
The BleedingPipe RCE Exploit Presents Minecraft With a New Security Challenge

'BleedingPipe' is actively being exploited by attackers to execute malicious commands on servers and clients that run Minecraft mods. The attack abuses a remote code execution vulnerability, and with it the attackers can take control of the affected devices and make them do whatever they want.

BleedingPipe is a vulnerability found in many Minecraft mods. It stems from insecure use of Java's 'ObjectInputStream' class for deserialization, which the affected mods rely on to exchange packets of information between servers and clients over the network. Attackers compromise Minecraft mod servers by sending them specially crafted network packets and thereby take control of the servers.

As a result of a newly discovered security vulnerability, bad actors have been able to execute code remotely on the computers of Minecraft Java Edition players and server owners. Because the exploit takes advantage of Java's deserialization mechanism, you are likely affected if you run one of the many popular mods that are susceptible to it, or if you play on a server that has them installed.

The vulnerability affects AetherCraft, Immersive Armor, CreativeCore, ttCore, and many other popular Minecraft mods. GitHub user dogboy21 has compiled a comprehensive list of affected mods that you may find useful.

The MMPA's blog post on the subject lists further mods affected by this issue and gives an in-depth description of the bug. As you can see from the video below, taken from the YouTube channel PwnFunction, this insecure deserialization attack works by exploiting the insecurity of the serialization process itself.

Through remote code execution (RCE) vulnerabilities, the attackers could also infect your computer and use it to spread code elsewhere, or install ransomware designed to block access to your files until you pay a cash ransom.

Using these hacked servers, the threat actors are additionally able to install malware on the devices of players who connect to them, by exploiting the same flaws in the Minecraft mods those players run.

An investigation by the Minecraft security community (MMPA) found that the flaw affects many Minecraft mods running on Forge 1.7.10/1.12.2 that use unsafe code to deserialize network data into Minecraft objects.

July, Active Exploitation
The first indications of BleedingPipe exploitation in the wild were seen in March 2022; however, the mod developers managed to fix them within minutes. Earlier this month, a Forge forum post warned of large-scale active exploitation of an unknown zero-day RCE, used by a large number of attackers to steal players' Steam session cookies.

Further research by the MMPA has found that the BleedingPipe vulnerability is also present in the following Minecraft mods:

EnderCore
LogisticsPipes versions older than 0.10.0.71
BDLib 1.7 through 1.12
Smart Moving 1.12
Brazier
DankNull
Gadomancy
Advent of Ascension (Nevermine) version 1.12.2
Astral Sorcery versions 1.9.1 and older
EnderCore versions below 1.12.2-0.5.77
JourneyMap versions below 1.16.5-5.7.2
Minecraft Comes Alive (MCA) versions 1.5.2 through 1.6.4
RebornCore versions below 4.7.3
Thaumic Tinkerer versions below 2.3-138

The above list is not complete; BleedingPipe could potentially affect a wide variety of mods beyond the ones listed here.

According to the Mobile Media Protection Association (MMPA), an attacker is actively scanning the internet for Minecraft servers affected by this vulnerability in order to breach them. Any vulnerable mods on a server must be fixed immediately.

To protect against BleedingPipe, download the latest versions of the affected mods from their official release channels. If the mod you are using has not addressed the vulnerability in a security update, migrate to a fork that has adopted the fix.

In addition, MMPA has released a 'PipeBlocker' mod, which protects both clients and servers by filtering 'ObjectInputStream' network traffic. Server administrators are strongly advised to check all mods for suspicious file additions dropped by attackers, using the 'jSus' or 'jNeedle' scanners. The payload dropped on compromised systems is currently unknown.

If you are using a mod that may be vulnerable, perform similar checks in your .minecraft directory or your mod launcher's default directory, so that unusual files or malware are found before you play with that mod.

Desktop users are also advised to scan their systems with an antivirus program rather than going without one, so that malicious executables are detected. Server owners are advised to check the status of their mods with jSus and jNeedle, and to install the MMPA's PipeBlocker mod, which filters Java's ObjectInputStream for exploits of this kind. If you use EnderIO or LogisticsPipes, the GT New Horizons versions of those mods are highly recommended, as is the modified GT New Horizons version of the BDLib mod.
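As an added illustration (not code from PipeBlocker or from any of the mods named above), here is the unsafe pattern the post describes next to a filtered form: a hypothetical Forge-style packet handler that calls ObjectInputStream.readObject() on raw network bytes, and the same handler restricted with a JDK ObjectInputFilter allow-list so that only the mod's own packet class can be built. Class names are hypothetical; the java.io.ObjectInputFilter API shown needs Java 9 or later (on Java 8u121 and later the same filter exists as sun.misc.ObjectInputFilter).

```java
import java.io.*;

// Added example, not code from any affected mod or from PipeBlocker.
public class PacketDeserializationExample {

    // Hypothetical payload type a mod would legitimately exchange.
    public static final class ChunkUpdate implements Serializable {
        private static final long serialVersionUID = 1L;
        public final int x, z;
        public ChunkUpdate(int x, int z) { this.x = x; this.z = z; }
    }

    // Vulnerable pattern: whatever class the remote peer named is resolved and
    // its readObject/readResolve logic runs before any type check happens.
    public static Object readUnfiltered(byte[] packet) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(packet))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allow-list filter rejects every class that is not the
    // expected packet type before it is resolved, and caps depth and byte count.
    public static ChunkUpdate readFiltered(byte[] packet) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                ChunkUpdate.class.getName() + ";!*;maxdepth=4;maxbytes=4096");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(packet))) {
            in.setObjectInputFilter(filter);
            return (ChunkUpdate) in.readObject();
        }
    }

    // Helper to build constructed sample packets for the demonstration below.
    public static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(obj); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new ChunkUpdate(3, -7));   // constructed legitimate packet
        System.out.println("legit packet accepted, x=" + readFiltered(good).x);
        // A packet naming any other class (constructed here with a plain HashMap) is
        // rejected by the filter with InvalidClassException instead of being built.
        byte[] other = serialize(new java.util.HashMap<String, String>());
        try {
            readFiltered(other);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Running the class prints the accepted coordinate for the legitimate packet and a "filter status: REJECTED" message for the foreign class; the unfiltered reader would have instantiated the foreign class instead.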