
Exploit For Crashing Minecraft Servers Made Public

An anonymous reader writes "After nearly two years of waiting for Mojang to fix a security vulnerability that can be used to crash Minecraft servers, programmer Ammar Askar has released a proof of concept exploit for the flaw in the hopes that this will force them to do something about it. "Mojang is no longer a small indie company making a little indie game; their software is used by thousands of servers, and hundreds of thousands of people play on servers running their software at any given time. They have a responsibility to fix and properly work out problems like this," he noted." Here is Askar's own post on the exploit, and his frustration with the response he's gotten to disclosing it to the developers.

  1. And it's already fixed in 1.8.4 by Anonymous Coward · · Score: 3, Informative

    ... hours before this hit /.

    1. Re:And it's already fixed in 1.8.4 by tlhIngan · · Score: 4, Insightful

      Yes, but it took two whole years before the fix came out. And the fix was made within a day of the exploit being released.

      Yes, I can understand 90 days being a bit tight if you're talking fundamental software like operating systems (which require a lot of testing, staging, and you lose some to Patch Tuesday), especially since root causing and fixing can require a bit of time. But two years is a bit on the long side.

      More like the guy got ignored and once he released the code, the "OH SH*T" came out.

      This is one of those struggles between what's right and what's reasonable... 90 days is a bit quick for something big like an operating system where a change can break everything, but it's also on the long side for something that only breaks something really minor, like Minecraft.

    2. Re:And it's already fixed in 1.8.4 by cfc-12 · · Score: 5, Funny

      it's also on the long side for something that only breaks something really minor, like Minecraft.

      I invite you to spend 5 minutes alone with my 8 year old son at a time when he can't get Minecraft to work. Then tell me if you still think it's minor.

    3. Re:And it's already fixed in 1.8.4 by F.Ultra · · Score: 3, Funny

      He is 8, he is definitely a minor :)

    4. Re:And it's already fixed in 1.8.4 by 0bject · · Score: 4, Informative

      They can't really say they "weren't aware" when the original bug submitter's proof of concept exploit (that was provided to them) was not fixed by the "patch". That is at best extremely lazy testing.

    5. Re:And it's already fixed in 1.8.4 by Zero__Kelvin · · Score: 2

      "You cannot show the server will behave for all inputs."

      Someone should invent input sanitization!

      "Computer science is a bitch sometimes."

      You are anthropomorphizing CompSci, and then actually blaming it for your inadequacies.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  2. little late by Anonymous Coward · · Score: 5, Informative

    From TFA:
    Update: With the release of this full disclosure I have actually made contact with mojang and they are working to fix the issue. Apparently the initial fix they tried failed which indicates a lack of proper testing.

    Update 2: The exact problem that caused this bug to go unpatched has been identified. Mojang attempted to implement a fix for this problem; however, they did not test their fix against the proof of concept I provided, which still crashed the server perfectly fine. This, in combination with ignoring me when I asked for status updates twice, led me to believe that Mojang had attempted no fix. In retrospect, a final warning before this full disclosure more recently was probably in order. A combination of miscommunication and lack of testing led to this situation today; hopefully it can be a good learning experience.

    Update 3: This problem has been patched as of Minecraft version 1.8.4.

    https://mojang.com/2015/04/minecraft-1-8-4-security-release/

    I’m happy to see that multiple other security issues have also been fixed. Once again, I feel better communication would have easily alleviated this problem. Keeping me in the loop and not ignoring me, in addition to proper testing would have easily led to this exploit being fixed long ago.

    As usual, by the time news hits slashdot, it's not really news anymore. RIP Martin Lawrence.

  3. And fixed... by Wulfson · · Score: 2

    Addressed in vanilla by the 1.8.4 update: https://mojang.com/2015/04/min... And for the modded community, here's the Forge discussion: https://github.com/MinecraftFo...

  4. Re:Good by thedonger · · Score: 4, Funny

    Maybe people will stop playing this waste of bandwidth.

    If you can think of a better program with which to spend three hours digging then I'd like to hear it.

    --
    Help fight poverty: Punch a poor person.
  5. Re:Good by aardvarkjoe · · Score: 3, Insightful

    If you can think of a better program with which to spend three hours digging then I'd like to hear it.

    I'm going with Nethack. Although Dig Dug would be an obvious choice too.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  6. Re:May finally get servers updated... by PPalmgren · · Score: 4, Insightful

    Modders move quite slowly due to the frustrating architecture. 1.6 required a major overhaul to most mods, and 1.8 is being avoided like the plague for the same reason. There's also little incentive to upgrade, since the amount of content in the mods is orders of magnitude higher than vanilla; no one's going to switch off 60 mods in a modpack to get some horses and a biome.

  7. Re:May finally get servers updated... by SuricouRaven · · Score: 3, Informative

    Try some of the mods. The gameplay gets better - and the stability gets worse.

  8. Re:Good by MrTester · · Score: 4, Funny

    YOU don't like Minecraft?
    Why didn't anyone tell me!??!?!?!
    Now that I know that YOU don't like it I will stop playing it and make my kids stop playing it!
    I had NO idea it had been judged unworthy by YOU.
    I am so sorry. Obviously NO ONE should play a game YOU don't like.

    Clearly we both need to be back on our meds.

  9. I am completely unsurprised. by MostAwesomeDude · · Score: 3, Interesting

    I spent four damn years trying to have a dialog with Mojang and Bukkit about how to write good code and have a community that wants good code. The MC community literally does not want anybody participating if they have any sense of QA or planning for the future.

    Remember, these are people that wrote their own cryptographic transport *three times* and called it good after nobody could post an exploit for it within a week. MC is not even willing to use standard things like TLS.

    --
    ~ C.
  10. Re:Good by GoodNewsJimDotCom · · Score: 2

    Nethack? Angband is the superior choice for digging. If you think it's too easy, don't ever take upstairs again; the game is beatable (and adds a whole new couple of levels of fun and strategies).

    Boulderdash wasn't bad either for an early C64 game when I experienced it. There was something about the rising sun coming over the horizon in more complicated games than atari2600 could provide that just opened a young kid's mind.

  11. Re:"exploit" by Em+Adespoton · · Score: 3, Informative

    The guy has found a way to exploit the server code to cause denial of service via code complexity.

    Further to this, depending on how the complexity managed to cause the server to crash (as opposed to just using up all server resources decoding the nested elements), it may also be possible to use his exploit to gain remote code execution (RCE).

    But I haven't actually seen anything documenting a server crash -- just an exhaustion of resources, resulting in denial of service. If someone could document what actually happens on the server when this is run, that'd be useful for indicating if there's a possible RCE here or just a case of the server software using up all resources and grinding to a halt, with a possible out of resources exception thrown at the end, causing the server to exit gracefully.

  12. Re:Miscommunication by Sowelu · · Score: 2

    Okay, yeah, this guy is definitely a tool with a massive ego trip. He already seemed like a dick from the way he phrased his press releases, but insisting he's too important to use the bug tracker and instead he needs to talk to the devs personally? No.

  13. Re:Good by GoodNewsJimDotCom · · Score: 2

    Positive:

    You don't keep running back to town for a ton of arrows and selling stuff. That's just boring. If you're really trying, you might have even tried to check every time the elite object guy was selling. This was boring.

    No hovering next to stairs for easy escape which feels like cheating

    Identifying potions, equipment and mushrooms becomes a lot more fun. Um, I have no food left! I guess it's time to id the mushrooms and scrolls.

    Rules: Never take up stairs or recall. If you accidentally recall from id by reading, don't use the store or stairs; just recall back to where you were by buying a scroll (you should have enough gold). If you find down stairs, you don't need to take them until you're ready.

    Spoiler strategy:

    The only sane approach is Half Troll warrior. It sounds far fetched since they need to eat twice as much, but you need the brute strength for extra attacks to fight orcs and trolls before you have the Phial and enough food.

    Sell everything you have to buy food/light. You may want to keep your weapon. You may want to add to the challenge by saying no town even to start.

    You will want to clear the first 5-10 levels and just go down stairs without resting for wandering monsters.
    Once you're about 10-20, you need to figure out if you want to rest or go down in stairs.

    I go down in stairs if:
    I'm getting low on food, fresh levels are more likely to have food.
    There's a boss critter I can't handle. But going down in stairs makes it more challenging, so you might end up spiraling downstairs to a death condition because monsters are too tough.
    When light is low, I dive for more light. Remember to make your rest macro remove your light before you rest. If you're really detail oriented, have a light removal macro for when you enter rooms with light, but I find you don't need this. Light isn't as big a problem as food (but is a possible loss condition).
    The result is that sometimes you dive further than you want to just to get food/light or avoid a boss or situation. Then you need to be aware of monsters that paralyze or breathe things you can't resist. It feels great when you get a Phial, or pile up satisfy hunger scrolls.

    Now other classes can win! I especially started with the cleric/priest/druid or whatever gets a book of satisfy hunger, but I find that Morgoth needs to be whacked in melee, and the best melee is a fighter to do damage quickest. Also there's nothing more annoying than getting belted with a bunch of flames and your spell books all disappear and can't easily be restored. Play around, see what you can do.

    No up stairs Angband is a whole new game, one which actually has challenges you can't exploit your way around. I'd say it's one of the best games of all time, but few people even know about it. Make sure you get a version with autosquelch so the end levels don't slow you down sorting through trash on the floor.

  14. Re:I like it... by Rei · · Score: 4, Interesting

    I once coded for a game, Eternal Lands, where I discovered a major security bug. The game had a feature where if a person said a URL, it would turn into a clickable link. This was opened via a popen call. No input sanitization. A.k.a. vulnerable to injection. A person who simply speaks a malicious URL and makes it look like something interesting to click (hiding the insertion command in the path) could run it on anyone's computer who clicks to open the link.

    Big problem. Simple fix. But try as I might, I couldn't get them to let me fix it. They were fine with me writing a whole new special effects graphics system for them, but one simple input sanitization, noooo, the popen works, let's not mess with it and possibly "introduce a bug"! Eventually it took me writing a sample command on the forum that would make a file in the user's home directory (which anyone who knows anything about unix commands could make far more malicious) by clicking on the URL. Suddenly they let me patch the system immediately (and deleted the forum thread... I don't blame them).

    I didn't want to have to resort to that. But I didn't want a potentially dangerous exploit sitting in the system.

    I never got approval to fix all of the other potential exploits in their system. Their networking protocol was terrible. I only ever saw the client code, but there was literally zero authentication that the server was who they said they were and that packets weren't malformed. Their entire security model was "let's initiate a TCP connection to a hard-coded IP and unconditionally trust everything that we receive". I can't imagine what their server code is like. But they wouldn't even let me add in trivial bounds checking to make sure that the packets weren't oversized - the most minimal of sanity checking.

    The fear of changes breaking stuff often leads developers to neglect security. Changes to improve gameplay or graphics? Of course, our users will love it! Changes to the protocol? Nonono, the protocol is working, why risk breaking it?

    The short of it? Don't have too much faith that that MMORPG you're playing isn't hackable in a way that could be nasty to your system.

    --
    *Kid Rock runs for Senate* Democrats: We must run Kid Scissors.
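The URL-opening bug in the comment above, shown the way a defender would rewrite it. This is an added example, not Eternal Lands code; it assumes an external opener named `xdg-open` and that the client runs on a POSIX system.

```c
/* Added example (not Eternal Lands code): open a chat URL without a shell.
 * The original pattern was roughly popen("xdg-open " + url): the shell
 * parses the URL, so metacharacters in it become commands. The fix is
 * two-fold: reject anything that is not an http(s) URL, and pass the URL
 * as one argv element so no shell ever sees it. */
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check: scheme must be http:// or https://, length is capped,
 * and every byte must be a character RFC 3986 permits in a URL.
 * Shell-significant bytes such as ';' '&' '$' are legal in URLs; that is
 * exactly why the launcher below avoids the shell instead of trying to
 * strip them. Returns 1 if acceptable, 0 otherwise. */
int url_is_safe(const char *url)
{
    static const char allowed_extra[] = "-._~:/?#[]@!$&'()*+,;=%";
    if (url == NULL)
        return 0;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    if (strlen(url) > 2048)          /* arbitrary cap: constructed limit */
        return 0;
    for (const unsigned char *p = (const unsigned char *)url; *p; p++) {
        if (!isalnum(*p) && strchr(allowed_extra, (char)*p) == NULL)
            return 0;
    }
    return 1;
}

/* Launch the opener with a fixed argv. Returns the opener's exit status,
 * or -1 if the URL was rejected or the child could not be started. */
int open_url(const char *url)
{
    if (!url_is_safe(url))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "xdg-open", (char *)url, NULL };
        execvp(argv[0], argv);       /* no shell involved */
        _exit(127);                  /* opener not installed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```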
  15. Not such a big deal by Time_Ngler · · Score: 2

    It's just a DoS attack. It shouldn't really even be called an exploit; no information is gathered, nothing is lost.