CVE-2021-45383 & CVE-2021-45384

There are several network-layer vulnerabilities in the official server of Minecraft: Bedrock Edition (aka Bedrock Server),which allow attacker to launch a DoS attack.
CVE-2021-45383 is an integer overflow leading to a bound check bypass.
CVE-2021-45384 is a null pointer dereference.
Here are details & PoCs & possible patches for them.

Details

Because both vulnerabilities lie in the network protocol handler,attackers can launch a DoS attack without logining or being in the server player allowlist.
CVE-2021-45383 affects Bedrock Server 1.16.0-1.18.2.03.
CVE-2021-45384 is an old vulnerability and affects 1.14.0-1.18.2.03,earlier versions may be affected as well.
CVE-2021-45383 is caused by ClientCacheBlobStatusPacket::_read (packet deserializer)

//pseudo-code
u32 size1=readUnsignedVarInt();
u32 size2=readUnsignedVarInt();
if (size1+size2>0xfff){ //overflows here
    return false;
}
while(size1--){
    vector1.emplace_back(readVarInt64());
}
while(size2--){
    vector2.emplace_back(readVarInt64());
}

Attackers can choose special size1 and size2 (e.g. 0xffffffff & 0xfff) to bypass the bound check. Large sizes will cause a large loop(blocks the main thread) and allocate much memory (32G+ , may trigger an OOM error).

CVE-2021-45384 is caused by ServerNetworkHandler::handle(DisconnectPacket), which uses the return value of ServerNetworkHandler::_getServerPlayer directly.
Attackers can send a DisconnectPacket over a not properly initialized connection, and trigger a null pointer dereference in ServerNetworkHandler::handle(DisconnectPacket), which leads to a server crash.

PoCs

Disclaimer: PoCs are only excepted to be used for testing whether your server is vulnerable.Providers assume no liability and are not responsible for any misuse or damage caused by these programs. Use at your own risk.
CVE-2021-45384: python replay.py <IP> <Port> dis.dmp
CVE-2021-45383: python replay.py <IP> <Port> overflow.dmp

Patches

Patch for CVE-2021-45384 has been integrated into LiteLoader
You can hook ServerNetworkHandler::handle(DisconnectPacket) and check the result of ServerNetworkHandler::_getServerPlayer. Or simply drop all DisconnectPackets.

Patch for CVE-2021-45383:
You can hook ClientCacheBlobStatusPacket::_read and check the range of size1 & size2 separately.

Details,PoC and patches for CVE-2021-45383 & CVE-2021-45384

Related tags

Overview

CVE-2021-45383 & CVE-2021-45384

Details

PoCs

Patches

Owner

A Proof-of-Concept Layer 2 Denial of Service Attack that disrupts low level operations of Programmable Logic Controllers within industrial environments. Utilizing multithreaded processing, Automator-Terminator delivers a powerful wave of spoofed ethernet packets to a null MAC address.

Lightweight and beneficial Dependency Injection plugin for apscheduler

Seamless deployment and management of cybersecurity solutions 🏗️

A python base script from which you can hack or clone any person's facebook friendlist or followers accounts which have simple password

The ultimate Metasploit apk binder with legit apk written in python3

Tool to scan for RouterOS (Mikrotik) forensic artifacts and vulnerabilities.

This exploit allows to connect to the remote RemoteMouse 3.008 service to virtually press arbitrary keys and execute code on the machine.

Auto Tor Ip Changer

EMBArk - The firmware security scanning environment

A Python application to predict what is cooking

This tool help you to check if your Windows machine has hidden miner.

PwdGen is a Python Tkinter tool for generating secure 16 digit passwords.

Log4jake works by spidering a web application for GET/POST requests

Python program that generates secure passwords.

Python low-interaction honeyclient

This tool allows to automatically test for Content Security Policy bypass payloads.

Security tool to test different bypass of forbidden

IDA Pro Python plugin to analyze and annotate Linux kernel alternatives

Tool To generate Stable Undetected Payload

A proxy for asyncio.AbstractEventLoop for testing purposes