Badlion Client Security Update - 1.8.9


Hey all.

Today I want to write a short post explaining a recent Minecraft 1.8.X (affecting all 1.8 versions) exploit that was found in the vanilla Minecraft client. I will explain in very simple and easy to understand terms what the bug was, the risk factor, what the attackers could do with it, and things you do not need to worry about.

The Bug

When a server wants to check if you have a resource pack installed, it sends the client a message (packet) asking whether you own this resource pack. If you do not own the resource pack, your client responds to the server saying "I don't have it."

The problem here is that a server could put directory-traversal characters ("..") in the name of the resource pack to check whether your computer has a particular file outside of your resource pack directory.

The Risk

On a scale of 0-10, with 10 being complete control over your computer (like a virus), I would honestly put this at a 1 or 2. This is a very low risk attack; at most, an attacker can find the following piece of information:

- If you have a file on your computer

Honestly, that's all. The chance of this attack even being used to find a file on your machine is very low, because the attacker has to know the exact name of the file and its exact location on your computer (Desktop, Downloads, Documents, etc.). The illustration below shows how this attack works.



What the Attacker cannot do

Just to emphasize how little risk this attack is on your computer, here are some things that an attacker using this exploit cannot do that people are normally concerned about:

- The attacker cannot install extra files on your computer
- The attacker cannot steal files from your computer
- The attacker cannot list files in a directory or folder on your computer
- The attacker cannot see your internet browsing history
- The attacker cannot modify your registry
- The attacker cannot crash your computer
- The attacker cannot steal your IP Address (you give this to any server you join as soon as you login to the server)

The Fix

The way to fix this is to simply validate the resource pack path that the server asks the client for. It is a very easy thing to fix, but shameful that Microsoft/Mojang quietly fixed this issue in 1.9 but did not backport the fix.
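Here is an added Python sketch of the two behaviours, written for this post rather than taken from the Badlion or vanilla client code (which is Java); the directory layout and file names are constructed for the example. The first function joins the server-supplied name onto the resource pack folder unchecked, the second keeps the resolved path inside that folder and answers "I don't have it" for anything else.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample layout (not the real client's directories): a
# resourcepacks folder holding one pack, and a file two levels up that a
# server has no business knowing about.
_root = Path(tempfile.mkdtemp())
PACK_DIR = _root / ".minecraft" / "resourcepacks"
PACK_DIR.mkdir(parents=True)
(PACK_DIR / "cool_pack.zip").write_bytes(b"constructed sample pack")
SECRET = _root / "Desktop" / "secret.txt"
SECRET.parent.mkdir(parents=True)
SECRET.write_text("constructed sample file outside the pack folder")


def have_pack_vulnerable(pack_dir: Path, name: str) -> bool:
    """Mirrors the 1.8 behaviour the post describes: the pack name sent by the
    server is joined onto the resourcepacks folder with no validation, so a
    name containing '..' makes the 'do I have it?' answer reveal whether some
    other file exists elsewhere on disk."""
    return os.path.exists(os.path.join(str(pack_dir), name))


def have_pack_validated(pack_dir: Path, name: str) -> bool:
    """Validated lookup: the name must be a single path component and the
    resolved path must stay inside pack_dir. Anything else is answered as
    'I don't have it', so the reply carries no information about other files."""
    if not name or name in (".", "..") or any(c in name for c in "/\\\0"):
        return False
    base = os.path.realpath(str(pack_dir))
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath is the containment check: the candidate must sit under base.
    if os.path.commonpath([base, candidate]) != base:
        return False
    return os.path.isfile(candidate)


if __name__ == "__main__":
    for probe in ("cool_pack.zip", "../../Desktop/secret.txt"):
        print(f"{probe!r}: vulnerable={have_pack_vulnerable(PACK_DIR, probe)} "
              f"validated={have_pack_validated(PACK_DIR, probe)}")
```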

We released a hotfix for this exploit at 6:00 AM UTC today for the Badlion Client 1.8.9 version. As mentioned previously, this does not affect 1.7, 1.12, or any other Minecraft version besides 1.8.X.

Conclusion

This concludes this special Developer Update about the recent 1.8.X exploit discovered yesterday. There have been no public sources showing this exploit being used in the wild.

If you want to avoid this possible exploit and other possible future problems by using an actively updated client, we recommend the Badlion Client. You can download it here: https://client.badlion.net/download

A special thanks to PunKeel and Sk1er_ who brought this to our attention. If you are interested in more about how the attack works technically you can review PunKeel's blog post here: https://ungeek.eu/minecraft-18-file-access/

tl;dr: Stay calm and relax, we have already patched the exploit on Badlion Client. There are no public sources showing this exploit being used anywhere. The amount of damage someone using the exploit could do is little to none.
1
Oh wow
Gj!
thanks for fixing it
nice job on fixing it quickly
Big Non-Gay
Hey @MasterGberry, when I put Minecraft back to 1.7.10, full screen puts a black screen. Any solution?

Gonzqh wrote

Hey @MasterGberry, when I put Minecraft back to 1.7.10, full screen puts a black screen. Any solution?


I think this might have to do with fast vs fancy graphics? Tbh I'm not 100% sure otherwise at the moment, would need to get a bug report from you to show any possible errors.
Thanks for fixing this so quickly after it was discovered, even if it was low risk :D
nice to see :)
because they closed badlion :(
I cannot log in to your client, could you help me?