Hackers are actively exploiting a 'BleedingPipe' remote code execution vulnerability in Minecraft mods to run malicious commands on servers and clients, allowing them to take control of the devices.
BleedingPipe is a vulnerability found in many Minecraft mods caused by the incorrect use of deserialization in the 'ObjectInputStream' class in Java to exchange network packets between servers and clients.
In short, the attackers send specially crafted network packets to vulnerable Minecraft mod servers to take over the servers.
The threat actors can then use those hacked servers to exploit the flaws in the same Minecraft mods used by players that connect to the server, allowing them to install malware on those devices as well.
In a new report by a Minecraft security community (MMPA), the researchers have found that the flaw impacts many Minecraft mods running on 1.7.10/1.12.2 Forge, which uses unsafe deserialization code.
Actively exploited in July
The first signs of BleedingPipe exploitation appeared in the wild in March 2022 but were quickly fixed by mod developers.
However, earlier this month, a Forge forum post warned about large-scale active exploitation using an unknown zero-day RCE to steal players' Discord and Steam session cookies.
"On July 9, 2023, a Forge forum post was made about a RCE happening live on a server, managing to compromise the server and send the discord credentials of clients, indicating the spread to clients," explained MMPA's article.
"The issue was nailed down to 3 mods; EnderCore, BDLib, and LogisticsPipes. However, this post did not go mainstream, and most were not aware."
After further research, the MMPA has found that the BleedingPipe vulnerability is also present in the following Minecraft mods:
- EnderCore
- LogisticsPipes versions older than 0.10.0.71
- BDLib 1.7 through 1.12
- Smart Moving 1.12
- Brazier
- DankNull
- Gadomancy
- Advent of Ascension (Nevermine) version 1.12.2
- Astral Sorcery versions 1.9.1 and older
- EnderCore versions below 1.12.2-0.5.77
- JourneyMap versions below 1.16.5-5.7.2
- Minecraft Comes Alive (MCA) versions 1.5.2 through 1.6.4
- RebornCore versions below 4.7.3
- Thaumic Tinkerer versions below 2.3-138
However, it is essential to note that the above list isn't complete, and BleedingPipe potentially impacts many more mods.
MMPA says a threat actor is actively scanning for Minecraft servers on the internet that are impacted by this flaw to conduct attacks, so fixing any vulnerable mods installed on servers is essential.
To protect your services and devices from BleedingPipe, download the latest release of impacted mods from the official release channels.
If the mod you're using has not addressed the vulnerability via a security update, you should migrate to a fork that has adopted the fixes.
The MMPA team has also released a 'PipeBlocker' mod to protect both Forge servers and clients by filtering 'ObjectInputStream' network traffic.
As the payload dropped by the attackers onto compromised systems is not yet known, server administrators should check all mods for suspicious file additions using the 'jSus' or 'jNeedle' scanners.
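To make the root cause and the filtering approach concrete, here is an added example (not code from any affected mod, from PipeBlocker, or from MMPA) contrasting a plain ObjectInputStream read with one that only resolves allow-listed packet classes. The ChunkRequest class and the byte arrays are constructed for the demo; the resolveClass override works on Java 8, which the 1.7.10/1.12.2 Forge versions named above run on.

```java
import java.io.*;
import java.util.Set;

public class PacketDeserializationDemo {

    // Hypothetical packet type a mod legitimately exchanges (constructed for this example).
    static final class ChunkRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, z;
        ChunkRequest(int x, int z) { this.x = x; this.z = z; }
    }

    // Vulnerable pattern: a plain ObjectInputStream resolves and instantiates whatever
    // class name the sender placed in the stream. The sender, not the mod, chooses the class.
    static Object readUnsafe(byte[] packet) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(packet))) {
            return in.readObject();
        }
    }

    // Hardened pattern: resolveClass() is consulted before any object is constructed, so
    // rejecting unknown class names here stops unexpected types from ever being instantiated.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Set.of(ChunkRequest.class.getName());
        AllowListObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not permitted in network packets");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readFiltered(byte[] packet) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(packet))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ChunkRequest(3, -7));   // the packet the mod expects
        byte[] unexpected = serialize(new java.util.Date());    // harmless stand-in for any other class
        System.out.println("unsafe read instantiated: " + readUnsafe(unexpected).getClass().getName());
        System.out.println("filtered read accepted:   " + readFiltered(expected).getClass().getName());
        try { readFiltered(unexpected); } catch (InvalidClassException e) { System.out.println("filtered read rejected: " + e.getMessage()); }
    }
}
```

On Java 9 and later the same allow list can be expressed with ObjectInputFilter instead of subclassing, but the principle is identical: the receiving side, not the peer, decides which classes may be deserialized.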
Players using mods known to be vulnerable are advised to perform similar scans on their .minecraft directory or the default directory used by their mod launcher to check for unusual files or malware.
Desktop users are also advised to run an antivirus scan to check for malicious executables installed on the system.
Comments
Sophon - 10 months ago
What many people fail to understand, is that MMPA are notoriously known for their unprofessionalism, fearmongering, rushing to hit the news first and even being the cause of releasing malware to the community.
As a brief reminder, this is the very same MMPA that had a complete community takeover by trusting a user who claimed to work for a reputable company - but who in fact used the position to spread malware.
As detailed on https://github.com/dogboy21/serializationisbad, this is a well known exploit - but one that in recent times started to be seen exploited in the wild. Whilst other teams such as that of dogboy21, worked in private to find the full extent of the exploit and provide mitigation - MMPA made the idiotic decision to rush out a blog post that omitted many of the key details, and themselves only had a half baked 'mitigation' solution that actually prevented players from joining servers - as the mod strictly blocked authentication packets.
The originally released patches by MMPA also contained extremely basic mistakes, such as using the GitHub api/raw URL as an update/content fetch. I would not be trusting this on a production server.
"Initially we were trying to investigate the whole issue privately and responsible so we can publish an extensive writeup and fix about the whole situation but since a group named MMPA just published a blog post about the issue, completely missing many important factors about the issue, we were forced to release a statement and attempt to fix the issue immediately since at the current time they're literally putting millions of modded Minecraft users at risk." - dogboy21
It's a shame that wide news sites such as bleepingcomputer continue to give credence and attention to MMPA - and in this instance, have completely disregarded the more reputable source of information.
Whilst serializationisbad boasts a credit list of well known, respected community members ranging from medium-large community networks, MMPA is construed of a handful of users who failed to involve the vast majority of their community for fear of 'chaos' but then themselves decided to disclose the information in order to 'be the first'.
Bill_Toulas - 10 months ago
Hello and thanks for your comment.
I should point out that we have linked to dogboy's report in the post, so it has by no means been "completely disregarded."
Sophon - 10 months ago
Is that the only thing you took away from my comment?
I suppose the part about MMPA themselves spreading malware, publishing a 'fix' that broke servers (that the article recommends, over the much more reputable serializationisbad) wasn't as important of note.
Putting the focus on MMPA and then the reputable source more or less as a footnote (using it only to point to the largest list) is more or less to disregard the genuine/reputable source.
Are you even aware of why the name 'Bleeding Pipe' was chosen? As you've likely understood, the exploit has nothing to do with pipes. It was named this way, because in MMPA's haste to push out another article, they believed the root cause of the exploit was a single mod named 'Logistics Pipes'. They then later realised that this was not the case, but did not opt to choose a more fitting name and instead elected to push an article out as quickly as possible, knowing that other teams were working on this in a more professional manner.