Advisory issued on January 11th, 2024 (UTC) by apple502j.
Several Minecraft mods were found to have path traversal security bugs related to improper ZipInputStream
usage. These bugs allow for writing files and installing mods unexpectedly. Note that while the underlying issues are the same, the method of exploitation significantly differs across mods.
The following mods are affected. Note that this information will be updated as the authors patch the issue.
- ServerRPExposer: 1.0.0-1.0.2. Update to 1.0.3.
- ARRP: 0.5.4 through the first version named 0.8.1. Update to the second version named 0.8.1.
- MCRPX: Until 1.4.0. Update to 1.4.1.
- Reden: Until 0.2.445. Update to 0.2.514.
- Advanced Backups: Until 3.5.3. Update to 3.6.
- An unnamed Forge mod (pending resolution)
- An unnamed Spigot plugin (disclosure deferred)
- An unnamed Paper plugin (pending resolution)
ServerRPExposer: The victim must connect to a malicious multiplayer server and then accept the server resource pack. Files in the resource pack may be written outside the expected directory, possibly to the mods folder, leading to RCE.
- CVSS3.1: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVSS4.0: 8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/V:D/RE:L
This is a bug in a library mod. It is only exploitable when another mod uses ARRP in both of the following ways:
- Calling addRootResource with attacker-provided path and data, OR calling load(ZipInputStream) with an attacker-provided zip, AND
- Calling dumpDirect(Path), dump(Path), or dump(File).
In this unlikely situation, files may be written outside the expected directory, possibly to the mods folder, leading to RCE.
Note: load(Path) and dump(ZipOutputStream) are safe. If you use ARRP without loading zips, you are likely safe. We found zero mods on GitHub that would allow exploitation of the vulnerability; however, some non-GitHub mods may be using this, hence this advisory.
There are two versions named "0.8.1", due to a broken patch. The second one - released later - fixes the issue.
- CVSS3.1: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVSS4.0: 8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
MCRPX is a tool to extract resource pack files. It is exploitable when the user feeds it a malicious zip file.
- CVSS3.1: 5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- CVSS4.0: 6.7 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/V:D/RE:L
Reden is a mod with multiple debugging features. If a client connects to a malicious server and uses certain keybinds (referred to as DEBUG_RTC_REQUEST_SYNC_DATA in the code), the server can then send a packet to the client that includes a malicious Zip file, triggering path traversal in KeyCallbacks.kt and a file write on the client.
- CVSS3.1: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVSS4.0: 8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Advanced Backups is a multiplatform mod providing backup functionality. The vulnerability triggers when a local user restores a crafted backup file.
- CVSS3.1: 5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- CVSS4.0: 6.7 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/V:D
Path traversal bugs - bugs that abuse the resolution of .. paths, or in some contexts, absolute paths when unexpected - have been around for decades. When writing files to ./minecraft/temp with the name ../mods/malware.jar, the output path resolves to ./minecraft/mods/malware.jar in most circumstances - convenient when you are writing paths (in, say, config files), incredibly dangerous if an attacker is providing paths. Unfortunately, the ZIP file format does not prohibit .. as a directory name. Extracting a zip file without checking for those special paths, therefore, would lead to a disaster.
Example of vulnerable code:
// given bad zip and "./minecraft/temp"
public static void unzip(InputStream is, Path targetDir) throws IOException {
    try (ZipInputStream zip = new ZipInputStream(is)) {
        ZipEntry e;
        while ((e = zip.getNextEntry()) != null) {
            // e.getName() could return: "../mods/malware.jar"
            // path would then be: "./minecraft/temp/../mods/malware.jar"
            // which resolves to: "./minecraft/mods/malware.jar"
            Path path = targetDir.resolve(e.getName());
            if (e.isDirectory()) {
                Files.createDirectories(path);
            } else {
                Files.createDirectories(path.getParent());
                Files.copy(zip, path);
            }
        }
    }
}
To fix this, the normalized absolute path could be checked against the target directory before anything is created (toRealPath() would throw for an entry that does not exist on disk yet, so normalize() is used instead):
Path path = targetDir.resolve(e.getName()).toAbsolutePath().normalize();
if (!path.startsWith(targetDir.toAbsolutePath().normalize())) {
    // continue is acceptable; however, at this point the Zip is likely malicious.
    break;
}
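A complete hardened extractor, added here as an example (it is not code from any of the affected mods, and the class, method and entry names are placeholders), applies the check above to a constructed in-memory zip holding one benign entry and one ../mods/malware.jar entry, rejecting the latter instead of writing it. The same startsWith check also rejects absolute entry names, which resolve() would otherwise return unchanged.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
import java.util.zip.*;

public class SafeUnzipDemo {
    // Extracts only entries that stay inside targetDir; returns the names of rejected entries.
    public static List<String> safeUnzip(InputStream is, Path targetDir) throws IOException {
        Path root = targetDir.toAbsolutePath().normalize();
        List<String> rejected = new ArrayList<>();
        try (ZipInputStream zip = new ZipInputStream(is)) {
            ZipEntry e;
            while ((e = zip.getNextEntry()) != null) {
                // normalize() collapses ".." segments; an absolute entry name also fails the check
                Path path = root.resolve(e.getName()).normalize();
                if (!path.startsWith(root)) {
                    rejected.add(e.getName());
                    continue;
                }
                if (e.isDirectory()) {
                    Files.createDirectories(path);
                } else {
                    Files.createDirectories(path.getParent());
                    Files.copy(zip, path);
                }
            }
        }
        return rejected;
    }

    // Constructed sample: one benign entry and one traversal entry, built in memory.
    static byte[] sampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("assets/pack.mcmeta"));
            zos.write("{}".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../mods/malware.jar"));
            zos.write("placeholder bytes".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path temp = Files.createTempDirectory("unzip-demo");
        System.out.println("rejected: " + safeUnzip(new ByteArrayInputStream(sampleZip()), temp));
    }
}
```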
- 2024-01-07 Investigation started
- 2024-01-11 Released this document
- 2024-01-21 MCRPX affected.
- 2024-03-17 Reden affected; CVE updated.
- 2024-06-22 Advanced Backups affected; CVE updated.
- 2024-07-06 Advanced Backups CVE updated.