Advisories for Composer/Pocketmine/Pocketmine-Mp package

2024

PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (3rd time)

Impact An attacker could crash the server by sending malformed JWT JSON in LoginPacket due to a security vulnerability in netresearch/jsonmapper, due to attempting to construct objects from scalar types by default without any validation, with unexpected results that caused PocketMine-MP to crash. Due to the relatively high number of security issues arising from this specific dependency, the team is exploring options to replace it. Patches In the meantime, the …

PocketMine-MP BookEditPacket crash when inventory slot in the packet is invalid

Summary If a client sends a BookEditPacket with InventorySlot greater than 35, the server will crash due to an unhandled exception thrown by BaseInventory->getItem(). Details Crashes at https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873 PoC Using Gophertunnel, use serverConn.WritePacket(&packet.BookEdit{InventorySlot: 36}) Impact Server crash, all servers Patched versions This issue was fixed by 47f011966092f275cc1b11f8de635e89fd9651a7, and the fix was released in 5.11.2.

2023

PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)

An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket. This happened due to the particular handling of NULL types in the json mapper which accepts NULL type values in typed arrays which PocketMine-MP did not expect. Code processing arrays in the JSON data could then crash due to unexpected NULL elements.

PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)

Impact An attacker could crash the server by sending malformed JWT JSON in LoginPacket due to a security vulnerability in netresearch/jsonmapper, due to accepting NULL values in arrays whose types do not expect NULL. Patches This problem was fixed in 5.3.1 and 4.23.1 by updating JsonMapper to include the following commit: pmmp/netresearch-jsonmapper@4f90e8dab1c9df331fad7d3d89823404e882668c Workarounds A plugin may handle DataPacketReceiveEvent for LoginPacket and check that none of the input arrays contain NULL …

PocketMine-MP server crash due to incorrect EC curve used for LoginPacket identityPublicKey

Impact The server uses ECDH to calculate a shared secret for the symmetric encryption key used to encrypt network packets after logging in. ECDH requires that the keys used must both belong to the same elliptic curve. In Minecraft: Bedrock Edition, the curve used is secp384r1. Using any other curve (for example secp256r1) to sign the LoginPacket JWTs would lead to successfully verifying the login chain, but would later crash …

PocketMine-MP vulnerable to server crash using badly formatted sign NBT in BlockActorDataPacket

Summary A player sending a packet can cause the server to crash by providing incorrect sign data in NBT in BlockActorDataPacket. Details This vulnerability was discovered using the BlockActorDataPacket, but other packets may also be affected. The player would seem to just need to send an NBT with an incorrect type to throw this error. [Server thread/CRITICAL]: pocketminebt\UnexpectedTagTypeException: "Expected a tag of type pocketminebt\tag\CompoundTag, got pocketminebt\tag\ByteTag" (EXCEPTION) in "pmsrc/vendor/pocketmine/nbt/src/tag/CompoundTag" at …

PocketMine-MP vulnerable to server crash with certain invalid JSON payloads in `LoginPacket` due to vulnerable dependency

Impact An attacker could crash the server by sending malformed JWT JSON in LoginPacket due to a security vulnerability in netresearch/jsonmapper, due to improper checking for mapping JSON arrays and objects onto scalar model properties such as strings. Patches The problem was fixed in a fork of JsonMapper in dktapps/JsonMapper@a31902a31f5b6fdb832f57c0e3a3f16a3b41c012. PocketMine-MP releases 4.20.5 and 4.21.1 have been released with the fix. Workarounds Users of PocketMine-MP source installations may manually install …

PocketMine-MP vulnerable to improperly checked dropped item count leading to server crash

Impact In 4.18.0, the network handling of inventories was completely revamped. Due to this, a bug was introduced which allowed players to request that the server drop more of an item than they had available in their hotbar. This does not lead to any duplication issues, but instead led to a server crash, and is believed to have been exploited in the wild. Patches This was fixed in 58974765a68f63a9968a7ff3a06f584ff2ee08d2, which …

PocketMine MP vulnerable to uncontrolled resource consumption via mismatched type of 'InventoryTransactionPacket'

Impact A "mismatch" type InventoryTransactionPacket is sent by the client to request a resync of all currently open inventories. Since PocketMine-MP does not rate-limit these "mismatch" transactions, and the syncing of inventories is not deferred until, e.g. the end of the current tick, they can be used as a very cheap bandwidth multiplier by making the server send out many MB of data (network serialized inventory items can be very …

PocketMine-MP vulnerable to denial-of-service by sending large modal form responses

Impact Due to a workaround for an old client bug (which has since been fixed), very large JSON payloads in ModalFormResponsePacket were able to cause the server to spend a significant amount of time processing the packet. Large numbers of these packets were able to hog CPU time so as to prevent the server from processing other connections in a timely manner. Patches The problem has been addressed in 3baa5ab71214f96e6e7ab12cb9beef08118473b5 …

PocketMine-MP has improperly handled dye colour IDs in banner NBT, leading to server crash

Impact DyeColorIdMap->fromId() does not account for the possibility that it might be given invalid input. This means that an undefined offset error would occur whenever this happened. This code is indirectly called during Banner->deserializeCompoundTag(), which is invoked when deserializing any item NBT, whether from network or disk. An attacker could use this bug to crash a server by providing NBT with invalid values for pattern colours in an inventory transaction, …

2022

PocketMine-MP invalid skin geometry JSON data leading to server crash

Impact pocketmine\entity\Skin does not correctly handle errors produced by adhocore/json-comment, which throws RuntimeException rather than returning false as PocketMine-MP expects. This leads to a server crash if the skin geometry data is invalid for some reason (e.g. a syntax error). Patches c9626c610b8f6810c8c987559c9197b2a291f0bb Workarounds A plugin could handle LoginPacket and PlayerSkinPacket to verify the skin geometry data can be parsed correctly, so that the error condition in the core code is …

Improperly checked IDs on itemstacks received from the client leading to server crash in PocketMine-MP

Impact Due to a workaround for unmapped network items implemented in 4.0.0-BETA5 (8ac16345a3bc099b62c1f5cfbf3b736e621c3f76), arbitrary item IDs are able to be written into an item's NBT. The intended purpose of this is to make said unmapped network items able to be moved around the inventory without issues. This led to an exploit due to internal limits on the range that item IDs can occupy (-32768 - 32767), while the tag type …

Insufficient type validation in pocketmine/pocketmine-mp

When an inventory interaction is performed (e.g. moving an item around an inventory), the client sends a serialized version of the itemstack to the server, which the server then deserializes and compares against its own copy. If the copies don't match, the transaction is invalid. This involves deserializing item NBT from the client, which allows for bogus data to be provided. Usually, this is harmless, but in this particular case, …

Unhandled exception when decoding form response JSON

Impact When handling form responses from the client (ModalFormResponsePacket), the Minecraft Windows client may send weird JSON that json_decode() can't understand. A workaround for this is implemented in InGamePacketHandler::stupid_json_decode(). An InvalidArgumentException is thrown by this function when it fails to fix an error found in the JSON, which is not caught by the caller. This leads to a server crash. Patches 56fe71d939c38fe14e18a31a673a9331bcc0e4ca Workarounds A plugin may handle DataPacketReceiveEvent, capture ModalFormResponsePacket …

Impersonation of other users (passing XBOX Live authentication) by theft of logins in PocketMine-MP

Impact Minecraft Bedrock authentication and its protocol encryption are inseparably linked. One is not complete without the other. This vulnerability affects servers which are able to be directly connected to via the internet (i.e. not behind a proxy). If you are using a proxy, please check that it supports protocol encryption and that it is enabled. Technical details Basics The client generates a private ECC key clientPriv which it uses …

Unchecked validity of Facing values in PlayerActionPacket

Impact A remote attacker may crash a server by sending PlayerActionPacket with invalid facing values (e.g. negative), specifically with START_BREAK or CRACK_BLOCK actions, or with a UseItemTransactionData (typically in InventoryTransactionPacket). Patches f126479c37ff00a717a828f5271cf8e821d12d6c Workarounds Using a plugin, cancel DataPacketReceiveEvent if the packet is PlayerActionPacket and the facing is outside the range 0-5 when receiving START_BREAK or CRACK_BLOCK actions, or UseItemTransactionData. However, beware that negative values may be legitimate in some cases. …

Uncapped length of skin data fields submitted by players

Impact Some skin data fields (e.g. skinID, geometryName) are not capped in length. These fields are typically saved in the NBT data of a player when the player quits the server, or during an autosave. This is problematic due to the 32767 byte limit on TAG_Strings. If any of these fields exceeds 32767 bytes, an exception will be thrown during data saving, which will cause the server to crash. Other …

Book page text, count, and author/title length is not limited in PocketMine-MP

Impact Players can fill book pages with as many characters as they like; the server does not check this. In addition, the maximum of 50 pages is also not enforced, meaning that players can create "book bombs". This causes a variety of problems: Oversized NBT on the wire costing excess bandwidth for server and client Server crashes when saving region-based worlds due to exceeding maximum chunk size of 1 MB …

2021

Inability to de-op players if listed in ops.txt with non-lowercase letters

Impact Originally reported in iTXTech/Genisys#1188 PotterHarry98 potterharry98 deop PotterHarry98 will remove potterharry98 from the ops.txt but not PotterHarry98. Operator permissions are checked using Config->exists() with lowercase=true, which will result in a match: https://github.com/pmmp/PocketMine-MP/blob/22bb1ce8e03dba57173debf0415390511d68e045/src/utils/Config.php#L449 This means that it's possible to make yourself impossible to de-op (using commands) by adding your name to ops.txt with uppercase letters. Patches 4d37b79ff7f9d9452e988387f97919a9a1c4954e Workarounds This can be easily addressed by removing the offending lines from ops.txt …

2020