MC1.18+ is unlikely to be exploitable
Closed this issue · 4 comments
The exploit relies on a gadget capable of doing bad things on ObjectInputStream. So far, nobody has found such a gadget (a serializable object with dangerous methods invoked during deserialization - such as reflection) in Minecraft, the Mojang-provided dependencies, or the mod loader code.
The most well-known gadgets are
- one that uses vanilla Java, in Java 7 and below (that affects MC1.11 and below, since MC1.12 requires Java 8) and
- Apache Commons Collections gadget. However, Minecraft does not use this library, and the payload used in Commons Collections (as well as many other gadget) requires use of internal JDK classes, which is inaccessible in Java 17.
Without any information to the contrary, I'd note that this bug is unlikely to be exploitable for Minecraft versions 1.18+ (requiring Java 17), and possibly 1.12+.
If you want a recently patched example of the exploit in 1.20.1: Luke100000/ImmersiveArmors@cf0aeb6
@Einhornyordle No, that bug can exist in any Java version. The problem is whether you can do anything with that (besides using it as a DNS query machine).
ObjectInputStream isn't inherently insecure (unlike, say, Python pickle), despite what sources claim. The only reason it is considered a vulnerability is because, when combined with certain code, it can be used to do more than deserialization, and potentially execute code. The fact that ObjectInputStream can deserialize, say, HashMap or Enum or any other object, is not a security risk besides potential ClassCastException (most of which are caught).
In certain veeeery old versions of Java, or when certain veeeeery old versions of Apache Commons Collections are present in Java 16 or below, it is known to be vulnerable AND exploitable. ObjectInputStream alone is unexploitable (at least for code execution and other serious issues) in modern Java versions.
That's exactly what I was thinking of as well when I saw this, you can't really do that much with ObjectInputStream.
I'd also like to add to this:
one that uses vanilla Java, in Java 7 and below (that affects MC1.11 and below, since MC1.12 requires Java 8)
All versions since MC1.0 used Java 8, so even for MC1.11 and below the Java 7 attack vector is not a concern.
I don't really get why there is such a hype about this, because it's really not that dangerous without another attack vector, which from my knowledge, doesn't exist. There may be really old libraries in those old MC versions that could be exploited, but I didn't look into it that much.
Also, Spigot used to have ObjectInputStream in its release for 1.8.8 as well, but again, that's not really a problem because there isn't an exploitable attack vector.
Of course, it's not a bad idea to remove ObjectInputStream from those mods (because... why not remove a possibly exploitable entry point?) but I wouldn't worry that much until there is actually proof of something like RCE.
While I currently haven't tested 1.18+, I can definitely say that there's a gadget chain (currently not publicly known) for at least 1.12.
And the vulnerability was already RCE-exploited in the wild, so it's definitely not just a theoretical issue.