{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/logdos/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PocketMine-MP"],"_cs_severities":["high"],"_cs_tags":["minecraft","logdos","pocketmine-mp","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["PocketMine"],"content_html":"\u003cp\u003eA denial-of-service vulnerability affects PocketMine-MP servers due to insufficient validation of the \u003ccode\u003eLoginPacket\u003c/code\u003e. An attacker can exploit this by sending a specially crafted packet containing a large or complex JSON structure within the \u003ccode\u003eclientData\u003c/code\u003e JWT body's unknown properties. The PocketMine-MP server, versions prior to 5.4.1, processes this malformed data, generating excessively long log messages. This excessive logging consumes significant CPU resources and memory, and can ultimately lead to a crash due to the server attempting to serialize the large, offending data structure for logging. The issue stems from the JsonMapper instance being configured to warn instead of reject unexpected properties, which, while intended to accommodate changes from Microsoft, creates an exploitable vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a custom Minecraft client.\u003c/li\u003e\n\u003cli\u003eThe client generates a \u003ccode\u003eLoginPacket\u003c/code\u003e to initiate a connection with the PocketMine-MP server.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003eLoginPacket\u003c/code\u003e, the \u003ccode\u003eclientData\u003c/code\u003e field contains a JWT body.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a custom, unexpected JSON property (e.g., \u0026quot;invalid_key\u0026quot;) into the JWT body of the \u003ccode\u003eclientData\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe value of the \u0026quot;invalid_key\u0026quot; is set to a large or complex object, such as a deeply nested array or an array with millions of elements.\u003c/li\u003e\n\u003cli\u003eThe server receives the \u003ccode\u003eLoginPacket\u003c/code\u003e and processes the \u003ccode\u003eclientData\u003c/code\u003e JWT.\u003c/li\u003e\n\u003cli\u003eThe server's JsonMapper encounters the unexpected \u0026quot;invalid_key\u0026quot; property.\u003c/li\u003e\n\u003cli\u003eThe server's \u003ccode\u003ewarnUndefinedJsonPropertyHandler\u003c/code\u003e attempts to serialize and log the large object value, leading to excessive resource consumption, and eventually an Out-of-Memory crash.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition on the PocketMine-MP server. The excessive logging can rapidly consume disk space and CPU resources, degrading server performance for legitimate users. In severe cases, the server may crash entirely due to memory exhaustion. This vulnerability affects PocketMine-MP servers exposed to public networks where unauthorized actors can send malicious login packets. The number of potential victims is any server running a vulnerable PocketMine-MP version (\u0026lt; 5.4.1) accessible to the public internet.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PocketMine-MP to version 5.4.1 or later to apply the patch that removes the vulnerable \u003ccode\u003evar_export\u003c/code\u003e and limits the logged property name length (reference: Patches section).\u003c/li\u003e\n\u003cli\u003eImplement a plugin that handles the \u003ccode\u003eDataPacketReceiveEvent\u003c/code\u003e to inspect \u003ccode\u003eLoginPacket\u003c/code\u003e data and use JsonMapper to reject packets with unusual properties. This will prevent the processing of malicious packets (reference: Workarounds section).\u003c/li\u003e\n\u003cli\u003eMonitor server logs for unusually long messages or repeated warnings about undefined JSON properties within clientData. This can be an indicator of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect connection attempts with unusually large client data in the login packet.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-pocketmine-logdos/","summary":"Attackers can cause a denial-of-service on PocketMine-MP servers by sending a crafted Minecraft LoginPacket containing large or complex structures in the clientData JWT body, leading to excessive logging and potential server crashes.","title":"PocketMine-MP LogDoS via Malformed Login Packet","url":"https://feed.craftedsignal.io/briefs/2024-01-pocketmine-logdos/"}],"language":"en","title":"CraftedSignal Threat Feed - Logdos","version":"https://jsonfeed.org/version/1.1"}