This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

My server was hacked via ComputerCraft

Started by Colorado, 18 July 2014 - 10:15 PM
Colorado #1
Posted 19 July 2014 - 12:15 AM
Once upon a time, I came online to discover that my spawn was in ruins with lava and resonant energy everywhere. I noticed that someone had become an operator.

I soon sat this person down and asked them exactly how they achieved getting op on my server and they answered: ComputerCraft.

This seems like a legitimate reason, after all. I am afraid there is some kind of exploit, but I cannot slap the information out of the griefer anymore.



Does anyone know exactly how he has done this?
Do you also know how to prevent it?


Thank you for considering answering my questions. :]
Lyqyd #2
Posted 19 July 2014 - 01:04 AM
As far as I know, your griefer is full of crap. There's no way I can think of or know of that would allow that to happen. Unless you can get reproduction instructions out of him, you can count ComputerCraft off the list of things that would give someone op.

I'd be very interested to hear how he did it if that's actually what happened, though.
zacekjakub #3
Posted 19 July 2014 - 01:17 AM
What user is the server running on? If you run the server under root, we have the answer. :)
Lyqyd #4
Posted 19 July 2014 - 01:19 AM
Um, no. You'd still need a way to break out of the sandbox of ComputerCraft. The server being run as root (or not) would have no effect.
Cranium #5
Posted 19 July 2014 - 01:48 AM
If there was a command block connected to a computer, and the config was enabled in cc to allow command blocks, then - and only then - computercraft could give op to someone.
Lyqyd #6
Posted 19 July 2014 - 01:50 AM
That is still not possible, as command blocks cannot use the op command.
Cranium #7
Posted 19 July 2014 - 01:50 AM
I stand corrected then.
ds84182 #8
Posted 19 July 2014 - 01:51 AM
As far as I know, ComputerCraft has no access to the running Java Virtual Machine. Even the BIOS (which is supposed to be "trusted" code) is not presented with a full Lua environment for this very reason. I would suggest you tell us what ComputerCraft version you are using, and if possible, tell us the sha1 hash of your ComputerCraft jar. Even though it doesn't happen much, Minecraft mods downloaded from unofficial sources have been known to have modifications that do those types of things.
Anyways, I hope you find out how and why this griefer got OP and put a stop to it.
Imred Gemu #9
Posted 19 July 2014 - 05:13 AM
I agree with Lyqyd, I think your griefer is full of crap. Access to Java's reflection system via the Luaj api in Luaj is removed prior even to the bios being started. Either someone on your server with op gave op to the guy, or you have an unofficial copy of ComputerCraft. In either case I would recommend following suit with your server's policy on griefing; then delete the ComputerCraft mod on your server, and download and install the version of ComputerCraft that matches your server's Minecraft version from www.computercraft.info/.
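The jar check suggested in posts #8 and #9, as an added example that is not part of the original thread or of ComputerCraft: it hashes every mod archive in a `mods` directory with SHA-1 and compares it against a baseline you build from copies downloaded from the official source. The function names, file names and the baseline format are assumptions for illustration, and the sample files are constructed placeholders, not real mod builds.

```python
import hashlib
import tempfile
from pathlib import Path

def sha1_of(path, chunk=65536):
    """Stream a file through SHA-1 so large jars are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit_mods(mods_dir, baseline):
    """Compare every jar/zip in mods_dir against baseline {filename: sha1}.

    Returns filename lists: 'ok', 'modified', 'unknown' (on disk but not in
    the baseline) and 'missing' (in the baseline but not on disk).
    """
    report = {"ok": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for p in sorted(Path(mods_dir).iterdir()):
        if not p.is_file() or p.suffix.lower() not in (".jar", ".zip"):
            continue
        seen.add(p.name)
        expected = baseline.get(p.name)
        if expected is None:
            report["unknown"].append(p.name)
        elif sha1_of(p) == expected.lower():
            report["ok"].append(p.name)
        else:
            report["modified"].append(p.name)
    report["missing"] = sorted(set(baseline) - seen)
    return report

def demo():
    """Constructed sample: placeholder files standing in for mod archives."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        (d / "ComputerCraft.jar").write_bytes(b"official build bytes (constructed)")
        (d / "OtherMod.jar").write_bytes(b"other mod bytes (constructed)")
        baseline = {n: sha1_of(d / n) for n in ("ComputerCraft.jar", "OtherMod.jar")}
        baseline["Removed.jar"] = "0" * 40  # baseline entry with no file on disk
        # Simulate a swapped-in jar and an extra archive dropped into mods/.
        (d / "ComputerCraft.jar").write_bytes(b"repacked build bytes (constructed)")
        (d / "Extra.zip").write_bytes(b"unexpected file (constructed)")
        return audit_mods(d, baseline)

if __name__ == "__main__":
    print(demo())
```

A jar listed under `modified` or `unknown` is the case post #9 describes: replace it with a fresh download and re-run the audit.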
zacekjakub #10
Posted 20 July 2014 - 04:42 AM
I didn't try this, but Unix and Linux administration is my job and I could say all life and I am pretty sure there are many ways how to get out of the CC sandbox in system… If I got some time, I will try this and let you know if I will be successful or not. :)


Um, no. You'd still need a way to break out of the sandbox of ComputerCraft. The server being run as root (or not) would have no effect.
Lyqyd #11
Posted 20 July 2014 - 05:17 AM
Go for it. I doubt it will work, but would definitely be interested in reliable reproduction instructions if you succeed.
Colorado #12
Posted 26 July 2014 - 01:26 AM
Hey guys, sorry for such a delay, I was gone a long while. This little dude told me after a long time that he used some special packets that he crafted himself. Apparently, when you right click and open CraftOS on a computer, that opens the doors to unleash lots of special commands onto the command line or what have you.

Perhaps it would be possible to get this looked into?
theoriginalbit #13
Posted 26 July 2014 - 01:51 AM
The only packets that I could think of that would be sent is Minecraft's server/client sync packets for the redstone and door, as well as ComputerCraft's client/server sync packets for the computer input; however neither of these interact with the server console, nor does ComputerCraft ever output to the console. This still seems like he's messing with you.
Lyqyd #14
Posted 26 July 2014 - 01:52 AM
We'd love to look into it, but we'd still need reliable reproduction instructions, including packet dumps. This sounds an awful lot like a cockamamie story I heard a while back. What was the user's IGN, if you remember it?

To the best of my knowledge, there is nothing in the Java side of ComputerCraft (and I know there is nothing on the Lua side) that would be intended to support the existence of "special commands".
ardera #15
Posted 28 July 2014 - 04:00 PM
A long time ago a friend told me there are many bugs/exploits in CC, he also told me some of them, and some of them I experienced myself, so I wouldn't call ComputerCraft bug & exploit free. The mod maker is just a human too and it's completely normal that there are some bugs/exploits in ComputerCraft.
Lyqyd #16
Posted 28 July 2014 - 04:47 PM
If there are exploitable bugs, please provide reproduction instructions so that they may be fixed.
hilburn #17
Posted 28 July 2014 - 05:44 PM
Why not post them in the Bugs section then or give specifics rather than vaguely alluding to them?
Also - anything found "A long time ago" is likely long out of date, given the nature of updates to y'know, fix bugs.