Server Texture Directory Traversal Exploit
=====================
Description
=====================
Hello, I am a Computer Science student from the University of Calgary. This bug report is part of an assignment; your response to this bug report may be used as part of the assignment (with permission, of course).
There is a security flaw in the parsing of Minecraft's server texture URLs which allows clients connecting to malicious servers to have arbitrary zips overwritten on their system. This is a directory traversal flaw that may have security implications for clients connecting to these malicious servers.
=====================
Reproduction Steps:
=====================
Download fresh minecraft_server.jar from Minecraft's main website.
Run the server and allow the server to generate a world and property files.
Close the server, and open the server.property file in an editor.
Modify the texture-pack= line to a crafted string that will cause the bug. (Described below).
Run the server, the bug is now in-effect.
Connect to the server using a Minecraft client.
You will receive a prompt (would you like to use the server's texture pack (yes / no)).
Upon selecting "Yes" Minecraft will download a .zip.
Once the download is complete, no texture will be applied to Minecraft.
However, a zip specified in the server's path has been overwritten by an arbitrary zip.
=======================
The string causing the issue:
=======================
For my example I used:
texture-pack=http\://www.phengame.com/a/a/a/a/a/a/a/a/a/a/..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\test.zip
The NetClient handler will parse the filename like this:
\texturepacks-mp-cache\..\..\..\..\..\..\..\..\..\..\test.zip
This will cause test.zip to be downloaded into your local C:\ drive if there are enough escapes (or whatever drive Minecraft is on).
However, a malicious server could construct something like:
http://validserver/somedirectory/someotherdirectory/importantzip.zip
which will cause a similar change to happen on the client's computer:
C:\somedirectory\someotherdirectory\importantzip.zip
================
Workarounds:
================
One should also consider the '\' character when parsing the string to prevent directory traversals, as only the '/' character is considered.
Based on the decompiled Forge Minecraft client: minecraftforge-src-1.5-7.7.0.582.
Affected function: "void net.minecraft.client.texturepacks.TexturePackList.requestDownloadOfTexture"
Line: 101
String s1 = par1Str.substring(par1Str.lastIndexOf("/") + 1);
Change to:
String s1 = par1Str.substring(par1Str.lastIndexOf("/") + 1);
s1 = s1.substring(s1.lastIndexOf("\\") + 1);
A better fix would be having a check for the file-name, such that texture zip files should only be written to the .\texturepacks-mp-cache\ folder. There are many approaches to this.
My approach would be to cull all invalid characters from the texture pack file-name such as: \ / ? * : " < >.
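The stricter check described above, as an added example that is not part of the original report and is not Mojang's or Forge's code: the file name is cut at the last '/' or '\', matched against an allow-list, and the resolved target is confirmed to lie inside the cache folder. The class and method names, the allow-list pattern and the sample URLs are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class TexturePackName {
    // Cache folder name taken from the report; resolved against the working directory.
    static final Path CACHE = Paths.get("texturepacks-mp-cache").toAbsolutePath().normalize();

    // Behaviour reported for line 101: only '/' is treated as a separator.
    static String reportedName(String url) {
        return url.substring(url.lastIndexOf("/") + 1);
    }

    // Hardened: cut at the last '/' or '\', allow-list the characters,
    // then confirm the resolved target is still inside the cache folder.
    static Path safeTarget(String url) throws IOException {
        int cut = Math.max(url.lastIndexOf('/'), url.lastIndexOf('\\'));
        String name = url.substring(cut + 1);
        // Assumed allow-list: letters, digits, '.', '_', '-', ending in .zip.
        if (!name.matches("[A-Za-z0-9][A-Za-z0-9._-]{0,63}\\.zip")) {
            throw new IOException("rejected texture pack name: " + name);
        }
        Path target = CACHE.resolve(name).normalize();
        if (!target.startsWith(CACHE)) {
            throw new IOException("target escapes cache folder: " + target);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample URLs; example.invalid is a placeholder host.
        String[] urls = {
            "http://example.invalid/packs/faithful.zip",
            "http://example.invalid/a/a/..\\..\\test.zip",
            "http://example.invalid/a/C:evil.zip",
        };
        for (String url : urls) {
            System.out.println("reported name: " + reportedName(url));
            try {
                System.out.println("  accepted -> " + safeTarget(url));
            } catch (IOException e) {
                System.out.println("  " + e.getMessage());
            }
        }
    }
}
```

For the second sample the reported parsing keeps the `..\` segments in the name, while the hardened version reduces it to `test.zip` inside the cache folder; the third is rejected because ':' is outside the allow-list.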
2013-03-19, 09:23 AM
2015-08-04, 08:17 PM
2014-01-11, 06:02 PM