Discussion Attacking PocketMine-MP servers remotely with query vulnerability

Warning: If you abuse this code or vulnerability, you probably be prohibited by law and DON'T USE THIS CODE WITHOUT VICTIM SERVER'S PERMISSION

Disclaimer:

In https://github.com/PocketMine/Pocke...pocketmine/network/query/QueryHandler.php#L79, QueryHandler gets Session ID with unpacking 4 int data from packet. (And do something, like establishing handshake or sending statistics.)
But, in https://github.com/PocketMine/PocketMine-MP/blob/master/src/pocketmine/utils/Binary.php#L326, there's no error handling in unpack(), so remote clients can cause error like

, WITHOUT GENERAL MCPE SERVER CONNECTION. This means not only attackers can make this kind of error messages without connected MCPE client but also server managers cannot ban or kick the attacker. This attack does not depend on Raknet!

You could think printing error messages is not a serious problem, but I've found creating massive errors could cause servers not sending any packets to clients, then all clients will be disconnected because clients can't get any pong signal from server.

Sorry for my bad English, but this example script may tell you what I said:



PS: PocketMine-MP saves all server log to server.log, so this attack could affect the server's disk.

Moderator: Removed the codes.

i wonder why my server frequently freezes and gets a lot of this type of error.

is there a patch on this?

Same here...

Are you sure that this vulnerability is from jammed UDP send buffer?
Well, I was thinking this vulnerability is caused by logger's big consumption of server resources or ticks.
QueryHandler does not reply invalid handshake packet, just prints yellow exception message.

I succeeded to attack the remote server with only one computer, with wifi connection.

Keep getting
2014-12-26 07:01:26 [WARNING] RuntimeException: "unpack(): Type N: not enough input, need 4, have 0" (E_WARNING) in "/src/pocketmine/network/query/QueryHandler" at line 92
Also I've found each morning i've woken up the whole console has frozen.
I hope to see this is patched as everyone's really pissed

Thanks for fix. Can I ask is it still possible to attack the server with source IP address spoofing?

Awesome. Now we can ban any ip for 10 minutes by sending 1 malicious query packet with spoofed ip

Hahahaha, seems like Mojang gave multiplayer for PE no thought at all. One fix introduces another problem, lack of authentication system = insecure servers and no way of tracking bad players.

Can PHP send raw packets with spoofed IP header?

Wow, I haven't think that problem. But attackers cannot get all clients' address easily if he doesn't have control of console.

I don't think this vulnerability is related to mojang. This bug is from QueryHandler, which is new feature of PocketMine-MP.
Maybe https://github.com/PocketMine/PocketMine-MP/issues/2350 is more similar to Raknet problem, but it also happens in PHP Raklib, not original MCPE. (Also this problem is fixed now)

It might not be directly related, but seeing as we can ban any ip now, we can ban the only identifier that people rely on. Now if only we had a proper authentication system.