
Hijack uiNamespace global variables using compileFinal for arbitrary SQF execution in MP in vanilla Arma
Acknowledged, High, Public

Description

I was fixing a couple security holes in CBA this last week when I began to dig a bit deeper into issues with compileFinal and function caching using uiNamespace.

I realized that in CBA, if you currently disable our function caching system (which stores the cached functions in uiNamespace) in an editor mission and load that mission before ever getting into multiplayer, you can hijack a cached function by using compileFinal in uiNamespace to inject a protected function into an existing namespace. When CBA then tries to cache the real function into it, it will not load the new function, but retain the original code compiled into it from the editor.

We solved this issue in SQF, but then I thought about any arbitrary functions that are defined in SQF files that are also executed in uiNamespace. I found a number of these functions defined in the BI GUI SQF code. Using compileFinal in the mission editor I am able to hijack that variable name, and when Arma calls that SQF in the GUI (using the options menu GUI right now) it will fail to overwrite the hijacked variable and use the one I set in the editor instead.

Using the userconfig folder you can preprocess and load SQF files that will never be seen by signature checking because of how userconfig works; this makes loading exploit SQF libraries easy.

Details

Legacy ID
3810515419
Severity
Major
Resolution
Open
Reproducibility
Always
Category
Scripting
Steps To Reproduce

Go into editor and execute the following line in the debug dialog:

with uiNamespace do { RscDisplayGameOptions_showDifficultyGroup = compileFinal "diag_log text 'owned!!!';"; };

Now click into the Configure->Game options menu. Menu is corrupted and RPT will have line "owned!!!" in it.

Exit single player editor, join a multiplayer server and repeat the above menu step. RPT will show owned message there too.

RscDisplayGameOptions_showDifficultyGroup is initially defined in \a3\ui_f\scripts\GUI\RscDisplayGameOptions.sqf

Additional Information

This can be fixed by not assigning and executing functions directly as global variables in uiNamespace or any other persistent namespace. The only safe place to define inline functions is missionNamespace, as that resets at the start of every mission and will load only code from the mission or from the addons.

Make sure all functions cached/compiled in uiNamespace use compileFinal. Any inline functions should use local variables.

This security exploit affects user modifications that use uiNamespace in this manner as well.
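The following is an added example, not code from the report or from Bohemia Interactive's RscDisplayGameOptions.sqf. It shows the pattern the report describes (a GUI script defining its helper as a plain global in uiNamespace, which a previously finalised variable of the same name silently survives) next to the two fixes recommended above. All names (MyDialog_showGroup, the control IDC 1234) are hypothetical; it assumes Arma 3 SQF semantics, where assigning to a compileFinal'd variable is a silent no-op, and the isFinal scripting command for the detection check.

```sqf
// Added example; hypothetical names, assumes Arma 3 SQF semantics.
// Expected to be run as a display's onLoad script: _this select 0 is the display.
params ["_display"];

// --- Vulnerable pattern (what the report says the BI GUI scripts did) ---
// If an earlier mission already executed, in uiNamespace,
//     MyDialog_showGroup = compileFinal "diag_log text 'owned!!!';";
// then the assignment below does nothing and the hijacked code is what runs,
// including in multiplayer, because uiNamespace persists across missions.
with uiNamespace do {
    MyDialog_showGroup = {
        params ["_display", "_show"];
        (_display displayCtrl 1234) ctrlShow _show;
    };
};
[_display, true] call (uiNamespace getVariable "MyDialog_showGroup");

// --- Fix 1: keep the helper in a local variable ---
// Locals live only in this script's scope; nothing from a previous mission can
// pre-seed them, so there is nothing for compileFinal to protect against us.
private _fnc_showGroup = {
    params ["_display", "_show"];
    (_display displayCtrl 1234) ctrlShow _show;
};
[_display, true] call _fnc_showGroup;

// --- Fix 2: if the function must live in uiNamespace, own the name ---
// Finalise it ourselves on first use, and detect a variable that was finalised
// before this script ever ran (the report's hijack) instead of trusting it.
with uiNamespace do {
    if (isNil "MyDialog_showGroup") then {
        MyDialog_showGroup = compileFinal "
            params ['_display', '_show'];
            (_display displayCtrl 1234) ctrlShow _show;
        ";
    } else {
        if (isFinal "MyDialog_showGroup") then {
            // Check for the hijack: we have not defined it yet, but it is already final.
            diag_log text "MyDialog_showGroup was compileFinal'd before GUI init; refusing to call it";
        };
    };
};
if (isNil { uiNamespace getVariable "MyDialog_showGroup" }) exitWith {};
```

The second fix only closes the window if the finalising assignment happens before any untrusted mission code can run; a variable that is first finalised from an editor mission is already lost, which is why the report's own recommendation is to prefer local variables for inline helpers.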

Event Timeline

Nou edited Steps To Reproduce. Jan 25 2015, 6:33 PM
Nou edited Additional Information.
Nou set Category to Scripting.
Nou set Reproducibility to Always.
Nou set Severity to Major.
Nou set Resolution to Open.
Nou set Legacy ID to 3810515419. May 7 2016, 8:09 PM
Nou edited a custom field.
Jukk added a subscriber: Jukk. Jul 11 2016, 1:31 PM
dedmen added a subscriber: dedmen. Sep 13 2017, 1:47 PM

Is this still an issue? I guess Arma GUI functions now also use CfgFunctions, which does compileFinal.
If this is still an issue it should probably be moved to the security issue category.

Dell added a subscriber: Dell. Sep 4 2018, 8:47 PM

Is this still an issue? I guess Arma GUI functions now also use CfgFunctions, which does compileFinal.
If this is still an issue it should probably be moved to the security issue category.

Yes, but from third-party sources it appears that you are aware of this still being an issue.