Minecraft Mods Expose Gamers To Alarming BleedingPipe Exploit, What You Need To Know
Minecraft players and server operators are facing new security risks following the discovery of a vulnerability in certain mods and subsequent mod packs that allows remote code execution if exploited. Patches are rolling out and vulnerability management is actively happening, but players could still be at risk if their mods are outdated.
Earlier in July, a post was made to the Minecraft Forge forums showing what appeared to be a zero-day exploit on a Minecraft 1.12.2 Enigmatica 2 server. The exploit seemingly executed code on the client PCs connected to the server, allowing the attacker to steal browser sessions, Discord tokens, and Steam sessions. This exploitation sparked an investigation, resulting in a blog post from MMPA, who dubbed this attack “BleedingPipe.”
MMPA explained that this attack is a Java deserialization attack, wherein a service insecurely converts a stream of bytes that can be user-controlled into an object. The blog post further notes that there is no way to detect the exploit, but it is known that “a bad actor scanned all Minecraft servers on the IPv4 address space to mass-exploit vulnerable servers.” This exploit is also purportedly tied to the mods EnderCore, LogisticsPipes, 1.7-1.12 version of BDLib, Smart Moving 1.12, Brazier, DankNull, and Gadomancy. However, this is not the end of the story.
GitHub user dogboy21 posted a project to GitHub titled serializationisbad, wherein they explain that the actual use of the exploit in the wild is low. However, anyone who plays on a server or owns a server with unpatched mods is at risk, and dogboy21 lists three dozen mods (below) that are affected by the vulnerability.
- Advent of Ascension (Nevermine) (Only affects versions for Minecraft 1.12.2)
- Arrows Plus
- Astral Sorcery (affected versions: <=1.9.1)
- BdLib (Only affects versions for Minecraft 1.7.10-1.12.2)
- CreativeCore (Only affects versions for Minecraft 1.7.10)
- Custom Friends Capes
- Energy Manipulation
- EnderCore (Fixed introduced in 1.7.10-0.2.0.40_beta, 1.10-0.4.0.36-beta, 1.10.2-0.4.1.67-beta and 1.12.2-0.5.77. See #36)
- Giacomo's Bookshelf
- Immersive Armors (Fixed in version 1.5.6 for Minecraft 1.18.2, 1.19.2-1.19.4, 1.20, versions for 1.16.5, 1.17.1, 1.18.1, 1.19.0, 1.19.1 remain affected, relevant commit)
- Immersive Aircraft
- Immersive Paintings
- JourneyMap (Issue introduced in 1.16.5-5.7.1 and fixed in 1.16.5-5.7.2 No other versions were effected)
- LanteaCraft / SGCraft
- LogisticsPipes (Only affects versions for Minecraft 1.4.7-1.7.10. Fixed in version 0.10.0.71 for MC 1.7.10, relevant security advisory)
- Minecraft Comes Alive (MCA) (Only affects versions for Minecraft 1.5.2-1.6.4)
- MattDahEpic Core (MDECore) (Only affects versions for Minecraft 1.8.8-1.12.2)
- mxTune (Only affects versions for Minecraft 1.12-1.16.5)
- p455w0rd's Things
- Project Blue
- RebornCore (affected versions: >= 3.13.8, <4.7.3, relevant security advisory)
- SuperMartijn642's Config Lib (Fixed in version 1.0.9, relevant security advisory)
- Thaumic Tinkerer (Fixed in version 2.3-138 for Minecraft 1.7.2, versions for 1.6-1.6.4 remain affected, relevant commit)
- Tough Expansion
- ttCore (Only affects versions for Minecraft 1.7.10)
Regardless of how the vulnerability was disclosed, there is still a significant risk to many modded Minecraft players. Thus, mod authors need to work on patching their mods either by hand or with dogboy21's tool, and players should perhaps hold off on joining servers if they believe they might be at risk, as you cannot be exploited offline. Alternatively, there is a mod that purportedly protects players against exploitation using deserialization, but exercise caution when taking this on.