Cuberite ForumCuberiteDiscussion
Security issue in Java based server

Linear Mode
Security issue in Java based server
worktycho Offline
Cuberite Developer
******
Posts: 783
Threads: 12
Joined: Jan 2014
Thanks: 2
Given 73 thank(s) in 61 post(s)
#10
04-19-2015, 12:12 AM
I think we need to do to things to mitigate this attack. First limit the size of uncompressed packets. This also helps mitigate against compression bombs. Then we need to add limits to the recursion depth of the NBT parser as it can cause a stack-overflow as it is a recursive descent parser. I think we've avoided a code execution vulnerability because we don't create large stack based buffers to store the data, but I still think this is a potentially very dangerous attack.
Find
Reply
Thanks given by:


Messages In This Thread
Security issue in Java based server - by Jammet - 04-17-2015, 09:48 PM
RE: Security issue in Java based server - by xoft - 04-17-2015, 10:10 PM
RE: Security issue in Java based server - by xoft - 04-17-2015, 10:32 PM
RE: Security issue in Java based server - by xoft - 04-17-2015, 10:59 PM
RE: Security issue in Java based server - by xoft - 04-17-2015, 11:05 PM
RE: Security issue in Java based server - by xoft - 04-18-2015, 10:09 PM
RE: Security issue in Java based server - by worktycho - 04-19-2015, 12:12 AM
RE: Security issue in Java based server - by xoft - 04-19-2015, 02:33 AM



Users browsing this thread: 1 Guest(s)