Luke100000 / serializationisbad

A Minecraft coremod / Java Agent aiming to patch serious security vulnerabilities found in many different mods


Unsafe Deserialization Vulnerability in Many Minecraft Mods

A few weeks ago, a critical vulnerability allowing arbitrary remote code execution on clients and servers (and therefore all connected clients on a server) was discovered in many Minecraft mods.

Initially, we intended to investigate the whole issue privately and responsibly so that we could publish an extensive write-up and fix the vulnerability entirely. However, since a group named MMPA published a blog post about the issue that completely misses many important aspects of the vulnerability, we were forced to release a statement and attempt to fix the issue immediately: at that point, millions of modded Minecraft users were being put at risk.

Information on the Vulnerability

The vulnerability is caused by unsafe use of Java's built-in serialization in network packets sent from servers to clients or from clients to servers. Because the packet contents are deserialized without any restriction, the sender can instantiate any Java class that is loaded in the receiving Minecraft instance.

There was already a similar vulnerability in the past called "Mad Gadget". You can read more about that here:

While only a relatively small number of attacks targeting this vulnerability have been seen in the wild so far, the severity of the vulnerability makes it extremely dangerous to play with the unpatched mods at the moment. Attackers have already attempted (and in some cases succeeded) to gain access to Microsoft tokens and browser session data. Since they can execute any code they want on a target system, the possibilities are endless.

How Can I Protect Myself Against the Vulnerability?

We developed a patcher that attempts to fix all mods that we know of (list of mods is below).

Should any more affected mods be discovered, a patch is as simple as updating the related config file. (We will publish a release that automates this for you.) Version 1.3 of the patch now automatically uses the latest version of the config file and otherwise falls back to the local config file. If no config is present, an error informs the user that no patches are currently applied.

Minecraft Forge 1.7.x - Latest

  • Download the JAR file from the latest release on the releases page
  • Add the JAR file to your mods folder
  • Download the latest config file from this Github repository and add it directly to your instance's config directory. (Version 1.3 of the patch now automatically uses the latest version of the config file.)

Any Other Instances

  • Download the JAR file from the latest release on the releases page (or alternatively from CurseForge or Modrinth) and save it somewhere
  • Add the following JVM argument to your client/server (refer to the documentation of the client/server launcher you are using on how to do this): -javaagent:<PATH TO SAVED JAR FILE>
  • Download the latest config file from this Github repository and add it directly to your instance's config directory. (Version 1.3 of the patch now automatically uses the latest version of the config file.)

Affected Mods

Contrary to what the blog post mentioned above states, there are plenty of mods that are or could be affected by this issue. Although some of them are already fixed in their latest versions, each of these mods was exploitable in at least one older version. It is to be expected that several modpacks from over the years are simply not maintained anymore, yet are still popular and loved within the community. Keeping this in mind, we are trying to help the people who still love running those modpacks and strive to keep them safe as they play.

KEEP IN MIND THAT THIS LIST IS DEFINITELY NOT COMPLETE! THESE ARE JUST THE MODS WE ARE CURRENTLY AWARE OF! CurseForge is already investigating the issue internally so we hope we can get a nearly complete list of vulnerable mods and versions in the future.

We have moved our affected mods list to another location! See the link below:

Affected Mods List

This list will change frequently as we find more mods that could have vulnerabilities and as developers add patches to their own mods. If you want to help us in keeping this list up-to-date, please feel free to contribute!
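Anyone wanting to help find further candidates for the list can start with a simple triage scan of a mods folder. The following Java program is an added example, not a tool shipped by the serializationisbad project: it opens every jar in a directory and reports the class files whose constant pool references java/io/ObjectInputStream, which is the type behind the unsafe pattern described above. The directory name defaults to "mods" and is an assumption; the byte-search heuristic is constructed for this example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class ObjectInputStreamScanner {

    // Class references live in the constant pool as modified UTF-8 internal names ('/' separators),
    // so a plain byte search for the internal name finds every class that mentions the type,
    // even in obfuscated mods (JDK class names are never renamed by obfuscators).
    private static final byte[] NEEDLE =
            "java/io/ObjectInputStream".getBytes(StandardCharsets.UTF_8);

    static boolean contains(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return true;
        }
        return false;
    }

    // Java 8 compatible replacement for InputStream.readAllBytes() (Java 9+).
    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) bos.write(buf, 0, n);
        return bos.toByteArray();
    }

    // Returns the entry names of all classes in the jar that reference ObjectInputStream.
    static List<String> scanJar(Path jar) throws IOException {
        List<String> hits = new ArrayList<>();
        try (JarFile jf = new JarFile(jar.toFile())) {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (!e.getName().endsWith(".class")) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    if (contains(readAll(in), NEEDLE)) hits.add(e.getName());
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        // Assumed default location; pass the instance's mods folder as the first argument otherwise.
        Path modsDir = Paths.get(args.length > 0 ? args[0] : "mods");
        try (DirectoryStream<Path> jars = Files.newDirectoryStream(modsDir, "*.jar")) {
            for (Path jar : jars) {
                List<String> hits = scanJar(jar);
                if (hits.isEmpty()) continue;
                System.out.println(jar.getFileName() + ": " + hits.size()
                        + " class(es) reference java.io.ObjectInputStream");
                for (String h : hits) System.out.println("    " + h);
            }
        }
    }
}
```

A hit is a lead, not a verdict: a mod may deserialize only its own local save or config data, which is not reachable over the network, so each reported class still needs a look at whether the stream it reads comes from a packet. Conversely, a clean scan does not prove safety, since a mod can reach the same code path through a library it bundles or through nested jars, which this scanner does not open.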

Credits

I'm not the only one who was working on the investigation of the whole situation.

Credits to anyone that was involved in this:

  • Aidoneus (MineYourMind Server Network)
  • bziemons (Logistics Pipes Mod Developer)
  • Bennyboy1695 (Shadow Node Server Network)
  • Dogboy21 (MyFTB Server Network)
  • Einhornyordle (MyFTB Server Network)
  • emily (CraftDownUnder Server Network)
  • Exa (Nomifactory Modpack Developer)
  • HanoverFist (MineYourMind Server Network)
  • HellFirePvP (Astral Sorcery Mod Developer)
  • Jacob (DirtCraft Server Network)
  • Juakco_ (CraftDownUnder Server Network)
  • Lìam (MineYourMind Server Network)
  • MojangPlsFix (MyFTB Server Network)
  • Heather (MMCC Server Network)
  • Niels Pilgaard (Enigmatica Modpack Developer)
  • oliviajumba (CraftDownUnder Server Network)
  • oly2o6 (All the Mods Modpack Developer / Akliz Server Hosting)
  • PurpleIsEverything (Shadow Node Server Network)
  • Pyker (Technic Launcher Developer)
  • RyanTheAllmighty (ATLauncher Developer)
  • Saereth (Modpack Developer)
  • Sauramel (CraftDownUnder Server Network)
  • ThePixelbrain (MMCC Server Network)
  • Tridos (DirtCraft Server Network)
  • DarkStar (CraftDownUnder Server Network)

License: MIT License

Language: Java 100.0%