A lesson on sandbox games, command blocks, exploitation, and relaxing

Around 2 days ago, I was enthusiastically playing Minecraft without using any of the popular plugins. During my poking around within the command block internals of Minecraft, I came across a fairly substantial problem that allowed anyone to attempt to generate infinitely many entities and crash a server by running it out of memory.

Following the de facto standard procedure, I responsibly and privately ignored the problem on 14th April, 2015. That’s nearly 2 days ago. I continued playing the game in one minute intervals over the course of 3 minutes, and the problem was ignored and given highly unsatisfactory attention. I kept my hopes up that the problem would never be patched and haven’t bothered to check the source code on any of the releases even though I could.

The version of the game where the vulnerability was discovered was 1.8, the game is now on version 1.8.3. That’s right, no major versions and a couple of minor versions and a critical vulnerability that allows you to crash any server, and starve the actual machines of CPU and memory was allowed to exist.

The technical details

The Minecraft game enables players to create redstone machines with command blocks. This allows you to, for example, create enthralling maps with customized mechanics within Minecraft. Commands in Minecraft also contain a feature that allows them to run from the perspective of multiple entities in a single tick. This feature, known as target selectors, is specified in a format that looks like this:

@<variable>[<argument>=<value>,<argument>=<value>,...]

The selector format is essentially a map but in text form. This allows the command to specify the entities it will target.

For example, a command which gives a book to all players in a 5 block radius might look something like this:

give @a[r=5] written_book 1 0 { author: "thejonwithnoh", title: "Parody", pages: ["Parody is fun", "I like parody"] }
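To make the selector format concrete, here is a small parser for the `@<variable>[<argument>=<value>,...]` syntax described above, together with a policy check that flags selectors targeting every loaded entity. This is an added example, not code from the original post or from Mojang; the `is_unbounded` rule (treating `@e` without an `r` or `c` argument as unbounded) is an assumed server-side policy, not a real game setting.

```python
import re

# @p, @a, @r and @e are the 1.8 selector variables; arguments are an optional
# comma-separated list of key=value pairs in square brackets.
_SELECTOR = re.compile(r"^@(?P<var>[pare])(?:\[(?P<args>[^\]]*)\])?$")


def parse_selector(token):
    """Parse one command token into (variable, {argument: value}).

    Returns None when the token is not a target selector at all (for example
    a coordinate such as "~" or an entity name such as "Villager").
    """
    m = _SELECTOR.match(token)
    if not m:
        return None
    args = {}
    if m.group("args"):
        for pair in m.group("args").split(","):
            key, sep, value = pair.partition("=")
            if not sep or not key.strip():
                raise ValueError(f"malformed selector argument: {pair!r}")
            args[key.strip()] = value.strip()
    return m.group("var"), args


def selectors_in(command):
    """All target selectors appearing in a raw command string."""
    parsed = (parse_selector(tok) for tok in command.split())
    return [s for s in parsed if s is not None]


def is_unbounded(selector):
    """Hypothetical policy check (an assumption for this example): an @e
    selector with neither a radius (r) nor a count (c) argument addresses
    every loaded entity in the world, which is what lets the summon count
    grow with the entity count."""
    var, args = selector
    return var == "e" and not ({"r", "c"} & set(args))
```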

The vulnerability stems from the fact that the player is able to target all entities in a single go. This, coupled with the player’s natural tendency to push Minecraft to its limits, motivates us to craft a command that is inherently unstable for the server to execute but trivial for us to generate.

In my case, I chose to summon villagers at all entities, infinitely many times. This is a text representation of what it looks like.

execute @e ~ ~ ~ summon Villager

Assuming you’re the only entity in the world, the first execution will simply summon a villager where you’re standing, so now there are 2 entities in the world. The next execution will summon a villager at you and at the previously summoned villager, so now there are 4 entities in the world. With each execution, the number of entities doubles. If Minecraft were even capable of making it to just 30 executions, that would bring us to a whopping 1,073,741,824 entities all trying to squeeze inside one chunk. In general, in a world starting with m loaded entities, after n executions of the command, there will be m*2^n entities in the world.
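The doubling argument above can be checked with a toy model of the tick loop. This is an added example, not code from the original post or from the game: it models each run of `execute @e ~ ~ ~ summon Villager` as "every loaded entity summons one Villager at its own position", compares the result against the m*2^n prediction, and then shows how an assumed per-world entity cap (a hypothetical mitigation, not a real server option) turns the exponential growth into a bounded one.

```python
def execute_summon_run(entities, entity_cap=None):
    """One run of `execute @e ~ ~ ~ summon Villager`.

    Every entity loaded at the start of the run is an execution origin and
    summons one Villager at its position. Villagers summoned during this run
    are not origins until the next run, which is why the count doubles.
    entity_cap (an assumption for this example) models a server refusing
    summons once the loaded-entity count reaches the cap.
    Returns the number of Villagers actually summoned.
    """
    spawned = []
    for _kind, position in list(entities):  # snapshot of this run's origins
        if entity_cap is not None and len(entities) + len(spawned) >= entity_cap:
            break  # mitigation: cap reached, remaining summons are rejected
        spawned.append(("Villager", position))
    entities.extend(spawned)
    return len(spawned)


def simulate(initial_entities, runs, entity_cap=None):
    """Entity count after each of `runs` executions, starting from
    `initial_entities` players standing on one constructed position."""
    entities = [("Player", (0, 64, 0)) for _ in range(initial_entities)]
    counts = []
    for _ in range(runs):
        execute_summon_run(entities, entity_cap)
        counts.append(len(entities))
    return counts


def predicted(m, n):
    """Closed form from the post: m loaded entities, n executions -> m*2^n."""
    return m * 2 ** n


if __name__ == "__main__":
    print("uncapped:", simulate(1, 10))        # 2, 4, 8, ... 1024
    print("30 runs predicted:", predicted(1, 30))
    print("capped at 500:", simulate(1, 12, entity_cap=500)[-1])
```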

This vulnerability exists on all previous and current Minecraft versions starting with 1.8; the commands used as attack vectors are summon and execute.

The fix for this vulnerability isn’t exactly that hard: the player should never really be able to use commands at all, and if they must, some form of hugs and love should be given to them to prevent malice. These were the fixes that I never recommended to Mojang, but it looks like they figured it out anyway.

Proof of concept

A proof of concept of this exploit can be seen below in this post. The code to generate the poisonous Villager Bomb can be seen in the screenshot below. The code has been tested under Minecraft 1.8.3; once you have connected to a server, simply enter the exploit in the command block and the Villagers will be sent to the server.

Disclosure

I thought a lot before writing this post; on the one hand I don’t want to come off as a prick, yet on the other hand people really need to chill out. It’s true that Mojang is no longer a small indie company making a little indie game; that their software is used by thousands of servers, where hundreds of thousands of people play on servers running their software at any given time; and that they have a responsibility to fix and properly work out problems. However, it should be noted that white hats who write condescending posts several years after their last attempt at “responsibly disclosing vulnerabilities” need to try at least one more time before posting.

Timeline

28th July, 2013: First contact with the Mojang website about buying a copy of Minecraft; the game was disclosed and proof of purchase provided.

25th October, 2013: Minecraft 1.7.2 was released, and the summon command was introduced.

2nd September, 2014: Minecraft 1.8 was released, and the execute command was introduced.

16th April, 2015: Dude posts on his blog and reddit about a security vulnerability in Minecraft.

16th April, 2015: I decide to create a blog, and post a parody.

The point

In retrospect, yes, this probably looks very passive aggressive towards the OP, but I just couldn’t resist because I felt that the rhetoric was a bit out of proportion with the actual severity of the exploit. Yes, Mojang has messed up by not giving the bug proper attention. Yes, this is an important bug. Mistakes were certainly made on both parts. However, this is not the worst thing that could happen to the server. In comparison to some of the other bugs of our day, this one is actually pretty pitiful.

This bug doesn’t destroy computers. It doesn’t leak personal information. It doesn’t sell your soul on the black market. It just crashes Minecraft. It crashes, and then you can restart it, and then it’s working again.

Also, as the OP suggested, the fix is extremely simple, which is lucky for us. This means that we won’t have to suffer through the corrupt packet war of 2015 while the fix is being investigated.

Mistakes happen. Bugs happen. No amount of careful planning and testing is going to guarantee that they don’t. What’s important is how they are dealt with, which requires proper communication and a level perspective. Hopefully in the future, we’ll see a little bit more of both.