User Controls

Excecuting arbitrary java code on Minecraft clients for hacking purposes

  1. #1
    There is a Minecraft server and client exploit that affect Minecraft versions 1.8 - 1.18 and it can be used to compromise a system and run arbitrary code

    jndi:ldap formatMsgNoLookups
    -Dlog4j2.formatMsgNoLookups=true



  2. #2
    Vulnerability description
    Apache Log4j2 is a Java-based logging tool. This tool rewrites the Log4j framework and introduces a lot of rich features. The log framework is widely used in business system development to record log information.

    In most cases, developers may write error messages caused by user input into the log. Attackers can use this feature to construct special data request packets through this vulnerability, and ultimately trigger remote code execution.

    On November 24, 2021, the Alibaba Cloud security team officially reported the Apache Log4j2 remote code execution vulnerability to Apache. Because some functions of Apache Log4j2 have recursive analysis functions, attackers can directly construct malicious requests to trigger remote code execution vulnerabilities.

    Vulnerability exploitation does not require special configuration. After verification by the Alibaba Cloud security team, Apache Struts2, Apache Solr, Apache Druid, Apache Flink, etc. are all affected.

    Alibaba Cloud Emergency Response Center reminds Apache Log4j2 users to take security measures as soon as possible to prevent vulnerability attacks.

    Level of the vulnerability: Serious (Critical)
    The following users say it would be alright if the author of this post didn't die in a fire!
  3. #3
    aldra JIDF Controlled Opposition
    lol@ minecraft making ldap calls in the first place
  4. #4
    Sophie Pedophile Tech Support
    What's the CVE number Scron?
  5. #5
    maddie Houston
    Originally posted by Sophie What's the CVE number Scron?

    CVE-2021-44228 its the log4shell vuln thats been going around. there is already a patch for minecraft, and most other applications running log4j
    The following users say it would be alright if the author of this post didn't die in a fire!
  6. #6
    maddie Houston
    also if venders have not pushed out the patch yet for their applications, you can easily take out the snippet of code that is vulnerable to this attack as well. i believe log4j 2.15.rc2 is the new patched vesion, and it affects versions 2.0-2.14
  7. #7
    such fucking bullshit I haven't touched the game in a week because the retards can't even code their java right. I am not a happy customer to say the least
  8. #8
    maddie Houston
    Originally posted by the man who put it in my hood such fucking bullshit I haven't touched the game in a week because the retards can't even code their java right. I am not a happy customer to say the least

    its actually not the devs of java, but volunteers that created the package log4j, and that is open source. They maintain the project in their spare time, and came out with a patch within 24 hours of the exploit, Minecraft also came out with a patch i believe within 24 hours of the exploit as well (2 days ago) so if your minecraft server is not patched then thats due to the people who run your minecraft server being lazy.
  9. #9
    maddie Houston
    Also id like to mention minecraft is less than 1% of the affected devices, as the exploit is able to perform payloads on companies and applications such as: Apple, Google, Apache, Tesla, Ghidra, Solr, Amazon, Cloudflare, PaloAlto, LinkedIn, VMWare, Redis, Steam, just to name a few. They say this could be the worst vulnerability to ever exist, even worse than Shellshock.
  10. #10
    Obbe Alan What? [annoy my right-angled speediness]
    Originally posted by the man who put it in my hood such fucking bullshit I haven't touched the game in a week because the retards can't even code their java right. I am not a happy customer to say the least

    I just put optifine on it the other day and it is running good now.
  11. #11
    They say it's patched but I do not trust the anarchy community

  12. #12
    Obbe Alan What? [annoy my right-angled speediness]
    Me either, been playing on a private server ever since the incident.
  13. #13
    maddie Houston
    Originally posted by the man who put it in my hood They say it's patched but I do not trust the anarchy community


    java 1.18.1 is the only patched version of minecraft, all other versions are vulnerable.
  14. #14
    ⠀⠀⠀⠀⠀⠀ Naturally Camouflaged
    -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar
  15. #15
    Lanny Youth Mutton Buster Champion
    Lol, one more reason log4j is a joke
  16. #16
    aldra JIDF Controlled Opposition
    Originally posted by Lanny Lol, one more reason log4j is a joke

    pretty much all apache code I've seen is a bloated mess
    The following users say it would be alright if the author of this post didn't die in a fire!
  17. #17
    I just wanna play video games man

  18. #18
    Sophie Pedophile Tech Support
    Originally posted by maddie CVE-2021-44228 its the log4shell vuln thats been going around. there is already a patch for minecraft, and most other applications running log4j

    Thanks, although i've written tooling that can find all servers on the internet that run Apache or anything else for that matter, and i have a working PoC. Expect Ransomware actors to try and make use of this vuln ASAP. Not me personally but it wouldn't surprise me, given it literally took me less than an hour to read up on all the pertinent facts get a hold of some 'scanners' that were floating about and through that knowledge develop a specific payload to get RCE.
  19. #19
    maddie Houston
    When the entire world is distracted by the interplanetary vulnerability dubbed log4shell, who here is paying more attention to CVE-2021-42278 and CVE-2021-42287?
  20. #20
    Sophie Pedophile Tech Support
    How avant garde of you.
Jump to Top