BungeeCord Vulnerabilities
One of the most dangerous BungeeCord vulnerabilities is the exploit
known as BungeeHack. It occurs when a Minecraft network using
BungeeCord is misconfigured, allowing attackers to reach the backend
servers (the individual game-mode servers) directly instead of going
through the main proxy. If these servers are not adequately protected
by a firewall or security plugins, an attacker can connect straight to
the backend and spoof their identity to gain elevated permissions such
as administrator.
"If you wish to use IP forwarding..."
When a player attempts to connect directly to a backend server on a
BungeeCord network, the server returns the message "If you want to use
IP forwarding, please also enable it in your BungeeCord settings."
This occurs because the backend is configured to accept connections
only through the BungeeCord proxy, which adds extra information to the
handshake: the player's username, UUID, real IP address, and other
data. When this information is missing or malformed, the server
rejects the connection. If no further security measures are in place,
however, this check alone is easily bypassed.
How to use the "BungeeHack" exploit
Attackers can exploit the BungeeHack vulnerability in several ways to
bypass the BungeeCord proxy and connect directly to the backend
server.
- Modifying the handshake:
Use modified clients to replicate the handshake process that the
BungeeCord proxy performs. These simulate the additional data that
the proxy normally sends, such as the player's username, UUID, and
IP address. By mimicking this behavior, attackers can trick the
backend server into accepting the connection as if it came through
the proxy.
- Creating a local proxy:
Another approach involves setting up a local proxy that emulates a
legitimate BungeeCord proxy. The attacker configures this proxy to
forward connections to the backend server while injecting the
necessary handshake data. This local proxy acts as a bridge,
enabling the attacker to bypass the main BungeeCord proxy entirely
and access the backend server directly. In MCPTool, the proxy command sets up a local Velocity server
that redirects to the specified backend server.
UUID Spoofing
On servers with IP forwarding enabled, player data is taken from the
forwarded handshake during the connection process. This makes it
possible to manipulate the player's UUID (unique identifier) and enter
the server with a modified UUID, which can be used for spoofing.
You can do this using the proxy command and, within Minecraft, using
the /uuid command.
Server Command
The /server command is enabled by default in BungeeCord's
configuration, which can pose a significant security risk. Attackers can
join the network using an administrator's username and, once inside,
use the /server command to move to another backend server, bypassing
the authentication system and effectively evading the login process.
How to protect servers
To protect the servers, it is crucial to close the ports of the
backend servers so that they cannot be reached directly via
IP:port; this prevents attackers from connecting to the backends
without going through the proxy. On Linux systems, tools such as ufw
or iptables can be used to close these ports so that the network is
reachable only through the proxy port (25565). If your server runs on
a machine where you cannot control the ports, such as a VPS, you can
use plugins on the backend servers, like SafeNET, to limit access and
protect them from unauthorized connections.
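As an added example (not from this page or from MCPTool), the following Python script audits the port-closing advice above: it reads the backend addresses from a BungeeCord config.yml, compares them with the machine's listening sockets as printed by `ss -ltn`, and prints iptables rules that let only the proxy host reach any backend port that is still exposed. The config and `ss` output are constructed samples, and the proxy host defaulting to 127.0.0.1 is an assumption.

```python
import re

# Constructed sample of a BungeeCord config.yml; only the `servers:` block matters here.
BUNGEE_CONFIG = """\
servers:
  lobby:
    address: localhost:25566
  survival:
    address: 127.0.0.1:25567
"""

# Constructed sample of `ss -ltn` output on the machine running the proxy and the backends.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       50      0.0.0.0:25565       0.0.0.0:*
LISTEN  0       50      0.0.0.0:25566       0.0.0.0:*
LISTEN  0       50      127.0.0.1:25567     0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

def backend_ports(config_text):
    """Ports of every backend in the BungeeCord config (`address:` is only used under `servers:`)."""
    return {int(p) for p in re.findall(r"^\s+address:\s*\S+?:(\d+)\s*$", config_text, re.M)}

def listening_sockets(ss_text):
    """Map listening port -> bound address, parsed from `ss -ltn` output (header row skipped)."""
    bound = {}
    for line in ss_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:
            addr, _, port = fields[3].rpartition(":")
            bound[int(port)] = addr
    return bound

def exposed_backends(config_text, ss_text):
    """Backend ports bound on a non-loopback address, i.e. reachable without going through the proxy."""
    bound = listening_sockets(ss_text)
    return sorted(p for p in backend_ports(config_text) if p in bound and bound[p] not in LOOPBACK)

def iptables_rules(ports, proxy_host="127.0.0.1"):
    """Rules that let only the proxy host (assumed 127.0.0.1) reach each exposed backend port."""
    return [cmd for p in ports for cmd in (
        f"iptables -A INPUT -p tcp --dport {p} -s {proxy_host} -j ACCEPT",
        f"iptables -A INPUT -p tcp --dport {p} -j DROP")]

if __name__ == "__main__":
    exposed = exposed_backends(BUNGEE_CONFIG, SS_OUTPUT)   # -> [25566]
    print("backend ports reachable directly:", exposed)
    print("\n".join(iptables_rules(exposed)))
```

The same check can be run against a real host by replacing the two constructed samples with the contents of config.yml and the output of `ss -ltn`.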
It is also essential to remove permissions for the /server command in the proxy configuration.