Page MenuHomeFeedback Tracker
Create Task
Maniphest T70895

[SEVERE] Overal Security Vulnerability
Closed, ResolvedPublic
Actions

Description

This ticket is private because it quite sensitive so please give it priority.

Earlier today I was able to join Battleye protected public server and execute custom code in my client and it was pretty easy.

Lets look at stance indicator (only because I stumbled upon this when was looking for it):

x = "10.1 * ( ((safezoneW / safezoneH) min 1.2) / 40) + (call compile (profilenamespace getvariable [""IGUI_GRID_WEAPON_X"",str ( ((safezoneX + safezoneW) - (12.4 * ( ((safezoneW / safezoneH) min 1.2) / 40)) - 0.5 * ( ((safezoneW / safezoneH) min 1.2) / 40)))]))";

What are we looking at? The dreadful "call compile", which on top of everything is done on profileNamespace variable! Don't know about you but I'm personally lost for words. How to stop hacking 101 - do not call compile a variable that can be altered by third party!

Unfortunately this is not a single instance, other pofileNamespace variables are call compiled throughout config left right and centre. Son, I'm so disappoint right now.

Details

Legacy ID
3981548514
Severity
None
Resolution
Fixed
Reproducibility
Always
Category
Config
Steps To Reproduce

Open debug console, type:

with profileNamespace do {IGUI_GRID_WEAPON_X = "hint 'IMA HACKING YA SEVRER'"; hint IGUI_GRID_WEAPON_X;};

execute. Doest it show "hint 'IMA HACKING YA SEVRER'"? We are in business.

Exit editor, go to multiplayer, join public server, you will see the hint showing "IMA HACKING YA SEVRER" when joined.

Additional Information

How to fix:

Change

x = "10.1 * ( ((safezoneW / safezoneH) min 1.2) / 40) + (call compile (profilenamespace getvariable [""IGUI_GRID_WEAPON_X"",str ( ((safezoneX + safezoneW) - (12.4 * ( ((safezoneW / safezoneH) min 1.2) / 40)) - 0.5 * ( ((safezoneW / safezoneH) min 1.2) / 40)))]))";

To

x = "with profileNamespace do {\

		if (!isNil ""IGUI_GRID_WEAPON_X"") then [\
			{10.1 * (((safezoneW / safezoneH) min 1.2) / 40) + IGUI_GRID_WEAPON_X},\
			{((safezoneX + safezoneW) - (12.4 * (((safezoneW / safezoneH) min 1.2) / 40)) - 0.5 * (((safezoneW / safezoneH) min 1.2) / 40))}\
		]\

}";

And not just here, everywhere! The above is tested and works just fine with dynamic class loading. Of course the value of IGUI_GRID_WEAPON_X is now SCALAR not STRING, but this is what we want anyway, right?

Event Timeline

Killzone_Kid edited Steps To Reproduce. (Show Details)Aug 8 2013, 1:50 PM
Killzone_Kid edited Additional Information. (Show Details)
Killzone_Kid set Category to Config.
Killzone_Kid set Reproducibility to Always.
Killzone_Kid set Severity to None.
Killzone_Kid set Resolution to Fixed.
Killzone_Kid set Legacy ID to 3981548514.May 7 2016, 3:55 PM
Bohemia added a subscriber: Dwarden.Aug 8 2013, 1:50 PM
Dwarden added a comment.Aug 8 2013, 4:32 PM

call compile ...

the same nightmare i was fighting in DayZ mod scriptcode :)

Moricky added a comment.Sep 26 2013, 10:53 AM

Call compile removed completely, values are now stored as numbers instead of string

Fireball added a comment.Nov 1 2013, 8:18 AM

Mass-closing resolved issues not updated in 10 days.

© Bohemia Interactive a.s. Bohemia Interactive® is a registered trademark of Bohemia Interactive a.s. All rights reserved. · Privacy Policy · Terms and Conditions