In June/July 2021, I created an exploit in Minecraft's component handler that allowed someone to effectively crash another user's client by having them hold or even hover over an item in their inventory. In the interest of protecting the community, I had kept it a secret for quite a while, with only a few admins knowing about it. I intended to document it sometime after, but then I ended up getting suspended for unrelated reasons so I couldn't.
When I tried to report the exploit to Paper sometime later, they refused to patch it. Frustrated, I reported the exploit to Mojang directly very soon after 1.18 was officially released. It was officially patched in 1.18.1, alongside the Log4Shell exploit. To protect admins from the exploit before it was patched officially, I wrote a patch in W95 myself which granted complete immunity to the exploit. This is the patch I wrote. Enjoy.
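import java.util.UUID;

import net.minecraft.text.HoverEvent;
import org.spongepowered.asm.mixin.Mixin;
import org.spongepowered.asm.mixin.injection.At;
import org.spongepowered.asm.mixin.injection.ModifyArg;

/**
 * <b>HoverEventEntityPatch</b>
 * <p>Patches an exploit that causes clients to crash trying to process malicious text.</p>
 */
@Mixin(HoverEvent.EntityContent.class)
public class HoverEventEntityPatch
{
    // Well-formed placeholder handed to the original call when the supplied value is not a valid UUID.
    private static final String REPLACEMENT_UUID = "DEADBEEF-DEAD-DEAD-DEAD-DEADDEADDEAD";

    // Intercepts the String argument of UUID.fromString(...) inside EntityContent.parse(Text).
    @ModifyArg(method = "parse(Lnet/minecraft/text/Text;)Lnet/minecraft/text/HoverEvent$EntityContent;",
            at = @At(value = "INVOKE", target = "Ljava/util/UUID;fromString(Ljava/lang/String;)Ljava/util/UUID;"))
    private static String injectParseText(String uuid)
    {
        try
        {
            // Parse up front; a value that parses is passed on in canonical form.
            return UUID.fromString(uuid).toString();
        }
        catch (Exception ex)
        {
            // Anything that fails to parse is swapped for the placeholder, so the original call never throws.
            return REPLACEMENT_UUID;
        }
    }

    // Same check for the JSON overload, EntityContent.parse(JsonElement).
    @ModifyArg(method = "parse(Lcom/google/gson/JsonElement;)Lnet/minecraft/text/HoverEvent$EntityContent;",
            at = @At(value = "INVOKE", target = "Ljava/util/UUID;fromString(Ljava/lang/String;)Ljava/util/UUID;"))
    private static String injectParseJson(String uuid)
    {
        try
        {
            return UUID.fromString(uuid).toString();
        }
        catch (Exception ex)
        {
            return REPLACEMENT_UUID;
        }
    }
}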