Minecraft for PS4 & Xbox One Gameplay Update: Minecraft Exploit May Crash Servers
A Pakistani blogger found a vulnerability in Mojang's latest update of their popular game Minecraft. The flaw could allow someone to crash the game's servers. Mojang has since released an update that fixes the issue.
Ars Technica reported that Pakistani developer and blogger Ammar Askar discovered the bug in the game almost 21 months ago and wrestled with what to do, but he ultimately notified Mojang of the bug.
"On the one hand I don't want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act on it," Askar wrote.
The bug was found within the game's networking internals, specifically in the handling of a file format known as Named Binary Tag (NBT), which stores arbitrary metadata. Askar released an attack that uses NBT.
"The vulnerability stems from the fact that the client is allowed to send the server information about certain slots. This, coupled with the NBT format's nesting allows us to craft a packet that is incredibly complex for the server to deserialize but trivial for us to generate," he explained in his very technical blog post.
In other words, someone wanting to crash a server can overwhelm it with objects they create. He illustrated this with an object called "rekt."
"The root of the object, rekt, contains 300 lists. Each list has a list with 10 sublists, and each of those sublists has 10 of their own, up until 5 levels of recursion. That's a total of 10^5 * 300 = 30,000,000 lists," he explained. "And this isn't even the theoretical maximum for this attack. Just the NBT data for this payload is 26.6 megabytes. But luckily Minecraft implements a way to compress large packets, lucky us! zlib shrinks down our evil data to a mere 39 kilobytes."
"When the server will decompress our data, it'll have 27 megs in a buffer somewhere in memory, but that isn't the bit that'll kill it," he continued.
"When it attempts to parse it into NBT, it'll create Java representations of the objects meaning suddenly, the server is having to create several million Java objects including ArrayLists. This runs the server out of memory and causes tremendous CPU load."
Following the announcement of this bug, Mojang released a blog post saying it had fixed the bug.
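The general defence against this class of bug is to bound each stage of deserialization: cap the decompressed size, the nesting depth and the total element count before any objects are allocated. The Python below is an added example, not code from Askar's post or from Mojang's fix; the limits and function names are assumptions, and it handles only list and byte-list tags of the NBT format.

```python
import struct
import zlib

TAG_END, TAG_BYTE, TAG_LIST = 0, 1, 9
# Limits are assumptions for this example; size them to what real clients send.
MAX_INFLATED = 2 * 1024 * 1024   # bytes accepted after decompression
MAX_DEPTH = 8                    # levels of list nesting
MAX_ELEMENTS = 10_000            # list elements across the whole payload

class NBTLimitError(ValueError):
    """A payload exceeded one of the resource limits above."""

def bounded_inflate(blob, limit=MAX_INFLATED):
    """Decompress zlib data while producing at most limit + 1 bytes."""
    out = zlib.decompressobj().decompress(blob, limit + 1)
    if len(out) > limit:
        raise NBTLimitError("decompressed size exceeds limit")
    return out

def parse_list(buf, pos=0, depth=1, budget=None):
    """Parse one TAG_List payload at buf[pos:]; return (value, next_pos)."""
    budget = [MAX_ELEMENTS] if budget is None else budget
    if depth > MAX_DEPTH:
        raise NBTLimitError("list nesting exceeds limit")
    if pos + 5 > len(buf):
        raise ValueError("truncated list header")
    elem_type, count = struct.unpack_from(">bi", buf, pos)
    pos += 5
    # Check the declared count against the shared budget before allocating.
    if not 0 <= count <= budget[0]:
        raise NBTLimitError("element count outside limit")
    budget[0] -= count
    if elem_type == TAG_LIST:
        items = []
        for _ in range(count):
            item, pos = parse_list(buf, pos, depth + 1, budget)
            items.append(item)
        return items, pos
    if elem_type == TAG_BYTE and pos + count <= len(buf):
        return list(buf[pos:pos + count]), pos + count
    if elem_type == TAG_END and count == 0:
        return [], pos
    raise ValueError("truncated data or element type not handled here")

def parse_packet(blob):
    return parse_list(bounded_inflate(blob))[0]

# Constructed sample: a list holding two lists, [1, 2] and an empty one.
SAMPLE = zlib.compress(bytes.fromhex("09 00000002 01 00000002 0102 00 00000000"))
```

The element budget is shared across the whole payload, so many small lists are rejected as readily as one large one, and a header that declares a huge count is refused before its body is read.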
"We have released a new version of Minecraft 1.8, called 1.8.4, which is now available for download in your launcher. This release fixes a few reported security issues, in addition to some other minor bug fixes & performance tweaks," the company stated.