Share This article
It turns out that for the past two years, you could crash a Minecraft server pretty easily. A security researcher published the exploit Thursday and said he first discovered it in version 1.6.2 back in July 2013, which is almost two years ago. He claims Mojang ignored him and did nothing to fix the problem, despite his repeated attempts at following standard protocol and contacting the company in private.
“This vulnerability exists on almost all previous and current minecraft versions as of 1.8.3; the packets used as attack vectors are the 0x08: Block Placement Packet and 0x10: Creative Inventory Action,” Ammar Askar wrote. The exploit takes advantage of the way a Minecraft server decompresses and parses data, and causes it to generate “several million Java objects including ArrayLists,” running out of memory and pegging CPU load in the process.
“The fix for this vulnerability isn’t exactly that hard, [as] the client should never really send a data structure as complex as NBT of arbitrary size and if it must, some form of recursion and size limits should be implemented. These were the fixes that I recommended to Mojang 2 years ago.” Askar posted a proof of concept of the exploit to GitHub that he says has been tested with Python 2.7. Askar has since updated his blog post twice after finally making contact with Mojang. What he says essentially confirms that the company either didn’t test a claimed fix against his proof of concept, or lied about having one in the first place.
Today, it looks like Mojang has responded (at least indirectly) to the post with a patch. The company announced today that it is releasing version 1.8.4: “This release fixes a few reported security issues, in addition to some other minor bug fixes & performance tweaks.”
The release notes make no direct mention of the exploit Askar wrote about, and comments are closed on the post. But notably, two of the fixes listed are Bug MC-79079, “Malicious clients can force a server to freeze,” and Bug MC-79612, “Malicious clients can force a server to go out memory [sic]:”
At the time of this writing, Askar has yet to update his blog post a third time acknowledging the patch and/or commenting on whether it fixes the exploit.
Back in September, Microsoft announced it was buying Mojang for $2.5 billion, with company founder Notch moving on something new. The game is available on all major platforms, including PC, Mac, PS3, PS4, Xbox 360, Xbox One, iOS, Android, Windows Phone, and Amazon Kindle Fire.