1.12.2 Potential RCE Zero-Day Exploit Targeting Forge 14.23.5.2860 (1.12.2)

[Yoyoyopo5]

Hi Forge contributors and users,

I was running a public modded server using Forge 14.23.5.2860 on Minecraft 1.12.2 (Enigmatica 2 Expert 1.90e) when a malicious user gained control of the server and executed code remotely on every connected clients device. I have live video evidence of this occurring and the hacker/developer of the exploit claiming that it is an unknown zero-day exploit. I believe the developer in question is the one who created the exploit. Sadly, the remote code executed on client PCs was used to steal browser sessions and info as well as active Discord and Steam sessions.

I'm sure many of your are aware of the log4shell exploit from 2021 that Forge was protected against. I don't believe this exploit was log4shell, but it's behavior is nearly identical, and thus I believe the severity is very high. Unfortunately, I am unable to recreate or understand the exploit in any way at this point, and the developer is not being forthcoming in how it is performed either (I think he intends to sell it for a profit). I'm mostly certain that this exploit affects Forge specifically, and most likely only Minecraft version 1.12.2.

I am providing a Youtube link to the unedited VOD from the livestream when the attack occurred (chat is blurred at some points to protect private information that was leaked). In the description of the video there is also a link to a .zip archive that contains relevant client and server log files from the session. Hopefully these are of some help, but from what I've looked at I couldn't find much at all pertaining to how the exploit was performed. I'm hoping that with all of this information someone more knowledgeable than me with Forge will be able to figure out more details on the exploit.

Link to VOD (relevant timestamps are included in Youtube description on the video):

 

Edited July 9, 2023 by Yoyoyopo5

[MojangPlsFix]

After some investigation and using OpenEye(https://openeye.openmods.info/mod/exploit/latest). 
We can observe, that this is not a forge problem, but rather a problem with the following mods:

• EnderCore
• BdLib
• LogisticsPipes

There is an existing CVE for BdLib aswell https://www.cvedetails.com/cve/CVE-2021-33806

Edited July 23, 2023 by MojangPlsFix

[LexManos]

The concept is a known exploit that has been around for several years. It is not something that is caused by anything in ours, or Minecraft's end. 
It is unfortunately a risk when using mods in Minecraft. They are arbitrary jars which can have any code in them. This is one of the reasons we push people to use the latest versions.
This particular case was fixed in BdLib for 1.16+ and the author has no intention of back porting.