NEW YORK: Programmer Ammar Askar reveals a proof of concept exploit for the flaw in the hopes that this will force Mojang to do something about it. “Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands people play on servers running their software at any given time. They have a responsibility to fix and properly work out problems like this,” he noted.
“In addition, it should be noted that giving condescending responses to white hats who are responsibly disclosing vulnerabilities and trying to improve a product they enjoy is a sure fire way to get developers dis-interested the next time they come across a bug like this.”
He apparently tried to get the company to react a number of times, and they responded that at one time during this period they implemented a fix, but Askar says the exploit code still works, and that this makes him think that they didn’t actually attempted to fix the problem.
“The vulnerability stems from the fact that the client is allowed to send the server information about certain slots. This, coupled with the NBT format’s nesting allows us to craft a packet that is incredibly complex for the server to desterilize but trivial for us to generate,” he explained.
He initially spotted the flaw in version 1.6.2 of the game.
Mojang, the company behind popular sandbox game Minecraft, has been bought by Microsoft in November 2014.
