Bug
Resolution: Unresolved
None
1.16.5, 1.19.3, 23w03a
None
OS: Manjaro Linux
Java: OpenJDK Runtime Environment (build 15.0.2+7)
Community Consensus
Networking
Low
Platform
Strings in the Minecraft Query Protocol are null-terminated. By adding null bytes (\u0000) to a server's MOTD in the server.properties file, other values in the query response can be overwritten. This problem only exists for query responses; server list pings are not affected.
Example:
test\u0000numplayers\u00001\u0000\u0000\u0001player_\u0000\u0000Test\u0000\u0000
When using this MOTD, all full-stat query responses will show that the player 'Test' is online. It overwrites the numplayers with 1 and player_ (player list).
Depending on the query client implementation, parsing the response packet might also fail entirely because unused bytes remain after the end of the packet. While this behavior mostly prevents injections like this, it still can't parse the packet correctly and therefore is not a real solution for the issue.
The expected behavior would be that the Minecraft server filters (or somehow escapes) null bytes in null-terminated string values.
Edit: To test this with Dinnerbone's mcstatus Python package (https://github.com/Dinnerbone/mcstatus), more values than the ones in my original example need to be replaced, since some missing values can cause errors. To fully reproduce this issue using mcstatus, use the following MOTD:
\u0000gametype\u0000SMP\u0000game_id\u0000MINECRAFT\u0000version\u00001.16.5\u0000plugins\u0000\u0000map\u0000w\u0000numplayers\u00001\u0000maxplayers\u000020\u0000hostport\u000025565\u0000hostip\u0000127.0.0.1\u0000\u0000\u0001player_\u0000\u0000test\u0000\u0000
You can then use the mcstatus CLI to see the 'fake' player:
mcstatus <yourServerAddress> query
host: 127.0.0.1:25565
software: v1.16.5 vanilla
plugins: []
motd: ""
players: 1/20 ['test']
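The effect described above, next to the filtering the report asks for, as an added example that is not part of the original report and is not Minecraft's or mcstatus's code. It models only the key/value section and player list of a full-stat body; the four-key layout, the latin-1 encoding and all helper names are assumptions made for illustration.

```python
# Simplified model of the full-stat query body (key/value section, then player
# list). Only the framing matters here; the real packet carries more header
# bytes and keys. Helper names are hypothetical.
PLAYER_MARKER = b"\x01player_\x00\x00"
# MOTD from the first example on this page, with \uXXXX escapes resolved.
PAGE_MOTD = "test\x00numplayers\x001\x00\x00\x01player_\x00\x00Test\x00\x00"

def strip_nul(value):
    """Drop NUL so a value cannot terminate its own field early."""
    return value.replace("\x00", "")

def build_body(motd, players, sanitize):
    clean = strip_nul if sanitize else (lambda v: v)
    fields = [("hostname", motd), ("gametype", "SMP"),
              ("numplayers", str(len(players))), ("maxplayers", "20")]
    out = b""
    for key, value in fields:
        # latin-1 is an assumption made to keep the example byte-exact
        out += key.encode("latin-1") + b"\x00" + clean(value).encode("latin-1") + b"\x00"
    out += b"\x00" + PLAYER_MARKER          # empty key ends the K/V section
    for name in players:
        out += clean(name).encode("latin-1") + b"\x00"
    return out + b"\x00"                    # empty name ends the player list

def parse_body(body):
    """Naive client: returns (info, players, unread_byte_count)."""
    pos = 0
    def read_cstr():
        nonlocal pos
        end = body.index(b"\x00", pos)
        text = body[pos:end].decode("latin-1")
        pos = end + 1
        return text
    info = {}
    while (key := read_cstr()) != "":
        info[key] = read_cstr()
    pos += len(PLAYER_MARKER)
    players = []
    while (name := read_cstr()) != "":
        players.append(name)
    return info, players, len(body) - pos

if __name__ == "__main__":
    for sanitize in (False, True):
        info, players, unread = parse_body(build_body(PAGE_MOTD, [], sanitize))
        print(sanitize, info.get("numplayers"), players, unread)
```

A non-zero unread byte count on the unfiltered body is the leftover data that makes stricter clients reject the packet, so it also serves as a client-side check for a tampered response.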
Relates to: MC-231035 2-byte-characters in MOTD can break query responses (Open)