<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Logdos - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/logdos/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/logdos/feed.xml" rel="self" type="application/rss+xml"/><item><title>PocketMine-MP LogDoS via Malformed Login Packet</title><link>https://feed.craftedsignal.io/briefs/2024-01-pocketmine-logdos/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-pocketmine-logdos/</guid><description>Attackers can cause a denial-of-service on PocketMine-MP servers by sending a crafted Minecraft LoginPacket containing large or complex structures in the clientData JWT body, leading to excessive logging and potential server crashes.</description><content:encoded><![CDATA[<p>A denial-of-service vulnerability affects PocketMine-MP servers due to insufficient validation of the <code>LoginPacket</code>. An attacker can exploit this by sending a specially crafted packet containing a large or complex JSON structure within the <code>clientData</code> JWT body's unknown properties. The PocketMine-MP server, versions prior to 5.4.1, processes this malformed data, generating excessively long log messages. This excessive logging consumes significant CPU resources and memory, and can ultimately lead to a crash due to the server attempting to serialize the large, offending data structure for logging. The issue stems from the JsonMapper instance being configured to warn instead of reject unexpected properties, which, while intended to accommodate changes from Microsoft, creates an exploitable vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a custom Minecraft client.</li>
<li>The client generates a <code>LoginPacket</code> to initiate a connection with the PocketMine-MP server.</li>
<li>Within the <code>LoginPacket</code>, the <code>clientData</code> field contains a JWT body.</li>
<li>The attacker injects a custom, unexpected JSON property (e.g., &quot;invalid_key&quot;) into the JWT body of the <code>clientData</code>.</li>
<li>The value of the &quot;invalid_key&quot; is set to a large or complex object, such as a deeply nested array or an array with millions of elements.</li>
<li>The server receives the <code>LoginPacket</code> and processes the <code>clientData</code> JWT.</li>
<li>The server's JsonMapper encounters the unexpected &quot;invalid_key&quot; property.</li>
<li>The server's <code>warnUndefinedJsonPropertyHandler</code> attempts to serialize and log the large object value, leading to excessive resource consumption, and eventually an Out-of-Memory crash.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in a denial-of-service condition on the PocketMine-MP server. The excessive logging can rapidly consume disk space and CPU resources, degrading server performance for legitimate users. In severe cases, the server may crash entirely due to memory exhaustion. This vulnerability affects PocketMine-MP servers exposed to public networks where unauthorized actors can send malicious login packets. The number of potential victims is any server running a vulnerable PocketMine-MP version (&lt; 5.4.1) accessible to the public internet.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade PocketMine-MP to version 5.4.1 or later to apply the patch that removes the vulnerable <code>var_export</code> and limits the logged property name length (reference: Patches section).</li>
<li>Implement a plugin that handles the <code>DataPacketReceiveEvent</code> to inspect <code>LoginPacket</code> data and use JsonMapper to reject packets with unusual properties. This will prevent the processing of malicious packets (reference: Workarounds section).</li>
<li>Monitor server logs for unusually long messages or repeated warnings about undefined JSON properties within clientData. This can be an indicator of exploitation attempts.</li>
<li>Deploy the provided Sigma rule to detect connection attempts with unusually large client data in the login packet.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>minecraft</category><category>logdos</category><category>pocketmine-mp</category><category>denial-of-service</category></item></channel></rss>