Minecraft players and those who run Minecraft servers face a new and dangerous security vulnerability that could let attackers run code remotely on their computers. Dubbed ‘BleedingPipe’ by a user group called MMPA (Minecraft Malware Prevention Alliance), the exploit abuses Java deserialization to compromise servers or clients that have one of many popular mods installed. If you don’t play Minecraft on a server that runs one of the affected mods and don’t use those mods yourself, you can’t be infected.
The list of vulnerable Minecraft mods is extensive. A German computer-science student who goes by Dogboy21 on GitHub has identified three dozen popular mods that carry the vulnerability, ranging from AetherCraft to Immersive Armors to ttCore. Dogboy21’s GitHub page also offers a patch, which involves dropping a new JAR file into your mods folder. The MMPA’s blog post lists even more affected mods and says that, specifically, modpacks for versions 1.7.10 and 1.12.2 are the vulnerable ones.
BleedingPipe takes advantage of mods that hand untrusted network data straight to Java’s ObjectInputStream class. An attacker sends the server a crafted stream of serialized bytes; when the server “deserializes” it (turning the bytes back into Java objects), the stream dictates which classes get instantiated and which of their readObject methods run, and a chain of otherwise legitimate classes already on the classpath can be steered into executing attacker-chosen code on the server before the mod ever inspects the result. The same thing works in reverse: a compromised server can feed crafted bytes back to a connected client (a player), whose PC deserializes them locally and executes the code.
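The following is an added illustration of the pattern described above, not code from any of the affected mods, the MMPA, or Dogboy21’s patch. It uses a hypothetical packet class, PlayerSettings, as the type a mod expects, and a harmless stand-in class, NotAPacket, whose readObject only flips a flag where a real gadget chain would do damage. The vulnerable handler calls readObject() on whatever bytes arrive; the hardened handler overrides resolveClass to reject every class that is not on an allowlist, which stops the hostile stream before any readObject runs and works on Java 8, the runtime used by the 1.7.10 and 1.12.2 modpacks.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeserializationDemo {

    /** Hypothetical packet type that a mod legitimately expects from the network (assumption for this example). */
    public static final class PlayerSettings implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final int renderDistance;
        PlayerSettings(String name, int renderDistance) {
            this.name = name;
            this.renderDistance = renderDistance;
        }
    }

    /** Harmless stand-in for a gadget class: any Serializable class on the classpath whose readObject runs
     *  attacker-chosen logic. Here it only records that it ran. */
    public static final class NotAPacket implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true; // executes during deserialization, before the caller sees any object
        }
    }

    /** Vulnerable pattern: deserialize whatever bytes the peer sent. */
    static Object vulnerableHandle(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject(); // every class in the stream is resolved and its readObject run here
        }
    }

    /** Hardened pattern: only classes on the allowlist may be resolved from the stream.
     *  Nested field types of the expected packet must be listed too; Strings and primitives need no entry. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED =
                new HashSet<>(Arrays.asList(PlayerSettings.class.getName()));

        AllowlistObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                // resolveClass runs before the class is instantiated, so no readObject of the rejected class executes
                throw new InvalidClassException("rejected unexpected class in stream: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static Object hardenedHandle(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new PlayerSettings("steve", 12));   // constructed legitimate packet
        byte[] hostile = serialize(new NotAPacket());                 // constructed stand-in for a hostile payload

        // 1. Vulnerable handler: the peer's class is instantiated and its readObject runs on our side.
        vulnerableHandle(hostile);
        System.out.println("vulnerable handler ran foreign readObject: " + NotAPacket.readObjectRan);

        // 2. Hardened handler: the expected packet still deserializes...
        NotAPacket.readObjectRan = false;
        PlayerSettings ps = (PlayerSettings) hardenedHandle(legit);
        System.out.println("hardened handler accepted: " + ps.name + " / " + ps.renderDistance);

        // ...and the hostile stream is rejected before any of its code can run.
        try {
            hardenedHandle(hostile);
        } catch (InvalidClassException e) {
            System.out.println("hardened handler rejected: " + e.getMessage());
        }
        System.out.println("foreign readObject ran under hardened handler: " + NotAPacket.readObjectRan);
    }
}
```

Save it as DeserializationDemo.java, then `javac DeserializationDemo.java && java DeserializationDemo`. On Java 9 and later the same allowlist can be expressed without subclassing by calling `in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("DeserializationDemo$PlayerSettings;!*"))` on the stream; the resolveClass override is shown because the affected modpacks run on Java 8. Whichever form is used, the allowlist has to be applied to every ObjectInputStream that reads from the network, not just the one a mod author remembers.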
There’s a fantastic YouTube video that explains how deserialization vulnerabilities work on the PwnFunction channel.
If a bad actor is able to execute code on either the server or client side, the possibilities are nearly endless. They could exfiltrate your user data and use it for identity theft, or take over your computer and enlist it in botnet attacks on other systems.
In early July, a player who goes by Yoyoyopo5 was running a public server using Forge 18.104.22.16860 mods and, during a live stream, a malicious user exploited BleedingPipe to gain control and execute code on every connected player’s device. In his post on the incident, Yoyoyopo5 says that the hacker used the remote code to steal browser, Discord and Steam session info.
According to the MMPA, a bad actor has scanned all Minecraft servers on the IPv4 address space and may have deployed a malicious payload to them. So any server running an affected mod could be infected.
BleedingPipe is similar to, but apparently not the same as, another recently discovered exploit in Log4j, a Java logging library. Minecraft.net, an official Microsoft site, has a warning up along with mitigations for the Log4j vulnerability.
So what should you do to protect yourself? If you’re a player who plays on other people’s servers, MMPA recommends checking for infected files in your .minecraft directory using a scanner such as JSus or jNeedle. Dogboy21 recommends downloading his patch if you are using any of the affected mods.
If you run a server, MMPA suggests running JSus or jNeedle on all of your installed mods. MMPA also suggests updating to the latest versions of EnderIO or LogisticsPipes, if you are using those. It also says to use the “GT New Horizons” fork of BDLib, if you are using that. The group has also created its own security mod called PipeBlocker, which is supposed to block these attacks.