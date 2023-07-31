Minecraft players and server operators are facing new security risks following the discovery of a vulnerability in certain mods and subsequent mod packs that allows remote code execution if exploited. Patches are rolling out and vulnerability management is actively happening, but players could still be at risk if their mods are outdated.

Earlier in July, a post was made to the Minecraft Forge forums showing what appeared to be a zero-day exploit on a Minecraft 1.12.2 Enigmatica 2 server. The exploit seemingly executed code on the client PCs connected to the server, allowing the attacker to steal browser sessions, Discord tokens, and Steam sessions. This exploitation sparked an investigation, resulting in a blog post from MMPA, who dubbed this attack “BleedingPipe.”

MMPA explained that this attack is a Java deserialization attack, wherein a service insecurely converts a stream of bytes that can be user-controlled into an object. The blog post further notes that there is no way to detect the exploit, but it is known that “a bad actor scanned all Minecraft servers on the IPv4 address space to mass-exploit vulnerable servers.” This exploit is also purportedly tied to the mods EnderCore, LogisticsPipes, 1.7-1.12 version of BDLib, Smart Moving 1.12, Brazier, DankNull, and Gadomancy. However, this is not the end of the story.

GitHub user dogboy21 posted a project to GitHub titled serializationisbad, wherein they explain that the actual use of the exploit in the wild is low. However, anyone who plays on a server or owns a server with unpatched mods is at risk, and dogboy21 lists three dozen mods (below) that are affected by the vulnerability.

AetherCraft

Advent of Ascension (Nevermine) (Only affects versions for Minecraft 1.12.2)

Arrows Plus

Astral Sorcery (affected versions: <=1.9.1)

BdLib (Only affects versions for Minecraft 1.7.10-1.12.2)

Carbonization

CreativeCore (Only affects versions for Minecraft 1.7.10)

Custom Friends Capes

CustomOreGen

DankNull

Energy Manipulation

EnderCore (Fixed introduced in 1.7.10-0.2.0.40_beta, 1.10-0.4.0.36-beta, 1.10.2-0.4.1.67-beta and 1.12.2-0.5.77. See #36)

EndermanEvolution

Extrafirma

Gadomancy

Giacomo’s Bookshelf

Immersive Armors (Fixed in version 1.5.6 for Minecraft 1.18.2, 1.19.2-1.19.4, 1.20, versions for 1.16.5, 1.17.1, 1.18.1, 1.19.0, 1.19.1 remain affected, relevant commit)

Immersive Aircraft

Immersive Paintings

JourneyMap (Issue introduced in 1.16.5-5.7.1 and fixed in 1.16.5-5.7.2 No other versions were effected)

LanteaCraft / SGCraft

LogisticsPipes (Only affects versions for Minecraft 1.4.7-1.7.10. Fixed in version 0.10.0.71 for MC 1.7.10, relevant security advisory)

Minecraft Comes Alive (MCA) (Only affects versions for Minecraft 1.5.2-1.6.4)

MattDahEpic Core (MDECore) (Only affects versions for Minecraft 1.8.8-1.12.2)

mxTune (Only affects versions for Minecraft 1.12-1.16.5)

p455w0rd’s Things

Project Blue

RadixCore

RebornCore (affected versions: >= 3.13.8, <4.7.3, relevant security advisory)

SimpleAchievements

SmartMoving

Strange

SuperMartijn642’s Config Lib (Fixed in version 1.0.9, relevant security advisory)

Thaumic Tinkerer (Fixed in version 2.3-138 for Minecraft 1.7.2, versions for 1.6-1.6.4 remain affected, relevant commit)

Tough Expansion

ttCore (Only affects versions for Minecraft 1.7.10)

Dogboy21 also explains that they and other contributors “were trying to investigate the whole issue privately and responsible so we can publish an extensive writeup and fix about the whole situation but since a group named MMPA just published a blog post about the issue, completely missing many important factors about the issue, we were forced to release a statement and attempt to fix the issue immediately since at the current time they’re literally putting millions of modded Minecraft users at risk.”

Regardless of how the vulnerability was disclosed, there is still a significant risk to many modded Minecraft players. Thus, mod authors need to work on patching their mods either by hand or with dogboy21’s tool, and players should perhaps hold off on joining servers if they believe they might be at risk, as you cannot be exploited offline. Alternatively, there is a mod that purportedly protects players against exploitation using deserialization, but exercise caution when taking this on.