Minecraft vulnerability leaves servers exposed to forced crashes

Developer Ammar Askar has revealed a serious vulnerability in Minecraft that will allow just about anyone to crash a hosting server. The security flaw results from the ability of the client to send information to the server about inventory slots; when used in conjunction with the NBT metadata storage format, users can send packets that are "incredibly complex for the server to deserialize but trivial for us to generate."

The explanation on Askar's blog (via Ars Technica) is fairly technical, but what it boils down to is that Minecraft users can, with relative ease, create objects that simply overwhelm remote servers. As an example, Askar created one called "rekt," a five-level series of lists within lists.

"The root of the object, rekt, contains 300 lists. Each list has a list with 10 sublists, and each of those sublists has 10 of their own, up until 5 levels of recursion. That’s a total of 10^5 * 300 = 30,000,000 lists," he explained. "And this isn’t even the theoretical maximum for this attack. Just the NBT data for this payload is 26.6 megabytes. But luckily Minecraft implements a way to compress large packets, lucky us! zlib shrinks down our evil data to a mere 39 kilobytes."

The killing stroke comes when the server decompresses that data and then tries to digest it. "When it attempts to parse it into NBT, it’ll create java representations of the objects meaning suddenly, the server is having to create several million java objects including ArrayLists," Askar wrote. "This runs the server out of memory and causes tremendous cpu load."
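One way a server could bound this work before it builds any objects, as an added example (not code from Askar's post or from Mojang's fix): cap the inflated size, then walk the raw NBT bytes against a tag and depth budget. The limits and function names are assumptions; the tag ids and big-endian layout follow the published NBT format.

```python
import struct
import zlib

# Assumed budgets (not Mojang's values); size them to the largest legitimate item.
MAX_BYTES, MAX_TAGS, MAX_DEPTH = 2 * 1024 * 1024, 10_000, 16
FIXED = {1: 1, 2: 2, 3: 4, 4: 8, 5: 4, 6: 8}            # scalar tag id -> payload bytes
PREFIXED = {7: (">i", 1), 8: (">H", 1), 11: (">i", 4)}  # arrays, string: length fmt, item size

class NbtRejected(ValueError): pass  # raised before any object tree is built

def bounded_inflate(blob, limit=MAX_BYTES):
    out = zlib.decompressobj().decompress(blob, limit + 1)  # never inflate past limit+1
    if len(out) > limit:
        raise NbtRejected("decompressed size over limit")
    return out

def check_nbt(buf):
    """Walk a named root tag, counting tags instead of building objects."""
    pos = tags = 0
    def take(n):
        nonlocal pos
        if n < 0 or pos + n > len(buf):
            raise NbtRejected("truncated or negative length")
        pos += n
        return buf[pos - n:pos]
    def payload(kind, depth):
        nonlocal tags
        tags += 1
        if tags > MAX_TAGS or depth > MAX_DEPTH:
            raise NbtRejected("tag or depth budget exceeded")
        if kind in FIXED:
            take(FIXED[kind])
        elif kind in PREFIXED:
            fmt, width = PREFIXED[kind]
            take(width * struct.unpack(fmt, take(struct.calcsize(fmt)))[0])
        elif kind == 9:                       # list: element type, then count
            elem, count = struct.unpack(">Bi", take(5))
            for _ in range(count):
                payload(elem, depth + 1)
        elif kind == 10:                      # compound: named children until TAG_End
            while (child := take(1)[0]) != 0:
                take(struct.unpack(">H", take(2))[0])
                payload(child, depth + 1)
        else:
            raise NbtRejected("unknown tag type")
    root = take(1)[0]
    if root != 0:                             # a lone TAG_End means "no NBT"
        take(struct.unpack(">H", take(2))[0])
        payload(root, 0)
    return tags
```

A packet handler would call `check_nbt(bounded_inflate(packet))` and only hand the bytes to the real deserializer if no `NbtRejected` is raised.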

Askar said he was hesitant to reveal the flaw, but decided to go ahead because Mojang hasn't done anything to fix it despite being warned about it almost two full years ago. "Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands [of] people play on servers running their software at any given time. They have a responsibility to fix and properly work out problems like this," he wrote. "In addition, it should be noted that giving condescending responses to white hats who are responsibly disclosing vulnerabilities and trying to improve a product they enjoy is a sure fire way to get developers dis-interested the next time they come across a bug like this."

In an update to his post, he noted that in the wake of his revelation, Mojang has identified the problem and attempted to fix it, but has thus far been unable to do so.

Update: Mojang has released a security update that takes Minecraft to version 1.8.4, which fixes the security vulnerability "in addition to some other minor bug fixes & performance tweaks." The update is fully compatible with all previous 1.8 releases, and Mojang strongly recommends that all players upgrade to the new version as soon as possible.

Andy Chalk
