Advisories for Composer/Pocketmine/Pocketmine-Mp package

Impact An attacker could crash the server by sending malformed JWT JSON in LoginPacket due to a security vulnerability in netresearch/jsonmapper, due to attempting to construct objects from scalar types by default without any validation, with unexpected results that caused PocketMine-MP to crash. Due to the relatively high number of security issues arising from this specific dependency, the team is exploring options to replace it. Patches In the meantime, the …

Summary If a client sends a BookEditPacket with InventorySlot greater than 35, the server will crash due to an unhandled exception thrown by BaseInventory->getItem(). Details Crashes at https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873 PoC Using Gophertunnel, use serverConn.WritePacket(&packet.BookEdit{InventorySlot: 36}) Impact Server crash, all servers Patched versions This issue was fixed by 47f011966092f275cc1b11f8de635e89fd9651a7, and the fix was released in 5.11.2.

An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket. This happened due to the particular handling of NULL types in the json mapper which accepts NULL type values in typed arrays which PocketMine-MP did not expect. Code processing arrays in the JSON data could then crash due to unexpected NULL elements.

Impact An attacker could crash the server by sending malformed JWT JSON in LoginPacket due to a security vulnerability in netresearch/jsonmapper, due to accepting NULL values in arrays whose types do not expect NULL. Patches This problem was fixed in 5.3.1 and 4.23.1 by updating JsonMapper to include the following commit: pmmp/netresearch-jsonmapper@4f90e8dab1c9df331fad7d3d89823404e882668c Workarounds A plugin may handle DataPacketReceiveEvent for LoginPacket and check that none of the input arrays contain NULL …

Impact The server uses ECDH to calculate a shared secret for the symmetric encryption key used to encrypt network packets after logging in. ECDH requires that the keys used must both belong to the same elliptic curve. In Minecraft: Bedrock Edition, the curve used is secp384r1. Using any other curve (for example secp256r1) to sign the LoginPacket JWTs would lead to successfully verifying the login chain, but would later crash …

Summary A player sending a packet can cause the server to crash by providing incorrect sign data in NBT in BlockActorDataPacket. Details This vulnerability was discovered using the BlockActorDataPacket, but other packets may also be affected. The player would seem to just need to send an NBT with an incorrect type to throw this error. [Server thread/CRITICAL]: pocketminebt\UnexpectedTagTypeException: "Expected a tag of type pocketminebt\tag\CompoundTag, got pocketminebt\tag\ByteTag" (EXCEPTION) in "pmsrc/vendor/pocketmine/nbt/src/tag/CompoundTag" at …

An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket. This happened due to a bug in netresearch/jsonmapper. The library wasn't doing proper checks when mapping JSON arrays and objects onto scalar model properties such as strings.

Impact An attacker could crash the server by sending malformed JWT JSON in LoginPacket due to a security vulnerability in netresearch/jsonmapper, due to improper checking for mapping JSON arrays and objects onto scalar model properties such as strings. Patches The problem was fixed in a fork of JsonMapper in dktapps/JsonMapper@a31902a31f5b6fdb832f57c0e3a3f16a3b41c012. PocketMine-MP releases 4.20.5 and 4.21.1 have been released with the fix. Workarounds Users of PocketMine-MP source installations may manually install …

Impact In 4.18.0, the network handling of inventories was completely revamped. Due to this, a bug was introduced which allowed players to request that the server drop more of an item than they had available in their hotbar. This does not lead to any duplication issues, but instead led to a server crash, and is believed to have been exploited in the wild. Patches This was fixed in 58974765a68f63a9968a7ff3a06f584ff2ee08d2, which …

Impact A "mismatch" type InventoryTransactionPacket is sent by the client to request a resync of all currently open inventories. Since PocketMine-MP does not rate-limit these "mismatch" transactions, and the syncing of inventories is not deferred until, e.g. the end of the current tick, they can be used as a very cheap bandwidth multiplier by making the server send out many MB of data (network serialized inventory items can be very …

Impact Due to a workaround for an old client bug (which has since been fixed), very large JSON payloads in ModalFormResponsePacket were able to cause the server to spend a significant amount of time processing the packet. Large numbers of these packets were able to hog CPU time so as to prevent the server from processing other connections in a timely manner. Patches The problem has been addressed in 3baa5ab71214f96e6e7ab12cb9beef08118473b5 …

Impact DyeColorIdMap->fromId() does not account for the possibility that it might be given invalid input. This means that an undefined offset error would occur whenever this happened. This code is indirectly called during Banner->deserializeCompoundTag(), which is invoked when deserializing any item NBT, whether from network or disk. An attacker could use this bug to crash a server by providing NBT with invalid values for pattern colours in an inventory transaction, …

Impact pocketmine\entity\Skin does not correctly handle errors produced by adhocore/json-comment, which throws RuntimeException rather than returning false as PocketMine-MP expects. This leads to a server crash if the skin geometry data is invalid for some reason (e.g. a syntax error). Patches c9626c610b8f6810c8c987559c9197b2a291f0bb Workarounds A plugin could handle LoginPacket and PlayerSkinPacket to verify the skin geometry data can be parsed correctly, so that the error condition in the core code is …

Impact Due to a workaround for unmapped network items implemented in 4.0.0-BETA5 (8ac16345a3bc099b62c1f5cfbf3b736e621c3f76), arbitrary item IDs are able to be written into an item's NBT. The intended purpose of this is to make said unmapped network items able to be moved around the inventory without issues. This led to an exploit due to internal limits on the range that item IDs can occupy (-32768 - 32767), while the tag type …

Impact PocketMine-MP caps maximum chat message length at 512 Unicode characters, or about 2048 bytes. No more than 2 chat messages may be sent per tick. However, due to legacy reasons, incoming chat message blobs are split by ``, and each part is treated as a separate message, the length of each part is individually checked.

When an inventory interaction is performed (e.g. moving an item around an inventory), the client sends a serialized version of the itemstack to the server, which the server then deserializes and compares against its own copy. If the copies don't match, the transaction is invalid. This involves deserializing item NBT from the client, which allows for bogus data to be provided. Usually, this is harmless, but in this particular case, …

A malicious client may send a MovePlayerPacket to the server whose position or rotation contains NaN or INF. Since neither the server nor vanilla client handles this properly, a number of interesting side effects come into play.

Due to a workaround applied in 1.13, an attacker may send a negative damage/meta value in a tool or armour item's NBT, which TypeConverter then blindly uses as if it was valid without being checked. When this invalid metadata value reaches Durable->setDamage(), an exception is thrown because the metadata is not within the expected range for damage values.

Impact When handling form responses from the client (ModalFormResponsePacket), the Minecraft Windows client may send weird JSON that json_decode() can't understand. A workaround for this is implemented in InGamePacketHandler::stupid_json_decode(). An InvalidArgumentException is thrown by this function when it fails to fix an error found in the JSON, which is not caught by the caller. This leads to a server crash. Patches 56fe71d939c38fe14e18a31a673a9331bcc0e4ca Workarounds A plugin may handle DataPacketReceiveEvent, capture ModalFormResponsePacket …

Impact Minecraft Bedrock authentication and its protocol encryption are inseparably linked. One is not complete without the other. This vulnerability affects servers which are able to be directly connected to via the internet (i.e. not behind a proxy). If you are using a proxy, please check that it supports protocol encryption and that it is enabled. Technical details Basics The client generates a private ECC key clientPriv which it uses …

Impact A remote attacker may crash a server by sending PlayerActionPacket with invalid facing values (e.g. negative), specifically with START_BREAK or CRACK_BLOCK actions, or with a UseItemTransactionData (typically in InventoryTransactionPacket). Patches f126479c37ff00a717a828f5271cf8e821d12d6c Workarounds Using a plugin, cancel DataPacketReceiveEvent if the packet is PlayerActionPacket and the facing is outside the range 0-5 when receiving START_BREAK or CRACK_BLOCK actions, or UseItemTransactionData. However, beware that negative values may be legitimate in some cases. …

Impact Some skin data fields (e.g. skinID, geometryName) are not capped in length. These fields are typically saved in the NBT data of a player when the player quits the server, or during an autosave. This is problematic due to the 32767 byte limit on TAG_Strings. If any of these fields exceeds 32767 bytes, an exception will be thrown during data saving, which will cause the server to crash. Other …

Impact Players can fill book pages with as many characters as they like; the server does not check this. In addition, the maximum of 50 pages is also not enforced, meaning that players can create "book bombs". This causes a variety of problems: Oversized NBT on the wire costing excess bandwidth for server and client Server crashes when saving region-based worlds due to exceeding maximum chunk size of 1 MB …

Impact Originally reported in iTXTech/Genisys#1188 PotterHarry98 potterharry98 deop PotterHarry98 will remove potterharry98 from the ops.txt but not PotterHarry98. Operator permissions are checked using Config->exists() with lowercase=true, which will result in a match: https://github.com/pmmp/PocketMine-MP/blob/22bb1ce8e03dba57173debf0415390511d68e045/src/utils/Config.php#L449 This means that it's possible to make yourself impossible to de-op (using commands) by adding your name to ops.txt with uppercase letters. Patches 4d37b79ff7f9d9452e988387f97919a9a1c4954e Workarounds This can be easily addressed by removing the offending lines from ops.txt …

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pocketmine/pocketmine-mp.