blog.mmpa.info Open in urlscan Pro
2606:4700:3030::ac43:ca50  Public Scan

URL: https://blog.mmpa.info/posts/bleeding-pipe/
Submission: On August 01 via api from TR — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

Skip to content
 * Posts
 * Tags
 * About
 * 
 * 

--------------------------------------------------------------------------------

Go back


BLEEDING PIPE: A RCE VULNERABILITY EXPLOITED IN THE WILD

Posted on:July 29, 2023 |  at 06:21 PM

This article will be updated with more information as it develops.


WE RECOMMEND THAT YOU TAKE THIS SERIOUSLY.

This vulnerability has already been exploited many times and many 1.7.10/1.12.2
modpacks are vulnerable, however any other version of Minecraft can be affected
if an affected mod is installed.

This vulnerability can spread past the server to infect any clients that might
join, though we do not know if there is any such malware in the wild.


INTRODUCTION

BleedingPipe is an exploit being used in the wild allowing FULL remote code
execution on clients and servers running popular Minecraft mods on 1.7.10/1.12.2
Forge (other versions could also be affected), alongside some other mods. Use of
the BleedingPipe exploit has already been observed on unsuspecting servers.

This is a vulnerability in mods using unsafe deserialization code, not in Forge
itself.


KNOWN AFFECTED MODS

The known affected mods include, but are not limited to:

 * EnderCore (dependency of EnderIO). The GT New Horizons fork has been fixed,
   and the original has been aswell, but EnderIO’s minimum versions has not yet
   been updated.
 * LogisticsPipes. This has once again been fixed in GT New Horizons version as
   of July 25, 2023, and the original is fixed since version 0.10.0.71. MC 1.12
   versions are not affected. If you have played on a server with a vulnerable
   version, assume you are infected.
 * The 1.7-1.12 versions of BDLib. Once again, GTNH fork has this fixed, but the
   developer of the original currently does not plan to fix it. Assume you are
   infected if you have played on a server and are not on the GTNH fork.
 * Smart Moving 1.12
 * Brazier
 * DankNull
 * Gadomancy


INITIAL DISCOVERY

To begin; this vulnerability is well known in the Java community, and has been
fixed before in other mods, such as RebornCore. This exploit is generally
referred to as a deserialization attack/gadget chain, and there are many
exploited cases, however none have been of this scale in the Minecraft
community.

The first hints of this exploit in this specific list of mods go back all the
way to March 2022, when this issue was posted on BDLib’s GitHub hinting at a
vulnerability in ObjectInputStream. The GTNH team promptly merged a fix into
their fork.

After this, the issue became quiet for a while, until MineYourMind posted about
a vulnerability on their Enigmatica 2 Expert server.

On July 9, 2023, a Forge forum post was made about a RCE happening live on a
server, managing to compromise the server and send the discord credentials of
clients, indicating the spread to clients. The issue was nailed down to 3 mods;
EnderCore, BDLib, and LogisticsPipes. However, this post did not go mainstream,
and most were not aware.

On July 24, 2023, MineYourMind suddenly announced they had “fixed” the bug and
will be working with the devs to make patches. No other info was published.

After this series of announcements, the vulnerability was promptly patched in
the rest of GTNH’s forks, but it is still present in most servers with these
mods, as well as the original versions of these mods.


MASS EXPLOITATION

After the initial discovery, we discovered that a bad actor scanned all
Minecraft servers on the IPv4 address space to mass-exploit vulnerable servers.
A likely malicious payload was then deployed onto all affected servers.

We do not know what the contents of the exploit were or if it was used to
exploit other clients, although this is very much possible with the exploit.


WHAT SHOULD I DO?

As we do not know the contents of the payload being sent to the vulnerable
servers, there is no concrete way of detecting this attack. There are still a
few potential methods for detection listed below.


AS A SERVER ADMIN

As a server admin, we recommend checking for suspicious files in your server and
updating/removing the mods affected by this vulnerabiilty.

Malware targeting servers tends to infect other mods on the system once they get
a target, so we recommend running something like jSus or jNeedle on all
installed mods.


AS A PLAYER

As a player if you don’t play on servers, you are not affected.

As a player, we recommend checking for suspicious files, doing an antivirus
scan, and doing a scan on your .minecraft directory with something like jSus or
jNeedle. Note that mod files are stored in a different directory when using a
modded launcher such as Curseforge. These files can typically be accessed by
right-clicking the modpack instance and clicking “Open Folder”


MITIGATION

If you have EnderIO or LogisticsPipes, update to the latest versions on
CurseForge.

If you have BDLib, migrate to the GT New Horizons fork if possible.

To mitigate all mods generally, you can install our mod PipeBlocker on both
forge servers and clients. We also recommend updating LogisticsPipes and all of
your other mods to the newest versions available. Note that pre-made modpacks
may become unstable or otherwise break by updating all mods.

If you are a mod developer and use ObjectInputStream, unless you know what you
are doing, you are recommended to switch to another safe serializer or make your
own.


TECHNICAL DETAILS

The bug is a well known issue with deserialization using ObjectInputStream. The
mods affected used OIS for networking code, and this allowed packets with
malicious serialization to be sent. This allows anything to be run on the
server, which then can be used on the server to do the same thing to all
clients, therefore infecting all clients with the server in reverse.

If you have any information on BleedingPipe, you can join the MMPA Discord, or
contact us anonymously at contact@mmpa.info.

 *  threat
 *  vuln

--------------------------------------------------------------------------------

Copyright © 2023  |  All rights reserved.