Attackers are exploiting a vulnerability in a number of Minecraft mods to compromise servers and, through them, the computers of players who have the affected mods installed.

The attack uses a remote code execution vulnerability in those mods to run attacker-supplied code on servers and clients alike, giving the attacker control of the affected machines.


BleedingPipe

Known as BleedingPipe, the vulnerability is found in multiple mods for Minecraft Forge 1.7.10 and 1.12.2. It is caused by mods deserialising network packets exchanged between servers and clients with Java's ‘ObjectInputStream’ class without restricting which classes the stream may instantiate, so a peer can send a crafted packet that the receiving side will happily reconstruct.

A list of the currently known affected mods is shown below; the full list could extend to many more mods:

  • Advent of Ascension (Nevermine) version 1.12.2
  • Astral Sorcery versions 1.9.1 and older
  • BDLib 1.7 through 1.12
  • Brazier
  • DankNull
  • EnderCore versions below 1.12.2-0.5.77
  • Gadomancy
  • JourneyMap versions below 1.16.5-5.7.2
  • LogisticsPipes versions older than 0.10.0.71
  • Minecraft Comes Alive (MCA) versions 1.5.2 through 1.6.4
  • RebornCore versions below 4.7.3
  • Smart Moving 1.12
  • Thaumic Tinkerer versions below 2.3-138

When triggered, the vulnerability lets an attacker run code of their choosing on the server. A compromised server can then send crafted packets to every player who connects, exploiting the same vulnerable mods on their clients and installing malware on those machines as well.

Fix available

Since the vulnerability was discovered in early July, fixes have been released, but not every affected mod has yet been updated to the patched code.

A ‘PipeBlocker’ mod has been released to protect Forge servers and clients by filtering ‘ObjectInputStream’ network traffic. Server operators and players running any of the listed mods should update them to the patched versions and run PipeBlocker in the meantime.

What is deserialisation?

Deserialisation is the process of reconstructing a data structure, typically an object, from a series of bytes or a string so that a program can work with it again.

As the name suggests, deserialisation is the reverse of serialisation: converting a data structure into a series of bytes for storage or for transmission between devices.

Modern systems are made up of many components that exchange complex objects, and hand-writing code to encode and decode every field of every object is tedious and error-prone. Serialisation lets a program capture the state of an object in a standard format that can be stored or transmitted.

Deserialisation then lets the receiving program rebuild those objects after they have been sent over the wire, passed between applications, carried through firewalls and so on.

The danger is that formats such as Java's native serialisation embed class names in the byte stream, and a naive deserialiser will load and instantiate whatever classes the data names. If a program deserialises data from an untrusted source, such as a network peer, without restricting which classes may be instantiated, an attacker can craft a byte stream that chains together classes already present on the victim's classpath to execute code, giving them control of the process and a foothold on the underlying operating system.
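As an added illustration of both the BleedingPipe packet-handling pattern and the deserialisation explanation above (this is not code from the article, from any of the affected mods or from PipeBlocker), the Java program below contrasts an unrestricted ObjectInputStream.readObject() on bytes received from a peer with a hardened reader that refuses to resolve any class not on an allow-list. The SyncPacket and NotAPacket classes, the readPacketUnsafe/readPacketSafe methods and the sample payloads are hypothetical; NotAPacket simply stands in for the real gadget classes an attacker would name in the stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class PacketDeserialization {

    /** Hypothetical mod packet: the only class a packet handler should ever accept. */
    public static final class SyncPacket implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, y, z;
        final String label;
        SyncPacket(int x, int y, int z, String label) { this.x = x; this.y = y; this.z = z; this.label = label; }
    }

    /** Hypothetical class that has nothing to do with packets. It stands in for the "gadget"
     *  classes an attacker really targets: any Serializable class on the victim's classpath whose
     *  readObject()/hashCode()/toString() runs attacker-influenced logic. */
    public static final class NotAPacket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note;
        NotAPacket(String note) { this.note = note; }
    }

    /** The vulnerable pattern: whatever class name the peer wrote into the stream is loaded and
     *  instantiated before the handler gets a chance to check the result. A later cast to
     *  SyncPacket would fail, but by then the attacker's class has already been constructed. */
    public static Object readPacketUnsafe(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject();
        }
    }

    /** Hardened reader: resolveClass() is consulted for every class descriptor in the stream, so
     *  rejecting unknown names here stops the class from being loaded at all. Overriding
     *  resolveClass works on Java 8, which Forge 1.7.10/1.12.2 run on; on Java 9+ the
     *  ObjectInputFilter API (ObjectInputStream.setObjectInputFilter) is the standard way to do the same. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                // Reject before loading: no static initialiser, constructor or readObject() runs.
                throw new InvalidClassException(desc.getName(), "class not permitted in packet stream");
            }
            return super.resolveClass(desc);
        }
    }

    /** Allow-list of classes a packet stream may contain (String fields are read directly by the
     *  stream and never go through resolveClass, so they need no entry). */
    private static final Set<String> ALLOWED_PACKET_CLASSES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(SyncPacket.class.getName())));

    public static SyncPacket readPacketSafe(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(wire), ALLOWED_PACKET_CLASSES)) {
            return (SyncPacket) in.readObject();
        }
    }

    /** Helper that plays the sending side: produces the bytes that would travel over the wire. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: one a legitimate packet, one naming a class the handler never asked for.
        byte[] legit = serialize(new SyncPacket(10, 64, -3, "spawn"));
        byte[] hostile = serialize(new NotAPacket("never meant to be a packet"));

        System.out.println("unsafe, legit   -> " + readPacketUnsafe(legit).getClass().getSimpleName());
        System.out.println("unsafe, hostile -> " + readPacketUnsafe(hostile).getClass().getSimpleName()); // NotAPacket was instantiated
        System.out.println("safe,   legit   -> " + readPacketSafe(legit).label);
        try {
            readPacketSafe(hostile);
        } catch (InvalidClassException e) {
            System.out.println("safe,   hostile -> rejected: " + e.getMessage());
        }
    }
}
```

The point to take from the run is the second line: the unrestricted reader returns a fully constructed NotAPacket even though the handler only ever expected a SyncPacket. Swap NotAPacket for a class whose readObject() does something useful to an attacker and that single readObject() call is the remote code execution the article describes. The allow-list reader refuses the same bytes before any class is loaded, which is the same category of defence a filtering mod such as PipeBlocker provides for mods that have not yet been patched.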