Unsafe Deserialization Vulnerability in many Minecraft mods

A few weeks ago, a very critical vulnerability allowing arbitrary remote code execution on clients and servers (and therefor even all connected clients on a server) was discovered in many Minecraft mods.

Initially we were trying to investigate the whole issue privately and responsible so we can publish an extensive writeup and fix about the whole situation but since a group named MMPA just published a blog post about the issue, completely missing many important factors about the issue, we were forced to release a statement and attempt to fix the issue immediately since at the current time they're literally putting millions of modded Minecraft users at risk.

Information on the vulnerability

The vulnerability is caused by an unsafe use of the Java serialization feature in network packets sent by servers to clients or clients to servers that allows to instantiate any Java class that is loaded in the Minecraft instance.

There was already a similar vulnerability in the past called "Mad Gadget". You can read more about that here:

While there are just a relatively small amount of attacks targetting this vulnerability in the wild, because of the significance of the vulnerability, it is completely dangerous to play with unpatched mods currently. Attackers already attempted (and succeeded in some cases) Microsoft access token and browser session steals. But since they can literally execute any code they want on a target system, the possibilities are endless.

How to protect against the vulnerability?

We developed a patcher that attempts to fix all currently known affected mods (listed below).

Should any more affected mods be discovered, a patch is as simple as updating the related config file. (We will publish a relesae that automates this for you) Version 1.3 of the patch now automatically uses the the latest version of the config file and otherwise falls back to the local config file. If there's no config present, there should be an error informing the user that there are currently no patches applied.

Minecraft Forge 1.7.x - latest

• Download the JAR file from the latest release on the releases page
• Add the JAR file to your mods folder
• Download the latest config file from this Github repository and add it directly to your instances config directory Version 1.3 of the patch now automatically uses the the latest version of the config file

Any other instances

• Download the JAR file from the latest release on the releases page and save it somewhere
• Add the following JVM argument to your client/server (refer to the documentation of the client/server launcher you are using on how to do this): -javaagent:<PATH TO SAVED JAR FILE>
• Download the latest config file from this Github repository and add it directly to your instances config directory Version 1.3 of the patch now automatically uses the the latest version of the config file

Affected mods

Unlike stated in the above blog post, there are plenty more mods that are affected by this issue. Although some of them already are fixed in the latest versions, these mods were exploitable in at least one older version:

KEEP IN MIND THAT THIS LIST IS DEFINITELY NOT COMPLETE. THESE ARE JUST THE MODS WE ARE CURRENTLY AWARE OF. At least Curseforge is already investigating the issue internally so we can maybe get a nearly complete list of vulnerable mods and versions in the future.

Because of the rushed announcement, we are currently unable to give exact version ranges of affected mods. If you want to help out with that, feel free to contribute to this list.

• AetherCraft
• Advent of Ascension (Nevermine) (Only affects versions for Minecraft 1.12.2)
• Arrows Plus
• Astral Sorcery (affected versions: <=1.9.1)
• BdLib (Only affects versions for Minecraft 1.8.9-1.12.2)
• Carbonization
• Custom Friends Capes
• CustomOreGen
• DankNull
• Energy Manipulation
• EnderCore (Only affects versions for Minecraft 1.9-1.13)
• EndermanEvolution
• Extrafirma
• Gadomancy
• Giacomo's Bookshelf
• Immersive Armors (Fixed in version 1.5.6 for Minecraft 1.18.2, 1.19.2-1.19.4, 1.20, versions for 1.16.5, 1.17.1, 1.18.1, 1.19.0, 1.19.1 remain affected, relevant commit)
• Immersive Aircraft
• Immersive Paintings
• JourneyMap (Fixed introduced in 1.16.5-5.7.1 and fixed in 1.16.5-5.7.2 No other versions were effected)
• LanteaCraft / SGCraft
• LogisticsPipes (Only affects versions for Minecraft 1.4.7-1.7.10. Fixed in version 0.10.0.71 for MC 1.7.10, relevant security advisory)
• Minecraft Comes Alive (MCA) (Only affects versions for Minecraft 1.5.2-1.6.4)
• MattDahEpic Core (MDECore) (Only affects versions for Minecraft 1.8.8-1.12.2)
• mxTune (Only affects versions for Minecraft 1.12-1.16.5)
• p455w0rd's Things
• Project Blue
• RadixCore
• RebornCore (affected versions: >= 3.13.8, <4.7.3, relevant security advisory)
• SimpleAchievements
• SmartMoving
• Strange
• SuperMartijn642's Config Lib (Fixed in version 1.0.9, relevant security advisory)
• Thaumic Tinkerer (Fixed in version 2.3-138 for Minecraft 1.7.2, versions for 1.6-1.6.4 remain affected, relevant commit)
• Tough Expansion
• ttCore (Only affects versions for Minecraft 1.7.10)

Credits

I'm not the only one that was working on the investigation of the whole situation.

Credits to anyone that was involved in this:

• Aidoneus (MineYourMind Server Network)
• bziemons (Logistics Pipes Mod Developer)
• Bennyboy1695 (Shadow Node Server Network)
• Dogboy21 (MyFTB Server Network)
• Einhornyordle (MyFTB Server Network)
• emily (CraftDownUnder Server Network)
• Exa (Nomifactory Modpack Developer)
• HanoverFist (MineYourMind Server Network)
• HellFirePvP (Astral Sorcery Mod Developer)
• Jacob (DirtCraft Server Network)
• Juakco_ (CraftDownUnder Server Network)
• Lìam (MineYourMind Server Network)
• MojangPlsFix (MyFTB Server Network)
• Heather (MMCC Server Network)
• Niels Pilgaard (Enigmatica Modpack Developer)
• oliviajumba (CraftDownUnder Server Network)
• oly2o6 (All the Mods Modpack Developer / Akliz Server Hoster)
• PurpleIsEverything (Shadow Node Server Network)
• Pyker (Technic Launcher Developer)
• RyanTheAllmighty (ATLauncher Developer)
• Saereth (Modpack Developer)
• Sauramel (CraftDownUnder Server Network)
• ThePixelbrain (MMCC Server Network)
• Tridos (DirtCraft Server Network)
• DarkStar (CraftDownUnder Server Network)

from Hacker News https://ift.tt/mUN1RWn