**0.8.2 Hardcore Alchemy Modpack Security Hotfix**

asanetargoss, 2024-01-04

## First, a Correction

When I first announced the existence of a security issue in the Hardcore Alchemy modpack, I wrote the following statement:

```text
Server Security Warning: There is a new report of a modded server exploit affecting versions 1.7.10 through 1.12.2 . There are currently conflicting claims of how to fix the issue. At this time I am not able to verify that either suggested fix is adequate or safe for the Hardcore Alchemy modpack, or 1.10.2 more generally. At this time, I strongly advise that Hardcore Alchemy players do not play multiplayer until I personally confirm the issue is fixed.
```

This statement was based on second-hand knowledge at the time, which turned out to be partially incorrect. The exploit, or vulnerability, in question can, in principle, affect any Minecraft version.

Also, to clarify, this exploit does not affect vanilla. It is an issue affecting certain mods, and can be considered a bug.

## Mad Gadget, aka serializationisbad

The vulnerability has been more widely known in the modding community for several months now. It has been dubbed "serializationisbad," among several other names, in the modding community. In the wider Java programming community, it is known as "Mad Gadget."

For more information about the details of the vulnerability as it pertains to modded Minecraft, as well as more information about Mad Gadget, please visit [the serializationisbad mod repository](https://github.com/dogboy21/serializationisbad).

Mad Gadget affects modded clients and/or servers, depending on the vulnerability present in one or more mods.

## Impact on the Hardcore Alchemy modpack

Mad Gadget was found to affect multiple third-party mods in the Hardcore Alchemy modpack.

I don't recommend you play the Hardcore Alchemy modpack in multiplayer, but if you attempt to do so anyway, I strongly recommend you do the following:

- Upgrade to 0.8.2 or the latest version, which addresses Mad Gadget
- Keep the server in whitelisted mode
- Read [this server security guide](./log4j.md.html) to understand log4j

## Impact on the 1.10.2 modding ecosystem

If you attempt to play the Hardcore Alchemy modpack in multiplayer with your own additional mods added on top, I recommend deleting the serializationisbad config to force it to revert to the default, which re-enables auto updates.

There are likely multiple 1.10.2 versions of mods that are not currently patched by the serializationisbad mod. I make no guarantees either way.

1.10.2 is an old version that most modders don't want to maintain anymore, so please be mindful of that.

## Methodology

### Finding affected mods

The Mad Gadget vulnerability occurs when a client or server reads a network packet. To understand the scope of the vulnerability, I decompiled all the mods in the modpack using [Fernflower](https://github.com/fesh0r/fernflower/), and searched for references to `ObjectInputStream`. I then read the decompiled code to decide if the use of `ObjectInputStream` could be triggered by sending a network packet.

I discovered that there were enough vulnerabilities in the mods that both clients and servers could be targeted.

### Testing the vulnerability

I created a mod, [hca_canary](https://github.com/asanetargoss/hca_canary), to spoof Netty messages which exploited the vulnerability. The spoofing runs when the player joins a world or connects to a server [^server_side]. If one or more vulnerabilities are found, the canary mod crashes the client and/or server with a warning.

I then ran the modpack with both hca_canary and the serializationisbad mod, and found that the serializationisbad mod did not fix all the vulnerabilities I found.

### Limitations of hca_canary

The hca_canary mod is included in version 0.8.2 of the Hardcore Alchemy modpack. Like a canary in a coal mine [^canary], the hca_canary mod alerts the user to a small number of known Mad Gadget vulnerabilities. However, it cannot guarantee protection from these vulnerabilities. That is what I intended the serializationisbad mod to do.

hca_canary is not very useful outside of the Hardcore Alchemy modpack, due to its low coverage.

### Fixing the vulnerability

I switched the serializationisbad mod configuration to an offline/local configuration mode, and appended to that config. I then restarted the game and loaded a world, and confirmed that all the canaries in hca_canary were no longer triggered.

Below is the serializationisbad mod with the modified config, at work on the server side [^server_side], protecting the game from a fake Mad Gadget exploit ("canary") in the hca_canary mod, and therefore preventing hca_canary from crashing the game:

```text
[Server thread/DEBUG] [io.dogboy.serializationisbad.core.SerializationIsBad/]: Resolving class targoss.hca_canary.listener.CanaryListener$Canary
[Server thread/WARN] [io.dogboy.serializationisbad.core.SerializationIsBad/]: Tried to resolve class targoss.hca_canary.listener.CanaryListener$Canary, which is not allowed to be deserialized
```

This happens on the client as well.
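A log check an operator could run over output like the excerpt above, as an added example that is not part of the original post or of either mod: it counts blocked deserialization attempts and separates the expected hca_canary hits from any other blocked class, which is the part worth reviewing. The third sample line and the class `example.mod.Payload` are constructed.

```python
import re
from collections import Counter

# Matches the WARN line format shown in the log excerpt above.
BLOCKED = re.compile(
    r"\[(?P<thread>[^/\]]+)/WARN\] \[io\.dogboy\.serializationisbad\.core\."
    r"SerializationIsBad/\]: Tried to resolve class (?P<cls>[\w.$]+), "
    r"which is not allowed to be deserialized")

CANARY_PREFIX = "targoss.hca_canary."  # package of the canary class in the excerpt


def summarize_blocks(lines):
    """Count blocked classes per (thread, class), split into canary and other."""
    canary, other = Counter(), Counter()
    for line in lines:
        m = BLOCKED.search(line)
        if not m:
            continue  # DEBUG lines and unrelated log output are skipped
        key = (m["thread"], m["cls"])
        (canary if m["cls"].startswith(CANARY_PREFIX) else other)[key] += 1
    return canary, other


# Constructed sample: the two lines from the excerpt plus one made-up entry.
SAMPLE_LOG = """\
[Server thread/DEBUG] [io.dogboy.serializationisbad.core.SerializationIsBad/]: Resolving class targoss.hca_canary.listener.CanaryListener$Canary
[Server thread/WARN] [io.dogboy.serializationisbad.core.SerializationIsBad/]: Tried to resolve class targoss.hca_canary.listener.CanaryListener$Canary, which is not allowed to be deserialized
[Server thread/WARN] [io.dogboy.serializationisbad.core.SerializationIsBad/]: Tried to resolve class example.mod.Payload, which is not allowed to be deserialized
"""

if __name__ == "__main__":
    canary_hits, other_hits = summarize_blocks(SAMPLE_LOG.splitlines())
    print("expected canary blocks:", dict(canary_hits))
    print("blocks to review:", dict(other_hits))
```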

With the fixes confirmed working, I sent a patch upstream to the serializationisbad mod repository. Users running serializationisbad with the default config should benefit from this fix.

The 0.8.2 version of the Hardcore Alchemy modpack does not use the default config. It is configured to run in an offline/local configuration mode, which prevents receiving automatic updates. This is a tradeoff in favor of marginally better privacy and other technical considerations, and is generally not a good idea if you don't know what the mods in your modpack are doing behind the scenes.

## The Hardcore Alchemy Modpack is for Singleplayer

To be honest, I have no intent of maintaining multiplayer for the Hardcore Alchemy modpack. However, I can't stop you from hosting a server; you are a free individual (within the bounds of what the licenses allow). That said, the Hardcore Alchemy modpack is built for singleplayer, so please keep that in mind.


[^server_side]: Minecraft is always running a server, even in singleplayer. There are two types of Minecraft servers: integrated servers and dedicated servers. An integrated server is what runs when loading a singleplayer world or connecting over LAN. A dedicated server is connected to from a URL or IP address.

[^canary]: https://en.wiktionary.org/wiki/canary_in_a_coal_mine