Mojira Archive
MC-227756

Path traversal in player stats file allows an attacker to delete arbitrary JSON files on offline-mode servers

Description

Due to improper sanitization of the player name, an attacker is able to delete arbitrary JSON files on offline-mode servers.

In net.minecraft.server.management.PlayerList.java, there is a function called getPlayerStats.

This function returns a player's stats by reading stats/UUID.json in the world folder; if there is no matching file for the UUID, it tries to migrate legacy stats from stats/PLAYER_NAME.json.

As the migration code does not sanitize the player name, it is possible to perform path traversal by including ../ in the player name.

While ../ cannot normally appear in a player name, offline-mode servers accept a crafted name, which allows an attacker to exploit this vulnerability.
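As an added example (not the server's own code, and not a reproduction of Mojang's fix), a hardened version of the legacy per-name stats lookup in Java: the player name is checked against the vanilla username rules before any file-system access, and the resolved path is then verified to be a direct child of the stats directory. The class and method names are assumed.

```java
import java.nio.file.Path;
import java.util.regex.Pattern;

/**
 * Hardened lookup for the legacy per-name stats file (stats/<name>.json).
 * Hypothetical helper for illustration, not PlayerList.getPlayerStats itself.
 */
public final class LegacyStatsPath {

    // Vanilla usernames are 3-16 characters from [A-Za-z0-9_]. Rejecting anything
    // else up front means '.', '/' and '\' never reach the file system.
    private static final Pattern VALID_NAME = Pattern.compile("^[A-Za-z0-9_]{3,16}$");

    /**
     * Returns the legacy stats path for the player, or null when the name is not a
     * valid username or the resolved path would leave the stats directory.
     */
    public static Path resolveLegacyStats(Path statsDir, String playerName) {
        if (playerName == null || !VALID_NAME.matcher(playerName).matches()) {
            return null;
        }
        Path base = statsDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(playerName + ".json").normalize();
        // Defence in depth: the file must be a direct child of the stats directory,
        // so even a name that slipped past the allowlist cannot point elsewhere.
        if (!base.equals(candidate.getParent())) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path statsDir = Path.of("world", "stats");
        // A normal username resolves to a file inside stats/.
        System.out.println(resolveLegacyStats(statsDir, "Steve"));
        // Names carrying traversal components, as an offline-mode server might
        // receive, are rejected and yield null instead of a path outside stats/.
        System.out.println(resolveLegacyStats(statsDir, "../ops"));
        System.out.println(resolveLegacyStats(statsDir, "ops.json/../../ops"));
    }
}
```

Returning null (rather than falling through to the migration) keeps the UUID-based lookup as the only path that touches the file system for untrusted names.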

Steps to reproduce

For 1.16.5

  1. Download server.jar: https://www.minecraft.net/ja-jp/article/minecraft-java-edition-1-16-5
  2. Run server.jar once, and agree to EULA by modifying eula.txt.
  3. Set online-mode to false in server.properties.
  4. Download poc.js from this ticket.
  5. Run "npm install mineflayer" (to install a library used by poc.js).
  6. Run server.jar and wait for startup.
  7. Run "node poc.js".
  8. ops.json will be deleted.

For 1.17 (as mineflayer doesn't support 1.17 yet, you need to run the Minecraft client)

  1. Run Minecraft 1.17 from Minecraft Launcher.
  2. While running Minecraft, open %appdata%/.minecraft/bin.
  3. Find the newly created directory with random hex characters.
  4. Create a directory named test under %appdata%/.minecraft
  5. Copy the files inside the directory you found in step 3 into %appdata%/.minecraft/test.
  6. Download cmd.txt from this ticket, and open it in text editor.
  7. Replace all occurrences of RyotaK with your PC's username.
  8. Paste it into command prompt, and execute it.
  9. Download server.jar: https://launcher.mojang.com/v1/objects/0a269b5f2c5b93b1712d0f5dc43b6182b9ab254e/server.jar
  10. Run server.jar once, and agree to EULA by modifying eula.txt.
  11. Set online-mode to false in server.properties.
  12. Run server.jar and wait for startup.
  13. Join the server with the Minecraft client that you started in step 8.
  14. ops.json will be deleted.

Resolution: Fixed

Reporter: RyotaK

Assignee: [Mojang] Felix Jones

Created: 2021-06-08, 09:29 AM

Updated: 2021-07-27, 04:49 AM

Resolved: 2021-06-15, 06:03 PM

Votes: 0

Watchers: 1

Confirmation Status: Plausible

Mojang Priority: Important

Category: Networking

Affects Version/s: 1.16.5, 1.17

Fix Version/s: 1.17.1 Pre-release 1