Info Serialization is Bad Exploit Fix

Discussion in 'Server Info' started by Aidoneus, Jul 29, 2023.

  1. Aidoneus

    Aidoneus Director Booster

    Hello everyone! I hope everyone is having a good weekend. I have some things we need to talk about so please listen up as this probably affects all of you.

    MineYourMind's Story

    On July 1st, 2023, our Enigmatica 2 Expert server was hit with a Remote Code Execution (RCE) vulnerability. Several of our players that were on at the time had their, what is likely, browser data stolen. They lost access to several of their accounts ranging from Discord to Microsoft. As soon as I heard of this, I immediately kicked everyone off of our 1.12 Minecraft servers, see Discord Post, and shut them down. At the time, this was our safest option to protect not just us but everyone on the network as a whole. We didn't know what we were looking for at the time, but had a good understanding of the damage done.

    Several days later, we still didn't know the exact ways this exploit was being used or how. By popular demand, despite knowing the risk, people wanted to join the servers. So we enabled the whitelist and only verified members could request being whitelisted. See this Discord Post.

    Fast forward a couple weeks after MyM turning on the whitelist, I was finally able to track down the reason for this exploit. With the help of several other people, I was finally confident on what the exploit was and how it worked. At this time, we discovered that this can happen on older Minecraft servers like our 1.7.10 ones. A network friend helped track down the mod in question that the exploiter used. This helped greatly in tracking down what mods had vulnerabilities. This all ultimately led to a ripple effect which I will explain now.

    Summary of the Vulnerability

    The vulnerability is related to one that was discovered a few years ago already, and often referred to as "Mad Gadget." You can see the links here and here for further details on that. We discovered initially that several mods have similar vulnerabilities that use the unsafe Java serialization feature with untrusted user input in the network packets sent from the server to the client or from client to the server. This can and has led to arbitrary remote code executions (RCE for short) on connected servers or clients. Some of the versions of Minecraft we checked date back to as far as 2015 for Minecraft 1.7.10, but there are probably many more versions that can have similar vulnerabilities.


    What we did

    With the help of a couple talented developers and other networks, we were able to patch this server-side. This stopped players on our network from being infected by "bad actors" using the exploit.

    Sadly though, we discovered quickly after that it wasn't just a "few" mods that were able to have this exploit. As we learned more and more, we became increasingly worried that this was going to get out of hand quickly. We assembled several people to help research/look into this. Once we did, this list of mods with serialization issues kept expanding. Before going public, we wanted to make sure we had a fix people can install on servers and on clients in case those servers didn't have the mod.

    The Project

    Sadly, before we were really ready to go public, an announcement was made about parts of the exploit from a different group of people. You can see their post here. You can see that this wasn't the approach we wanted to take and it didn't really fix the issues well. Our goal was to have this fix released in collaboration with other launcher platforms.

    The project is called Serialization is Bad, which is created by the talented developer dogboy21. We aim to fix exploits in several mods and make the list of what can be fixed expandable. This way, people can keep playing on the modpacks they love without having to uninstall mods or somehow try and not use them. This fix can be installed on both server and client with it not really needing to be on the client if the server has it installed. Which MineYourMind does have installed.

    Full information about the project can be found at:
    GitHub - dogboy21/serializationisbad: A Minecraft coremod / Java Agent aiming to patch serious security vulnerabilities found in many different mods

    Thanks for reading! If you have any questions regarding this, feel free to ask them here or ask away on our Discord Server.

    Admin Aidoneus
     
    Last edited: Jul 29, 2023
  2. MaulwurfRitter

    MaulwurfRitter Well-Known Member

    Thanks for your and all the other people's work for keeping us safe.
     
    Aidoneus likes this.
  3. mrminesheeps

    mrminesheeps Helper

    So is the mod currently available on platforms like Curseforge? If not, are there plans to? Would help all current and future pack devs include it in their finished files.

    Also, I believe I speak for everyone when I say that we all appreciate the work that went into keeping us all safe!
     
  4. Aidoneus

    Aidoneus Director Booster

    I will ask but I am not sure what the plan is for that. As of right now no. We never got that far.
     
  5. Deathwich

    Deathwich Well-Known Member

    Great article, thank you for the transparency and quick action throughout this event.
     
  6. SparedPumpkins

    SparedPumpkins Senior Moderator

    Thanks Aidoneus. You're a star for spending all this time keeping the community safe.

    :happy::happy:
     
  7. Willfon

    Willfon Well-Known Member

    For those who don't speak Coder, serialisation is taking clumps of data and rewriting it as text or some predetermined simple format (such as json which is more or less this: { variable = "value" } ) which can then be saved somewhere. This is prominently done to an object so that you can load that up again at a later date and you get a smidge of persistence. Think of this as clumping the data together as a snowball and storing it in the fridge until next year.

    The fun starts when you make a snowball with a dog turd in it.
     
    iLuxxy likes this.
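
Added example, not part of any post in this thread and not code from the Serialization is Bad project: it illustrates the "unsafe Java serialization with untrusted input in network packets" described in the opening post and the "snowball" analogy in the last reply. It shows one common defensive pattern, an `ObjectInputStream` whose `resolveClass` only accepts an explicit allow-list of classes; the class names `ChunkUpdate`, `AllowListObjectInputStream` and `readPacket` are hypothetical, and the payloads are constructed in the example itself.

```java
import java.io.*;
import java.util.*;
public class AllowListDeserialization {
    // Hypothetical packet payload type a mod might send; the only class the reader accepts.
    static class ChunkUpdate implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, z;
        ChunkUpdate(int x, int z) { this.x = x; this.z = z; }
    }
    // Look-ahead stream: the class name is checked in resolveClass, before any
    // object of that class is instantiated or its readObject logic runs.
    static class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    // Reads one packet payload; anything other than ChunkUpdate is refused.
    static Object readPacket(byte[] payload) throws IOException, ClassNotFoundException {
        Set<String> allowed = Collections.singleton(ChunkUpdate.class.getName());
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(payload), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one expected payload, one unexpected type.
        System.out.println(readPacket(serialize(new ChunkUpdate(3, -7))).getClass().getSimpleName());
        try {
            readPacket(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A plain `new ObjectInputStream(in).readObject()` on the same bytes would instantiate whatever class the sender names, which is the behaviour the opening post calls unsafe.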