Slashdot Mirror

← Back to Stories (view on slashdot.org)

Exploit For Crashing Minecraft Servers Made Public

Posted by timothy on from the hey-fellas-door's-unlocked dept.

An anonymous reader writes "After nearly two years of waiting for Mojang to fix a security vulnerability that can be used to crash Minecraft servers, programmer Ammar Askar has released a proof of concept exploit for the flaw in the hopes that this will force them to do something about it. "Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands people play on servers running their software at any given time. They have a responsibility to fix and properly work out problems like this," he noted." Here is Askar's own post on the exploit, and his frustration with the response he's gotten to disclosing it to the developers.

5 of 118 comments (clear)

  1. And it's already fixed in 1.8.4 by Anonymous Coward · · Score: 3, Informative

    ... hours before this hit /.

    1. Re:And it's already fixed in 1.8.4 by 0bject · · Score: 4, Informative

      They can't really say they "weren't aware" when the original bug submitter's proof of concept exploit (that was provided to them) was not fixed by the "patch". That is at best extremely lazy testing.

  2. little late by Anonymous Coward · · Score: 5, Informative

    From TFA:
    Update: With the release of this full disclosure I have actually made contact with mojang and they are working to fix the issue. Apparently the initial fix they tried failed which indicates a lack of proper testing.

    Update 2: The exact problem that caused this bug to go unpatched has been identified. Mojang attempted to implement a fix for this problem, however they did not test their fix against the proof of concept I provided, which still crashed the server perfectly fine. This, in combination with ignoring me when I asked for status updates twice led me to believe that Mojang had attempted no fix. In retrospect, a final warning before this full disclosure more recently was propbably in order. A combination of mis-communication and lack of testing led to this situation today, hopefully it can be a good learning experience.

    Update 3: This problem has been patched as of minecraft version 1.8.4

    https://mojang.com/2015/04/minecraft-1-8-4-security-release/

    I’m happy to see that multiple other security issues have also been fixed. Once again, I feel better communication would have easily alleviated this problem. Keeping me in the loop and not ignoring me, in addition to proper testing would have easily led to this exploit being fixed long ago.

    As usual, by the time news hits slashdot, it's not really news anymore. RIP Martin Lawrence.

  3. Re:May finally get servers updated... by SuricouRaven · · Score: 3, Informative

    Try some of the mods. The gameplay gets better - and the stability gets worse.

  4. Re:"exploit" by Em+Adespoton · · Score: 3, Informative

    The guy has found a way to exploit the server code to cause denial of service via code complexity.

    Further to this, depending on how the complexity managed to cause the server to crash (as opposed to just using up all server resources decoding the nested elements), it may also be possible to use his exploit to gain remote code execution (RCE).

    But I haven't actually seen anything documenting a server crash -- just an exhaustion of resources, resulting in denial of service. If someone could document what actually happens on the server when this is run, that'd be useful for indicating if there's a possible RCE here or just a case of the server software using up all resources and grinding to a halt, with a possible out of resources exception thrown at the end, causing the server to exit gracefully.