Exploit For Crashing Minecraft Servers Made Public 118
An anonymous reader writes "After nearly two years of waiting for Mojang to fix a security vulnerability that can be used to crash Minecraft servers, programmer Ammar Askar has released a proof of concept exploit for the flaw in the hopes that this will force them to do something about it. "Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands people play on servers running their software at any given time. They have a responsibility to fix and properly work out problems like this," he noted." Here is Askar's own post on the exploit, and his frustration with the response he's gotten to disclosing it to the developers.
And it's already fixed in 1.8.4 (Score:3, Informative)
... hours before this hit /.
Re:And it's already fixed in 1.8.4 (Score:5, Insightful)
Yes, but it took two whole years before the fix came out. And the fix was made within a day of the exploit being released.
Yes, I can understand 90 days being a bit tight if you're talking fundamental software like operating systems (which require a lot of testing, staging, and you lose some to Patch Tuesday), especially since root causing and fixing can require a bit of time. But two years is a bit on the long side.
More like the guy got ignored and once he released the code, the "OH SH*T" came out.
This is one of those struggles between what's right and what's reasonable... 90 days is a bit quick for something big like an operating system where a change can break everything, but it's also on the long side for something that only breaks something really minor, like Minecraft.
Re:And it's already fixed in 1.8.4 (Score:4, Informative)
Re: (Score:1)
From what I've read on the minecraft reddit, it seems like there were 2 approaches to exploit this bug.
They patched one and thought that also covered the other, but it didn't and they weren't aware then fast forward 2 years.
It's not a bug. It's a property of Turing complete languages. You cannot show the server will behave for all inputs. Computer science is a bitch sometimes.
Re: (Score:3)
Someone should invent input sanitization [wikipedia.org] !
You are anthropomorphizing CompSci, and then actually blaming it for your inadequacies.
Re: And it's already fixed in 1.8.4 (Score:1)
Not quite, since the server wasn't accepting a Turing machine but a recursively defined data structure. It's fairly straightforward to prove the properties of parsers.
Re:And it's already fixed in 1.8.4 (Score:5, Funny)
it's also on the long side for something that only breaks something really minor, like Minecraft.
I invite you to spend 5 minutes alone with my 8 year old son at a time when he can't get Minecraft to work. Then tell me if you still think it's minor.
Re:And it's already fixed in 1.8.4 (Score:4, Funny)
Re: (Score:2)
More like the guy got ignored and once he released the code, the "OH SH*T" came out.
Yup. They never gave a shit until it was public.
Re: (Score:1)
On the other hand, maybe this can serve as a new baseline for some of the mods to be updated (or redone) for the newer (1.8.4+) Minecraft versions, especially if most of the server owners update their servers to fix this exploit/bug.
Re: (Score:2)
I like it... (Score:2)
Re: (Score:1)
I've come to realize, much to my dismay, that far too many developers simply aren't' aware of the most basic computer security axiom:
"Treat all input as hostile"
Seriously. This should be day 2 of programming 101
Day 1: Hello world
Day 2: Your users are evil and they will try to paste the earnings report, which they composed in powerpoint, in to "subject" field of your feedback form. (And subsequently complain that email is down)
Re:I like it... (Score:5, Interesting)
I once coded for a game, Eternal Lands, where I discovered a major security bug. The game had a feature where if a person said a URL, it would turn into a clickable link. This was opened via a popen call. No input sanitization. Aka, vulnerable to injection. A person who simply speaks a malicious URL and makes it look like something interesting to click (hiding the insertion command in the path) could run it on anyone's computer who clicks to open the link.
Big problem. Simple fix. But try as I might, I couldn't get them to let me fix it. They were fine with me writing a whole new special effects graphics system for them, but one simple input sanitization, noooo, the popen works, let's not mess with it and possibly "introduce a bug"! Eventually it took me writing a sample command on the forum that would make a file in the user's home directory (which anyone who knows anything about unix commands could make far more malicious) by clicking on the URL. Suddenly they let me patch the system immediately (and deleted the forum thread... I don't blame them).
I didn't want to have to resort to that. But I didn't want a potentially dangerous exploit sitting in the system.
I never got approval to fix all of the other potential exploits in their system. Their networking protocol was terrible. I only ever saw the client code, but there was literally zero authentication that the server was who they said they were and that packets weren't malformed. Their entire security model was "let's initiate a TCP connection to a hard-coded IP and unconditionally trust everything that we receive". I can't imagine what their server code is like. But they wouldn't even let me add in trivial bounds checking to make sure that the packets weren't oversized - the most minimal of sanity checking.
The fear of changes breaking stuff often leads developers to neglect security. Changes to improve gameplay or graphics? Of course, our users will love it! Changes to the protocol? Nonono, the protocol is working, why risk breaking it?
The short of it? Don't have too much faith that that MMORPG you're playing isn't hackable in a way that could be nasty to your system.
Re:Good (Score:5, Funny)
Maybe people will stop playing this waste of bandwidth.
If you can think of a better program with which to spend three hours digging then I'd like to hear it.
Re:Good (Score:4, Insightful)
If you can think of a better program with which to spend three hours digging then I'd like to hear it.
I'm going with Nethack. Although Dig Dug would be an obvious choice too.
Re: (Score:2)
Although Dig Dug would be an obvious choice too.
And Mr. Do. But the open world of Minecraft offers near unmatched digging-based time wasting without the added stress of increasing level difficulty. And the possibility of finding shiny blue diamonds...Oh my, I do believe I'm a tad flush.
Re: (Score:1)
Re: (Score:3)
Boulderdash wasn't bad either for an early C64 game when I experienced it. There was something about the rising sun coming over the horizon in more complicated games than atari2600 could provide that just opened a young kid's mind.
Re: (Score:2)
Hm. That actually was my problem with Angband. Too easy, too farmable. I'll have to give that a shot...though I suspect it's going to be a lot of long, boring running around in circles trying to get that ring of fire resistance before I hit whatever depth will kill me without it. And you thought stair scumming was boring...
Re: (Score:3)
You don't keep running back to town for a ton of arrows and selling stuff. That's just boring. If you're really trying, you might have even tried to check every time the elite object guy was selling. This was boring.
No hovering next to stairs for easy escape which feels like cheating
Identifying potions, equipment and mushrooms becomes a lot more fun. Um, I have no food left! I guess its time to id the mushrooms and scrolls
Rules: Never take up stairs or recall. If you accidentally re
Re: (Score:2)
Re: (Score:2)
Kobalt Digging Shovel and Kobalt Fiberglass Pick Mattock are my favorites for digging.
Is there an Android port available yet?
Re: (Score:2)
Re: (Score:2)
Terraria is a pretty fun digging sim, though not 3D.
Re: (Score:2)
Re: Good (Score:2)
Re: (Score:2)
Re: (Score:1)
Translation:
"I don't like this game therefore everyone else who plays it is wrong and the game should cease to exist ASAP"
If you want to comment, please do so more constructively for everyone's sake.
Re: (Score:2)
Please provide a list of games, the playing of which will please you, oh exalted one.
Re:Good (Score:5, Funny)
Why didn't anyone tell me!??!?!?!
Now that I know that YOU don't like it I will stop playing it and make my kids stop playing it!
I had NO idea it had been judged unworthy by YOU.
I am so sorry. Obviously NO ONE should play a game YOU don't like.
Clearly we both need to be back on our meds.
May finally get servers updated... (Score:2)
There are tons of servers running relatively ancient versions at this point due to massive amounts of custom mods (Herocraft and places like that). It sounds like they're screwed now unless they get caught up to the current version.
Re: (Score:2)
Re:May finally get servers updated... (Score:4, Informative)
Try some of the mods. The gameplay gets better - and the stability gets worse.
Re: (Score:2)
Ah, so you've heard of Skyrimming?
Re: (Score:2)
Re: (Score:2)
Personally, I think that Minecraft needs a lot of work. The gameplay itself is pretty good, but it really needs to be reworked in terms of performance and stability. I was hoping that things would change with MS buying it as they could hire more people to work on it, but I don't think they've actually done anything noteworthy with it yet.
Some anti-aliasing would be nice. I'd like to play it but it does terrible things to my eyes.
Re: (Score:2)
http://www.minecraftforum.net/... [minecraftforum.net]
I'll have to see if I can find some screenshots of that. But its a mod, and isn't that the main reason no one upgrades minecraft servers (because updating mods is so painful)?
Re: (Score:1)
Re: (Score:2)
Personally, I think that Minecraft needs a lot of work. The gameplay itself is pretty good, but it really needs to be reworked in terms of performance and stability. I was hoping that things would change with MS buying it as they could hire more people to work on it, but I don't think they've actually done anything noteworthy with it yet.
I don't know much about game programming, but I know how big corporations work.
1) Buy a company
2) Leave it there doing what it does.
3) Think hard about how to integrate it, use it's technology etc.
4) Do that.
The gap between 2 and 4 can be years.
Re:May finally get servers updated... (Score:5, Insightful)
Modders move quite slow due to the frustrating architecture. 1.6 required a major overhaul to most mods, and 1.8 is being avoided like the plague for the same reason. There's also little incentive to upgrade, since the amount of content in the mods is orders of magnitude higher than vanilla, no ones going to switch off 60 mods in a modpack to get some horses and a biome.
Re: (Score:2)
There's also little incentive to upgrade ...
Maybe their incentive will be that if they don't upgrade, someone will just crash their server.
I deal with the same thought pattern at work on a daily basis. I develop on a very popular e-commerce platform that is notorious for being difficult to update due to poor compatibility with various customizations done to the application code. Clients come to me with problems their store is facing, and I tell them the fix is to update to a newer version. I then tell them that it may cause problems with all the ext
Re: (Score:2)
Not all businesses are doing well enough or have enough capital to have everything broken for a while due to an upgrade.
Also, nowadays, there are so many online stores that if one goes down, people move on to the next.
In any case, in order to have sustainability, you need to survive the day-to-day stuff
Re: (Score:2)
Yeah, the architecture changes screwed the entire modding world. Maybe someday they'll finally have a proper mod API and proper support.
As for incentive, the incentive this time around is to prevent having permanently crashed servers. Until the new loader was released that supported easier management of multiple versions the incentive was you'd lose half your players with every update as they automatically updated. With the new loader that became far less of an issue, so yes, a brief period with less in
Re: (Score:2)
Yeah, the architecture changes screwed the entire modding world. Maybe someday they'll finally have a proper mod API and proper support.
Perhaps someone should write a mod that redundantly reimplements Minecraft on top of Minecraft with as few calls into actual Minecraft code as possible. Still dependent enough to require the actual game but with such little contact area that it's almost completely isolated from changes to the game itself.
Yeah, it'd basically be a fork that attempts to solve the rights issues by requiring the main game. You'd lose anything Mojang adds to the game later (unless it's ported over) but the API could be designe
Re: (Score:1)
The "frustrating architecture" involves decompiling the obfuscated java code and then guessing which method is which to compile a huge lookup table of obfuscated method names to human-readable ones. And the mapping changes every time they do a build. There was supposed to be a mod API but it never happened.
little late (Score:5, Informative)
From TFA:
Update: With the release of this full disclosure I have actually made contact with mojang and they are working to fix the issue. Apparently the initial fix they tried failed which indicates a lack of proper testing.
Update 2: The exact problem that caused this bug to go unpatched has been identified. Mojang attempted to implement a fix for this problem, however they did not test their fix against the proof of concept I provided, which still crashed the server perfectly fine. This, in combination with ignoring me when I asked for status updates twice led me to believe that Mojang had attempted no fix. In retrospect, a final warning before this full disclosure more recently was propbably in order. A combination of mis-communication and lack of testing led to this situation today, hopefully it can be a good learning experience.
Update 3: This problem has been patched as of minecraft version 1.8.4
https://mojang.com/2015/04/minecraft-1-8-4-security-release/
I’m happy to see that multiple other security issues have also been fixed. Once again, I feel better communication would have easily alleviated this problem. Keeping me in the loop and not ignoring me, in addition to proper testing would have easily led to this exploit being fixed long ago.
As usual, by the time news hits slashdot, it's not really news anymore. RIP Martin Lawrence.
Re: (Score:2)
Apparently you don't.
Re: (Score:3, Informative)
The guy has found a way to exploit the server code to cause denial of service via code complexity.
Further to this, depending on how the complexity managed to cause the server to crash (as opposed to just using up all server resources decoding the nested elements), it may also be possible to use his exploit to gain remote code execution (RCE).
But I haven't actually seen anything documenting a server crash -- just an exhaustion of resources, resulting in denial of service. If someone could document what actu
Re: (Score:2)
Running a server out of memory can cause game world corruption if it happens at a bad time.
Quite annoying and could cause rollbacks to backups and such... bleh
Re: (Score:1)
So... it doesn't have the code design to exit gracefully. This means it's not just open to game world corruption, but memory and DB corruption -- which hints at the possibility of an in-memory or on-disk exploit. In order to prep such an exploit, you'd likely have to have a client logged in already and performing a specific function when you hit it with the attack.
And fixed... (Score:2)
Miscommunication (Score:2)
Both parties admit that it could have been handled better.
I specifically asked Nathan Adams (Dinnerbone) about it on Twitter; he said that it would've been handled better if the exploit was logged with the bug tracker to begin with, instead of trying to talk directly to people.
Re: (Score:2)
And I botched up the link to the tweet: https://twitter.com/Dinnerbone... [twitter.com]
Re: (Score:3)
Okay, yeah, this guy is definitely a tool with a massive ego trip. He already seemed like a dick from the way he phrased his press releases, but insisting he's too important to use the bug tracker and instead he needs to talk to the devs personally? No.
Re: (Score:2)
I've heard that arrogance before and it's silly. If people are doing free work for you you don't get to set the terms of how they do it. This guy did free security work for them, they shouldhave been beating a path to his door to make the best use of that work. Or, you know, being entirely free to ignore it at their peril. Which they did.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Log a case, ask them to contact you for the specifics due to the sensitive nature.
Not -that- hard to do...
Re: (Score:2)
Typical bug trackers allow you to classify something as a security issue, which automatically hide the bug from public. Some automatically do that to crash reports.
Re: (Score:2)
It's not like the existence of this bugtracker is a secret from anybody, not for 2+ years. It's even referenced in every release announcement.
I am completely unsurprised. (Score:4, Interesting)
I spent four damn years trying to have a dialog with Mojang and Bukkit about how to write good code and have a community that wants good code. The MC community literally does not want anybody participating if they have any sense of QA or planning for the future.
Remember, these are people that wrote their own cryptographic transport *three times* and called it good after nobody could post an exploit for it within a week. MC is not even willing to use standard things like TLS.
Re: (Score:1)
Then again, this approach means that any attacks will have to target MC directly, as they can't just target something like Heartbleed and expect it to work here too.
But they really do seem to suffer from NIH syndrome; those writing hacks for MC are having to code around the outside of it, degrading performance and introducing security issues.
Anyone know of a modular open source alternative to MC?
Re: (Score:2)
MC is not even willing to use standard things like TLS.
I'm a cryptographic security architect (their name, not mine) for a large techy corporation and I am not willing to use the steaming pile of poo that is TLS. This was a good call on the part of the Minecraft developers. They might not be able to write a good security protocol, but they sure avoided a bad one.
If I succeed in destroying TLS, X.509 and all that goes along with it, replacing it with something sane, I will have succeeded and I can die content.
Turing complete protocols (Score:2)
Friends don't let friends put Turing complete languages in communication protocols.
This cannot be fixed in general. The behavior of a Turing complete language executor is formally undecidable over all inputs.
Minecraft (and X.509 certs and HTML 5.0 and SQL and, and, and...) all need to switch to non Turing complete languages if they are to have the option of secureable implementations.
Re: (Score:2)
if (took too long) { throw TookTooLongException(); }
Problem solved. Undecidability is only an issue when "running forever" is actually possible.
Defining what "too long" is may be difficult in some scenarios to be sure, but when you're dealing with something like a game that inherently requires responsiveness, "too long" can be defined fairly strictly without too much negative impact -- anything (even completely legitimate) routines that take more than a few fractions of a second per game loop is going to "
Re: (Score:2)
You solved one problem. Now solve all the other problems without knowing what they are. The problem space is undecidably large.
>Also, being Turning-complete is sufficient but not necessary to have this problem
Yes. No argument there. Once free of Turing you can hedge with the simplest possible design. Formal methods may help.
Re: (Score:2)
Now solve all the other problems without knowing what they are.
Sandboxing solves pretty much all other problems. Sure there are situations where a sandbox isn't a practical solution, but again that's not really limited to being Turing-complete. Any language that allows a client to modify data risks the ability to modify it in unfortunate ways.
Certainly more complex languages will have more possible avenues of attack but they also provide more (legitimate) capabilities and sometimes the benefits outweigh the risks, especially in these days where patching a previously-
Re: (Score:2)
>Sandboxing solves pretty much all other problems.
Like Java and ActiveX?
Re: (Score:2)
Just because you don't know what they are doesn't mean that they aren't well known and understood.
Re: (Score:2)
Do you not realize that you are running an Operating System, written in a Turing Complete language, and that it is only possible because the other problems can (and have) been addressed? Also:
Just because you don't know what they are doesn't mean that they aren't well known and understood.
An operating system has a API through which you communicate with it. Much like a protocol. Of course the compute environment the programs, both kernel and application are turing complete and operating systems and applications have vulnerabilities.
Re: (Score:2)
You are joking, right? Out of curiosity, as you are communicating with your OS, do you use Pascal or C calling conventions as you type?
Considering that "protocol" allows me to type 'sudo rm -rf /' Turing doesn't actually give an fsck at that point now, then, does he?
Re: (Score:2)
No but he determined the limits of decidability. Keep up please.
Re: (Score:2)
Your statement "An operating system has a API through which you communicate with it" broadcasted to the world that you had no idea what you were even saying.
Then this beauty: "Much like a protocol"The fact that you don't evidently know that protocols and APIs are virtually completely disparate is almost sad.
You wrap it up in a way that wouldn't make
Not such a big deal (Score:3)
Developer arrogance (Score:1)