ImpactDevelopment / ImpactIssues

Please use this repo to report bugs and request features
https://impactclient.net/

Log4j exploit with Impact client for 1.12.2 #3338

Open SAPET123 opened 2 years ago

SAPET123 commented 2 years ago

Is the log4j exploit working with impact for 1.12.2 or is it/will it be patched? That's all.

thatITfox commented 2 years ago

if you are running the official minecraft launcher you can go to advanced settings and add `-Dlog4j2.formatMsgNoLookups=true` to the jvm arguments, well this is what some people told me, i'm not 100% sure. if i'm wrong plz give some feedback

MyUsernamee commented 2 years ago

Is this also patched in 1.16.5?

thatITfox commented 2 years ago

well the article i read told me that it works on older versions of minecraft, so it should also work on 1.16

kitor commented 2 years ago

It may not be enough to add just this param. While the official FAQ doesn't list solutions for clients, it lists different solutions for 1.12 - 1.16 servers. Someone with better Java experience would need to verify this. https://help.minecraft.net/hc/en-us/articles/4416199399693-Security-Vulnerability-in-Minecraft-Java-Edition

Coding-Muffin commented 2 years ago

@kitor does it mean that the impact is fixed though? Isn't it a separate launcher?

kitor commented 2 years ago

@Coding-Muffin I don't know why you ask me.

Anyway, per official MS FAQ:

> Modified clients and third-party launchers might not be automatically updated. In these cases, we recommend following the advice of your third-party provider. If the third-party provider has not patched the vulnerability, or has not stated it is safe to play, you should assume the vulnerability is not fixed and you are at risk by playing.

Have you seen any Impact updates for 12.2 since March of this year?

Coding-Muffin commented 2 years ago

@kitor thought you might know as you have sent a reference to the docs. Tbh I'm pretty sure impact is dead now, as it hasn't updated since the beginning of the year

Coding-Muffin commented 2 years ago

@kitor there are no daily updates either, it's dead... time to go to future I guess...

kitor commented 2 years ago

Not true. There were 1.16.x Impact nightly releases for premium users while test.2b2t.org was resurrected earlier this year.

Coding-Muffin commented 2 years ago

IDK... Discord is also dead though, plus this log4j is not something that is obscure, it's literally a nightmare for so many developers and headline news for 2 weeks. Hope impact is not dead though

DizzyFop commented 2 years ago

https://wiki.wurstclient.net/log4shell By looking at the "How to test if you are affected" section, it looks like it's ok if your java is up to date but I'm not sure. I tried it on Impact and I got the not vulnerable result on my single player world. Can anyone else replicate this?

CesiumCs commented 2 years ago

checked with a few guides including that one and it seems like it's not vulnerable to the exploit. would still recommend for anyone to test themselves before using the mod online though

SIMULATAN commented 2 years ago

Impact uses mixin which means that as long as vanilla isn't vulnerable Impact isn't either. (Exception: they added the exploit manually which I don't think they did, lol)

CesiumCs commented 2 years ago

right. keeping this open for a while just so it stays visible

biran4454 commented 2 years ago

idk much about impact development or the exploit, but I do know that I'm staying well away from using impact in multiplayer, along with any other not-regularly-updated hacked clients (eg. kamiblue etc.) and I'd advise everyone else to stay away from multiplayer as well. wurst has patched it, but wurst is (fittingly) so much worse than impact that idk if I can cope with it. as someone mentioned the discord is dead so there's not really any reliable way to check if it's patched except to wait until it's clearly mentioned by the devs.

thatITfox commented 2 years ago

hey i just found a video on hak5 to test if something is vulnerable to log4shell, https://youtu.be/qjA_vc9Ua5A. i tested it on the client and it didn't activate the exploit, let me know if you guys get any results from this

biran4454 commented 2 years ago

I've also tried the (very easy) example from https://gaming.stackexchange.com/a/394240 and also https://log4j-tester.trendmicro.com/. It's not a guarantee obviously, but I didn't get a positive result from either of those tests on singleplayer 1.16.5 java17. I'd suggest still putting `-Dlog4j2.formatMsgNoLookups=true` in your launch settings though, especially if using Impact on anarchy servers.
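
A static check that complements the in-game tests mentioned in this thread, as an added example that is not part of any comment or of Impact's code: it opens a `log4j-core` jar, reads its version, and reports whether `JndiLookup` is still bundled and whether that version reads `log4j2.formatMsgNoLookups` at all (the property is only honored from Log4j 2.10 on, and 2.15.0 turned message lookups off by default). The function names and the in-memory sample jars are constructed for illustration.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.8.1' -> (2, 8, 1); '2.0-beta9' -> (2, 0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def inspect_log4j_core(jar):
    """jar: path or file object for a log4j-core jar. Returns a dict of findings."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else None
    v = parse_version(version) if version else None
    return {
        "version": version,
        # The class behind ${jndi:...} lookups; absent if it was stripped from the jar.
        "jndi_lookup_present": JNDI_CLASS in names,
        # Older releases never read the formatMsgNoLookups property.
        "flag_honored": v is not None and v >= (2, 10, 0),
        "lookups_off_by_default": v is not None and v >= (2, 15, 0),
    }


def make_sample_jar(version, with_jndi=True):
    """Constructed stand-in for a real jar, built in memory so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"#constructed sample\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for ver in ("2.8.1", "2.14.1", "2.17.1"):
        print(inspect_log4j_core(make_sample_jar(ver)))
```

On a real installation, pass the path of the `log4j-core` jar that the launcher actually loads. Where `flag_honored` is false, the JVM argument alone changes nothing for that jar.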