Hackers exploit BleedingPipe RCE to target Minecraft servers, players


Hackers are actively exploiting a ‘BleedingPipe’ remote code execution vulnerability in Minecraft mods to run malicious commands on servers and clients, allowing them to take control of the devices.

BleedingPipe is a vulnerability found in many Minecraft mods caused by the incorrect use of deserialization in the ‘ObjectInputStream’ class in Java to exchange network packets between servers and clients.

In short, the attackers send specially crafted network packets to vulnerable Minecraft mod servers to take over the servers.

The threat actors can then use those hacked servers to exploit the flaws in the same Minecraft mods used by players that connect to the server, allowing them to install malware on those devices as well.

In a new report, a Minecraft security community (MMPA) found that the flaw impacts many Minecraft mods running on 1.7.10/1.12.2 Forge that use unsafe deserialization code.

Actively exploited in July

The first signs of BleedingPipe exploitation appeared in the wild in March 2022 but were quickly fixed by mod developers.

However, earlier this month, a Forge forum post warned about large-scale active exploitation using an unknown zero-day RCE to steal players’ Discord and Steam session cookies.

“On July 9, 2023, a Forge forum post was made about a RCE happening live on a server, managing to compromise the server and send the discord credentials of clients, indicating the spread to clients,” explained MMPA’s article.

“The issue was nailed down to 3 mods; EnderCore, BDLib, and LogisticsPipes. However, this post did not go mainstream, and most were not aware.”

After further research, the MMPA has found that the BleedingPipe vulnerability is also present in the following Minecraft mods:

  • EnderCore
  • LogisticsPipes versions older than 0.10.0.71
  • BDLib 1.7 through 1.12
  • Smart Moving 1.12
  • Brazier
  • DankNull
  • Gadomancy
  • Advent of Ascension (Nevermine) version 1.12.2
  • Astral Sorcery versions 1.9.1 and older
  • EnderCore versions below 1.12.2-0.5.77
  • JourneyMap versions below 1.16.5-5.7.2
  • Minecraft Comes Alive (MCA) versions 1.5.2 through 1.6.4
  • RebornCore versions below 4.7.3
  • Thaumic Tinkerer versions below 2.3-138

However, it is essential to note that the above list isn’t complete, and BleedingPipe potentially impacts many more mods.

MMPA says a threat actor is actively scanning for Minecraft servers on the internet that are impacted by this flaw to conduct attacks, so fixing any vulnerable mods installed on servers is essential.

To protect your services and devices from BleedingPipe, download the latest release of impacted mods from the official release channels.

If the mod you’re using has not addressed the vulnerability via a security update, you should migrate to a fork that has adopted the fixes.

The MMPA team has also released a ‘PipeBlocker’ mod to protect both Forge servers and clients by filtering ‘ObjectInputStream’ network traffic.

As the payload dropped by the attackers onto compromised systems is not yet known, server administrators are recommended to check all mods for suspicious file additions using the ‘jSus’ or ‘jNeedle’ scanners.

Players using mods known to be vulnerable are advised to perform similar scans on their .minecraft directory or the default directory used by their mod launcher to check for unusual files or malware.

Desktop users are also advised to run an antivirus scan to check for malicious executables installed on the system.

 

(c) Lawrence Abrams
