BOOK THIS SPACE FOR AD
ARTICLE AD
## https://sploitus.com/exploit?id=42B827C0-0885-5514-AD77-FF57D534ABA2
# CVE-2021-45383 & CVE-2021-45384
There are several network-layer vulnerabilities in the official server of Minecraft: Bedrock Edition (aka Bedrock Server),which allow attacker to launch a DoS attack.
`CVE-2021-45383` is an integer overflow leading to a bound check bypass.
`CVE-2021-45384` is a null pointer dereference.
Here are details & PoCs & possible patches for them.
# Details
**Because both vulnerabilities lie in the network protocol handler,attackers can launch a DoS attack without logining or being in the server player allowlist.**
`CVE-2021-45383` affects Bedrock Server 1.16.0-1.18.2.03.
`CVE-2021-45384` is an old vulnerability and affects 1.14.0-1.18.2.03,earlier versions may be affected as well.
`CVE-2021-45383` is caused by `ClientCacheBlobStatusPacket::_read` (packet deserializer)
```C++
//pseudo-code
u32 size1=readUnsignedVarInt();
u32 size2=readUnsignedVarInt();
if (size1+size2>0xfff){ //overflows here
return false;
}
while(size1--){
vector1.emplace_back(readVarInt64());
}
while(size2--){
vector2.emplace_back(readVarInt64());
}
```
Attackers can choose special size1 and size2 (e.g. `0xffffffff` & `0xfff`) to bypass the bound check. Large sizes will cause a large loop(blocks the main thread) and allocate much memory (32G+ , may trigger an OOM error).
---
`CVE-2021-45384` is caused by `ServerNetworkHandler::handle(DisconnectPacket)`, which uses the return value of `ServerNetworkHandler::_getServerPlayer` directly.
Attackers can send a DisconnectPacket over a not properly initialized connection, and trigger a null pointer dereference in `ServerNetworkHandler::handle(DisconnectPacket)`, which leads to a server crash.
# PoCs
**Disclaimer: PoCs are only excepted to be used for testing whether your server is vulnerable.Providers assume no liability and are not responsible for any misuse or damage caused by these programs. Use at your own risk.**
CVE-2021-45384: `python replay.py <IP> <Port> dis.dmp`
CVE-2021-45383: `python replay.py <IP> <Port> overflow.dmp`
# Patches
Latest Bedrock Server(1.18.2.03) does not include patches for CVE-2021-45383 & CVE-2021-45384. There are third-party patches.
---
Patch for `CVE-2021-45384` has been integrated into [LiteLoader](https://github.com/LiteLDev/LiteLoaderBDS) since 1.2.2
You can hook `ServerNetworkHandler::handle(DisconnectPacket)` and check the result of `ServerNetworkHandler::_getServerPlayer`. Or simply drop all DisconnectPackets.
---
Patch for `CVE-2021-45383`:
You can hook `ClientCacheBlobStatusPacket::_read` and check the range of size1 & size2 separately.
This [commit](https://github.com/LiteLDev/LiteLoaderBDS/commit/40d6380e44a875b5d91aa5ba0023e03a1cb03793) in LiteLoader fixed `CVE-2021-45383`.
Update to the latest beta version of LiteLoader to use the patch, or you can wait until LiteLoader 2.0.5 releases.