Diffstat (limited to 'test/test-pages/ars-1/expected.html')
-rw-r--r-- test/test-pages/ars-1/expected.html 56
1 files changed, 28 insertions, 28 deletions
diff --git a/test/test-pages/ars-1/expected.html b/test/test-pages/ars-1/expected.html
index a00aa37..0aecf6e 100644
--- a/test/test-pages/ars-1/expected.html
+++ b/test/test-pages/ars-1/expected.html
@@ -1,37 +1,37 @@
-<div class="article-content clearfix" itemprop="articleBody">
- <figure class="intro-image image center full-width"><img height="331" src="http://cdn.arstechnica.net/wp-content/uploads/2015/04/server-crash-640x426.jpg" width="640"></img><figcaption class="caption">
+<div itemprop="articleBody">
+ <figure><img height="331" src="http://cdn.arstechnica.net/wp-content/uploads/2015/04/server-crash-640x426.jpg" width="640"></img><figcaption>
</figcaption></figure><p>A flaw in the wildly popular online game <em>Minecraft</em> makes it easy for just about anyone to crash the server hosting the game, according to a computer programmer who has released proof-of-concept code that exploits the vulnerability.</p>
<p>"I thought a lot before writing this post," Pakistan-based developer Ammar Askar wrote in a <a href="http://blog.ammaraskar.com/minecraft-vulnerability-advisory">blog post published Thursday</a>, 21 months, he said, after privately reporting the bug to <em>Minecraft</em> developer Mojang. "On the one hand I don't want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act on it."</p>
<p>The bug resides in the <a href="https://github.com/ammaraskar/pyCraft">networking internals of the <em>Minecraft </em>protocol</a>. It allows the contents of inventory slots to be exchanged, so that, among other things, items in players' hotbars are displayed automatically after logging in. <em>Minecraft</em> items can also store arbitrary metadata in a file format known as <a href="http://wiki.vg/NBT">Named Binary Tag (NBT)</a>, which allows complex data structures to be kept in hierarchical nests. Askar has released <a href="https://github.com/ammaraskar/pyCraft/tree/nbt_exploit">proof-of-concept attack code</a> he said exploits the vulnerability to crash any server hosting the game. Here's how it works.</p>
<blockquote>
<p>The vulnerability stems from the fact that the client is allowed to send the server information about certain slots. This, coupled with the NBT format’s nesting allows us to <em>craft</em> a packet that is incredibly complex for the server to deserialize but trivial for us to generate.</p>
<p>In my case, I chose to create lists within lists, down to five levels. This is a json representation of what it looks like.</p>
- <div class="highlight"> <pre><code class="language-javascript" data-lang="javascript"><span class="nx">rekt</span><span class="o">:</span> <span class="p">{</span>
- <span class="nx">list</span><span class="o">:</span> <span class="p">[</span>
- <span class="nx">list</span><span class="o">:</span> <span class="p">[</span>
- <span class="nx">list</span><span class="o">:</span> <span class="p">[</span>
- <span class="nx">list</span><span class="o">:</span> <span class="p">[</span>
- <span class="nx">list</span><span class="o">:</span> <span class="p">[</span>
- <span class="nx">list</span><span class="o">:</span> <span class="p">[</span>
- <span class="p">]</span>
- <span class="nx">list</span><span class="o">:</span> <span class="p">[</span>
- <span class="p">]</span>
- <span class="nx">list</span><span class="o">:</span> <span class="p">[</span>
- <span class="p">]</span>
- <span class="nx">list</span><span class="o">:</span> <span class="p">[</span>
- <span class="p">]</span>
- <span class="p">...</span>
- <span class="p">]</span>
- <span class="p">...</span>
- <span class="p">]</span>
- <span class="p">...</span>
- <span class="p">]</span>
- <span class="p">...</span>
- <span class="p">]</span>
- <span class="p">...</span>
- <span class="p">]</span>
- <span class="p">...</span>
-<span class="p">}</span></code></pre> </div>
+ <div> <pre><code data-lang="javascript"><span>rekt</span><span>:</span> <span>{</span>
+ <span>list</span><span>:</span> <span>[</span>
+ <span>list</span><span>:</span> <span>[</span>
+ <span>list</span><span>:</span> <span>[</span>
+ <span>list</span><span>:</span> <span>[</span>
+ <span>list</span><span>:</span> <span>[</span>
+ <span>list</span><span>:</span> <span>[</span>
+ <span>]</span>
+ <span>list</span><span>:</span> <span>[</span>
+ <span>]</span>
+ <span>list</span><span>:</span> <span>[</span>
+ <span>]</span>
+ <span>list</span><span>:</span> <span>[</span>
+ <span>]</span>
+ <span>...</span>
+ <span>]</span>
+ <span>...</span>
+ <span>]</span>
+ <span>...</span>
+ <span>]</span>
+ <span>...</span>
+ <span>]</span>
+ <span>...</span>
+ <span>]</span>
+ <span>...</span>
+<span>}</span></code></pre> </div>
<p>The root of the object, <code>rekt</code>, contains 300 lists. Each list has a list with 10 sublists, and each of those sublists has 10 of their own, up until 5 levels of recursion. That’s a total of <code>10^5 * 300 = 30,000,000</code> lists.</p>
<p>And this isn’t even the theoretical maximum for this attack. Just the nbt data for this payload is 26.6 megabytes. But luckily Minecraft implements a way to compress large packets, lucky us! zlib shrinks down our evil data to a mere 39 kilobytes.</p>
<p>Note: in previous versions of Minecraft, there was no protocol wide compression for big packets. Previously, NBT was sent compressed with gzip and prefixed with a signed short of its length, which reduced our maximum payload size to <code>2^15 - 1</code>. Now that the length is a varint capable of storing integers up to <code>2^28</code>, our potential for attack has increased significantly.</p>
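Review bot: In the code sample (the `<pre><code>` block and its wrapping `<div>`), the new expected output keeps every `<span>` and the outer `<div>` after their `class` attributes are removed, so the fixture now pins a long run of attribute-less wrappers that carry no information. If the cleaner is meant to drop presentational markup, consider unwrapping elements left with no attributes so the expected output is the text inside `<pre><code>`; if it is meant to strip only `class`, say so where this fixture is documented. The same hunk removes `class="language-javascript"` from `<code>` but keeps `data-lang="javascript"`, and keeps `itemprop="articleBody"` on the outer `<div>`. Nothing visible here states which attributes are on the keep list, so a test comment or a note in the commit message naming the retained attributes would make the next fixture change easier to review. One point that predates this change: the `<img>` source is still a plain `http://` URL, which is worth keeping in mind if the fixture is ever rendered rather than only compared.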