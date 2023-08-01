A Minecraft mod security monitoring community has discovered a critical vulnerability in popular mod packs for the world’s most-played video game.

Dubbed “Bleeding Pipe”, the flaw could allow full remote code execution on clients and servers running affected Minecraft mods on Forge 1.7.10 and 1.12.2. Other versions could also be affected.

The exploit has already been spotted running in the wild on unsuspecting servers.

“This vulnerability can spread past the server to infect any clients that might join, though we do not know if there is any such malware in the wild,” MMPA said.

They explained that the vulnerability was not in Forge itself but in mods that deserialised untrusted network data with Java’s ObjectInputStream (OIS), the classic unsafe-deserialisation pattern.

“The mods affected used OIS for networking code, and this allowed packets with malicious serialisation to be sent,” the group said.

“This allows anything to be run on the server, which then can be used on the server to do the same thing to all clients, therefore infecting all clients with the server in reverse.”
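To make the mechanism concrete, here is an added example in Java (not code from MMPA or from any of the mods named on this page). It contrasts the vulnerable pattern the group describes, a packet handler that calls `ObjectInputStream.readObject()` on bytes received from the network, with a hardened handler that uses the `ObjectInputFilter` API (JEP 290, Java 9+) to allow only the one packet class it expects and to cap stream depth, reference count and size. The `PositionSync` class and the packet layout are hypothetical stand-ins; the “hostile” packet is a constructed example that simply carries an unexpected class, which is enough to show that the unsafe handler instantiates whatever the peer sends while the filtered one rejects it before any constructor or `readObject` hook runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class PacketDeserialisationDemo {

    // Hypothetical packet payload a mod might send between client and server; not from any real mod.
    public static final class PositionSync implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, y, z;
        PositionSync(int x, int y, int z) { this.x = x; this.y = y; this.z = z; }
        @Override public String toString() { return "PositionSync(" + x + "," + y + "," + z + ")"; }
    }

    /** Vulnerable pattern: the class name inside the stream is attacker-controlled, and any
     *  Serializable class on the classpath (mods, libraries, the JDK) gets instantiated and its
     *  readObject/readResolve hooks executed before this method can inspect the result. */
    static Object readPacketUnsafe(byte[] packet) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(packet))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an explicit allowlist of the only class this packet may contain.
    static final Set<String> ALLOWED = Set.of(PositionSync.class.getName());

    static Object readPacketFiltered(byte[] packet) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = info -> {
            // Resource limits first: gadget chains and bomb payloads are deep, reference-heavy or large.
            if (info.depth() > 2 || info.references() > 16 || info.streamBytes() > 1024) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // not a class descriptor (e.g. block data)
            }
            return ALLOWED.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED
                                                  : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(packet))) {
            in.setObjectInputFilter(filter); // consulted for every class descriptor before it is resolved
            return in.readObject();
        }
    }

    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialise(new PositionSync(1, 64, -3));
        // Constructed stand-in for a hostile packet: a type the handler never expects. A real attack
        // would ship a gadget chain; an unexpected class is sufficient to demonstrate the filter.
        byte[] unexpected = serialise(new HashMap<>(Map.of("k", "v")));

        System.out.println("unsafe,   legit:      " + readPacketUnsafe(legit));
        System.out.println("unsafe,   unexpected: " + readPacketUnsafe(unexpected)
                + "  <- accepted and instantiated");
        System.out.println("filtered, legit:      " + readPacketFiltered(legit));
        try {
            readPacketFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The allowlist is the important part: a denylist of known gadget classes is always incomplete, and every mod jar on a modded server adds more candidate classes. Where a packet format can be redesigned, not using Java serialisation for network data at all (writing explicit fields to the packet buffer instead) removes the problem entirely.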

The mods confirmed to be affected are as follows:

EnderCore — GT New Horizons fork has been fixed, and the original has been as well, but EnderIO’s minimum versions have not yet been updated.

LogisticsPipes — Fixed in GT New Horizons version as of July 25, 2023, and the original is fixed since version 0.10.0.71. MC 1.12 versions are not affected. If you have played on a server with a vulnerable version, assume you are infected.

The 1.7-1.12 versions of BDLib — GT New Horizons fork has this fixed, but the developer of the original currently does not plan to fix it. Assume you are infected if you have played on a server and are not on the GTNH fork.

Smart Moving 1.12

Brazier

DankNull

Gadomancy

MMPA said there was no way to determine whether a given server had already been attacked, since the payload being sent to vulnerable servers was unknown.

It advised server admins to check their servers for suspicious files and to update or remove the mods affected by the vulnerability.

“Malware targeting servers tends to infect other mods on the system once they get a target, so we recommend running something like jSus or jNeedle on all installed mods,” MMPA said.

For gamers who played on servers running the affected mods, MMPA recommended running an antivirus scan for suspicious files and scanning the .minecraft directory with jSus or jNeedle.

“Note that mod files are stored in a different directory when using a modded launcher such as Curseforge,” MMPA said.

“These files can typically be accessed by right-clicking the mod pack instance and clicking ‘Open Folder’.”

Further mitigation measures are available on MMPA’s website.

