Details,PoC and patches for CVE-2021-45383 & CVE-2021-45384

Related tags

Security related resourcesCVE-2021-45383
Overview

CVE-2021-45383 & CVE-2021-45384

There are several network-layer vulnerabilities in the official server of Minecraft: Bedrock Edition (aka Bedrock Server),which allow attacker to launch a DoS attack.
CVE-2021-45383 is an integer overflow leading to a bound check bypass.
CVE-2021-45384 is a null pointer dereference.
Here are details & PoCs & possible patches for them.

Details

Because both vulnerabilities lie in the network protocol handler,attackers can launch a DoS attack without logining or being in the server player allowlist.
CVE-2021-45383 affects Bedrock Server 1.16.0-1.18.2.03.
CVE-2021-45384 is an old vulnerability and affects 1.14.0-1.18.2.03,earlier versions may be affected as well.
CVE-2021-45383 is caused by ClientCacheBlobStatusPacket::_read (packet deserializer)

//pseudo-code
u32 size1=readUnsignedVarInt();
u32 size2=readUnsignedVarInt();
if (size1+size2>0xfff){ //overflows here
    return false;
}
while(size1--){
    vector1.emplace_back(readVarInt64());
}
while(size2--){
    vector2.emplace_back(readVarInt64());
}

Attackers can choose special size1 and size2 (e.g. 0xffffffff & 0xfff) to bypass the bound check. Large sizes will cause a large loop(blocks the main thread) and allocate much memory (32G+ , may trigger an OOM error).

CVE-2021-45384 is caused by ServerNetworkHandler::handle(DisconnectPacket), which uses the return value of ServerNetworkHandler::_getServerPlayer directly.
Attackers can send a DisconnectPacket over a not properly initialized connection, and trigger a null pointer dereference in ServerNetworkHandler::handle(DisconnectPacket), which leads to a server crash.

PoCs

Disclaimer: PoCs are only excepted to be used for testing whether your server is vulnerable.Providers assume no liability and are not responsible for any misuse or damage caused by these programs. Use at your own risk.
CVE-2021-45384: python replay.py <IP> <Port> dis.dmp
CVE-2021-45383: python replay.py <IP> <Port> overflow.dmp

Patches

Patch for CVE-2021-45384 has been integrated into LiteLoader
You can hook ServerNetworkHandler::handle(DisconnectPacket) and check the result of ServerNetworkHandler::_getServerPlayer. Or simply drop all DisconnectPackets.

Patch for CVE-2021-45383:
You can hook ClientCacheBlobStatusPacket::_read and check the range of size1 & size2 separately.

Owner
CTFer @ Nu1L | interested in PL/AI/Binary Security
GitHub Repository
A script to extract SNESticle from Fight Night Round 2

fn22snesticle.py A script for producing a SNESticle ISO from a Fight Night Round 2 ISO and any SNES ROM. Background Fight Night Round 2 is a boxing ga

Johannes Holmberg 57 Nov 22, 2022
A BurpSuite extension to parse 5GC NF OpenAPI 3.0 files to assess 5G core networks

5GC_API_parse Description 5GC API parse is a BurpSuite extension allowing to assess 5G core network functions, by parsing the OpenAPI 3.0 not supporte

PentHertz 57 Dec 16, 2022
Proof of concept of CVE-2022-21907 Double Free in http.sys driver, triggering a kernel crash on IIS servers

CVE-2022-21907 - Double Free in http.sys driver Summary An unauthenticated attacker can send an HTTP request with an "Accept-Encoding" HTTP request he

Podalirius 71 Dec 22, 2022
A collection of intelligence about Log4Shell and its exploitation activity

Log4Shell-IOCs Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell ex

Curated Intel 172 Nov 17, 2022
The probability of having the password you want in the PassMaker is +90%!!

PasswordMaker Strong listing password Introduction The probability of having the password you want in the tool is +90%!! How to Install Open the termi

MasterBurnt 4 Sep 05, 2021
edgedressing leverages a Windows "feature" in order to force a target's Edge browser to open. This browser is then directed to a URL of choice.

edgedressing One day while experimenting with airpwn-ng, I noticed unexpected GET requests on the target node. The node in question happened to be a W

stryngs 43 Dec 23, 2022
Kunyu, more efficient corporate asset collection

Kunyu(坤舆) - More efficient corporate asset collection English | 中文文档 0x00 Introduce Tool introduction Kunyu (kunyu), whose name is taken from , is act

Knownsec, Inc. 772 Jan 05, 2023
log4j-tools: CVE-2021-44228 poses a serious threat to a wide range of Java-based applications

log4j-tools Quick links Click to find: Inclusions of log4j2 in compiled code Calls to log4j2 in compiled code Calls to log4j2 in source code Overview

JFrog Ltd. 171 Dec 25, 2022
A malware to encrypt all the .txt and .jpg files in target computer using RSA algorithms

A malware to encrypt all the .txt and .jpg files in target computer using RSA algorithms. Change the Blackgound image of targets' computer. and decrypt the targets' encrypted files in our own compute

Li Ka Lok 2 Dec 02, 2022
SSRF search vulnerabilities exploitation extended.

This tool search for SSRF using predefined settings in different parts of a request (path, host, headers, post and get parameters).

Andri Wahyudi 13 Jul 04, 2021
PySharpSphere - Inspired by SharpSphere, just another python version

PySharpSphere Inspired by SharpSphere, just another python version. Installation python3 setup.py install Features Support control both Linux and Wind

Ricter Zheng 191 Dec 22, 2022
A great and handy python obfuscator for protecting code.

Python Code Obfuscator A handy and necessary tool that can protect your code anytime! Mostly Command Line tool that will obfuscate your code. Features

Karim 5 Nov 18, 2022
A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence of a file

A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence o

2 Nov 09, 2022
Obfuscate your Python scripts better, faster.

⚜️ Berserker ⚜️ An unique Python3 obfuscator using Kyrie Eleison's encryption protocol, written in Python3. 📋 Examples 📋 Unobfuscated: input("Hello

Billy 81 Dec 07, 2022
Big-Papa Integrates Javascript and python for remote cookie stealing which then can be used for session hijacking

Big-Papa is a remote cookie stealer which can then be used for session hijacking and Bypassing 2 Factor Authentication

77 Jan 03, 2023
A python base script from which you can hack or clone any person's facebook friendlist or followers accounts which have simple password

Hcoder This is a python base script from which you can hack or clone any person's facebook friendlist or followers accounts which have simple password

Muhammad Hamza 3 Dec 06, 2021
Python program that generates secure passwords.

Python program that generates secure passwords. The user has the option to select the length of the password, amount of passwords,

4 Dec 07, 2021
Pass2Pwn: a simple python3 tool created to assist penetration testers generate possible passwords for a targeted system based solely on the organization's name

Pass2Pwn is a simple python3 tool created to assist penetration testers generate possible passwords for a targeted system based solely on the organization's name

Nirmal Dahal 10 Oct 15, 2022
A python implementation of the windows 95 product key check.

Windows 95 Product Key Check Info: This is a python implementation of the windows 95 product key check. This was just a bit of fun and a massive 5 hou

11 Aug 07, 2022
Multi-Process Vulnerability Tool

Multi-Process Vulnerability Tool

Baris Dincer 1 Dec 22, 2021