{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/minecraft/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PocketMine-MP"],"_cs_severities":["high"],"_cs_tags":["minecraft","logdos","pocketmine-mp","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["PocketMine"],"content_html":"\u003cp\u003eA denial-of-service vulnerability affects PocketMine-MP servers due to insufficient validation of the \u003ccode\u003eLoginPacket\u003c/code\u003e. An attacker can exploit this by sending a specially crafted packet containing a large or complex JSON structure within the \u003ccode\u003eclientData\u003c/code\u003e JWT body's unknown properties. The PocketMine-MP server, versions prior to 5.4.1, processes this malformed data, generating excessively long log messages. This excessive logging consumes significant CPU resources and memory, and can ultimately lead to a crash due to the server attempting to serialize the large, offending data structure for logging. The issue stems from the JsonMapper instance being configured to warn instead of reject unexpected properties, which, while intended to accommodate changes from Microsoft, creates an exploitable vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a custom Minecraft client.\u003c/li\u003e\n\u003cli\u003eThe client generates a \u003ccode\u003eLoginPacket\u003c/code\u003e to initiate a connection with the PocketMine-MP server.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003eLoginPacket\u003c/code\u003e, the \u003ccode\u003eclientData\u003c/code\u003e field contains a JWT body.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a custom, unexpected JSON property (e.g., \u0026quot;invalid_key\u0026quot;) into the JWT body of the \u003ccode\u003eclientData\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe value of the \u0026quot;invalid_key\u0026quot; is set to a large or complex object, such as a deeply nested array or an array with millions of elements.\u003c/li\u003e\n\u003cli\u003eThe server receives the \u003ccode\u003eLoginPacket\u003c/code\u003e and processes the \u003ccode\u003eclientData\u003c/code\u003e JWT.\u003c/li\u003e\n\u003cli\u003eThe server's JsonMapper encounters the unexpected \u0026quot;invalid_key\u0026quot; property.\u003c/li\u003e\n\u003cli\u003eThe server's \u003ccode\u003ewarnUndefinedJsonPropertyHandler\u003c/code\u003e attempts to serialize and log the large object value, leading to excessive resource consumption, and eventually an Out-of-Memory crash.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition on the PocketMine-MP server. The excessive logging can rapidly consume disk space and CPU resources, degrading server performance for legitimate users. In severe cases, the server may crash entirely due to memory exhaustion. This vulnerability affects PocketMine-MP servers exposed to public networks where unauthorized actors can send malicious login packets. The number of potential victims is any server running a vulnerable PocketMine-MP version (\u0026lt; 5.4.1) accessible to the public internet.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PocketMine-MP to version 5.4.1 or later to apply the patch that removes the vulnerable \u003ccode\u003evar_export\u003c/code\u003e and limits the logged property name length (reference: Patches section).\u003c/li\u003e\n\u003cli\u003eImplement a plugin that handles the \u003ccode\u003eDataPacketReceiveEvent\u003c/code\u003e to inspect \u003ccode\u003eLoginPacket\u003c/code\u003e data and use JsonMapper to reject packets with unusual properties. This will prevent the processing of malicious packets (reference: Workarounds section).\u003c/li\u003e\n\u003cli\u003eMonitor server logs for unusually long messages or repeated warnings about undefined JSON properties within clientData. This can be an indicator of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect connection attempts with unusually large client data in the login packet.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-pocketmine-logdos/","summary":"Attackers can cause a denial-of-service on PocketMine-MP servers by sending a crafted Minecraft LoginPacket containing large or complex structures in the clientData JWT body, leading to excessive logging and potential server crashes.","title":"PocketMine-MP LogDoS via Malformed Login Packet","url":"https://feed.craftedsignal.io/briefs/2024-01-pocketmine-logdos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PocketMine-MP"],"_cs_severities":["high"],"_cs_tags":["pocketmine-mp","denial-of-service","minecraft"],"_cs_type":"advisory","_cs_vendors":["PocketMine"],"content_html":"\u003cp\u003ePocketMine-MP, a popular server software for Minecraft: Bedrock Edition, is susceptible to a denial-of-service (DoS) vulnerability due to insufficient validation of \u003ccode\u003eModalFormResponsePacket\u003c/code\u003e data. An attacker can exploit this by sending a crafted packet containing an extremely large JSON payload within the \u003ccode\u003eformData\u003c/code\u003e field. This causes the server to consume excessive CPU and memory resources while attempting to parse the oversized JSON, potentially leading to unresponsiveness or complete server failure. The vulnerability affects PocketMine-MP servers running versions prior to 5.39.2. Exploitation requires a player to establish a full session on the server. The issue was patched with size limitations on form responses (cef1088341e40ee7a6fa079bca47a84f3524d877) and preventing decoding of responses with invalid form IDs (f983f4f66d5e72d7a07109c8175799ab0ee771d5).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker connects to a vulnerable PocketMine-MP server as a legitimate player.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a full session by spawning into the game world.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003eModalFormResponsePacket\u003c/code\u003e using a modified client or packet-sending script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformId\u003c/code\u003e field in the packet is set to an invalid or non-existent form ID (e.g., 9999).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformData\u003c/code\u003e field is populated with an extremely large JSON array (e.g., 10+ MB payload, such as \u003ccode\u003e[0,0,0,...]\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted \u003ccode\u003eModalFormResponsePacket\u003c/code\u003e to the server.\u003c/li\u003e\n\u003cli\u003eThe server receives the packet and attempts to parse the oversized JSON payload in the \u003ccode\u003eformData\u003c/code\u003e field, despite the invalid \u003ccode\u003eformId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server consumes excessive CPU and memory resources during JSON parsing, leading to performance degradation or a complete freeze, resulting in a denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition on the affected PocketMine-MP server. The server becomes unresponsive, preventing legitimate players from connecting or continuing their gameplay. The number of affected users depends on the server's player capacity. Unpatched servers are vulnerable to resource exhaustion attacks that can severely impact the game experience and potentially require a server restart. All sectors relying on public Minecraft: Bedrock Edition servers are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PocketMine-MP servers to version 5.39.2 or later to apply the patches that address the vulnerability (cef1088341e40ee7a6fa079bca47a84f3524d877 and f983f4f66d5e72d7a07109c8175799ab0ee771d5).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on \u003ccode\u003eModalFormResponsePacket\u003c/code\u003e processing to mitigate the impact of large packet floods (network_connection).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious \u003ccode\u003eModalFormResponsePacket\u003c/code\u003e sizes indicative of exploitation attempts (network_connection).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-pocketmine-dos/","summary":"A vulnerability in PocketMine-MP servers allows an attacker to cause a denial-of-service by sending a malformed ModalFormResponsePacket containing an excessively large JSON payload, impacting server performance and availability.","title":"PocketMine-MP ModalFormResponsePacket Denial-of-Service","url":"https://feed.craftedsignal.io/briefs/2024-01-02-pocketmine-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Minecraft","version":"https://jsonfeed.org/version/1.1"}