VYPR
Unrated severity · NVD Advisory · Published Apr 7, 2023 · Updated Feb 11, 2025

CVE-2023-29478

Description

BiblioCraft before 2.4.6 does not sanitize path-traversal characters in filenames, allowing restricted write access to almost anywhere on the filesystem. This includes the Minecraft mods folder, which results in code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

BiblioCraft before v2.4.6 allows path traversal in book filenames, enabling arbitrary file write to the mods folder and remote code execution.

Vulnerability

BiblioCraft versions prior to v2.4.6 contain a path traversal vulnerability in the book-saving feature. The mod does not sanitize path-traversal characters (../) in filenames derived from the book title or author name. This allows an attacker to write files outside the intended world/books/ directory. The vulnerability exists in Minecraft 1.7.10 (BiblioCraft v1.11.7) and 1.12.2 (BiblioCraft v2.4.5), and likely all versions before v2.4.6 [1].

Exploitation

An attacker needs the ability to craft a written book with a malicious NBT tag, which is achievable through in-game commands or third-party tools. The exploit involves setting the book title or author name to include path traversal sequences (e.g., ../../mods/malicious). When the book is saved, BiblioCraft writes the file to the traversal path. The crafted book content includes a payload that, because a JAR/ZIP file remains valid when garbage data is prepended to it, results in a valid JAR file being written to the mods/ folder. No other mods are required [1].

Impact

Successful exploitation results in an arbitrary file write to the Minecraft mods folder. Since the written file can be a valid JAR (exploiting the ZIP format's tolerance of prepended data), the attacker achieves remote code execution on the server or client when the mod is loaded. The attacker can execute arbitrary Java code in the context of the Minecraft instance [1].

Mitigation

Upgrade to BiblioCraft v2.4.6 or later, which fixes the path traversal vulnerability. As of publication (2023-04-07), the fixed version is available. No workaround is provided; the vendor advises updating. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
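The defensive pattern the Vulnerability and Mitigation sections call for, as an added illustration: it is not BiblioCraft's code (the mod is Java; Python is used here so it runs stand-alone), and it shows the unsafe "raw title into the path" pattern beside a hardened version that allow-lists the filename and verifies the result stays under the books directory. The world/books/ layout and the mods/ folder come from the advisory; the `.dat` extension and the "title - author" naming scheme are assumptions.

```python
import os
import re

# Hardened file-save pattern for user-controlled book metadata (illustrative,
# not BiblioCraft's code). Directory layout world/books/ is from the advisory;
# the ".dat" extension and "title - author" naming are assumptions.

_DISALLOWED = re.compile(r"[^A-Za-z0-9 _\-.]")  # conservative allow-list


def sanitize_component(value: str, max_len: int = 64) -> str:
    """Reduce an untrusted string to a single safe filename component."""
    # Drop everything outside the allow-list: '/', '\\', ':' and NUL all vanish.
    cleaned = _DISALLOWED.sub("", value)
    # Collapse runs of dots so ".." can never survive, then trim edge dots/spaces.
    cleaned = re.sub(r"\.{2,}", ".", cleaned).strip(" .")
    if not cleaned:
        raise ValueError("filename component is empty after sanitisation")
    return cleaned[:max_len]


def is_within(base_dir: str, candidate: str) -> bool:
    """Lexical containment check: True only if candidate lies under base_dir.

    This is purely lexical (normalises ".." but does not follow symlinks);
    on a real filesystem also compare os.path.realpath() of both sides.
    """
    base = os.path.abspath(base_dir)
    target = os.path.abspath(candidate)
    return os.path.commonpath([base, target]) == base


def book_save_path(books_dir: str, title: str, author: str) -> str:
    """Build the save path for a book, refusing anything outside books_dir."""
    filename = f"{sanitize_component(title)} - {sanitize_component(author)}.dat"
    path = os.path.join(books_dir, filename)
    if not is_within(books_dir, path):
        # Defence in depth: sanitisation should already make this unreachable.
        raise ValueError(f"refusing to write outside {books_dir}: {path}")
    return path


def unsafe_book_save_path(books_dir: str, title: str) -> str:
    """The vulnerable pattern the advisory describes: raw title joined into the path."""
    return os.path.normpath(os.path.join(books_dir, title + ".dat"))
```

Running both against a title of `../../mods/malicious` shows the unsafe join resolving into mods/ while the hardened version yields a plain file under world/books/.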

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
