PocketMine-MP BookEditPacket crash when inventory slot in the packet is invalid

Summary

If a client sends a BookEditPacket with InventorySlot greater than 35, the server will crash due to an unhandled exception thrown by BaseInventory->getItem().

Details

Crashes at https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873

PoC

Using Gophertunnel, use serverConn.WritePacket(&packet.BookEdit{InventorySlot: 36})

Impact

Server crash, all servers

Patched versions

This issue was fixed by 47f011966092f275cc1b11f8de635e89fd9651a7, and the fix was released in 5.11.2.

Published: Mar 6, 2024
Updated: Mar 7, 2024
GHSA: GHSA-xc7j-wj36-qjfr
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
pocketmine / pocketmine-mp	-	5.11.2

https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873
https://github.com/pmmp/PocketMine-MP/commit/47f011966092f275cc1b11f8de635e89fd9651a7
https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-xc7j-wj36-qjfr

Vulnerability Database

PocketMine-MP BookEditPacket crash when inventory slot in the packet is invalid

Summary

Details

PoC

Impact

Patched versions

Deep Security Visibility Without the Complexity