
Discussion Attacking PocketMine-MP servers remotely with query vulnerability

Comments in 'General Discussion' started by L3m0nte4_, Dec 25, 2014.

Thread Status:
Not open for further replies.
  1. L3m0nte4_
    L3m0nte4_ New Member
    Warning: If you abuse this code or vulnerability, you will probably be prohibited by law. DON'T USE THIS CODE WITHOUT THE VICTIM SERVER'S PERMISSION

    Disclaimer:
    In https://github.com/PocketMine/Pocke...pocketmine/network/query/QueryHandler.php#L79, QueryHandler gets the Session ID by unpacking 4 int data from the packet. (And does something, like establishing a handshake or sending statistics.)
    But, in https://github.com/PocketMine/PocketMine-MP/blob/master/src/pocketmine/utils/Binary.php#L326, there's no error handling in unpack(), so remote clients can cause an error like
    , WITHOUT A GENERAL MCPE SERVER CONNECTION. This means not only that attackers can produce this kind of error message without a connected MCPE client, but also that server managers cannot ban or kick the attacker. This attack does not depend on Raknet!

    You could think printing error messages is not a serious problem, but I've found that creating massive errors could cause servers to not send any packets to clients; then all clients will be disconnected because clients can't get any pong signal from the server.

    Sorry for my bad English, but this example script may tell you what I said:



    PS: PocketMine-MP saves all server logs to server.log, so this attack could affect the server's disk.

    Moderator: Removed the codes.
    Last edited by a moderator: Dec 25, 2014
    Smarticles101 likes this.
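
An added example, not part of the original post or the PocketMine-MP source: a Query datagram parser in PHP that checks the remaining length before every unpack() call, so a short packet is dropped instead of raising the warning described above. The packet layout (FE FD magic, type byte 9 for handshake and 0 for statistics, 4-byte session ID, 4-byte token) is assumed from the Minecraft Query protocol, and the function names are hypothetical.

```php
<?php
// Added example, not PocketMine-MP code. Assumed layout (Minecraft Query):
// FE FD magic, 1 type byte, 4-byte big-endian session ID, and for a
// statistics request a 4-byte challenge token. All names are hypothetical.
const QUERY_MAGIC = "\xFE\xFD";
const TYPE_HANDSHAKE = 9;
const TYPE_STATISTICS = 0;

/** Read a big-endian uint32 at $offset, or null when fewer than 4 bytes remain. */
function readInt(string $buf, int $offset): ?int {
    if (strlen($buf) < $offset + 4) {
        return null; // never hand unpack() a short string
    }
    return unpack("N", substr($buf, $offset, 4))[1];
}

/** Return the parsed request, or null for any malformed datagram. */
function parseQuery(string $packet): ?array {
    if (strlen($packet) < 3 || substr($packet, 0, 2) !== QUERY_MAGIC) {
        return null;
    }
    $sessionId = readInt($packet, 3);
    if ($sessionId === null) {
        return null;
    }
    switch (ord($packet[2])) {
        case TYPE_HANDSHAKE:
            return ["type" => "handshake", "session" => $sessionId];
        case TYPE_STATISTICS:
            $token = readInt($packet, 7); // null when the packet stops after the session ID
            if ($token === null) {
                return null;
            }
            return ["type" => "statistics", "session" => $sessionId, "token" => $token];
        default:
            return null;
    }
}

// Constructed sample datagrams (not captured traffic).
$samples = [
    "handshake"            => "\xFE\xFD\x09\x00\x00\x00\x01",
    "statistics"           => "\xFE\xFD\x00\x00\x00\x00\x01\x00\x00\x30\x39",
    "statistics, no token" => "\xFE\xFD\x00\x00\x00\x00\x01",
    "header only"          => "\xFE\xFD\x09",
];
foreach ($samples as $name => $bytes) {
    $r = parseQuery($bytes);
    echo str_pad($name, 22), $r === null ? "dropped" : json_encode($r), "\n";
}
```

Returning null lets the caller drop the datagram silently, so a malformed packet costs one length comparison rather than an exception and a line in server.log.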
  2. shoghicp
    shoghicp Staff Member PocketMine Team
    Remember that just sending a stream of packets will cause the same behavior as this attack, filling the socket-level UDP buffer.
  3. iJoshuaHD
    iJoshuaHD Notable Member Plugin Developer
    I wonder why my server frequently freezes and gets a lot of this type of error.
    RekkuzaRage likes this.
  4. sekjun9878
    sekjun9878 Staff Member PocketMine Team
    This "vulnerability" has been confirmed by myself (not officially, just casually by myself). On being attacked, all players are kicked within 2 - 5 seconds. The console then becomes unresponsive to all commands. Any attempt to reconnect to the server will be met with a "Locating Server" message loop on the client.

    This is from a 5mbps residential upstream.
  5. iJoshuaHD
    iJoshuaHD Notable Member Plugin Developer
    Is there a patch for this?
    xFlare and RekkuzaRage like this.
  6. RekkuzaRage
    RekkuzaRage Active Member
    Same here...
    xFlare likes this.
  7. L3m0nte4_
    L3m0nte4_ New Member
    Are you sure that this vulnerability is from a jammed UDP send buffer?
    Well, I was thinking this vulnerability is caused by the logger's big consumption of server resources or ticks.
    QueryHandler does not reply to an invalid handshake packet, it just prints a yellow exception message.

    I succeeded in attacking the remote server with only one computer, over a wifi connection.
  8. sekjun9878
    sekjun9878 Staff Member PocketMine Team
    @L3m0nte4_ I thought that too, so I tested it with warnings suppressed on unpack(). The vulnerability still occurred.
  9. codmadnesspro
    codmadnesspro Notable Member Plugin Developer
    Keep getting
    2014-12-26 07:01:26 [WARNING] RuntimeException: "unpack(): Type N: not enough input, need 4, have 0" (E_WARNING) in "/src/pocketmine/network/query/QueryHandler" at line 92
    Also I've found each morning I've woken up the whole console has frozen.
    I hope to see this is patched as everyone's really pissed :p
  10. shoghicp
    shoghicp Staff Member PocketMine Team
    New builds include several filters at the RakLib level.
    • More than 5000 packets per tick (20 ticks per second) will block that address for 300s
    • Error on a Minecraft: PE packet will block that address for 5s
    • Error on an external packet (like Query) will block that address for 600s
    Falk likes this.
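
The three rules listed above, sketched as a small per-address filter in PHP. This is an added illustration, not code from RakLib or from the post: the thresholds are the ones quoted, while the class and method names are hypothetical. Blocks are keyed by the source address the datagram carries.

```php
<?php
// Added example, not RakLib code. The thresholds are the ones quoted in the
// post above; class and method names are hypothetical.
final class AddressFilter {
    const MAX_PACKETS_PER_TICK = 5000;
    const BLOCK_FLOOD = 300;          // seconds
    const BLOCK_GAME_ERROR = 5;       // error in a Minecraft: PE packet
    const BLOCK_EXTERNAL_ERROR = 600; // error in an external packet (Query)

    private $blockedUntil = []; // source address => time the block expires
    private $tickCounts = [];   // source address => packets seen this tick

    /** Call once per server tick (20 per second). */
    public function tick(): void {
        $this->tickCounts = [];
    }

    /** True if a datagram from $addr may be processed at time $now. */
    public function accept(string $addr, float $now): bool {
        if (($this->blockedUntil[$addr] ?? 0) > $now) {
            return false;
        }
        unset($this->blockedUntil[$addr]); // expired or never set
        $count = ($this->tickCounts[$addr] ?? 0) + 1;
        $this->tickCounts[$addr] = $count;
        if ($count > self::MAX_PACKETS_PER_TICK) {
            $this->block($addr, $now, self::BLOCK_FLOOD);
            return false;
        }
        return true;
    }

    /** Record a parse error; $external is true for non-game packets. */
    public function reportError(string $addr, float $now, bool $external): void {
        $seconds = $external ? self::BLOCK_EXTERNAL_ERROR : self::BLOCK_GAME_ERROR;
        $this->block($addr, $now, $seconds);
    }

    private function block(string $addr, float $now, int $seconds): void {
        $until = max($this->blockedUntil[$addr] ?? 0, $now + $seconds);
        $this->blockedUntil[$addr] = $until;
    }
}

// Constructed run: one Query parse error at t=1000 from a documentation address.
$filter = new AddressFilter();
$filter->reportError("192.0.2.10", 1000.0, true);
var_dump($filter->accept("192.0.2.10", 1599.0)); // still inside the 600 s block
var_dump($filter->accept("192.0.2.10", 1601.0)); // block has expired
```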
  11. L3m0nte4_
    L3m0nte4_ New Member
    Thanks for the fix. Can I ask, is it still possible to attack the server with source IP address spoofing?
  12. Falk
    Falk Staff Member Global Moderator
    I believe so, UDP is connectionless, so there really is no way to enforce the IP thing.
  13. wies
    wies Notable Member
    Awesome. Now we can ban any ip for 10 minutes by sending 1 malicious query packet with spoofed ip :p
    Smarticles101, sekjun9878 and Falk like this.
  14. Falk
    Falk Staff Member Global Moderator
    I have an idea. A website where you enter the server ip and the ip you want to ban and it will send packets every 10 minutes to refresh the ban. Why limit the banip feature to owners of the server?
    iksaku and wies like this.
  15. ProjectInfinity
    ProjectInfinity Active Member Plugin Developer
    Hahahaha, seems like Mojang gave multiplayer for PE no thought at all. One fix introduces another problem, lack of authentication system = insecure servers and no way of tracking bad players.
  16. L3m0nte4_
    L3m0nte4_ New Member
    Can PHP send raw packets with a spoofed IP header?
  17. L3m0nte4_
    L3m0nte4_ New Member
    Wow, I hadn't thought of that problem. But attackers cannot get all clients' addresses easily if they don't have control of the console.
  18. L3m0nte4_
    L3m0nte4_ New Member
    I don't think this vulnerability is related to Mojang. This bug is from QueryHandler, which is a new feature of PocketMine-MP.
    Maybe https://github.com/PocketMine/PocketMine-MP/issues/2350 is more similar to a Raknet problem, but it also happens in PHP Raklib, not original MCPE. (Also this problem is fixed now)
  19. ProjectInfinity
    ProjectInfinity Active Member Plugin Developer
    It might not be directly related, but seeing as we can ban any ip now, we can ban the only identifier that people rely on. Now if only we had a proper authentication system.
  20. sekjun9878
    sekjun9878 Staff Member PocketMine Team
    Good luck sending malformed spoofed UDP packets and getting any router to accept it :) But there are some out there, that's for sure.