PocketMine-MP versions prior to 4.18.1 contain an improper input validation vulnerability in inventory transaction handling. A remote attacker with a valid player session can request that the server drop more items than are available in the player's hotbar, triggering a server crash and resulting in denial of service.
PocketMine-MP servers running an affected version are exposed to a denial-of-service (DoS) attack. By sending a manipulated inventory transaction, an attacker can make the server attempt to drop more items than the player actually holds, which crashes the server and disrupts service for every connected player. Exploitation requires only a valid player session.
Step 1: Player Session Establishment: The attacker establishes a valid player session on the PocketMine-MP server.
Step 2: Inventory Inspection: The attacker examines their in-game hotbar to determine the types and quantities of items present.
Step 3: Malicious Transaction Crafting: The attacker crafts a malicious inventory transaction request. This request specifies a drop operation for an item type present in their hotbar, but with a quantity significantly larger than the actual number of items the player possesses.
Step 4: Transaction Submission: The attacker submits the crafted transaction request to the server.
Step 5: Server Processing and Crash: The server processes the transaction without verifying the requested quantity against the player's actual hotbar contents. Attempting to remove more items than the slot holds triggers an error condition that is not handled, and the server crashes and becomes unavailable to all players. PocketMine-MP is written in PHP, so the crash is an unhandled error in the server's PHP code path rather than a native memory-safety fault.
The vulnerability stems from improper input validation within the inventory transaction handling logic of PocketMine-MP. Specifically, the server does not check the quantity of items a player requests to drop against the number of items actually present in the corresponding hotbar slot. This allows an attacker to craft a transaction whose drop quantity exceeds the available items; when the server processes it, an unhandled error condition results and the server crashes. The missing bounds check on the client-supplied drop quantity is the root cause. Correct handling validates every client-controlled field of the transaction (slot index, item type and count) against the server's authoritative copy of the inventory before mutating any state, and rejects the transaction outright when the requested count exceeds what the slot holds. Operators should upgrade to PocketMine-MP 4.18.1 or later, where this validation is in place.
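The following is an added example that models Steps 3 to 5 and the root cause above; it is not PocketMine-MP code and does not use PocketMine-MP's API (the project itself is written in PHP; Python is used here so the model can be run and checked stand-alone). It places the vulnerable pattern, where the client's drop count is trusted and an invariant failure escapes as a server-killing error, beside a hardened handler that validates slot index and count against the server-side hotbar and rejects the transaction without touching state. Every name in it (Hotbar, DropAction, ServerCrash, handle_drop_unchecked, handle_drop_validated, run_scenario) and the hotbar size and stack limit are assumptions for illustration, and the malicious request is constructed inline.

```python
"""Added example, not PocketMine-MP code: a toy model of the unchecked drop
described in Steps 3-5 beside the bounds check that the root-cause paragraph
calls for. Every name here (Hotbar, DropAction, ServerCrash,
handle_drop_unchecked, handle_drop_validated) is an assumption for
illustration, not a PocketMine-MP API."""
from dataclasses import dataclass, field
from typing import List, Optional

HOTBAR_SIZE = 9   # assumption: nine hotbar slots, as in Minecraft
MAX_STACK = 64    # assumption: largest stack a single slot may hold


@dataclass
class ItemStack:
    item: str
    count: int


@dataclass
class Hotbar:
    """Server-side, authoritative view of the player's hotbar."""
    slots: List[Optional[ItemStack]] = field(
        default_factory=lambda: [None] * HOTBAR_SIZE)


@dataclass(frozen=True)
class DropAction:
    """Client-supplied request: drop `count` items out of hotbar `slot`.
    Both fields are attacker-controlled and must be treated as untrusted."""
    slot: int
    count: int


class ServerCrash(RuntimeError):
    """Stands in for an error that escapes the packet handler and takes the
    whole server down (denial of service for every connected player)."""


def handle_drop_unchecked(hotbar: Hotbar, action: DropAction) -> ItemStack:
    """Vulnerable pattern: the client's count is trusted. Removing more than
    the slot holds drives the stack negative; the internal invariant check
    then fires as an unhandled error, which models the crash."""
    stack = hotbar.slots[action.slot]
    stack.count -= action.count
    if stack.count < 0:
        raise ServerCrash(
            f"invariant violated: slot {action.slot} now holds {stack.count}")
    if stack.count == 0:
        hotbar.slots[action.slot] = None
    return ItemStack(stack.item, action.count)


def handle_drop_validated(hotbar: Hotbar,
                          action: DropAction) -> Optional[ItemStack]:
    """Hardened pattern: validate every client-controlled field against the
    server's own state before mutating anything. Returns the dropped stack,
    or None when the transaction is rejected (state is left untouched)."""
    if not 0 <= action.slot < HOTBAR_SIZE:
        return None                     # slot index out of range
    if not 1 <= action.count <= MAX_STACK:
        return None                     # zero, negative or oversized count
    stack = hotbar.slots[action.slot]
    if stack is None or action.count > stack.count:
        return None                     # more requested than actually held
    stack.count -= action.count
    if stack.count == 0:
        hotbar.slots[action.slot] = None
    return ItemStack(stack.item, action.count)


def run_scenario() -> dict:
    """Replays the advisory's steps: a player holding 3 items in slot 0 asks
    to drop 64. Returns what each handler did so the outcome can be checked."""
    attack = DropAction(slot=0, count=64)   # constructed malicious request

    vulnerable = Hotbar()
    vulnerable.slots[0] = ItemStack("cobblestone", 3)
    try:
        handle_drop_unchecked(vulnerable, attack)
        crashed = False
    except ServerCrash:
        crashed = True

    hardened = Hotbar()
    hardened.slots[0] = ItemStack("cobblestone", 3)
    rejected = handle_drop_validated(hardened, attack) is None

    return {
        "unchecked_crashed": crashed,
        "validated_rejected": rejected,
        "validated_slot_count": hardened.slots[0].count,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The design point is that the hardened handler checks the request against the server's own inventory, never against anything the client claims to hold, and performs every check before the first mutation so a rejected transaction leaves no partial state behind. A real server would additionally log or disconnect a client that sends such a request, since a legitimate client never produces one.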