that it was the author reporting his own project. The team discussed the report, but we don't really pay attention to who makes the report, just the contents of the report and if the report can be verified. He did not mention he was the author. I for one have too much to do to stalk reddit. I pop into the FTB one from time to time, but that's about it.

    If we didn't pull it and announce it people would claim we were hiding stuff. Because we did pull it once we located the reported issue, and we apologized and announced it, it's "damage control". That's a "catch-22". *shrug*

    It is very easy to say "I would have seen the issue", when 1.) You know there's an issue and 2.) The author told you what the issue is. You weren't given the code without warning and expected to find the exploit. You were given the code on reddit and told "There's an exploit, right here".

    Short of having found an obscure and well hidden exploit that was apparently created with the sole intent of hiding from staff review, there's really not much we can do except apologize, learn from the mistake and move on. Nothing we say is going to convince you we are human and doing the best we can.
    DHLF and Inscrutable like this.
  15.
    Clearly, you need more attentive and conscious "humans".

    Maybe you should pay more attention, given you are the "staff" of Bukkit. Some staff alright.... Not even looking into reports or saying you have too much to do than to actually do your job.

    Nice one Jadedcat....Maybe the retired staff left for a reason.

  16.
    Why should WHO makes the report matter? Every report is equally important and who makes it doesn't have anything to do with the content of the report. The content is my job. Not the who.
    The point is, without us comparing the report author name to the mod author name found on a different page it is not immediately obvious the author is the one that made the report.

    And sorry, unfortunately I don't get paid to browse reddit. You seem to not understand what the job is. I am not too busy to do my job. My job keeps me too busy to have time for Reddit.
    DrPyroCupcake and Skyost like this.
  17.
    If I had requested a security audit, I'd have gotten one. "But wait, they're mandatory in real society!", you might say. Well, you're damn right. This was mandatory. ;)
    Novustorious, korikisulda and rbrick like this.
  18.
    Personally, I would've made him honorary member of the website for (hopefully) waking you up, and asked him to teach you a few tips and tricks.

    If he really did upload it four times and you missed it, it sounds like you need it.
    No excessive amounts of criticism or offense towards you.
  19.
    Apologies - that was unnecessarily harsh. I'm glad this is being discussed publicly.

    You're correct in saying the code has been handed to us as an example of something malicious. Would I look at it and know it contained a backdoor if the author hadn't told me first? Absolutely not. I don't think anyone would realize that after looking at it for the first time.

    But I do think parts of the code would've concerned me. Most plugins are a lot simpler - I'd be asking myself some of the questions I talked about here. I feel pretty confident that I'd have dug deeper and asked for an opinion from another staff member if I couldn't see the issue myself.

    Malicious developers are going to design their plugins specifically to try and avoid staff detection. They'll want their plugin on as many servers as possible in order to maximize their attack. I completely agree that this is an opportunity to learn from the issue but my concern right now is that a team of 3 (sorry, not sure if you yourself review files/which of the Curse staff do) or at least a team substantially smaller than the old team are able to provide much faster approvals. It suggests to me that files aren't being reviewed as thoroughly and this incident only supports this belief.

    I'd suggest looking into in order to try and help anyone who has managed to download the plugin and not seen this announcement.
    korikisulda, DSH105, rbrick and 8 others like this.
  20.
    Regardless of the argument above, this seems well reasoned enough to me. I think that we may all be placing a bit more of our ire on Curse than is deserved. In this whole situation that's put the Bukkit project where it is today, Curse has done nothing more than step in and try to fill a role that was abandoned (whether that abandonment was for good cause, or not).

    If anyone is to blame for this situation, Curse is the least likely to receive the honor.

    EDIT: Regardless of whether or not the issue should have been caught, Curse is not trying to hide the fact that they made a mistake. It's obvious they did. Whether or not this is damage control, I'm not sure how else they could have handled the situation. It makes more sense to just let them learn from this mistake, and move on.
  21.
    We appreciate it. There's a lot of expectations placed on the team here, and many of the times we're left with multiple bad choices. We just do what we believe is best.

    We're not trying to excuse ourselves for missing it, but we did. Now we're again, just trying to do what we think is best after the fact on it.

    Every file is reviewed by a person. We could be disingenuous by injecting artificial wait times before we process files. I've thought that over, and while it'd make some people feel better I feel it'd be a disservice in other ways.

    This is a learning process, and we're constantly improving.
  22. timtower (Administrator, Moderator)

    Kaelten I am already glad that somebody is trying to catch the malicious plugins. That you let a couple slip is just more proof that you are also just human, can't blame you for that :p
    The best thing of this all ( in my opinion at least ) is that you guys aren't trying to hide it that you made a mistake.
    jthort, MisterErwin, Jadedcat and 2 others like this.
  23.
    I'm not trying to dispute whether or not files are checked by humans - my concern is more so how they are checked, how thoroughly they are checked and to what extent a much faster approval time compromises the safety of the review process. Can you at least see where I'm coming from?

    Artificial delays do nothing to improve the reliability and safety of the review process and instead contribute to a false sense of security. More time checking files by investigating potentially concerning code (such as strange use of reflection, execution of code retrieved from an image file), discussing code amongst staff should it appear suspicious, thoroughly investigating reports and the authors of reports relating to potentially malicious projects all mean an increase in approval times but I am confident will improve the security of the process.

    With regards to the Server Mods API (still returning items despite the project deletion), is this something that can be looked into? It seems like a simple action that could be taken to protect users who have inadvertently downloaded the plugin since the actual payload of the plugin tries to disable itself if it detects the project's files have been removed.
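    The post above lists the code patterns a reviewer should stop on: unusual reflection, and code that pulls a payload out of an image file and executes it. The script below is an added illustration of a first-pass static triage for exactly those red flags; it is not BukkitDev tooling and not anything the thread's staff described using. It does a raw byte scan of each `.class` entry for JVM internal names rather than a proper constant-pool parse, and it treats the combination "image resource in the JAR + a class that decodes images + the same class can turn bytes into code" as the Magix-style pattern. The indicator strings (e.g. `javax/script/ScriptEngine` as the JavaScript route, `javax/imageio/ImageIO` for image decoding) are my assumptions about how such a plugin would be built; the sample JARs are constructed in memory and contain no real bytecode.

```python
"""Added example: static triage of a plugin JAR for reviewer red flags
(reflection, script engines, image decoding, dynamic class loading).
Raw byte scan of .class entries, not a constant-pool parser: hits are
prompts for a human to read the class, not verdicts."""

import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".bmp")

# Indicator strings as they appear in class-file constant pools (JVM internal
# names use '/' separators). Chosen for this example; extend to taste.
INDICATORS = {
    "reflection":    [b"java/lang/reflect/Method", b"forName", b"getDeclaredMethod"],
    "script-engine": [b"javax/script/ScriptEngine", b"jdk/nashorn", b"org/mozilla/javascript"],
    "image-decode":  [b"javax/imageio/ImageIO", b"java/awt/image/BufferedImage"],
    "remote-fetch":  [b"java/net/URL", b"java/net/HttpURLConnection"],
    "dynamic-load":  [b"java/lang/ClassLoader", b"defineClass", b"java/net/URLClassLoader"],
}
# Categories that let a class execute bytes it obtained from somewhere else.
EXECUTION_CATEGORIES = {"script-engine", "dynamic-load"}


def scan_class_bytes(data):
    """Return the set of indicator categories whose strings appear in one class."""
    return {cat for cat, needles in INDICATORS.items() if any(n in data for n in needles)}


def scan_jar(jar_bytes):
    """Scan every entry of an in-memory JAR and summarise what a reviewer should look at."""
    findings = {}
    image_resources = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.lower().endswith(IMAGE_SUFFIXES):
                image_resources.append(name)
                continue
            if not name.endswith(".class"):
                continue
            data = jar.read(name)
            if not data.startswith(CLASS_MAGIC):
                # A .class entry that is not a class file is itself worth a look.
                findings[name] = {"malformed-class"}
                continue
            categories = scan_class_bytes(data)
            if categories:
                findings[name] = categories
    # Magix-style pattern: an image ships inside the JAR, one class decodes
    # images, and that same class can also turn bytes into executable code.
    image_payload_pattern = bool(image_resources) and any(
        "image-decode" in cats and (cats & EXECUTION_CATEGORIES)
        for cats in findings.values()
    )
    return {
        "findings": findings,
        "image_resources": image_resources,
        "image_payload_pattern": image_payload_pattern,
    }


def build_sample_jar(suspicious):
    """Constructed in-memory JAR for demonstration only; the .class entries are
    fake (magic number plus indicator strings), not compiled bytecode."""
    buf = io.BytesIO()
    header = CLASS_MAGIC + b"\x00\x00\x00\x34"  # magic + fake version bytes
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("plugin.yml", "name: SamplePlugin\nmain: sample.Main\n")
        jar.writestr("sample/Main.class",
                     header + b"org/bukkit/plugin/java/JavaPlugin" + b"org/bukkit/event/Listener")
        if suspicious:
            jar.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
            jar.writestr("sample/Loader.class",
                         header + b"getResourceAsStream" + b"javax/imageio/ImageIO"
                         + b"javax/script/ScriptEngine" + b"eval")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("benign", False), ("suspicious", True)):
        report = scan_jar(build_sample_jar(flag))
        print(label, "->", "ESCALATE" if report["image_payload_pattern"] else "no image-payload pattern")
        for cls, cats in sorted(report["findings"].items()):
            print("  ", cls, sorted(cats))
```

    Run it on a real JAR with `scan_jar(open("plugin.jar", "rb").read())`. The point of the combined check, rather than alarming on reflection alone, is that many legitimate plugins use reflection or load an icon; it is the chain (bundled image, decoder, and an execution path in one class) that should send the file to a second reviewer, as the post above suggests.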
  24.
    I completely understand your concerns and where you're coming from. I agree about the artificial delays doing nothing in reality. Which is why we don't do them even though it'd save us a lot of headaches in discussions.

    As far as the api returning values for the file, I'm talking to the engineers to get a patch for that.
    lol768 likes this.
  25.
    This does appear to be fixed now, thanks.
    Kaelten and CaptainBern like this.
  26.

    Jadedcat I have the feeling that you are claiming that you guys "discovered" it and saved the day. Also, as for claiming to have no knowledge about the Reddit post, well, you guys surely don't communicate then. I honestly just have the feeling that after the reddit post was created and you guys noticed that it had/has quite an impact that you just decided to quickly create your own PSA. Don't get me wrong, it's good that you guys communicated this to the community but this whole thread has been handled wrong.

    First of all, the message; this guy (RocooTheRocoo or something?) has put more work in creating his PSA and providing the required evidence (without him owing the community anything) and you guys basically just went with a response written in less than 5 minutes, with less than 1 minute of research.

    It's basically his word against yours but he has proof where you don't have anything but a poorly written message.
    korikisulda, DSH105, Anrza and 3 others like this.
  27.
    I said I wasn't aware of it. I didn't see the report until after the author was banned, at which point I admit I did not read the whole thing, just marked it as resolved since the situation had been taken care of. Edit: Went back and checked and I couldn't have seen it, because the ban system apparently removed the further comments.

    He has proof he created a malicious plugin that slipped past the code review. That's proving a positive. It's proving something exists. Proving a negative, that I don't spend time on reddit and wasn't aware of the thread, is much harder to do. I can't even prove whether or not a staff member saw the rest of the author's comments on the report before or after the problem was found, or if they saw them at all. And even if I had absolute proof people would still say it's a cover-up.

    Covering up what? We made a mistake. We admitted the mistake. We learned from the mistake. Even if a member of the team had seen the reddit thread, me wanting to warn the community still wouldn't be anything more than our responsibility. The fact that this PSA is less informative than the one on reddit should tell you I didn't see it, or I would have just copied the info. And if you search twitter, and the FTB forums, you will find I have a history of taking responsibility for mistakes and making PSAs and apologizing. I personally believe mistakes require acknowledgment when they affect other people. I told the team I was going to make the announcement. Do we communicate? Yes. Do we share every detail of everything? No. All I needed to know was a major exploit was found, and what the exploit was. How it was discovered, and how the mistake was made are a manager's job. The manager then figures out what we need to do to prevent it happening again and tells the team.

    Maybe it's the military background, but I never understood sticking my nose in other people's job responsibilities unless I'm the manager. (Which I am not) In the future I'll try and make sure I know more about what's been going on when I am asleep.
    DHLF and Acharige like this.
  28.
    69/69 will read again ;3.
  29.
    Shouldn't this only occur if the "remove all comments" checkbox is explicitly ticked on the page by the staff member placing the ban?

    Edit: I only ask since I'm not sure as to the reasoning behind the use of said option - did the author spam the site or something?
  30.
    Yes. And no one will be using that option in the future for anything other than spam. I've used the system a lot and I didn't realize it deleted report comments too. (I didn't handle this one) Then again I can't think of any time where the author was the reporter either.