Someone claims to be able to hack a server with computercraft

I've been playing on a server with ComputerCraft. Someone keeps saying they are able to run commands without op permissions using computercraft. I'm no expert and I have no clue if what they are claiming would work. I just want to know if it's at all possible that someone could run admin commands using ComputerCraft. Also, is it possible to install mods to the server using this? They apparently can do that too.

I'm very skeptical, but I wanted an expert opinion.

These things have been claimed quite a few times, but none of the claimants have ever provided substantial proof. The architecture of Minecraft and ComputerCraft make such claims unlikely to be true.

Command computers can do everything command blocks can do, but players must already have Op permissions to access their interface.

it is possible its a creative server (im sure what server it is and its enabled on there) and it has the config option for command block wrapping on. Some things will work but usually commands such as /ban,/kick etc. Doesnt work on there (also permission plugins dont allow it) But thats pretty much the only way. What server are you on?

You must be an Op to get command blocks, even in creative mode.

Lyqyd, on 16 November 2016 - 06:59 PM said:

You must be an Op to get command blocks, even in creative mode.

An attacker would surely use some kind of mod which allows you to spawn any items with any nbt data, which could include spawning an item with the ID, this kind of attack allowed a force-op in vanilla MC 1.8 by spawning a sign or book with a specific nbt tag.

The only attack of the sort I've seen was in OpenComputers, where you could change a disk drive's nbt to point where on the physical file system this drive is located, by putting "..", someone can do a directory traversal and access the host's filesystem from an OC computer.

I believe the only nbt tag on CC's computers is for storing it's label, and even though you could spawn and place a command computer, you can't write code in it without being op in the first place.

If you have a creative server, someone could place a normal computer, and cheat in a command-blocks beside the computer, wrap it and execute op commands, easy fix: Don't enable command-blocks to be wrappable in CC's config, which is disabled by default.

Anavrins, on 17 November 2016 - 12:51 AM said:

Lyqyd, on 16 November 2016 - 06:59 PM said:

You must be an Op to get command blocks, even in creative mode.

An attacker would surely use some kind of mod which allows you to spawn any items with any nbt data, which could include spawning an item with the ID, this kind of attack allowed a force-op in vanilla MC 1.8 by spawning a sign or book with a specific nbt tag.

The only attack of the sort I've seen was in OpenComputers, where you could change a disk drive's nbt to point where on the physical file system this drive is located, by putting "..", someone can do a directory traversal and access the host's filesystem from an OC computer.

I believe the only nbt tag on CC's computers is for storing it's label, and even though you could spawn and place a command computer, you can't write code in it without being op in the first place.

If you have a creative server, someone could place a normal computer, and cheat in a command-blocks beside the computer, wrap it and execute op commands, easy fix: Don't enable command-blocks to be wrappable in CC's config, which is disabled by default.

How exactly would you cheat in command blocks? Command blocks are not allowed in the Creative menu, but instead, they require a command to spawn in, requiring certain permissions from the server/permission plugin.

Additionally, command blocks are by default disabled. The probability overall of the owner of the server to enable it is quite low. If it does, however, happen that they are enabled, most of the time sensitive commands will not be allowed in a Command Block, whether it be intentionally blocked or blocked because of insufficient permissions.

Twijn, on 17 November 2016 - 01:57 AM said:

How exactly would you cheat in command blocks? Command blocks are not allowed in the Creative menu, but instead, they require a command to spawn in, requiring certain permissions from the server/permission plugin.
Additionally, command blocks are by default disabled. The probability overall of the owner of the server to enable it is quite low. If it does, however, happen that they are enabled, most of the time sensitive commands will not be allowed in a Command Block, whether it be intentionally blocked or blocked because of insufficient permissions.

As I said, there are mods that can achieve that by exploiting a mechanism in the game's protocol, I believe there's no protection against this server-side until vanilla MC 1.8.5.

http://wiki.vg/Protocol#Creative_Inventory_Action

Clicking in the creative inventory menu is quite different from non-creative inventory management. Picking up an item with the mouse actually deletes the item from the server, and placing an item into a slot or dropping it out of the inventory actually tells the server to create the item from scratch.

This means that you can have a mod that simulate having any item ID on your cursor, then once replaced in the inventory, will send a packet saying you have that item in your inventory.

Anavrins, on 17 November 2016 - 12:51 AM said:

Lyqyd, on 16 November 2016 - 06:59 PM said:

You must be an Op to get command blocks, even in creative mode.

I believe the only nbt tag on CC's computers is for storing it's label, and even though you could spawn and place a command computer, you can't write code in it without being op in the first place.
If you have a creative server, someone could place a normal computer, and cheat in a command-blocks beside the computer, wrap it and execute op commands, easy fix: Don't enable command-blocks to be wrappable in CC's config, which is disabled by default.

Nbt is used to store id on pocket computers, so it would be fairly trivial to get a pocket comp and command comp with the same id. Also, if you were to spawn in a command computer block (in your inventory) with a damage value, then the damage value will directly relate to the id the computer has when placed. Don't actually know if damage value can be adjusted by mod in creative, though I'd be surprised if it couldn't be.

Honestly the only way to be safe on a creative CC server is to not have command blocks enabled at all. Once you get a computer with the same id as a command computer it is fairly simple to run anything you want on it.

I did extensive research into this at one time and the answer is MAYBE. At the time I was able to load malicious bitcode in and crash and even corrupt a server however since this isn't true Lua(Java Lua is completely different in terms of bitcode) I was unable to actually run malicious code that would've allowed me to break outside the Lua environment. Meaning he can destroy the server but not run admin commands or access files. The admins/mods/developer didn't really care about my segfault exploit so I doubt it ever got patched. This all being said there is another exploit which can rear it's head depending on your computercraft version/mods/or how the CC Rom files have been changed. This exploit allows running any code on any other given computer with the only limit being that your exploit ran before their computer turned on. If this was used to remote access a command computer then he can access admin commands and depending on plugins installed that could include server files as well. Also as people have mentioned previously if they have a way to spawn items or change NBT data on items then that's another way they can exploit into command computers. Beyond all of this I would say doubtful at best. If there was some other way to break Computercraft I swear I probably would've found it :P/>/>

Regarding the wrapping of command blocks as a peripheral; the trick there is that you don't even need to be able to generate a command block to do it - if a server op places one somewhere a regular player can reach it, that's enough to allow that player to run their own commands through it (though as has been mentioned, this is assuming command blocks are enabled as CC peripherals in the server config - and by default they're not).

Command Computers are trickier. Players with direct access can shut them down, start them up, or reboot them, but unless they have some manner with which to generate blocks with custom NBT tags they can't change the code that's on them.

It is possible to control Command Computers via certain peripherals, though this hinges on the computer being programmed to accept the input from them. For example, these two scripts are designed to allow regular users to use Command Computers to generate custom books / banners via external monitors.