Mojira Archive
MC-231698

Improper symbolic link handling in world data allows malicious world data to overwrite arbitrary files on the machine, which may lead to remote code execution (CVE-2023-33245)

Description

Due to improper handling of symbolic links in world data, an attacker can overwrite arbitrary files on the machine by providing specially crafted world data.

In "net.minecraft.nbt.NbtIo.java", there is code that handles ".dat" files.
Because this code does not check for symbolic links properly, it is possible to overwrite arbitrary files on the machine by placing a symbolic link in the world data where a ".dat" file is expected: the game follows the link and writes the ".dat" contents to whatever file it points at.

While .dat files are gzipped, so their on-disk bytes are normally hard to control, strings like "֐㐟ꨊ諺濹듂﬷빾⠚瘔籧햬虘히꩙䳸휲幱縥쒔⾽۲쪞Ǻ짴ἅ⁲䷎対ꈺ禍핑诲쏷؏癔̻⸃膼忓晝ꭆ촖ݪ聿陒╥佰ꛭ孿ᄣ⑧횣䚩꽠;whoami;uname -a;hostname;echo assd" are incompressible enough to force the gzip algorithm to keep them uncompressed (DEFLATE emits such data as a stored block), so the trailing command string lands in the target file verbatim.

As many people share Minecraft world data, an attacker may upload a zip file that contains specially crafted world data to a world-sharing service; the attack relies on the victim's extraction tool recreating the symbolic link from the archive.
(Please note that although Windows is affected, this vulnerability is hard to exploit there, since symbolic links cannot be created with normal user privileges.)

Steps to reproduce

(Please use Linux/macOS to reproduce it.)
1. Download server.jar
2. Create a directory and put server.jar into it.
3. Run "echo eula=true > eula.txt" in the same directory.
4. Download world.zip, which is attached to this ticket, and put it in the directory created in step 2.
5. Run "unzip world.zip" in the same directory.
6. Run "java -jar server.jar nogui" and wait for the startup.
7. Once the server is up and running, execute "stop" in the console.
8. Run "cat /tmp/mctest" and confirm that its contents have been overwritten.

Explanation about world.zip

world.zip contains world data generated with Minecraft 1.17.1.

As described above, crafted strings can force the gzip algorithm to keep them uncompressed.
However, the NBT data format adds extra structure around such a string, which can cause it to be compressed after all.
So I chose "command_storage_minecraft.dat", which has the simplest NBT structure and accepts an arbitrary string, as the target.

By replacing "data/command_storage_minecraft.dat" with a symlink, Minecraft is made to write the gzipped string into the file that the symlink points to.
Since the contents of "data/command_storage_minecraft.dat" can be controlled with the "/data" command, I used a function in a datapack to execute the "/data" command and added it to the "#minecraft:load" tag.

data merge storage test {a:"֐㐟ꨊ諺濹듂﬷빾⠚瘔籧햬虘히꩙䳸휲幱縥쒔⾽۲쪞Ǻ짴ἅ⁲䷎対ꈺ禍핑诲쏷؏癔̻⸃膼忓晝ꭆ촖ݪ聿陒╥佰ꛭ孿ᄣ⑧횣䚩꽠;whoami;uname -a;hostname;echo assd"}
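The following is an added example, not code from this ticket or from Minecraft, covering both the reproduction steps and the explanation above. It shows the two checks a practitioner would want against this class of bug: inspecting a shared world archive for symbolic-link entries before unzipping it (the ticket's world.zip ships "data/command_storage_minecraft.dat" as one), and a save-data writer that refuses to write through a symlink or outside the world directory instead of trusting the name on disk. The archive contents, the "victim.txt" stand-in for /tmp/mctest and the function names are constructed for the demonstration; this is not Mojang's fix.

```python
# Added example for MC-231698 (not code from the ticket or from Minecraft):
# two checks against the symlink-based overwrite the report describes.
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path


def build_malicious_world_zip(link_target="/tmp/mctest"):
    """Construct, in memory, an archive laid out like the ticket's world.zip:
    the command storage .dat entry is a Unix symlink whose target is link_target.
    (Constructed sample data; the real attachment is not reproduced here.)"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("world/level.dat", b"placeholder")  # stand-in for a real gzipped NBT file
        info = zipfile.ZipInfo("world/data/command_storage_minecraft.dat")
        info.create_system = 3  # 3 = Unix, so the high 16 bits of external_attr hold st_mode
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(info, link_target)  # a symlink entry's "content" is its target path
    return buf.getvalue()


def scan_zip_for_symlinks(zip_bytes):
    """Inspect an archive before extracting it: return (entry name, target) for
    every entry whose Unix mode marks it as a symbolic link."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                found.append((info.filename, zf.read(info).decode("utf-8", "replace")))
    return found


def write_dat_safely(world_root, relative_name, payload):
    """Write a .dat file only when the destination is a regular file (or absent)
    inside world_root, with no symlink in any path component and no escape via
    '..' or an absolute name. Returns True if written, False if refused."""
    root = Path(world_root).resolve()
    rel = Path(relative_name)
    if rel.is_absolute() or ".." in rel.parts:
        return False
    current = root
    for part in rel.parts:  # a symlinked parent directory is as dangerous as a symlinked file
        current = current / part
        if current.is_symlink():
            return False
    dest = current
    if dest.exists() and not dest.is_file():
        return False
    # O_NOFOLLOW closes the window between the check above and the write:
    # if a symlink appears at dest in the meantime, open() fails instead of following it.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return True


def demo():
    """Exercise both checks against a world directory built like the ticket's:
    the command storage .dat on disk is a symlink to a victim file."""
    symlinks = scan_zip_for_symlinks(build_malicious_world_zip())
    with tempfile.TemporaryDirectory() as tmp:
        world = Path(tmp) / "world"
        (world / "data").mkdir(parents=True)
        victim = Path(tmp) / "victim.txt"  # stands in for /tmp/mctest
        victim.write_bytes(b"original\n")
        os.symlink(victim, world / "data" / "command_storage_minecraft.dat")
        refused = not write_dat_safely(world, "data/command_storage_minecraft.dat", b"payload")
        untouched = victim.read_bytes() == b"original\n"
        escaped = not write_dat_safely(world, "../victim.txt", b"payload")
        wrote = write_dat_safely(world, "data/command_storage_other.dat", b"ok")
    return {"symlinks": symlinks, "refused": refused, "untouched": untouched,
            "escaped": escaped, "wrote": wrote}


if __name__ == "__main__":
    print(demo())
```

Run the script on Linux or macOS (symlink creation is needed for the demo). scan_zip_for_symlinks() reports the link entry and its target so the archive can be rejected before step 5 of the reproduction; write_dat_safely() refuses the symlinked .dat, leaves the victim file intact, refuses a ".." escape, and still writes an ordinary .dat. Checking every path component matters because a symlinked "data" directory would redirect the write just as well as a symlinked file.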

Resolution: Fixed

Reporter: RyotaK

Created: 2021-07-11, 10:47 AM

Updated: 2023-05-29, 04:38 PM

Resolved: 2023-05-29, 04:38 PM

Votes: 1

Watchers: 4

Confirmation Status: Confirmed

Mojang Priority: Very Important

Category: Platform, Save Data

Affects Version/s: 1.17.1 - 1.19.2 (1.17.1, 1.19, 1.19.1 Pre-release 3, 1.19.1 Pre-release 4, 1.19.1 Pre-release 5, 1.19.1, 1.19.2)

Fix Version/s: 1.20 Pre-release 7