2023-08-01

Hackers are actively taking advantage of a remote code execution vulnerability in Minecraft mods known as ‘BleedingPipe’. This vulnerability stems from the incorrect use of deserialization in the ‘ObjectInputStream’ class in Java, which is used to exchange network packets between Minecraft servers and clients.

By sending specially crafted network packets to vulnerable Minecraft mod servers, attackers can gain control of the servers. Once compromised, they can exploit the same mods used by players connecting to the server, enabling them to install malware on those devices as well.

A recent report by the Minecraft security community (MMPA) reveals that this flaw affects numerous Minecraft mods running on Forge 1.7.10/1.12.2 that contain unsafe deserialization code.

While signs of BleedingPipe exploitation were initially observed in March 2022, mod developers quickly addressed the issue. However, a recent post on the Forge forum highlighted widespread active exploitation through an unknown zero-day RCE, aimed at stealing players’ Discord and Steam session cookies.

The MMPA’s research indicates that the BleedingPipe vulnerability also exists in several other Minecraft mods, including LogisticsPipes (versions older than 0.10.0.71), BDLib (1.7 through 1.12), Smart Moving (1.12), Brazier, DankNull, Gadomancy, Advent of Ascension (Nevermine) (version 1.12.2), Astral Sorcery (versions 1.9.1 and older), EnderCore (versions below 1.12.2-0.5.77), JourneyMap (versions below 1.16.5-5.7.2), Minecraft Comes Alive (MCA) (versions 1.5.2 through 1.6.4), RebornCore (versions below 4.7.3), and Thaumic Tinkerer (versions below 2.3-138). It is important to note that this list may not be exhaustive, and many other mods could potentially be affected as well.

The MMPA warns that threat actors are actively scanning the internet for vulnerable Minecraft servers impacted by BleedingPipe. Therefore, it is crucial for server administrators to fix and update any vulnerable mods installed on their servers.

To protect against BleedingPipe, users should download the latest releases of affected mods from official channels. If a mod has not addressed the vulnerability through a security update, users should consider migrating to a fork that has implemented the necessary fixes.

Additionally, the MMPA has developed a ‘PipeBlocker’ mod that filters ‘ObjectInputStream’ network traffic, offering protection for both Forge servers and clients.
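To illustrate the root cause described at the top of the article and the kind of filtering a mod like PipeBlocker applies, here is an added example (not code from the article, from the MMPA, or from any Minecraft mod) that shows an unfiltered ‘ObjectInputStream’ read beside one constrained by a JEP 290 deserialization filter; the ‘ModPacket’ class and the filter pattern are constructed for the demonstration.

```java
import java.io.*;

// Added example: contrasts the vulnerable "deserialize whatever arrives"
// pattern with an allow-list filter that refuses unexpected classes before
// they are instantiated. All class names here are constructed.
public class DeserializationFilterDemo {

    // The one packet type the (hypothetical) mod expects over the wire.
    static class ModPacket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String command;
        ModPacket(String command) { this.command = command; }
    }

    // Vulnerable pattern: any serializable object graph a peer sends is
    // reconstructed, which is what makes gadget-chain payloads possible.
    static Object readUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // Hardened pattern: only the expected packet class (and String for its
    // field) may be deserialized; every other class is rejected with an
    // InvalidClassException before its constructor or readObject runs.
    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$ModPacket;java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ModPacket("ping"));
        // Constructed stand-in for a class the mod never intended to receive.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        System.out.println("unfiltered accepts: " + readUnfiltered(unexpected).getClass());
        System.out.println("filtered accepts packet: " + ((ModPacket) readFiltered(expected)).command);
        try { readFiltered(unexpected); }
        catch (InvalidClassException e) { System.out.println("filtered rejected: " + e.getMessage()); }
    }
}
```

Compile and run with a JDK 9 or newer; the allow-list can be extended with the real packet classes a mod uses, and a global default can be set with the ‘jdk.serialFilter’ system property instead of per-stream.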

As the payload delivered by attackers is still unknown, server administrators are advised to use scanners like ‘jSus’ or ‘jNeedle’ to check mods for any suspicious file additions. Players using vulnerable mods should conduct similar scans on their Minecraft directories to detect any unusual files or malware.

Desktop users are also encouraged to run antivirus scans to identify any malicious executables that may have been installed on their systems.