Skip to main content

Minecraft vulnerability allows users to crash servers remotely [UPDATE]

A security flaw discovered in Minecraft's code that could give perpetrators the ability to crash servers remotely has been fixed via a patch by Mojang.


Update: Mojang has released an update to Minecraft patch 1.8, listed as version 1.8.4, and it is available now. It fixes reported security issues, in addition to some other minor bug fixes and performance tweaks.

The update is fully compatible with all previous 1.8 versions, and the developer "highly recommends" users update to 1.8.4 as soon as possible.

Original Story

The vulnerability exploits the client's privilege to send data to the server about the game's inventory slots. The client then overloads the server with complex packets. The flaw was discovered by programmer Ammar Askar.

His blog post goes over the details of how he discovered it and shows a simple proof of concept. The process is relatively easy for users to replicate. In this case, he created a list and named it "rekt". This list has five levels of lists within lists.

"The root of the object, rekt, contains 300 lists. Each list has a list with 10 sublists, and each of those sublists has 10 of their own, up until 5 levels of recursion. That’s a total of 10^5 * 300 = 30,000,000 lists," said Askar. "And this isn't even the theoretical maximum for this attack. Just the nbt data for this payload is 26.6 megabytes. But luckily Minecraft implements a way to compress large packets, lucky us! zlib shrinks down our evil data to a mere 39 kilobytes."

The server will then try to parse that information into NBT - a Minecraft format designed to save data within files - and will have to create "several million java objects including ArrayLists" which consumes its memory, increases CPU load, and eventually crash it.

Askar adds that the vulnerability can be found in the most recent Minecraft version and almost all previous ones.

"Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands [of] people play on servers running their software at any given time.

"They have a responsibility to fix and properly work out problems like this. In addition, it should be noted that giving condescending responses to white hats who are responsibly disclosing vulnerabilities and trying to improve a product they enjoy is a sure fire way to get developers dis-interested the next time they come across a bug like this."

Mojang told Askar following the revelation that it's working on a fix.

Thanks, Ars Technica.

Read this next