...and why it matters.
You might have seen my HiveCorruptor plugin on Poggit. To be clear, I don't have a vendetta against The Hive or anything like that; the plugin was more of a comedic demonstration of how the blob cache can be exploited to crash clients. The next thing you're probably thinking is "how the hell does this work?" - and that is what this article will go over.
When implementing the newly introduced sub chunk request system for Dragonfly, I had the chance to play around with the client blob cache, as it required adjustments for the new system too. As the cache system is now quite old, having been introduced back in 2019, I imagine most major 3rd party software developers for the game don't really have much reason to mess around with it if they haven't already, which is likely how this went under the radar for as long as it did.
One thing led to another when implementing the new system: I accidentally sent the wrong byte slice under a completely different hash, crashing my client. That was at first disappointing, but then it hit me: how the f*ck did that happen? I mean - surely they validate the hash the server provided to make sure it isn't BS?
When the Blob Cache was first introduced in this gist by Tommaso Checchi, it was designed exactly against such attacks:
The Client enforces the correctness of all BlobIds by verifying that its independently computed hash matches with what the server is sending, so other 3rd party servers cannot corrupt your content.
I imagine this was actually the case for a while, but this precaution likely got removed by some Mojang intern in the name of optimization, because after some more testing I confirmed my original suspicions.
The next big fuck up they did was not checking that the data was, well, actually valid chunk data, because I was able to give the client a bunch of garbage data and it accepted it perfectly fine... until the target server sent the associated hash and tried loading the corrupted data.
Overall, I was able to:
- Flood the client's blob cache with junk data, at speeds upwards of gigabytes per second
- Corrupt other servers' chunks via a proxy such as Gophertunnel, collecting & corrupting unique hashes on the server
- Quite literally update other servers' chunks with my own chunks
- The list goes on...
Unfortunately, there isn't a good patch for this. If you as a player are affected by this exploit, you can't just clear the blob cache from the app itself. The button that resets the cache in the game itself seems to not touch the blob cache at all.
If you're on Windows, then you can just delete %LocalAppData%\Packages\Microsoft.MinecraftUWP_8wekyb3d8bbwe\LocalCache\minecraftpe\blob_cache, but mobile and console players are basically out of luck here.
If you're a 3rd party server owner, you are likely fine. PocketMine-MP, the biggest third-party server software, does not support the client blob cache anyway as of 5.0. Dragonfly ironically is probably the only third-party server software to be affected.
If you own/maintain your own server software and feel that you could be affected, I highly recommend that you disable the blob cache, even if only temporarily. There is not really any better clear-cut solution.
If you work at Mojang and somehow see this, for the love of god, just add back the validation! It's as easy as computing the hash of the provided data client-side and comparing it to the blob ID the server claimed before applying the update to the cache. You'll save server owners, and your players, a headache.
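To make the fix concrete, here is an added example (my own illustration, not Mojang's client code or Dragonfly's) of a client-side blob cache that recomputes the hash of every incoming payload and refuses to store it under a mismatching blob ID, alongside the unchecked behaviour described above. The article does not name the hash function the real client uses, so this example substitutes FNV-1a from the Go standard library as a placeholder; the `BlobCache` type, its methods and the byte-size cap are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"hash/fnv"
)

// Blob IDs in the protocol are 64-bit hashes of the blob payload. The concrete
// hash function is not stated in the article, so FNV-1a (stdlib) stands in here
// purely so the example runs without external dependencies.
func blobID(data []byte) uint64 {
	h := fnv.New64a()
	h.Write(data)
	return h.Sum64()
}

var (
	ErrHashMismatch = errors.New("blob cache: payload hash does not match claimed blob ID")
	ErrCacheFull    = errors.New("blob cache: capacity exceeded")
)

// BlobCache is a hypothetical client-side cache keyed by blob ID.
type BlobCache struct {
	entries  map[uint64][]byte
	used     int
	capacity int // total payload bytes; bounds the flooding described in the article
}

func NewBlobCache(capacity int) *BlobCache {
	return &BlobCache{entries: make(map[uint64][]byte), capacity: capacity}
}

// PutUnchecked mirrors the weak behaviour the article describes: the server's
// claimed ID is trusted and the payload is stored under it as-is, so any
// server (or proxy) can plant arbitrary bytes under another server's blob ID.
func (c *BlobCache) PutUnchecked(claimed uint64, data []byte) {
	c.entries[claimed] = data
	c.used += len(data)
}

// Put is the hardened variant: recompute the hash locally and refuse to store
// anything whose claimed ID does not match it, then enforce a size budget.
func (c *BlobCache) Put(claimed uint64, data []byte) error {
	if got := blobID(data); got != claimed {
		return fmt.Errorf("%w: claimed %#x, computed %#x", ErrHashMismatch, claimed, got)
	}
	if _, exists := c.entries[claimed]; exists {
		return nil // same content already cached; nothing to do
	}
	if c.used+len(data) > c.capacity {
		return ErrCacheFull
	}
	c.entries[claimed] = data
	c.used += len(data)
	return nil
}

// Get returns the cached payload for a blob ID, if any.
func (c *BlobCache) Get(id uint64) ([]byte, bool) {
	d, ok := c.entries[id]
	return d, ok
}

func main() {
	// Constructed sample payloads; not real chunk data.
	legit := []byte("constructed sub-chunk payload from server A")
	junk := []byte("constructed garbage sent by a malicious proxy")
	id := blobID(legit)

	weak := NewBlobCache(1 << 20)
	weak.PutUnchecked(id, junk) // junk now sits under server A's blob ID
	fmt.Printf("unchecked cache holds %q under %#x\n", weak.entries[id], id)

	hard := NewBlobCache(1 << 20)
	fmt.Println("hardened, junk :", hard.Put(id, junk))  // hash mismatch error
	fmt.Println("hardened, legit:", hard.Put(id, legit)) // <nil>
}
```

The check is cheap relative to decoding a sub chunk, and it is the only thing standing between "cache keyed by content hash" and "cache keyed by whatever the last server said"; the byte budget is a separate, secondary guard against the flooding case.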
Most featured servers, especially The Hive, will probably not be affected by this, at least not to a major extent. The main risk here comes from a decently sized server (say NetherGames, Zeqa, any server in the PvP community...) exploiting this, or god forbid, a featured server. The most vulnerable clients, console users, will probably not be affected by this significantly given the restrictions on playing on 3rd party servers.
I discovered this exploit a little over a year ago and have gone through various sources to try to bring it to Mojang's attention and get it patched. It was not my intention to release this publicly, but unfortunately, it seems that Mojang has done little to nothing to try to resolve it or prevent it. My aim with releasing this information is not fallout, but rather an attempt to get their attention.