Crafting a Minecraft Server Killer

Here’s a fun one!

For the past two years, there’s been a vulnerability in most Minecraft servers that would cause them to run out of memory if a malformed packet was sent to them!

Internally, Minecraft exchanges some data with the Named Binary Tag (NBT) format, basically JSON in binary form. On the server, there was no bounds checking and no maximum size, so a malicious client could send a blob of NBT up to 2^28 bytes, or something like 268 MB, luckily it’s sent compressed 😉 When the server receives data in the NBT format it parses it and then creates the corresponding Java objects.

The author and creator of the exploit created an object that recursively created 30,000,000 lists (the compressed size of this data was only 39KB! Uncompressed it was 27MB). When sent to the server, it was able to accept the NBT data just fine, but when it went to parse it the CPU load would spike and the JVM would run out of memory and crash, whoops!

The author disclosed this vulnerability to Mojang two years ago, but they never acted on it. Within a day of them releasing the article announcing the exploit Mojang released Minecraft 1.8.4, which had proper bounds checking to prevent it from happening.


Matt Smicinski