Security Hole in Minecraft Mods Lets Hackers Execute Code Remotely

[Image: Alex running from dinosaur. Image credit: Shutterstock (1934982539)]

Minecraft players and those who run Minecraft servers face a new and dangerous security vulnerability that could allow bad actors to run code remotely on their computers. Dubbed 'BleedingPipe' by a user group called MMPA (Minecraft Malware Prevention Alliance), the exploit abuses Java deserialization to infect servers or clients that have one of many popular mods installed. If you don't play Minecraft on a server that runs one of those mods and don't use them yourself, you can't be infected.

The list of vulnerable Minecraft mods is extensive. A German computer science student who goes by Dogboy21 on GitHub has identified three dozen popular mods that have the vulnerability, ranging from AetherCraft to Immersive Armors to ttCore. Dogboy21's GitHub page also has a patch for the problem, which involves dropping a new JAR file into your mods folder. The MMPA's blog post lists even more affected mods and states that modpacks for versions 1.7.10 and 1.12.2 specifically are the vulnerable ones.

BleedingPipe works by taking advantage of how the ObjectInputStream class in Java handles untrusted input. An attacker can send the server a crafted serialized object, and when the server "deserializes" it (reconstructs a Java object from the incoming bytes) with ObjectInputStream, code of the attacker's choosing gets executed on the server side. Similarly, if the server itself is infected, it can send crafted binary data back to a client (a player) whose PC deserializes it locally and executes the code.
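To make the mechanism concrete, here is an added example (not code from the article, the MMPA, or any of the mods named) showing the unsafe ObjectInputStream pattern the article describes next to the hardened form that Java 9's built-in ObjectInputFilter provides. The ChatPacket and NotAPacket classes are hypothetical stand-ins constructed for this example: the first represents a message type a mod legitimately exchanges, the second represents "any other Serializable class on the classpath", which is exactly what an unfiltered stream will happily instantiate.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

public class DeserializationFilterDemo {

    // Hypothetical packet type a mod might legitimately send (constructed for this example).
    static final class ChatPacket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sender;
        final String text;
        ChatPacket(String sender, String text) { this.sender = sender; this.text = text; }
    }

    // Stands in for "some other Serializable class" that a network handler should never
    // reconstruct from untrusted bytes. Deliberately harmless; only its class matters here.
    static final class NotAPacket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "not a packet";
    }

    // The only types this handler is willing to rebuild from the network.
    // String is listed because ChatPacket's fields are Strings.
    private static final Set<Class<?>> ALLOWED = Set.of(ChatPacket.class, String.class);

    /** Allow-list filter: every class named in the stream must be on the list. It also caps
     *  nesting depth and total bytes so a hostile stream cannot exhaust the server. */
    static ObjectInputFilter allowListFilter() {
        return info -> {
            if (info.depth() > 8 || info.streamBytes() > 64 * 1024) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> cls = info.serialClass();
            if (cls == null) {
                // Invoked for limit checks with no class in hand; leave the decision open.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return ALLOWED.contains(cls)
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
    }

    /** Vulnerable pattern: reconstructs whatever class the bytes happen to name. */
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: same call, but the filter vets each class before it is instantiated. */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowListFilter());
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] packet = serialize(new ChatPacket("steve", "hello"));
        byte[] other = serialize(new NotAPacket());

        // Unfiltered: both streams are accepted; the handler never decided which classes it expects.
        System.out.println("unfiltered packet -> " + readUnfiltered(packet).getClass().getSimpleName());
        System.out.println("unfiltered other  -> " + readUnfiltered(other).getClass().getSimpleName());

        // Filtered: the expected packet still works ...
        ChatPacket p = (ChatPacket) readFiltered(packet);
        System.out.println("filtered packet   -> " + p.sender + ": " + p.text);

        // ... and anything else is refused before its constructor or readObject hook can run.
        try {
            readFiltered(other);
            System.out.println("filtered other    -> accepted (unexpected!)");
        } catch (InvalidClassException e) {
            System.out.println("filtered other    -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a Java 9 or newer JDK (`javac DeserializationFilterDemo.java && java DeserializationFilterDemo`). The design point is that the fix is not a check on the bytes after the fact but a decision about which classes the handler is willing to instantiate at all, made before any of them is touched; the same allow-list can be applied to an entire JVM, including every mod loaded into it, through the `jdk.serialFilter` system property, which is the kind of process-wide defence a server operator can deploy without patching each mod.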

There's a fantastic YouTube video that explains how deserialization vulnerabilities work on the PwnFunction channel.

If a bad actor is able to execute code on either the server or client side, the possibilities are nearly endless. They could exfiltrate your user data and use it for identity theft, or take over your computer and enlist it in botnet attacks on other systems.

In early July, a player who goes by Yoyoyopo5 was running a public server using Forge 14.23.5.2860 mods and, during a live stream, a malicious user exploited BleedingPipe to gain control and execute code on every connected player's device. In his post on the incident, Yoyoyopo5 says that the hacker used the remote code to steal browser, Discord and Steam session info.

According to the MMPA, a bad actor has scanned all Minecraft servers on the IPv4 address space and may have deployed a malicious payload to them. So any server running an affected mod could be infected.

BleedingPipe is similar to, but apparently not the same as, the recently discovered exploit in Log4j, a Java logging library. Minecraft.net, an official Microsoft site, has a warning up along with mitigations for the Log4j vulnerability.

So what should you do to protect yourself? If you're a player who plays on other people's servers, MMPA recommends checking for infected files in your .minecraft directory using a scanner such as JSus or jNeedle. Dogboy21 recommends downloading his patch if you are using any of the affected mods.

If you run a server, MMPA suggests running JSus or jNeedle on all of your installed mods. MMPA also suggests updating to the latest versions of EnderIO or LogisticsPipes if you use them, and switching to the "GT New Horizons" fork of BDLib if you use that. The group has also created its own security mod, called PipeBlocker, which is intended to block these attacks.

Avram Piltch
Avram Piltch is Tom's Hardware's editor-in-chief. When he's not playing with the latest gadgets at work or putting on VR helmets at trade shows, you'll find him rooting his phone, taking apart his PC or coding plugins. With his technical knowledge and passion for testing, Avram developed many real-world benchmarks, including our laptop battery test.
  • Falkreon
    The name "bleeding pipe" or "bleeding-pipe" or "pipebleed" is a complete misnomer; bleed attacks retrieve data. That is not what's going on here, it's an ACE attack (yes, very similar to the log4j attack). This is also not Minecraft-specific, this is a problem with Java SE which has been mentioned as a security vulnerability since 2015. Its actual name is Mad Gadget, and calling it pipebleed will just cause more problems.
  • LabRat 891
    Funny.
    My Dad over 2 decades ago would 'freak out' over this very possibility when I first started playing Multiplayer games.

    Also funny, is that this isn't an issue with the App or the content, it's a Java-related problem. Meaning, even a friggin Sat/Cable TV STB is potentially at risk.

    The popularity of this particular Java application, just makes it a bigger target.
  • RichardtST
    Yeah, this has existed forever. ObjectInputStream only partially works and unreliably at that. Especially for larger objects. Slow news day when you've got to dig up Java bugs...