Impact
RebornCore is a popular library used by a number of modifications for the game Minecraft. RebornCore has been downloaded over 50,000,000 times from CurseForge, among other places. It is estimated that the affected versions of RebornCore are running on thousands of vulnerable servers and millions of vulnerable clients.
RebornCore uses ObjectInputStream.readObject() to deserialize some packet data after it has been sent over the Minecraft packet pipeline. Because RebornCore does not validate the data before deserializing it, this exposes both sides of the connection to maliciously crafted data from untrusted Minecraft servers and clients.
This can theoretically lead to a number of different outcomes:
- Remote Code Execution on a hosted Minecraft server from a malicious client.
- Remote Code Execution on a Minecraft client from a malicious server.
- Denial of Service (DoS) of a Minecraft server.
- Gaining an advantage over other players on a target Minecraft server.
This works because when ObjectInputStream reads a serialized object, the input data, not the deserializer, controls which class is instantiated. This allows an attacker to instantiate any Serializable class on the classpath with attacker-chosen field data. To successfully execute any of the above attacks, a suitable target (gadget) class would need to be present on the classpath. The chances of this are higher when a large number of other Minecraft mods are also installed, since each one adds classes the attacker can choose from.
There are no known cases of this vulnerability being exploited in the wild.
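The following is an added example, not RebornCore's packet code or its actual fix, showing the vulnerable pattern described above next to one common hardening: an ObjectInputStream whose resolveClass() rejects any class that is not on an explicit allow-list. All class, method and allow-list names here are hypothetical, and the two payloads are constructed in main() for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Illustrative example only: class and method names are hypothetical and
// are not RebornCore's packet code or its actual fix.
public class PacketDeserializationDemo {

    // Vulnerable pattern: the bytes on the wire decide which class gets
    // instantiated. Any Serializable class on the classpath can be chosen.
    static Object readUnsafe(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an ObjectInputStream whose resolveClass() only admits
    // an explicit allow-list. resolveClass() is invoked for every class
    // descriptor in the stream, including superclasses, so Integer's parent
    // Number must be listed too. Strings are written as TC_STRING and never
    // reach resolveClass(), so they pass without an entry.
    static final Set<String> ALLOWED = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "java.lang.Integer",
            "java.lang.Number",
            "[B"   // byte[]
    )));

    static final class RestrictedObjectInputStream extends ObjectInputStream {
        RestrictedObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Fail before the class is loaded: no static initializer,
                // constructor or readObject() of the rejected class ever runs.
                throw new InvalidClassException(name, "class not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readRestricted(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new RestrictedObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // Builds the constructed payloads the way a client or server would.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(Integer.valueOf(42));
        // Stand-in for an attacker-chosen class. ArrayList is harmless here;
        // a real attacker picks whatever gadget class the mod pack ships.
        byte[] unexpected = serialize(new ArrayList<>(Arrays.asList("x")));

        System.out.println("unsafe, expected:       " + readUnsafe(expected));       // 42
        System.out.println("unsafe, unexpected:     " + readUnsafe(unexpected));     // [x]
        System.out.println("restricted, expected:   " + readRestricted(expected));   // 42
        try {
            readRestricted(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("restricted, unexpected: rejected " + e.classname);
        }
    }
}
```

On Java 9 and later the same allow-list can be expressed as an ObjectInputFilter (for example `ObjectInputFilter.Config.createFilter("java.lang.Integer;java.lang.Number;!*")` passed to `setObjectInputFilter`), which also lets you cap object graph depth and array sizes against the DoS outcome listed above. Either way, an allow-list only removes the attacker's choice of class; the more robust fix is not to accept Java-serialized objects from the network at all and to read packet fields through explicit, typed codecs instead.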
Patches
A patch has been released for the following Minecraft versions:

| Minecraft Version | Mod Loader | Fix Version |
| --- | --- | --- |
| 1.16.5 | Fabric | 4.7.3 |
| 1.15.2 | Fabric | 4.2.10 |
| 1.12.2 | Forge | 3.19.5 |
If you are using any other version, you must update to a supported Minecraft version and ensure you are using a patched RebornCore version.
Workarounds
- There are no known workarounds for server owners who have not updated to the patched version.
- Players must not join any untrusted Minecraft servers while an affected RebornCore version is installed on their client.
Credits
This vulnerability was reported privately by Ry0taK.
References
The following links provide more information on the security of deserializing objects using ObjectInputStream.readObject():
https://snyk.io/blog/serialization-and-deserialization-in-java/
http://frohoff.github.io/appseccali-marshalling-pickles/
For more information
If you have any questions or comments about this advisory: