<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PocketMine-MP - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/pocketmine-mp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/pocketmine-mp/feed.xml" rel="self" type="application/rss+xml"/><item><title>PocketMine-MP LogDoS via Malformed Login Packet</title><link>https://feed.craftedsignal.io/briefs/2024-01-pocketmine-logdos/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-pocketmine-logdos/</guid><description>Attackers can cause a denial-of-service on PocketMine-MP servers by sending a crafted Minecraft LoginPacket containing large or complex structures in the clientData JWT body, leading to excessive logging and potential server crashes.</description><content:encoded><![CDATA[<p>A denial-of-service vulnerability affects PocketMine-MP servers due to insufficient validation of the <code>LoginPacket</code>. An attacker can exploit this by sending a specially crafted packet containing a large or complex JSON structure within the <code>clientData</code> JWT body's unknown properties. The PocketMine-MP server, versions prior to 5.4.1, processes this malformed data, generating excessively long log messages. This excessive logging consumes significant CPU resources and memory, and can ultimately lead to a crash due to the server attempting to serialize the large, offending data structure for logging. The issue stems from the JsonMapper instance being configured to warn instead of reject unexpected properties, which, while intended to accommodate changes from Microsoft, creates an exploitable vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a custom Minecraft client.</li>
<li>The client generates a <code>LoginPacket</code> to initiate a connection with the PocketMine-MP server.</li>
<li>Within the <code>LoginPacket</code>, the <code>clientData</code> field contains a JWT body.</li>
<li>The attacker injects a custom, unexpected JSON property (e.g., &quot;invalid_key&quot;) into the JWT body of the <code>clientData</code>.</li>
<li>The value of the &quot;invalid_key&quot; is set to a large or complex object, such as a deeply nested array or an array with millions of elements.</li>
<li>The server receives the <code>LoginPacket</code> and processes the <code>clientData</code> JWT.</li>
<li>The server's JsonMapper encounters the unexpected &quot;invalid_key&quot; property.</li>
<li>The server's <code>warnUndefinedJsonPropertyHandler</code> attempts to serialize and log the large object value, leading to excessive resource consumption, and eventually an Out-of-Memory crash.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in a denial-of-service condition on the PocketMine-MP server. The excessive logging can rapidly consume disk space and CPU resources, degrading server performance for legitimate users. In severe cases, the server may crash entirely due to memory exhaustion. This vulnerability affects PocketMine-MP servers exposed to public networks where unauthorized actors can send malicious login packets. The number of potential victims is any server running a vulnerable PocketMine-MP version (&lt; 5.4.1) accessible to the public internet.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade PocketMine-MP to version 5.4.1 or later to apply the patch that removes the vulnerable <code>var_export</code> and limits the logged property name length (reference: Patches section).</li>
<li>Implement a plugin that handles the <code>DataPacketReceiveEvent</code> to inspect <code>LoginPacket</code> data and use JsonMapper to reject packets with unusual properties. This will prevent the processing of malicious packets (reference: Workarounds section).</li>
<li>Monitor server logs for unusually long messages or repeated warnings about undefined JSON properties within clientData. This can be an indicator of exploitation attempts.</li>
<li>Deploy the provided Sigma rule to detect connection attempts with unusually large client data in the login packet.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>minecraft</category><category>logdos</category><category>pocketmine-mp</category><category>denial-of-service</category></item><item><title>PocketMine-MP ModalFormResponsePacket Denial-of-Service</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-pocketmine-dos/</link><pubDate>Tue, 02 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-pocketmine-dos/</guid><description>A vulnerability in PocketMine-MP servers allows an attacker to cause a denial-of-service by sending a malformed ModalFormResponsePacket containing an excessively large JSON payload, impacting server performance and availability.</description><content:encoded><![CDATA[<p>PocketMine-MP, a popular server software for Minecraft: Bedrock Edition, is susceptible to a denial-of-service (DoS) vulnerability due to insufficient validation of <code>ModalFormResponsePacket</code> data. An attacker can exploit this by sending a crafted packet containing an extremely large JSON payload within the <code>formData</code> field. This causes the server to consume excessive CPU and memory resources while attempting to parse the oversized JSON, potentially leading to unresponsiveness or complete server failure. The vulnerability affects PocketMine-MP servers running versions prior to 5.39.2. Exploitation requires a player to establish a full session on the server. The issue was patched with size limitations on form responses (cef1088341e40ee7a6fa079bca47a84f3524d877) and preventing decoding of responses with invalid form IDs (f983f4f66d5e72d7a07109c8175799ab0ee771d5).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker connects to a vulnerable PocketMine-MP server as a legitimate player.</li>
<li>The attacker establishes a full session by spawning into the game world.</li>
<li>The attacker crafts a <code>ModalFormResponsePacket</code> using a modified client or packet-sending script.</li>
<li>The <code>formId</code> field in the packet is set to an invalid or non-existent form ID (e.g., 9999).</li>
<li>The <code>formData</code> field is populated with an extremely large JSON array (e.g., 10+ MB payload, such as <code>[0,0,0,...]</code>).</li>
<li>The attacker sends the crafted <code>ModalFormResponsePacket</code> to the server.</li>
<li>The server receives the packet and attempts to parse the oversized JSON payload in the <code>formData</code> field, despite the invalid <code>formId</code>.</li>
<li>The server consumes excessive CPU and memory resources during JSON parsing, leading to performance degradation or a complete freeze, resulting in a denial-of-service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in a denial-of-service condition on the affected PocketMine-MP server. The server becomes unresponsive, preventing legitimate players from connecting or continuing their gameplay. The number of affected users depends on the server's player capacity. Unpatched servers are vulnerable to resource exhaustion attacks that can severely impact the game experience and potentially require a server restart. All sectors relying on public Minecraft: Bedrock Edition servers are potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade PocketMine-MP servers to version 5.39.2 or later to apply the patches that address the vulnerability (cef1088341e40ee7a6fa079bca47a84f3524d877 and f983f4f66d5e72d7a07109c8175799ab0ee771d5).</li>
<li>Implement rate limiting on <code>ModalFormResponsePacket</code> processing to mitigate the impact of large packet floods (network_connection).</li>
<li>Deploy the Sigma rule provided below to detect suspicious <code>ModalFormResponsePacket</code> sizes indicative of exploitation attempts (network_connection).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>pocketmine-mp</category><category>denial-of-service</category><category>minecraft</category></item></channel></rss>