Public exploit crashes Minecraft servers

Hacker claims Mojang ignored disclosures for two years

8 Reg comments Got Tips?

A huffy hacker has published detailed steps for anyone to pull off an 'easy' Minecraft exploit capable of causing servers to crash.

Developer Ammar Askar dropped the hack which allows attackers to send malformed packets that can crash Minecraft servers by exhausting its memory.

The exploit publication comes two years after Askar attempted, through through five 'ignored' emails, to disclose the flaw in version 1.6.2 to Minecraft developer Mojang.

Parent company Microsoft has been contacted for comment.

"... two major versions and dozens of minor versions and a critical vulnerability that allows you to crash any server, and starve the actual machines of CPU and memory was allowed to exist," Askar says.

"Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands people play on servers running their software at any given time.

"... it should be noted that giving condescending responses to white hats (hackers) who are responsibly disclosing vulnerabilities and trying to improve a product they enjoy is a sure fire way to get (sic) developers disinterested the next time they come across a bug like this."

Askar's flaw works in part because clients are allowed to send servers information about certain game item slots. When paired with the NBT JSON-like metadata format allows attackers to easily craft a packet that is "incredibly complex" for the server to deserialise.

Mojang moved to patch the flaw after Askar's exploit drop but failed, leaving it still exposed.

This is despite that the fix "isn’t exactly that hard" according to the hacker who told Mojang two years ago that the Minecraft client should never send a data structure as complex as NBT of arbitrary size without at least implementing recursion and size limits. ®


Biting the hand that feeds IT © 1998–2020