The bug

When the server responds to a GS4 query with the challenge request, it can incorrectly convert the session ID.
This might be intended, based on what the four bytes sent for every request actually mean. wiki.vg calls them "session ID", the UnrealWikiAdmin "timestamp" and the Mojang mappings "ident".

The problem is that the server creates the challenge request data in the following way (with this.identBytes being the "session ID"):

this.ident = new String(this.identBytes, StandardCharsets.UTF_8);
this.challenge = new Random().nextInt(0x1000000);
this.challengeBytes = String.format("\t%s%d\u0000", this.ident, this.challenge).getBytes(StandardCharsets.UTF_8);

Since the "session ID" could be any arbitrary 4 bytes, they may not be valid UTF-8 encoded chars and therefore this.ident can lose information (all malformed input bytes or unmappable characters become the same replacement string). And encoding them using UTF-8 again when creating this.challengeBytes could therefore create more than the initial 4 bytes (replacement \uFFFD takes 3 bytes encoded using UTF-8).

How to reproduce

1. Start a local server with the following server.properties settings:

   enable-query=true
   query.port=25565
   

2. Run the attached Java code MalformedSessionId.java
   Java 11(+)

   java .\MalformedSessionId.java
   

   Pre Java 11

   javac .\MalformedSessionId.java
   java MalformedSessionId
   

   You will see the output: "Received session id: efbfbdefbfbdefbfbd1f"