Skip to content

Instantly share code, notes, and snippets.

@apple502j

apple502j/zipinputstream-bugs-mods.md

Last active April 4, 2024 05:26
Show Gist options
  • Star 4 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save apple502j/193358682885fe1a6708309ce934e4ed to your computer and use it in GitHub Desktop.
Save apple502j/193358682885fe1a6708309ce934e4ed to your computer and use it in GitHub Desktop.
Download ZIP
Vulnerability research report for Minecraft mods.
Raw
zipinputstream-bugs-mods.md

ZipInputStream-related security bugs in Minecraft mods

Advisory issued on January 11th, 2024 (UTC) by apple502j.

Several Minecraft mods were found to have path traversal security bugs related to improper ZipInputStream usage. These bugs allow for writing files and installing mods unexpectedly. Note that while the underlying issues are the same, the method of exploitation significantly differs across mods.

Affected Mods

The following mods are affected. Note that this information will be updated as the authors patch the issue.

  • ServerRPExposer: 1.0.0-1.0.2. Update to 1.0.3.
  • ARRP: 0.5.4-the first version named 0.8.1. Update to the second version named 0.8.1.
  • MCRPX: Until 1.4.0. Update to 1.4.1.
  • Reden: Until 0.2.445. Update to 0.2.514.
  • An unnamed Forge mod (pending resolution)
  • An unnamed Spigot plugin (disclosure deferred)
  • An unnamed Paper plugin (pending resolution)

ServerRPExposer (CVE-2024-22779)

The victim must connect to a malicious multiplayer server then accept the server resource pack. Files in the resource pack may be written outside the expected directory, possibly to mods folder, leading to RCE.

  • CVSS3.1: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVSS4.0: 8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/V:D/RE:L

ARRP (CVE-2024-24042)

This is a bug in a library mod. It is only exploitable when another mod uses ARRP in the following ways:

  • Calling addRootResource with attacker-provided path and data, OR calling load(ZipInputStream) with attacker-provided zip, and
  • Calling dumpDirect(Path), dump(Path), or dump(File).

In this unlikely situation, files may be written outside the expected directory, possibly to mods folder, leading to RCE.

Note: load(Path) and dump(ZipOutputStream) are safe. If you use ARRP without loading zips, you are likely safe. We found zero mods that would allow exploitation of the vulnerability on GitHub; however some non-GitHub mods may be using this, hence this advisory.

There are two versions named "0.8.1", due to a broken patch. The second one - released later - fixes the issue.

  • CVSS3.1: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVSS4.0: 8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

MCRPX (CVE-2024-24043)

MCRPX is a tool to extract resource pack files. It is exploitable when the user feeds a malicious zip file.

  • CVSS3.1: 5.5(Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • CVSS4.0: 6.7(Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/V:D/RE:L

Reden (CVE-2024-XXXX)

Reden is a mod with multiple debugging features. If a client connects to a malicious server and uses certain keybinds (referred to as DEBUG_RTC_REQUEST_SYNC_DATA in the code), the server can then send a packet to the client that includes a malicious Zip file, triggering path traversal in KeyCallbacks.kt and file write on the client.

  • CVSS3.1: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVSS4.0: 8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Technical Background

Path traversal bugs - bugs that abuse the resolution of .. paths, or in some contexts, absolute paths when unexpected - have been around for decades. When writing files to ./minecraft/temp with the name ../mods/malware.jar, the output path resolves to ./minecraft/mods/malware.jar in most circumstances - convenient when you are writing paths (in, say, config files), incredinly dangerous if an attacker is providing paths. Unfortunately, ZIP file formats do not prohibit .. as the directory name. Extracting a zip file without checking for those special paths, therefore, would lead to a disaster.

Example of vulnerable code:

// given bad zip and "./minecraft/temp"
public static void unzip(InputStream is, Path targetDir) throws IOException {
    try (ZipInputStream zip = new ZipInputSteram(is)) {
        ZipEntry e;
        while ((e = zip.getNextEntry()) != null) {
            // e.getName() could return: "../mods/malware.jar"
            // path would then be: "./minecraft/temp/../mods/malware.jar"
            // which resolves to: "./minecraft/mods/malware.jar"
            Path path = targetDir.resolve(e.getName());
            if (entry.isDirectory()) {
                Files.createDirectories(path);
            } else {
                Files.createDirectories(path.getParent());
                Files.copy(zip, path);
            }
        }
    }
}

To fix this, the absolute path could be checked:

if (!path.toRealPath().startsWith(targetDir.toRealPath())) {
    // continue is acceptable, however, at this point the Zip is likely malicious.
    break;
}

History (date in UTC)

  • 2024-01-07 Investigation started
  • 2024-01-11 Released this document
  • 2024-01-21 MCRPX affected.
  • 2024-03-17 Reden affected; CVE updated.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment