Third-Party Minecraft Mods Provide Backdoor For Hackers

It’s an old acquaintance of the Java community: the BleedingPipe exploit is making the rounds of Minecraft again. Bugs in the code of third-party mods allow extensive access. Experts advise server admins and players to act.

Java deserialization: Minecraft mods provide a gateway

A great appeal of Minecraft is the far-reaching opportunities to change the game through mods. The Minecraft Malware Prevention Alliance (MMPA) is now warning again of an exploit that has been known to the community for over a year. “BleedingPipe” uses Java deserialization to infect servers or clients that have specific mods installed. The problem: The bug yawns in many of the most popular customization packages.

In his report, Tom’s Hardware refers to the work of a German computer science student who is on GitHub under the name Dogboy21 is active. He has compiled a list of over 30 mods that are currently known to have the vulnerability – including popular packages such as AetherCraft, Immersive Armors, or ttCore. Dogboy21 also provides a relatively simple fix here. For this, a new JAR file must be stored in the mod folder.

As the MMPA describes in its warning, the development of BleedingPipe has been observed since early 2022. After the first discovery, it was found “that a malicious actor had scanned all Minecraft servers in the IPv4 address space in order to exploit vulnerable servers en masse”. An incident in July showed that an attacker used this method to take control of a public modded server (Forge and run code on all connected clients.

What to do to protect yourself?

The MMPA recommends all players playing on non-official servers to check the .minecraft directory for infected files using a scanner such as JSus or jNeedle. As mentioned above, a patch for the vulnerability in the mods is also available on Github. As a server operator, all installed mods should be scanned with tools such as JSus or jNeedle. If EnderIO or LogisticsPipes are in use, they should be updated to the latest version, the same applies to the “GT New Horizons” fork from BDLib.

Leave a Reply