CVE-2021-45383 & CVE-2021-45384

There are several network-layer vulnerabilities in the official server of Minecraft: Bedrock Edition (aka Bedrock Server),which allow attacker to launch a DoS attack.
CVE-2021-45383 is an integer overflow leading to a bound check bypass.
CVE-2021-45384 is a null pointer dereference.
Here are details & PoCs & possible patches for them.

Details

Because both vulnerabilities lie in the network protocol handler,attackers can launch a DoS attack without logining or being in the server player allowlist.
CVE-2021-45383 affects Bedrock Server 1.16.0-1.18.2.03.
CVE-2021-45384 is an old vulnerability and affects 1.14.0-1.18.2.03,earlier versions may be affected as well.
CVE-2021-45383 is caused by ClientCacheBlobStatusPacket::_read (packet deserializer)

//pseudo-code
u32 size1=readUnsignedVarInt();
u32 size2=readUnsignedVarInt();
if (size1+size2>0xfff){ //overflows here
    return false;
}
while(size1--){
    vector1.emplace_back(readVarInt64());
}
while(size2--){
    vector2.emplace_back(readVarInt64());
}

Attackers can choose special size1 and size2 (e.g. 0xffffffff & 0xfff) to bypass the bound check. Large sizes will cause a large loop(blocks the main thread) and allocate much memory (32G+ , may trigger an OOM error).

CVE-2021-45384 is caused by ServerNetworkHandler::handle(DisconnectPacket), which uses the return value of ServerNetworkHandler::_getServerPlayer directly.
Attackers can send a DisconnectPacket over a not properly initialized connection, and trigger a null pointer dereference in ServerNetworkHandler::handle(DisconnectPacket), which leads to a server crash.

PoCs

Disclaimer: PoCs are only excepted to be used for testing whether your server is vulnerable.Providers assume no liability and are not responsible for any misuse or damage caused by these programs. Use at your own risk.
CVE-2021-45384: python replay.py <IP> <Port> dis.dmp
CVE-2021-45383: python replay.py <IP> <Port> overflow.dmp

Patches

Patch for CVE-2021-45384 has been integrated into LiteLoader
You can hook ServerNetworkHandler::handle(DisconnectPacket) and check the result of ServerNetworkHandler::_getServerPlayer. Or simply drop all DisconnectPackets.

Patch for CVE-2021-45383:
You can hook ClientCacheBlobStatusPacket::_read and check the range of size1 & size2 separately.

Details,PoC and patches for CVE-2021-45383 & CVE-2021-45384

Related tags

Overview

CVE-2021-45383 & CVE-2021-45384

Details

PoCs

Patches

Owner

TCP/UDP port scanner on python, usong scapy and multiprocessin

Malware arcane - Scripts and notes on my malware analysis journey

LeLeLe: A tool to simplify the application of Lattice attacks.

IDA Python Script for anti ollvm

Phoenix Framework is an environment for writing, testing and using exploit code.

Separate handling of protected media in Django, with X-Sendfile support

SonicWall SMA-100 Unauth RCE Exploit (CVE-2021-20038)

Brute force attack tool for Azure AD Autologon/Seamless SSO

AnonStress-Stored-XSS-Exploit - An exploit and demonstration on how to exploit a Stored XSS vulnerability in anonstress

CamOver is a camera exploitation tool that allows to disclosure network camera admin password.

A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target.

Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr

A python module for retrieving and parsing WHOIS data

GitLab CE/EE Preauth RCE using ExifTool

Automatically fetch, measure, and merge subscription links on the network, use Github Action

PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager)

This is a simple PoC for the newly found Polkit error names PwnKit

SARA - Simple Android Ransomware Attack

A Telegram Bot to force users to join a specific channel before sending messages in a group.

Python exploit code for CVE-2021-4034 (pwnkit)