Wurst 7.41.1 - Security Fix

Alexander01998

@Everyone Wurst 7.41.1 is now available, with an important patch against a security vulnerability affecting Minecraft 1.20 and later versions, which allowed servers to detect if Wurst is installed by abusing Minecraft’s sign editing feature. https://www.wurstclient.net/updates/wurst-7-41-1/

Note that other client-side mods/hacks may still be vulnerable to this exploit if they haven't implemented similar countermeasures. If you are using any other client-side mods besides Wurst, consider using a mod like Mod Detection Preventer to avoid getting banned by overzealous server admins.

Mojang is tracking the underlying issue as MC-265322, but they don't currently consider it a security vulnerability or a high-priority bug.

Update: I've ported Wurst 7.41.1 back to all Minecraft 1.20.x versions, even the old ones that aren't supposed to receive updates anymore. That means everyone who is affected by this vulnerability can now install the update to protect themselves. Also, if you were still on 1.20.0 for some reason, then you now have a lot of new features to play with. 🙂

Cyclopropinon

Alexander01998 holy shit this exploit is really bad.

btw is there any way to make it, so you can detect what mods other players have installed?

Alexander01998

Cyclopropinon This specific vulnerability is a lot easier for a server to exploit than for another player, as a server can simply open virtual sign edit screens and force-close them instantly, multiple times per second, gathering lots of data before the target player even knows what's happening.

As a player using the same exploit, you would basically have to:

make the special sign, for example with a /setblock command in in Creative Mode
somehow convince the target player to edit that sign and click save while you are nearby
repeat this process several times, depending on how many mods you want to check for.

But that doesn't seem very practical with the amount of time and convincing it involves.

What might be a bit more practical, given that you'd have to do some social engineering anyways, would be to just give the target player a custom book with the translated components and ask them to read it back to you or send you a screenshot. They'd definitely get suspicious if you tried to repeat this multiple times, but it seems at least plausible that someone could fall for it once.

Cyclopropinon

Alexander01998 do you think such books could be created automatically by a hack?

Your_average_minecrafter

how does it work?
and what was the fix?

Alexander01998

Your_average_minecrafter Minecraft's rich text format has two problematic features: translated text and keybind text.

Translated text takes a given translation key, for example gui.cancel, and displays it in the client's preferred language, for example Cancel in English or Abbrechen in German. If the client has no translations for the given key, it instead displays the key itself, so for example you would see gui.cancel displayed on the cancel button.

Keybind text is similar, but it assumes that the translation key is for a keybind and displays what button that keybind is set to. For example, a translatable text of key.forward resolves to Walk Forwards in English, but a keybind text of key.forward resolves to W with the default keybinds.

What makes these features problematic is that they also work with modded translations and keybinds. For example, keybind text for of.key.zoom might display C if OptiFine is installed, but it will always display of.key.zoom if OptiFine is not installed.

Normally that's not a huge issue, since this text is only displayed on your screen. The fact that a server can send you this kind of text almost anywhere is quite sketchy though.

But when you edit a sign, all of its content is turned into plain text so that you can edit it. That means any translation/keybind text is resolved on your end, depending on your language, keybinds, and installed mods. And when you save your changes, that unformatted text is returned to the server.

Servers exploiting this vulnerability don't wait for you to right a sign or to click save. They just force-open the sign edit screen and instantly close it again. You never actually see the screen open.

As mentioned in the changelog, the fix in Wurst was to completely prevent Minecraft's rich text format from resolving any of Wurst's translations or keybinds. They will simply fail to resolve as if Wurst wasn't installed, not just in signs but anywhere formatted text is used in Minecraft. So if a similar exploit is discovered in books, for example, then Wurst will not be affected by it.

Ideally Mojang would stop signs from leaking all this data in the first place, but this is something that only they can do. If I fixed this leak, the signs of Wurst users would look different than the signs of vanilla Minecraft users, which would again allow servers to detect that Wurst is installed.

Skira_exe

does the .potion command work in multiplayer server ? i'm trying to make custom potion in the creative world of a server but when i apply any effect (like: .potion add/set invisibility 1 120 or anything else) is say "effect added" or something like that but if i check the potion or use the potion it's called uncraftable potion, it's pink/purple and it say/says (idk) "No Effects". so is it because i'm not OP on the server (other commands that wurst give work even if i'm not OP) or just because .potion command can't work in multiplayer ? (english is not my native language)

Your_average_minecrafter

https://www.gamergeeks.net/apps/minecraft/give-command-generator/potions

Skira_exe

Your_average_minecrafter i guess i have to say thanks, even if i still don't get it, i checked the wurst wiki and try the command ".potion set invisibility 1 600" nothing happen, the bottle turn pink and in the chat i got a message "[Wurst] Potion modified". so now i have 2 question, does it work with multiplayer and do i have to execute it with a command block ?

Alexander01998

Hey Skira_exe,

Yes, the .potion command should work in multiplayer. You only need Creative Mode. OP is not required. The commands you suggested are correctly following the syntax, too.

My guess is that your problem might be caused by a mismatch of Minecraft versions, as Minecraft's format for potion data has changed a lot over the years and, just a few weeks ago, was completely overhauled again.

Double-check that your client-side Minecraft version (visible in the launcher), the Minecraft version that your Wurst release is meant for (visible in the corner, "Wurst v... MC..."), and the Minecraft version of the server (usually visible in the server list) are all matching. If the server specifies a range of versions (e.g 1.8 - 1.20.4), then unfortunately it's likely running on the lowest version in that range (1.8).

Hope this helps!

Skira_exe

Alexander01998 it kinda help, but i still don't understand, how to write a command with .potion add/set ?
like, how can i turn this command "/give @a potion{CustomPotionEffects:[{Id:8,Duration:120,Amplifier:1}]}" into a .potion add/set command, with .potion set/add jump_boost 1 120 ?

for info the server i'm playing on is 1.20.4 only, i'm using fabric loader version 0.15.7 for 1.20.4 and i have the latest Wurst version wich is v7.41.1 MC1.20.4 for now.

even with everything in 1.20.4 i still don't understand and know how to make this .potion command work x)