CVE-2021-42715: A malicious server can stall a client.
Minecraft uses the stb_image library (included via lwjgl-stb) for decoding PNGs on the client. Recently, two CVEs have been published against this library:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42716
A GitHub issue was opened here: https://github.com/nothings/stb/issues/1224 detailing the issue. I was able to reproduce this by using the proof of concept file included on that issue.
This file could be included in a resource pack, or a modified server could send it to a client as the server icon. When the client decodes the image it stalls. This makes the multiplayer server list unusable until the server entry is removed manually from the game files, or removed in-game with the network disconnected.
I have not explored trying to reproduce either of these bugs via a custom in-game skin. If a user is able to create a malicious skin targeting the above bugs they would then be able to stall the clients of all players around them.
I was able to build a small POC Fabric mod to reproduce this issue (Yarn names, let me know if Mojmap is required):
    import java.io.IOException;
    import java.nio.charset.StandardCharsets;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    import java.util.Base64;

    import net.minecraft.server.MinecraftServer;
    import net.minecraft.server.ServerMetadata;
    import org.spongepowered.asm.mixin.Mixin;
    import org.spongepowered.asm.mixin.injection.At;
    import org.spongepowered.asm.mixin.injection.Inject;
    import org.spongepowered.asm.mixin.injection.callback.CallbackInfo;

    @Mixin(MinecraftServer.class)
    public class ExampleMixin {
        // Replaces MinecraftServer.setFavicon so the icon bytes are sent as-is instead of being
        // round-tripped through BufferedImage/ImageIO, which cannot decode the crafted file.
        @Inject(at = @At("HEAD"), method = "setFavicon", cancellable = true)
        private void setFavicon(ServerMetadata metadata, CallbackInfo info) throws IOException {
            byte[] bytes = Base64.getEncoder().encode(Files.readAllBytes(Paths.get("server-icon.png")));
            String data = new String(bytes, StandardCharsets.UTF_8);
            // Trim it so it fits in the packet limit (Math.min avoids an exception on a short file)
            data = data.substring(0, Math.min(data.length(), 2500));
            metadata.setFavicon("data:image/png;base64," + data);
            info.cancel();
        }
    }
The main change here is to remove the BufferedImage/ImageIO calls that are normally used to re-encode the icon, since ImageIO fails to decode the crafted image gracefully and the icon would never be sent. The base64 data is also trimmed to fit inside the packet size limit.
https://github.com/nothings/stb/pull/1223 offers a fix for this issue; however, it has not been merged, nor has it been included in an updated release of LWJGL. A custom build could of course be used to fix the issue sooner, if desired.
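Until a patched stb_image ships, a client can at least refuse favicon data that is not a structurally well-formed 64x64 PNG before any image decoder touches it. The following is an added example (my own code, not Minecraft's, LWJGL's or stb's) of such a pre-decode check; FaviconCheck and MAX_BYTES are assumed names and the size cap is an assumed policy, not a value from the protocol.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.Base64;

/** Pre-decode sanity check for a server-list favicon (hypothetical helper, added example). */
public final class FaviconCheck {
    private static final String PREFIX = "data:image/png;base64,";
    private static final byte[] PNG_SIG = {(byte) 0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n'};
    private static final int MAX_BYTES = 32 * 1024; // assumed cap: a 64x64 icon never needs more

    /** Returns the raw PNG bytes if the favicon passes every structural check, otherwise null. */
    public static byte[] checkedPngBytes(String favicon) {
        if (favicon == null || !favicon.startsWith(PREFIX)) return null;
        byte[] png;
        try {
            // Strict decoder: rejects characters outside the base64 alphabet and bad padding.
            png = Base64.getDecoder().decode(favicon.substring(PREFIX.length()));
        } catch (IllegalArgumentException e) {
            return null;
        }
        if (png.length > MAX_BYTES || png.length < 8 + 25) return null; // signature + IHDR chunk
        // 1. Real PNG signature. stb_image sniffs the format itself, so bytes that are not a PNG
        //    would otherwise be routed to one of its other loaders (HDR, PNM, ...).
        if (!Arrays.equals(Arrays.copyOf(png, 8), PNG_SIG)) return null;
        ByteBuffer buf = ByteBuffer.wrap(png, 8, png.length - 8); // big-endian, like PNG
        // 2. First chunk must be IHDR with its fixed data length of 13.
        if (buf.getInt() != 13 || buf.getInt() != 0x49484452) return null; // "IHDR"
        int width = buf.getInt(), height = buf.getInt();
        int bitDepth = buf.get() & 0xFF, colorType = buf.get() & 0xFF;
        // 3. Server icons are 64x64; refuse anything else before a decoder runs.
        if (width != 64 || height != 64) return null;
        if (bitDepth != 1 && bitDepth != 2 && bitDepth != 4 && bitDepth != 8 && bitDepth != 16) return null;
        if (colorType != 0 && colorType != 2 && colorType != 3 && colorType != 4 && colorType != 6) return null;
        // 4. Walk the chunk list: every length must stay inside the buffer, and the file ends with IEND.
        buf.position(8 + 8 + 13 + 4); // skip IHDR length, type, data and CRC
        boolean sawIend = false;
        while (buf.remaining() >= 12 && !sawIend) {
            int len = buf.getInt(), type = buf.getInt();
            if (len < 0 || len > buf.remaining() - 4) return null; // truncated or oversized chunk
            sawIend = type == 0x49454E44; // "IEND"
            buf.position(buf.position() + len + 4); // data + CRC
        }
        return sawIend && buf.remaining() == 0 ? png : null;
    }
}
```

This does not fix the decoder bug itself; it only narrows what a remote server can hand to stb_image, and a crafted file that is still a valid 64x64 PNG passes through, so the upstream fix remains necessary.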
I have tested on 1.17.1 and 21w42a, I believe this affects all versions of Minecraft. I am unsure on the level of severity of this issue. If it's possible to create and upload a malicious player skin then this should be fixed with the utmost urgency.
Please don't hesitate to reach out to me if you need any more info.