Badlion Client Security Update - 1.8.9
Last edited on 18 September 2018 - 07:02 AM by MasterGberry
Today I want to write a short post explaining a recent Minecraft 1.8.X (affecting all 1.8 versions) exploit that was found in the vanilla Minecraft client. I will explain in very simple and easy to understand terms what the bug was, the risk factor, what the attackers could do with it, and things you do not need to worry about.
When a server wants to check if you have a resource pack installed it sends the client a message (packet) to check if you own this resource pack. If you do not own the resource pack then your client will respond to the server saying "I don't have it."
The problem here is that a server could use special characters ("..") in the name of the resource pack to try and check if your computer has a file on it outside of your resource pack directory.
On a scale of 0-10 with 10 being they have complete control over your computer (like a virus) i would honestly put this at a 1 or 2 at best. This is a very low risk attack and at best they can find the following pieces of information:
- If you have a file on your computer
Honestly that's all. The chance of this attack even being used to find a file on your machine is very low because the attacker has to know exactly the name of the file and the location of the file on your computer (Desktop, Downloads, Documents, etc). The below illustration shows how this attack works
What the Attacker cannot do
Just to emphasize how little risk this attack is on your computer, here are some things that an attacker using this exploit cannot do that people are normally concerned about:
- The attacker cannot install extra files on your computer
- The attacker cannot steal files from your computer
- The attacker cannot list files in a directory or folder on your computer
- The attacker cannot see your internet browsing history
- The attacker cannot modify your registry
- The attacker cannot crash your computer
- The attacker cannot steal your IP Address (you give this to any server you join as soon as you login to the server)
The way to fix this is to simply validate the resource pack path that the server asks the client for. It is a very easy thing to fix, but shameful that Microsoft/Mojang quietly fixed this issue in 1.9 but did not backport the fix.
We release a hotfix for this exploit at 6:00 AM UTC time today for the Badlion Client 1.8.9 version. As mentioned previously, this does not affect 1.7 or 1.12, or any other Minecraft versions besides 1.8.X.
This concludes this special Developer Update about the recent 1.8.X exploit discovered yesterday. There have been no public sources showing this exploit being used in the wild.
If you want to avoid this possible exploit and other possible future problems by using an actively updated client, we recommend the Badlion Client. You can download it here: https://client.badlion.net/download
A special thanks to PunKeel and Sk1er_ who brought this to our attention. If you are interested in more about how the attack works technically you can review PunKeel's blog post here: https://ungeek.eu/minecraft-18-file-access/
tl;dr: Stay calm and relax, we patched the exploit already on Badlion Client already. There are no public sources showing this exploit being used anywhere. The amount of damage someome using the exploit could do is little to none.
Posted on 14 September 2018 - 12:35 AMHey @MasterGberry When I put minecraft bac 1.7.10 full screen is put on black screen, any solution?
Posted on 14 September 2018 - 01:01 AM
Hey @MasterGberry When I put minecraft bac 1.7.10 full screen is put on black screen, any solution?
I think this might have to do with fast vs fancy graphics? Tbh I'm not 100% sure otherwise at the moment, would need to get a bug report from you to show any possible errors.
Posted on 16 September 2018 - 11:19 AMThanks for fixing this so quickly after it was discovered, even if it was low risk :D
Posted on 18 September 2018 - 03:07 PMbecause they closed badlion :(