BungeeHack
The exploit known as BungeeHack occurs when a Minecraft network that
uses BungeeCord is misconfigured, allowing attackers to access backend
servers (the individual game modes) directly, without going through the
main proxy. If these servers are not adequately protected by a firewall
or security plugins, an attacker can connect directly to the backend and
spoof their identity to gain elevated permissions such as administrator.
"If you wish to use IP forwarding..."
When a player attempts to connect directly to a backend server on a
BungeeCord network, the server returns the message "If you want to use
IP forwarding, please also enable it in your BungeeCord settings."
This occurs because the backend is configured to receive connections
only through the BungeeCord proxy, which sends additional information
in the handshake that establishes the player's username, UUID, real
IP, and other data. When a connection arrives without this information,
the server rejects it.
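A defender-side check for the misconfiguration described above, added here as an example (it is not MCPTool or BungeeCord code): it reads a backend's `spigot.yml` and `server.properties` and reports when a server that accepts identity data from the handshake is bound to an address other hosts can reach. The file contents are constructed samples and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample files for one backend server (not from a real network).
SPIGOT_YML = "settings:\n  bungeecord: true\n  restart-on-crash: true\n"
SERVER_PROPERTIES = "online-mode=false\nserver-ip=\nserver-port=25566\n"

# Loopback and RFC 1918 ranges: not routable from the internet.
LOOPBACK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_properties(text):
    """Parse key=value lines of server.properties, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def forwarding_enabled(spigot_yml):
    """True if spigot.yml has an indented 'bungeecord: true' (line match, no YAML library)."""
    return re.search(r"^[ \t]+bungeecord:[ \t]*true[ \t]*$", spigot_yml, re.M | re.I) is not None


def audit_backend(spigot_yml, server_properties):
    """Return findings for a backend that accepts identity data from the handshake."""
    if not forwarding_enabled(spigot_yml):
        return []  # backend does not trust forwarded identity; nothing to check here
    bind = parse_properties(server_properties).get("server-ip", "")
    if not bind:
        return ["server-ip is empty: the backend listens on every interface"]
    try:
        addr = ipaddress.ip_address(bind)
    except ValueError:
        return [f"server-ip '{bind}' is not a literal IP address: review it by hand"]
    if any(addr in net for net in LOOPBACK):
        return []  # only processes on the same host (the proxy) can connect
    if any(addr in net for net in PRIVATE):
        return [f"server-ip {bind} is private: firewall the port to the proxy's address"]
    return [f"server-ip {bind} is publicly routable: players can reach the backend directly"]


if __name__ == "__main__":
    for finding in audit_backend(SPIGOT_YML, SERVER_PROPERTIES):
        print("FINDING:", finding)
```

The check reads configuration only and cannot see firewall rules, so a backend flagged for listening on every interface may still be protected by a rule that admits only the proxy's address.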
How to use the exploit
Attackers can exploit the BungeeHack vulnerability in several ways to
bypass the BungeeCord proxy and connect directly to the backend
server.
- Modifying the handshake:
Attackers use modified clients that replicate the handshake process
the BungeeCord proxy performs. These clients simulate the additional
data that the proxy normally sends, such as the player's username,
UUID, and IP address. By mimicking this behavior, attackers can trick
the backend server into accepting the connection as if it came
through the proxy.
- Creating a local proxy:
Another approach involves setting up a local proxy that emulates a
legitimate BungeeCord proxy. The attacker configures this proxy to
forward connections to the backend server while injecting the
necessary handshake data. This local proxy acts as a bridge,
enabling the attacker to bypass the main BungeeCord proxy entirely
and access the backend server directly.
In MCPTool, the proxy command sets up a local Velocity
server that redirects to the specified backend server.