
Public exploit crashes Minecraft servers


Reefa


The exploit publication comes two years after Askar attempted, through five 'ignored' emails, to disclose the flaw in version 1.6.2 to Minecraft developer Mojang.

Parent company Microsoft has been contacted for comment.

"... two major versions and dozens of minor versions and a critical vulnerability that allows you to crash any server, and starve the actual machines of CPU and memory was allowed to exist," Askar says.

"Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands people play on servers running their software at any given time.

"... it should be noted that giving condescending responses to white hats (hackers) who are responsibly disclosing vulnerabilities and trying to improve a product they enjoy is a sure fire way to get (sic) developers disinterested the next time they come across a bug like this."

Askar's flaw works in part because clients are allowed to send servers information about certain game item slots. When paired with the NBT JSON-like metadata format, this allows attackers to easily craft a packet that is "incredibly complex" for the server to deserialise.

Mojang moved to patch the flaw after Askar's exploit drop but failed, leaving it still exposed.

This is despite the fact that the fix "isn’t exactly that hard", according to the hacker, who told Mojang two years ago that the Minecraft client should never send a data structure as complex as NBT of arbitrary size without at least implementing recursion and size limits.

http://www.theregister.co.uk/2015/04/17/working_exploit_published_to_crash_minecraft_servers/
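The "recursion and size limits" the article mentions, shown as an added example (not code from the post, from Askar or from Mojang): a minimal NBT decoder that refuses input nested too deeply, containing too many tags, or declaring lengths larger than the bytes received. The limit values and all names are assumptions of this sketch; it covers tag types 1 to 11 and decodes strings as plain UTF-8.

```python
import struct

MAX_DEPTH = 16      # assumed limit for this sketch, not a value from Mojang
MAX_TAGS = 10_000   # assumed budget of tags decoded per packet
FIXED = {1: ">b", 2: ">h", 3: ">i", 4: ">q", 5: ">f", 6: ">d"}  # scalar tags

class NBTLimitError(ValueError):
    """Input is malformed or exceeds a configured limit."""

class BoundedNBTReader:
    def __init__(self, data, max_depth=MAX_DEPTH, max_tags=MAX_TAGS):
        self.data, self.pos = data, 0
        self.max_depth, self.tags_left = max_depth, max_tags

    def _take(self, n):
        if n < 0 or self.pos + n > len(self.data):  # never trust a length field
            raise NBTLimitError("length field exceeds packet size")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def _num(self, fmt):
        return struct.unpack(fmt, self._take(struct.calcsize(fmt)))[0]

    def _payload(self, tag, depth):
        self.tags_left -= 1
        if self.tags_left < 0 or depth > self.max_depth:
            raise NBTLimitError("tag budget or nesting depth exceeded")
        if tag in FIXED:
            return self._num(FIXED[tag])
        if tag in (7, 11):   # byte array / int array, returned as raw bytes
            n = self._num(">i")
            return self._take(n if tag == 7 else 4 * n)
        if tag == 8:         # string: unsigned 16-bit length, then bytes
            return self._take(self._num(">H")).decode("utf-8", "replace")
        if tag == 9:         # list: element type, count, then payloads
            elem, count = self._num(">B"), self._num(">i")
            return [self._payload(elem, depth + 1) for _ in range(count)]
        if tag == 10:        # compound: named tags until TAG_End (0)
            out = {}
            while (t := self._num(">B")) != 0:
                name = self._payload(8, depth + 1)
                out[name] = self._payload(t, depth + 1)
            return out
        raise NBTLimitError(f"unsupported tag type {tag}")

def parse_nbt(data, **limits):
    reader = BoundedNBTReader(data, **limits)
    tag = reader._num(">B")
    return reader._payload(8, 0), reader._payload(tag, 0)
```

Both limits are enforced while decoding, so a list that declares a huge element count is rejected as soon as the bytes or the tag budget run out rather than after allocation.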

