Image: Quinton Coetzee (unsplash)
Unscrupulous individuals are vigorously taking advantage of a ‘BleedingPipe’ remote code execution vulnerability found in Minecraft modifications to launch malicious commands on servers and clients, thereby enabling them to seize control of these devices.
The BleedingPipe vulnerability is present in a multitude of Minecraft modifications and stems from the improper application of deserialization in Java’s ‘ObjectInputStream’ class for the transfer of network packets between servers and clients.
To put it simply, the malefactors transmit specifically designed network packets to vulnerable Minecraft modification servers to gain supremacy over them.
Upon successful infiltration, these threat actors can utilize the compromised servers to expose the glitches in the same Minecraft modifications employed by gamers connected to these servers. This allows them to install harmful software on the gamers’ devices too.
A recent investigation conducted by a community committed to Minecraft’s security, known as MMPA, discovered that the vulnerability affects numerous Minecraft modifications operating on 1.7.10/1.12.2 Forge, notorious for utilizing insecure deserialization code.
This flaw was first seen exploited in March 2022 but was promptly corrected by the mod developers. However, warnings of large-scale active exploitation began earlier this month, utilizing an unknown zero-day RCE to pilfer players’ Discord and Steam session cookies.
It was noted by the MMPA that “A Forge forum post was created on July 9, 2023, regarding a live RCE infiltration on a server that successfully sabotaged the server and divulged the discord credentials of the clients, hinting at the spread to clients.”
It was identified that the issue was traced back to 3 modifications – EnderCore, BDLib, and LogisticsPipes. Despite this revelation, it didn’t gain widespread attention, and many remained uninformed.
Further analysis by the MMPA unveiled that the BleedingPipe vulnerability also extends to the following Minecraft modifications:
- LogisticsPipes versions preceding 0.10.0.71.
- BDLib 1.7 through 1.12.
- Smart Moving 1.12.
- Advent of Ascension (Nevermine) version 1.12.2.
- Astral Sorcery versions 1.9.1 and older.
- EnderCore versions below 1.12.2-0.5.77.
- JourneyMap versions below 1.16.5-5.7.2.
- Minecraft Comes Alive (MCA) versions 1.5.2 through 1.6.4.
- RebornCore versions below 4.7.3.
- Thaumic Tinkerer versions below 2.3-138.
However, the above list may not be exhaustive, and the BleedingPipe vulnerability potentially affects many more modifications.
According to the MMPA, a threat actor is actively probing for Minecraft servers on the internet susceptible to this flaw to carry out attacks. Therefore, it is critical to fix any vulnerable modifications installed on servers.
To safeguard your services and devices from BleedingPipe, download the most recent release of affected mods from the official channels. If the modification you are using hasn’t addressed the vulnerability via a security update, consider migrating to a version that has implemented the fixes.
The MMPA has also introduced a ‘PipeBlocker’ modification to shield both forge servers and clients by filtering ‘ObjectInputSteam’ network traffic.
Given that the payload dropped by the malefactors onto compromised systems is currently unknown, server administrators are recommended to inspect all modifications for suspicious file additions using the ‘jSus’ or ‘jNeedle’ scanners.
Gamers employing modifications known to be susceptible are advised to perform similar scans on their .minecraft directory or the default directory used by their mod launcher to check for unusual files or malware.
Users of desktop systems are also encouraged to run an antivirus scan to check for malicious executables installed on the system.