Hackers are actively exploiting BleedingPipe vulnerability in Minecraft mods

BleedingPipe vulnerability

Last Saturday, researchers from the Minecraft security community MMPA published a blog post warning gamers about a serious security vulnerability that is being repeatedly exploited in certain mods for Minecraft 1.7.10 and 1.12.2. The flaw lets attackers run malicious commands on game servers and, through them, endanger the devices of the players connected to those servers.

It is widely known that Minecraft, a flagship title from Microsoft, is the best-selling video game in history, with over 238 million copies sold and a monthly active player base nearing 140 million. According to MMPA, the BleedingPipe vulnerability gives attackers full remote code execution on player devices and on servers running Minecraft mods.

According to MMPA, the popular mod platform Forge employs insecure deserialization code. Serialization converts an object into a byte stream so that it can be stored or transmitted; deserialization reverses the process, rebuilding the object from that stream. If code deserializes untrusted input without restriction, an attacker can supply crafted data that leads to remote code execution. The BleedingPipe vulnerability has been exploited on multiple occasions and affects more than thirty Minecraft mods on the platform. Mods known to be affected include, but are not limited to, EnderCore (a prerequisite mod for EnderIO), LogisticsPipes, BDLib (versions 1.7-1.12), Smart Moving 1.12, Brazier, DankNull, and Gadomancy. Furthermore, any version of Minecraft could be affected by this vulnerability if an impacted mod is installed.
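
To show what the insecure pattern looks like and how it is contained, the following is an added Java example, not code from Forge or from any of the mods named above: a hypothetical mod packet payload (`PipeState`) is read once with an unrestricted `ObjectInputStream` and once behind an `ObjectInputFilter` allowlist. It assumes a Java 9 or later runtime for `java.io.ObjectInputFilter`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public final class DeserializationExample {
    // Hypothetical payload a mod might legitimately exchange (constructed for this example).
    public static final class PipeState implements Serializable {
        private static final long serialVersionUID = 1L;
        public final int itemCount;
        public PipeState(int itemCount) { this.itemCount = itemCount; }
    }

    // Vulnerable pattern: packet bytes from the network go straight into ObjectInputStream.
    // readObject() instantiates whatever class the sender named, provided it is on the
    // server's classpath, and runs that class's deserialization hooks before we can check it.
    static Object readUnfiltered(byte[] packetBytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(packetBytes))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allowlist filter admits only the expected class, rejects everything
    // else (!*), and caps graph depth and stream size so a crafted packet fails fast.
    static PipeState readFiltered(byte[] packetBytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowOnlyPipeState = ObjectInputFilter.Config.createFilter(
                PipeState.class.getName() + ";!*;maxdepth=2;maxbytes=1024");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(packetBytes))) {
            in.setObjectInputFilter(allowOnlyPipeState); // rejected classes throw InvalidClassException
            return (PipeState) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        System.out.println("filtered, expected class: " + readFiltered(serialize(new PipeState(64))).itemCount);
        byte[] unexpected = serialize(new java.util.Date()); // stands in for a packet naming a class we never asked for
        System.out.println("unfiltered: instantiated " + readUnfiltered(unexpected).getClass().getName());
        try { readFiltered(unexpected); } catch (InvalidClassException e) { System.out.println("filtered: rejected, " + e.getMessage()); }
    }
}
```

The filter limits the damage; the more robust fix is to stop feeding network bytes to Java serialization at all and parse an explicit, fixed-format payload instead.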

The Minecraft vulnerability was initially detected in March 2022, and the mod development team GTNH released a patch for it at the time. However, in early July, a Minecraft player named Yoyoyopo5 was live-streaming on a public server running Forge mods when an attacker used the BleedingPipe vulnerability to execute code on, and take control of, the devices of all connected players. Yoyoyopo5 reported the incident in his post, claiming that the hacker used this access to steal session cookies from Discord and Steam.

After the initial report, researchers discovered that hackers had scanned the entire IPv4 address space for Minecraft servers and deployed malicious payloads on the affected ones. To mitigate the security risk, MMPA provided the following advice:

  • For server administrators: Examine servers for suspicious files, and update or remove mods affected by this vulnerability. Because the malware often infects other mods on the system, it is advised to run tools such as jSus or jNeedle against all installed mods.
  • For players: Gamers who do not play on servers are unaffected. Otherwise, they are advised to check for suspicious files and run an antivirus scan.

Via: bleepingcomputer