Jump to content

Potential RCE Zero-Day Exploit Targeting Forge (1.12.2)


Recommended Posts

Hi Forge contributors and users,

I was running a public modded server using Forge on Minecraft 1.12.2 (Enigmatica 2 Expert 1.90e) when a malicious user gained control of the server and executed code remotely on every connected clients device. I have live video evidence of this occurring and the hacker/developer of the exploit claiming that it is an unknown zero-day exploit. I believe the developer in question is the one who created the exploit. Sadly, the remote code executed on client PCs was used to steal browser sessions and info as well as active Discord and Steam sessions.

I'm sure many of your are aware of the log4shell exploit from 2021 that Forge was protected against. I don't believe this exploit was log4shell, but it's behavior is nearly identical, and thus I believe the severity is very high. Unfortunately, I am unable to recreate or understand the exploit in any way at this point, and the developer is not being forthcoming in how it is performed either (I think he intends to sell it for a profit). I'm mostly certain that this exploit affects Forge specifically, and most likely only Minecraft version 1.12.2.

I am providing a Youtube link to the unedited VOD from the livestream when the attack occurred (chat is blurred at some points to protect private information that was leaked). In the description of the video there is also a link to a .zip archive that contains relevant client and server log files from the session. Hopefully these are of some help, but from what I've looked at I couldn't find much at all pertaining to how the exploit was performed. I'm hoping that with all of this information someone more knowledgeable than me with Forge will be able to figure out more details on the exploit.

Link to VOD (relevant timestamps are included in Youtube description on the video):


Edited by Yoyoyopo5
Link to comment
Share on other sites

  • 2 weeks later...

After some investigation and using OpenEye(https://openeye.openmods.info/mod/exploit/latest). 
We can observe, that this is not a forge problem, but rather a problem with the following mods:

  • EnderCore
  • BdLib
  • LogisticsPipes

There is an existing CVE for BdLib aswell https://www.cvedetails.com/cve/CVE-2021-33806

Edited by MojangPlsFix
Link to comment
Share on other sites

The concept is a known exploit that has been around for several years. It is not something that is caused by anything in ours, or Minecraft's end. 
It is unfortunately a risk when using mods in Minecraft. They are arbitrary jars which can have any code in them. This is one of the reasons we push people to use the latest versions.
This particular case was fixed in BdLib for 1.16+ and the author has no intention of back porting.

I do Forge for free, however the servers to run it arn't free, so anything is appreciated.
Consider supporting the team on Patreon

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...

Important Information

By using this site, you agree to our Terms of Use.