Clients no longer able to freeze or crash servers

Apr 18, 2015 07:27 GMT

Game developer Mojang updated Minecraft to version 1.8.4, including a fix for a vulnerability that allowed clients to bring down the game server by sending a packet whose processing exhausted the machine’s resources.

The flaw was initially reported on July 28, 2013 by researcher Ammar Askar from Pakistan, but Mojang failed to release a proper patch because its fix was not tested against the proof of concept that had been provided.

Askar reported that exploiting the glitch was a matter of crafting a packet that included a complex data structure. It was delivered to the server via the protocol the game uses to contact the server and update the list of items in the client’s inventory.

Complex data structure eats up server's memory

The researcher found that items in Minecraft could have arbitrary metadata attached to them, stored in a format called NBT (Named Binary Tag), which is similar to JSON.

When it received a packet that was difficult to parse, such as one carrying a nested structure, the server would use up all its resources and eventually stop working. The researcher generated a structure of lists that amounted to 30 million objects, which would cause the server to run out of memory during processing.

“When it attempts to parse it into NBT, it’ll create Java representations of the objects meaning suddenly, the server is having to create several million Java objects including ArrayLists. This runs the server out of memory and causes tremendous CPU load,” he said in the blog post with technical details on the attack.
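The defensive counterpart to the behaviour described above, as an added example that is not Mojang's code or the researcher's: a reader for a subset of NBT that enforces a nesting-depth cap and an object budget before it builds anything. The class and exception names and both limits are assumptions chosen for illustration.

```python
import struct

END, LIST, COMPOUND = 0, 9, 10                  # NBT tag ids
SCALARS = {1: ">b", 2: ">h", 3: ">i", 4: ">q"}  # byte, short, int, long

class NBTLimitError(ValueError):
    """Input asks for more nesting or objects than this parser allows."""

class BoundedNBTReader:
    def __init__(self, data, max_depth=16, max_nodes=10_000):  # assumed limits
        self.data, self.pos = data, 0
        self.max_depth, self.budget = max_depth, max_nodes

    def _take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated NBT data")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def _charge(self, count):  # spend the budget before parsing or allocating
        self.budget -= count
        if self.budget < 0:
            raise NBTLimitError("object budget exceeded")

    def _name(self):
        (size,) = struct.unpack(">H", self._take(2))
        return self._take(size).decode("utf-8")

    def _payload(self, tag, depth):
        if depth > self.max_depth:
            raise NBTLimitError("nesting too deep")
        if fmt := SCALARS.get(tag):
            return struct.unpack(fmt, self._take(struct.calcsize(fmt)))[0]
        if tag == LIST:
            elem, length = struct.unpack(">bi", self._take(5))
            self._charge(max(length, 0))  # check the declared size up front
            return [self._payload(elem, depth + 1) for _ in range(length)]
        if tag == COMPOUND:
            pairs = []
            while (child := self._take(1)[0]) != END:
                self._charge(1)
                pairs.append((self._name(), self._payload(child, depth + 1)))
            return dict(pairs)
        raise ValueError(f"unsupported tag id {tag}")

    def read(self):
        tag = self._take(1)[0]
        return self._name(), self._payload(tag, 0)

SAMPLE = b"\x0a\x00\x00\x03\x00\x05Count\x00\x00\x00\x03\x00"  # constructed: Count=3
```

A server that calls `read()` on client-supplied item metadata can treat `NBTLimitError` as a reason to reject the packet, since the error is raised before the corresponding objects are created.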

Issue could have been solved earlier with better communication

On Thursday, Askar disclosed the vulnerability publicly without notifying the game developer beforehand, a course of action that may have lowered the risk of exploitation by ill-intentioned users.

Following the public report, Mojang released on Friday a security update for Minecraft that prevents a client from causing the server to freeze or run out of memory due to intensive processing of a complex data structure.

Persistence of the issue for almost two years could have been avoided, had communication between the two parties been better.

On one hand, Askar stopped contacting Mojang after October 27, 2013, while the game developer failed to inform the researcher that a fix, albeit an ineffective one, had been deployed.