ResourcePack Server Path Traversal (CWE-22)

  • CVE-2024-PENDING
  • CVSS3.1: 6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVSS4.0: 7.1 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/V:C/RE:L

In the ResourcePack Server mod before version 1.0.8, a path traversal allows any player with permission level 1 to expose arbitrary files on the server, because the setPath method of ResourcePackFileServer.kt does not validate the path. Once the attack is performed, the chosen files are served from a public HTTP server.

This was resolved in version 1.0.8.

References:

RPShare Vulnerability Disclosures

Vulnerability disclosures for RPShare mod.

Path Traversal (CWE-22) CVE-2024-33369

In all versions of the RPShare Fabric client mod for Minecraft, a path traversal in DownloadTask#getFileNameFromConnection allows arbitrary file write and, consequently, remote code execution. User interaction is required for exploitation: the victim must accept a malicious file download in the user interface. Note: the Paper server-side plugin is unaffected. Note 2: RPShare has been archived and will not receive a fix for this vulnerability.

  • CVSS3.1: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVSS4.0: 8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/V:D/RE:L
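Both advisories above reduce to the same defect: a path fragment chosen by an untrusted party (a player's setPath argument in ResourcePack Server, a Content-Disposition file name in RPShare) is joined to a directory without checking that the result stays inside it. The following is an added example, not code from either mod: one containment check used on the read side (which file may be published) and on the write side (where a download may land). The class and method names and the sample paths are illustrative.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example: path containment for untrusted path fragments (not ResourcePack Server or RPShare code). */
public final class UntrustedPaths {
    private UntrustedPaths() {}

    /**
     * Join an untrusted fragment to root and refuse anything that escapes it.
     * Normalising first collapses "." and ".." so "sub/../../ops.json" is caught, and
     * resolve() of an absolute fragment ("/etc/passwd") yields that absolute path,
     * which the startsWith check then rejects as well. The root itself is refused too.
     */
    static Path resolveUnderRoot(Path root, String untrusted) throws IOException {
        Path base = root.toAbsolutePath().normalize();
        Path candidate = base.resolve(untrusted).normalize();
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IOException("path escapes " + base + ": " + untrusted);
        }
        return candidate;
    }

    /**
     * Variant for paths that already exist: toRealPath() follows symlinks, so a link
     * inside root that points outside it is refused as well.
     */
    static Path resolveExistingUnderRoot(Path root, String untrusted) throws IOException {
        Path realBase = root.toRealPath();
        Path real = resolveUnderRoot(realBase, untrusted).toRealPath();
        if (!real.startsWith(realBase)) {
            throw new IOException("symlink escapes " + realBase + ": " + untrusted);
        }
        return real;
    }

    /**
     * Write side: the file name in an HTTP Content-Disposition header is attacker data.
     * Keep only the last path segment and fall back to a caller-chosen name otherwise.
     * (RFC 5987 "filename*=" forms are not parsed here and fall through to the fallback.)
     */
    static String fileNameFromContentDisposition(String header, String fallback) {
        if (header == null) {
            return fallback;
        }
        int at = header.indexOf("filename=");
        if (at < 0) {
            return fallback;
        }
        String name = header.substring(at + "filename=".length()).trim();
        int semi = name.indexOf(';');
        if (semi >= 0) {
            name = name.substring(0, semi).trim();
        }
        if (name.length() >= 2 && name.startsWith("\"") && name.endsWith("\"")) {
            name = name.substring(1, name.length() - 1);
        }
        name = name.replace('\\', '/');              // treat both separator styles alike
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..") || name.indexOf('\0') >= 0) {
            return fallback;
        }
        return name;
    }

    public static void main(String[] args) {
        // Read side: which file a player may ask the server to publish (constructed sample paths).
        Path serverRoot = Paths.get("server", "resourcepacks");
        for (String requested : new String[] {
                "my-pack.zip", "../server.properties", "sub/../../ops.json", "/etc/passwd"}) {
            try {
                System.out.println("publish " + requested + " -> " + resolveUnderRoot(serverRoot, requested));
            } catch (IOException e) {
                System.out.println("refused " + requested + ": " + e.getMessage());
            }
        }

        // Write side: a hostile server's header, then the same containment check on the final target.
        String header = "attachment; filename=\"../../.minecraft/mods/evil.jar\"";
        String name = fileNameFromContentDisposition(header, "download.zip");
        try {
            Path target = resolveUnderRoot(Paths.get("downloads"), name);
            System.out.println("download " + header + " -> " + target);
        } catch (IOException e) {
            System.out.println("refused download: " + e.getMessage());
        }
    }
}
```

The stricter option on the write side is to ignore the server-supplied name entirely and store the download under a name the client generates (for example a hash of the content), which removes the parsing step altogether; the basename reduction above is the minimum for code that wants to keep the original name.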

Command Injection (CWE-78) CVE-2024-33368

apple502j / 24w03b-breaking-changes.md
Created January 21, 2024 14:49
24w03a/b Fabric API breaking changes tracker

24w03a/b FAPI breaking changes

There are A LOT, mostly due to Mojang breaking networking AGAIN.

Removal & deprecation

The following deprecated APIs were removed:

  • fabric-containers-v0 (deprecated since 2020), use fabric-screen-handler-api-v1
  • ScreenRegistry and ScreenHandlerRegistry, use TAW

The following were deprecated:

apple502j / zipinputstream-bugs-mods.md
Last active April 4, 2024 05:26
Vulnerability research report for Minecraft mods.

ZipInputStream-related security bugs in Minecraft mods

Advisory issued on January 11th, 2024 (UTC) by apple502j.

Several Minecraft mods were found to have path traversal security bugs caused by improper ZipInputStream usage, where archive entry names are used to build output paths without validation. These bugs allow an attacker to write files outside the intended directory and to install mods without the user's consent. Note that while the underlying issue is the same, the method of exploitation differs significantly across mods.

Affected Mods

The following mods are affected. Note that this information will be updated as the authors patch the issue.

  • ServerRPExposer: 1.0.0-1.0.2. Update to 1.0.3.
  • ARRP: 0.5.4 through the first release named 0.8.1. Update to the second release named 0.8.1.
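As an added example of the defect class this advisory describes (not code from any of the listed mods): an in-memory archive constructed with one traversal entry, the destination a naive ZipInputStream loop would compute for it, and an extraction routine that validates every entry name against the destination directory before writing anything. Class and method names are illustrative.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Added example: zip-slip through ZipInputStream and a validating extractor (not any mod's code). */
public final class ZipSlipDemo {
    private ZipSlipDemo() {}

    /** Constructed test archive: one benign entry and one whose name climbs out of the target directory. */
    static byte[] buildHostileZip() throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zip = new ZipOutputStream(bytes)) {
            zip.putNextEntry(new ZipEntry("assets/pack.mcmeta"));
            zip.write("{}".getBytes(StandardCharsets.UTF_8));
            zip.closeEntry();
            // Neither ZipOutputStream nor ZipInputStream validates entry names.
            zip.putNextEntry(new ZipEntry("../../mods/evil.jar"));
            zip.write("PK".getBytes(StandardCharsets.UTF_8));
            zip.closeEntry();
        }
        return bytes.toByteArray();
    }

    /** Vulnerable shape: dest.resolve(entry.getName()) with no check. Returns where each entry would be written. */
    static List<Path> naiveTargets(byte[] archive, Path dest) throws IOException {
        List<Path> targets = new ArrayList<>();
        try (ZipInputStream in = new ZipInputStream(new ByteArrayInputStream(archive))) {
            for (ZipEntry entry; (entry = in.getNextEntry()) != null; ) {
                targets.add(dest.resolve(entry.getName()).normalize());
            }
        }
        return targets;
    }

    /** Normalise, then require the result to stay under dest; absolute entry names fail the startsWith check too. */
    static Path containedTarget(Path dest, String entryName) throws IOException {
        Path base = dest.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("zip entry escapes " + base + ": " + entryName);
        }
        return target;
    }

    /**
     * Two passes over the bytes: validate every entry name first, then extract. Rejecting the
     * whole archive up front means a hostile file never gets a partial install of its benign entries.
     */
    static List<Path> extractSafely(byte[] archive, Path dest) throws IOException {
        try (ZipInputStream in = new ZipInputStream(new ByteArrayInputStream(archive))) {
            for (ZipEntry entry; (entry = in.getNextEntry()) != null; ) {
                containedTarget(dest, entry.getName());
            }
        }
        List<Path> written = new ArrayList<>();
        try (ZipInputStream in = new ZipInputStream(new ByteArrayInputStream(archive))) {
            for (ZipEntry entry; (entry = in.getNextEntry()) != null; ) {
                Path target = containedTarget(dest, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                Files.copy(in, target); // ZipInputStream reports EOF at the end of the current entry
                written.add(target);
            }
        }
        return written;
    }

    public static void main(String[] args) throws IOException {
        byte[] archive = buildHostileZip();
        Path dest = Files.createTempDirectory("resourcepack");
        for (Path p : naiveTargets(archive, dest)) {
            System.out.println("naive extraction would write " + p);
        }
        try {
            extractSafely(archive, dest);
            System.out.println("extracted (containment check failed)");
        } catch (IOException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

When the archive arrives as a stream rather than a byte array, the same two-pass approach works by spooling it to a temporary file first; validating and writing in a single pass leaves the benign entries on disk by the time the hostile one is refused.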

23w45a: Another Codecification Update

Advancements got codecs, registries were updated, etc.

Fabric update

FAPI 0.90.8 was released, with no breaking changes.

Minecraft update

Blocks and spawners

Some mob spawner logic has been moved to the Spawner interface (to be implemented by spawner block entities). MobSpawnerLogic and related classes are now in the block.spawner package. The existing Spawner interface, used for spawning cats, "the worst mob", and the frequent homicide victims, is now renamed to SpecialSpawner.

23w44a (and some bits of 43a)

The sort-of-weekly thingy is back?

Fabric update

No breaking changes for Fabric API.

Minecraft update

Ticks (23w43a)

The /tick command from the Carpet mod arrives in the vanilla game. To support this functionality in your mod:

Unicopia Mod Security Advisory

CVE: CVE-2023-39680

Deserialization of untrusted data exists in the Unicopia mod for Minecraft by Sollace, up to and including version 1.1.1. Unsafe Java deserialization occurs after a user's client connects to a malicious server. This is fixed in version 1.2.0. (See the fix commit.)

CVSS3.1: 7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
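The advisory names the bug class but not the fix. As an added example (not Unicopia's code), here is the mitigation a client can apply to any ObjectInputStream fed by a server: a JEP 290 ObjectInputFilter that allowlists the one payload class the protocol expects, with limits on nesting depth, array length and stream size, so that any other class is rejected at its class descriptor before an instance is created. The handshake class, its fields and the filter pattern are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

/** Added example: allowlist deserialization filter (JEP 290) for data received from a server; not Unicopia code. */
public final class FilteredDeserialization {
    private FilteredDeserialization() {}

    /** Hypothetical payload type: the only class the client expects to read from the server. */
    public static final class PackHandshake implements Serializable {
        private static final long serialVersionUID = 1L;
        final String packName;
        final int protocolVersion;

        PackHandshake(String packName, int protocolVersion) {
            this.packName = packName;
            this.protocolVersion = protocolVersion;
        }
    }

    /**
     * Allowlist: the payload class (binary name, hence the '$') and String for its field; "!*" rejects
     * every other class, including arrays and the JDK collection types gadget chains are built from.
     * The limits cap nesting, array length and total bytes so a hostile stream fails fast.
     */
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "FilteredDeserialization$PackHandshake;java.lang.String;"
                    + "maxdepth=4;maxarray=1024;maxbytes=65536;!*");

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    /** Install the filter before the first readObject(): it may be set once, and must be in place before any object is read. */
    static Object readFromServer(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        PackHandshake accepted = (PackHandshake) readFromServer(serialize(new PackHandshake("vanilla-plus", 3)));
        System.out.println("accepted " + accepted.packName + " v" + accepted.protocolVersion);

        // Stand-in for a gadget chain: any class outside the allowlist is rejected the same way.
        byte[] hostile = serialize(new ArrayList<String>());
        try {
            readFromServer(hostile);
            System.out.println("accepted (filter not applied)");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern can be applied process-wide with the jdk.serialFilter system property, which covers ObjectInputStreams created by libraries the mod does not control; a per-stream filter as above is the right tool when the expected type is known at the call site. Replacing Java serialization with an explicit codec for the packet is the stronger fix where the protocol can be changed.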

23w41a: Command Update

Commands received the biggest change in this snapshot. With the help of the new Brigadier function and the advanced command execution implementation, commands were significantly enhanced.

Fabric update

Fabric API 0.90.1 was released, with no breaking changes.

Minecraft changes

There is no progress on last week's block codecs. This week, we instead saw a massive refactor in commands.

Commands

23w40a: Block Codecs Update

A surprise update for 1.20.3 has arrived, with a big change to blocks! The changes are likely groundwork for the future expansion of data packs to allow custom blocks. All Block classes must(tm) now define their codec. I recommend checking the article on the Fabric Modding Wiki, which should be enough for most users.

Fabric updates

A new Fabric Loader, version 0.14.23, supporting 1.20.3 snapshots, was released. This update also comes with several changes, including support for Java 22 and duplicate-loader detection, which is useful in development environments. It also makes some error messages more user-friendly.

Loom 1.4 was also released; this version requires Gradle 8.3. The biggest feature is support for the Vineflower (formerly Quiltflower) decompiler. Vineflower produces better output in certain cases, including chained method calls. CFR remains the default decompiler. Other changes include fabricApi.module support for deprecated modules, disk usage imp