Slashdot Mirror
Exploit For Crashing Minecraft Servers Made Public
An anonymous reader writes "After nearly two years of waiting for Mojang to fix a security vulnerability that can be used to crash Minecraft servers, programmer Ammar Askar has released a proof of concept exploit for the flaw in the hopes that this will force them to do something about it. "Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands people play on servers running their software at any given time. They have a responsibility to fix and properly work out problems like this," he noted." Here is Askar's own post on the exploit, and his frustration with the response he's gotten to disclosing it to the developers.
... hours before this hit /.
It's like the beloved classic '42.zip'; but can be delivered directly over the minecraft server protocol and will be naively parsed by the server, no social engineering required... Never trust the client.
There are tons of servers running relatively ancient versions at this point due to massive amounts of custom mods (Herocraft and places like that). It sounds like they're screwed now unless they get caught up to the current version.
From TFA:
Update: With the release of this full disclosure I have actually made contact with mojang and they are working to fix the issue. Apparently the initial fix they tried failed which indicates a lack of proper testing.
Update 2: The exact problem that caused this bug to go unpatched has been identified. Mojang attempted to implement a fix for this problem, however they did not test their fix against the proof of concept I provided, which still crashed the server perfectly fine. This, in combination with ignoring me when I asked for status updates twice led me to believe that Mojang had attempted no fix. In retrospect, a final warning before this full disclosure more recently was propbably in order. A combination of mis-communication and lack of testing led to this situation today, hopefully it can be a good learning experience.
Update 3: This problem has been patched as of minecraft version 1.8.4
https://mojang.com/2015/04/minecraft-1-8-4-security-release/
I’m happy to see that multiple other security issues have also been fixed. Once again, I feel better communication would have easily alleviated this problem. Keeping me in the loop and not ignoring me, in addition to proper testing would have easily led to this exploit being fixed long ago.
As usual, by the time news hits slashdot, it's not really news anymore. RIP Martin Lawrence.
Addressed in vanilla by the 1.8.4 update: https://mojang.com/2015/04/min... And for the modded community, here's the Forge discussion: https://github.com/MinecraftFo...
Maybe people will stop playing this waste of bandwidth.
If you can think of a better program with which to spend three hours digging then I'd like to hear it.
Help fight poverty: Punch a poor person.
No worries about that. Slashdot will be around for quite a while.
If you can think of a better program with which to spend three hours digging then I'd like to hear it.
I'm going with Nethack. Although Dig Dug would be an obvious choice too.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
Translation:
"I don't like this game therefore everyone else who plays it is wrong and the game should cease to exist ASAP"
If you want to comment, please do so more constructively for everyone's sake.
Please provide a list of games, the playing of which will please you, oh exalted one.
systemd is Roko's Basilisk.
YOU don't like Minecraft?
Why didn't anyone tell me!??!?!?!
Now that I know that YOU don't like it I will stop playing it and make my kids stop playing it!
I had NO idea it had been judged unworthy by YOU.
I am so sorry. Obviously NO ONE should play a game YOU don't like.
Clearly we both need to be back on our meds.
Apparently you don't.
Kobalt Digging Shovel and Kobalt Fiberglass Pick Mattock are my favorites for digging.
Support my political activism on Patreon.
Both parties admit that it could have been handled better.
I specifically asked Nathan Adams (Dinnerbone) about it on Twitter; he said that it would've been handled better if the exploit was logged with the bug tracker to begin with, instead of trying to talk directly to people.
Kobalt Digging Shovel and Kobalt Fiberglass Pick Mattock are my favorites for digging.
Is there an Android port available yet?
Help fight poverty: Punch a poor person.
I spent four damn years trying to have a dialog with Mojang and Bukkit about how to write good code and have a community that wants good code. The MC community literally does not want anybody participating if they have any sense of QA or planning for the future.
Remember, these are people that wrote their own cryptographic transport *three times* and called it good after nobody could post an exploit for it within a week. MC is not even willing to use standard things like TLS.
~ C.
Although Dig Dug would be an obvious choice too.
And Mr. Do. But the open world of Minecraft offers near unmatched digging-based time wasting without the added stress of increasing level difficulty. And the possibility of finding shiny blue diamonds...Oh my, I do believe I'm a tad flush.
Help fight poverty: Punch a poor person.
Nethack? Angband is the superior choice for digging. If you think its too easy, don't ever take upstairs again, the game is beatable(and adds a whole new couple levels of fun and strategies).
Boulderdash wasn't bad either for an early C64 game when I experienced it. There was something about the rising sun coming over the horizon in more complicated games than atari2600 could provide that just opened a young kid's mind.
God spoke to me
Duct tape your phone to the shovel.
Support my political activism on Patreon.
The guy has found a way to exploit the server code to cause denial of service via code complexity.
Further to this, depending on how the complexity managed to cause the server to crash (as opposed to just using up all server resources decoding the nested elements), it may also be possible to use his exploit to gain remote code execution (RCE).
But I haven't actually seen anything documenting a server crash -- just an exhaustion of resources, resulting in denial of service. If someone could document what actually happens on the server when this is run, that'd be useful for indicating if there's a possible RCE here or just a case of the server software using up all resources and grinding to a halt, with a possible out of resources exception thrown at the end, causing the server to exit gracefully.
Hm. That actually was my problem with Angband. Too easy, too farmable. I'll have to give that a shot...though I suspect it's going to be a lot of long, boring running around in circles trying to get that ring of fire resistance before I hit whatever depth will kill me without it. And you thought stair scumming was boring...
Terraria is a pretty fun digging sim, though not 3D.
Friends don't let friends put Turing complete languages in communication protocols.
This cannot be fixed in general. The behavior of a Turing complete language executor is formally undecidable over all inputs.
Minecraft (and X.509 certs and HTML 5.0 and SQL and, and, and...) all need to switch to non Turing complete languages if they are to have the option of secureable implementations.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Positive:
You don't keep running back to town for a ton of arrows and selling stuff. That's just boring. If you're really trying, you might have even tried to check every time the elite object guy was selling. This was boring.
No hovering next to stairs for easy escape which feels like cheating
Identifying potions, equipment and mushrooms becomes a lot more fun. Um, I have no food left! I guess its time to id the mushrooms and scrolls
Rules: Never take up stairs or recall. If you accidentally recall from id by reading, don't use the store or stairs, just recall back to where you were by buying a scroll( you should have enough gold). If you find down stairs, you don't need to take them until you're ready.
Spoiler strategy:
The only sane approach is Half Troll warrior. It sounds far fetched since they need to eat twice as mutch, but you need the brute strength for extra attacks to fight orcs and trolls before you have: Phial and enough food.
Sell everything you have to buy food/light. You may want to keep your weapon. You may want to add to the challenge by saying no town even to start.
You will want to clear the first 5-10 levels and just go down stairs without resting for wandering monsters.
Once you're about 10-20, you need to figure out if you want to rest or go down in stairs.
I go down in stairs if:
I'm getting low on food, fresh levels are more likely to have food.
There's a boss critter I can't handle. But going down in stairs makes it more challenging, so you might end up spiraling downstairs to a death condition because monsters are too tough.
When light is low, I dive for more light. Remember to make your rest macro remove your light before you rest. If you're really detail oriented, have a light removal macro when you enter rooms with light, but I find you don't need this. Light isn't as big as a problem as food(but is a possible loss condition)
The results is sometimes you dive further than you want to just to get food/light or avoid a boss or situation. Then you need to be aware of monsters that paralyze or breath you can't resist. It feels great when you get a Phial, or pile up satisfy hunger scrolls.
Now other classes can win! I especially started with the cleric/priest/druid or whatever gets a book of satisfy hunger, but I find that Morgoth needs to be whacked in melee, and the best melee is a fighter to do damage quickest. Also there's nothing more annoying than getting belted with a bunch of flames and your spell books all disappear and can't easily be restored. Play around, see what you can do.
No up stairs Angband is a whole new game, one which actually has challenges you can't exploit your way around. I'd say its one of the best games of all time, but few people even know about it. Make sure you get a version with autosquelch so the end levels don't slow you down sorting through trash on the floor.
God spoke to me
But Mr. Do! has shiny blue diamonds too!
Eclipse. Visual Studio. Code Blocks. Dev-C++. BlueFish. NASM. gdb. Vi(m). Emacs. Pico/Nano. cat & sed... need more?
Running a server out of memory can cause game world corruption if it happens at a bad time.
Quite annoying and could cause rollbacks to backups and such... bleh
It's just a DOS attack. Shouldn't really even be called an exploit, no information is gathered, nothing is lost.
+1 agree ;)
"A mind reader? That sounds like sci fi." "Honey, we live on a space ship"
I count this under developer arrogance. There we, the quality and security minded people, hand developers all the information they need to fix a flaw and they outright reject it. The Mojangs could not even be bothered testing their 'fix' just ONCE using the example provided to them!! Sadly, they are not alone. How many times did I report bugs, get the note that it was 'fixed', then find out that absolutely nothing changed (best case) or that it is now worse than before? Way too many times. Dear developers, we, the QA folks, are there to have your back. We are there to keep you from pulling all nighters to fix that important issue that crept up in the release branch. In 90% of the cases we pointed you to that very same flaw during development, but you poo-pooed it as a non-issue and marked it as 'won't fix'. Dear developers, give the QA and security folks more credit. We do know what we are talking about, many of us do this stuff for decades having one ear on the customer's side and one ear on the design and development side. We know what is going to work out for users. Stop ignoring us!
So... it doesn't have the code design to exit gracefully. This means it's not just open to game world corruption, but memory and DB corruption -- which hints at the possibility of an in-memory or on-disk exploit. In order to prep such an exploit, you'd likely have to have a client logged in already and performing a specific function when you hit it with the attack.