The vulnerability exists in the `STATUS_SEND_PACKS` case of the `ResourcePackClientResponsePacket` handler. The code processes the `packIds` array from the client packet directly without first checking for duplicate entries. A malicious client can send a packet containing thousands of identical, valid resource pack UUIDs. For each UUID in the array, the server retrieves the corresponding pack and sends a `ResourcePackDataInfoPacket` back to the client. This causes the server to generate and send a massive amount of redundant data for the same pack, leading to excessive memory consumption and ultimately a denial-of-service condition as the server runs out of memory and crashes.
Platform: PocketMine-MP
Version: < 4.0.0
Vulnerability: DoS
Severity: High
Date: 2021
Prediction: 2021-10-20
What Undercode Say:
npm install bedrock-protocol
node poc.js
client.queue('resource_pack_client_response', {
  response_status: 'send_packs',
  resourcepackids: Array(1000).fill('UUID')
});
How to Exploit:
A malicious client sends a packet with duplicated UUIDs.
Protection from this CVE:
Apply the update; deduplicate the client-supplied `packIds` array with `array_unique` before processing it.
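One way to apply the `array_unique` mitigation on the server side, as an added example that is not PocketMine-MP's own code or its actual patch. The function name `selectPacksToSend`, its parameters, the per-session `$alreadySent` record and the sample UUIDs are assumptions made for illustration; the length check and per-session record go beyond plain deduplication.

```php
<?php
declare(strict_types=1);

/**
 * Decide which packs to send for one SEND_PACKS response (hypothetical helper).
 *
 * @param string[]           $packIds      ids from the client packet (untrusted)
 * @param string[]           $knownPackIds ids of the packs the server offers
 * @param array<string,true> $alreadySent  per-session record, updated in place
 * @return string[] ids to answer, each at most once per session
 */
function selectPacksToSend(array $packIds, array $knownPackIds, array &$alreadySent): array
{
    // A duplicate-free list of valid ids can never be longer than the list of
    // offered packs, so reject anything larger before doing per-entry work.
    if (count($packIds) > count($knownPackIds)) {
        throw new InvalidArgumentException('more pack ids than packs offered');
    }
    $known = array_fill_keys(array_map('strtolower', $knownPackIds), true);
    $toSend = [];
    // array_unique collapses repeats, so one pack yields at most one reply.
    foreach (array_unique(array_map('strtolower', $packIds)) as $id) {
        if (!isset($known[$id])) {
            throw new InvalidArgumentException('unknown pack id');
        }
        if (isset($alreadySent[$id])) {
            continue; // already answered earlier in this session
        }
        $alreadySent[$id] = true;
        $toSend[] = $id;
    }
    return $toSend;
}

// Constructed sample data: two offered packs, placeholder UUIDs.
$offered = ['11111111-1111-4111-8111-111111111111', '22222222-2222-4222-8222-222222222222'];
$session = [];

var_dump(selectPacksToSend([$offered[0], $offered[0]], $offered, $session)); // duplicate inside one packet
var_dump(selectPacksToSend([$offered[0]], $offered, $session));              // same pack requested again
try {
    selectPacksToSend(array_fill(0, 1000, $offered[0]), $offered, $session); // 1000 copies of one id
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The caller would send one `ResourcePackDataInfoPacket` per returned id and disconnect the session when the function throws.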
Impact:
Server memory exhaustion, crash.
Sources:
Reported By: github.com

