Mojira Archive
MC-80749

Resource pack disk exhaustion - Exploitable from server

After noticing that all resource packs are cached in %APPDATA%\.minecraft\server-resource-packs, I realized that Minecraft does not seem to limit the amount of files downloaded by the server. After doing some testing, I found that this was indeed the case. After 7 minutes of sending resource packs to the client, roughly 5 GB worth of 45 MB files were downloaded. It's also worth noting that from the user's end, this is very confusing. The screen goes dark and all controls are disabled, as the downloading resource pack screen appears in an infinite loop. This disables all GUI buttons such as disconnect.

Essentially, the caching method used for resource packs allows arbitrary file downloads, which can create an immense amount of load and disk consumption for clients. My download speed during this experiment was roughly 700 MB per minute. That's likely on the lower end of internet speeds. In a hypothetical situation, a user is idling on a malicious server. After a few hours of idling, the user returns to their computer, and their entire disk is full. Minecraft luckily has some filesize validation, and throws the following error if the resource pack exceeds ~50 MB:

java.io.IOException: Filesize was bigger than maximum allowed (got >= 5.2432116E7, limit was 52428800)
	at nj$1.run(SourceFile:176)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

It is also worth noting that this process takes a very large amount of CPU, and generates a considerable amount of outgoing traffic. Some potential remedies for this attack would be limiting the amount of cached files, deleting duplicate resource packs by md5 or sha1 hash, or rate limiting server resource pack downloads. I was able to download a total of 136 files during the 7 minutes.

Fixed

Dylan

[Mojang] Nathan Adams

2015-05-27, 09:38 AM

2015-08-24, 02:01 AM

2015-06-05, 12:41 PM

0

3

Unconfirmed

Minecraft 1.8.1 - Minecraft 1.8.6 (Minecraft 1.8.1, Minecraft 1.8.3, Minecraft 1.8.4, Minecraft 1.8.5, Minecraft 1.8.6)

Minecraft 1.8.7
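As an added illustration of the remedies the report proposes (a cap on cached packs, de-duplication by content hash, and the per-file size limit the client already has), here is a Python sketch of a bounded, content-addressed cache; it is not Minecraft's code, and the caps of 10 packs and 256 MB are assumed values.

```python
import hashlib
from collections import OrderedDict

MAX_PACK_BYTES = 52428800            # per-file limit the report says the client already enforces
MAX_CACHED_PACKS = 10                # assumed cap on cached packs (the report says there is none)
MAX_CACHE_BYTES = 256 * 1024 * 1024  # assumed cap on total bytes kept on disk


class PackTooLarge(Exception):
    pass


class ResourcePackCache:
    """Index of cached packs keyed by SHA-1 of content; file writes are omitted."""

    def __init__(self, max_packs=MAX_CACHED_PACKS, max_bytes=MAX_CACHE_BYTES,
                 max_pack_bytes=MAX_PACK_BYTES):
        self.max_packs, self.max_bytes = max_packs, max_bytes
        self.max_pack_bytes = max_pack_bytes
        self._entries = OrderedDict()  # sha1 hex digest -> size; least recently used first
        self.total_bytes = 0

    def store(self, chunks):
        """Consume a download stream; return (sha1, was_new). Size is checked while streaming."""
        digest, size = hashlib.sha1(), 0
        for chunk in chunks:
            size += len(chunk)
            if size > self.max_pack_bytes:
                raise PackTooLarge(f"pack exceeds {self.max_pack_bytes} bytes")  # abort mid-download
            digest.update(chunk)
        key = digest.hexdigest()
        if key in self._entries:            # same pack re-sent: refresh, don't store it twice
            self._entries.move_to_end(key)
            return key, False
        self._entries[key] = size
        self.total_bytes += size
        while len(self._entries) > self.max_packs or self.total_bytes > self.max_bytes:
            _, old = self._entries.popitem(last=False)  # evict least recently used pack
            self.total_bytes -= old
        return key, True

    def __len__(self):
        return len(self._entries)


def simulate_flood(cache, distinct_packs, pack_size, chunk_size=4096):
    """Replay the report's scenario: a server pushes many distinct packs in a row.
    Each constructed pack is a unique 4-byte header followed by filler bytes."""
    for i in range(distinct_packs):
        body = i.to_bytes(4, "big") + b"\0" * (pack_size - 4)
        cache.store(body[j:j + chunk_size] for j in range(0, len(body), chunk_size))
    return len(cache), cache.total_bytes
```

With the caps in place, the 136 distinct packs from the report leave at most 10 on disk, and a pack re-sent in a loop is stored only once.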