
remoteExec and remoteExecCall Opens thousands of exploits for hackers
Assigned, Wishlist, Public

Description

remoteExec and remoteExecCall are nice commands, they offer heaps of improvements to BIS_FNC_MP. However they will break thousands of missions and mods with a flood of hackers because this command is not something that can be disabled.

Dwarden justifies this new replacement to BIS_fnc_MP because it's just as secure if not more secure. However the problem is this command can't be disabled. Every single mod / mission that isn't having nuclear missiles going off everywhere has disabled this command in several places. If you are using remote execution commands you have designed your mission incorrectly.

Even if you guys don't remove the command and just add a whitelist, I can dereference a pointer to the network manager and alter stack memory and still cause just as much damage.

Details

Legacy ID: 2664667616
Severity: None
Resolution: Open
Reproducibility: Always
Category: Scripting
Steps To Reproduce

Just one of the thousands of examples mentioned on the Skype chat

[5/30/2015 8:39:56 PM] Grim: well
[5/30/2015 8:40:00 PM] Grim: tvh
[5/30/2015 8:40:22 PM] Grim: CfgRemoteExecCommands = {};
{player setdamage 1;} remoteExec ["bis_fnc_call", 0,true]; still works on RC build
[5/30/2015 8:40:31 PM] Grim: + non memory based injection method

Removing BIS_fnc_call isn't the solution to this problem ^^.

Event Timeline

Deathlyrage set Category to Scripting.
Deathlyrage set Reproducibility to Always.
Deathlyrage set Severity to None.
Deathlyrage set Resolution to Open.
Deathlyrage set Legacy ID to 2664667616. May 8 2016, 12:09 PM
Deathlyrage edited a custom field.

I would love to hear an official explanation as to why this won't be a major security issue.

ymok added a subscriber: ymok. May 8 2016, 12:09 PM
ymok added a comment. May 31 2015, 12:38 PM

And why is CfgRemoteExecCommands = {}; not blocking remoteExec?

Arma3 destroys more than it fixes, they should be busy fixing their shit bugs that haven't been fixed for more than a year instead of patching shit all the time! The only revenue they get is from people buying the game to play mods, nobody is interested in playing their crappy single/multiplayer missions and what do they do? Instead of helping modders they push them deeper underground. Look what happened to dayz mod/standalone that turned out GREAT.. full of hackers!

As a fact I tried playing their singleplayer mission once, and in the second mission I ended up with broken legs and I couldn't fix myself even though I had a medikit and tons of bandages. I ended up crawling for 2hrs and never played it again.

#BIplease ;)

MGTDB added a subscriber: MGTDB. May 8 2016, 12:09 PM
MGTDB added a comment. May 31 2015, 4:31 PM

Bohemia is placing too much trust in BattlEye to stop exploitation of this, fact is BattlEye won't be able to prevent this as it's easily bypassable. This is handing a golden nuke button to every script kiddie.

This is a hacker's wet dream, please don't do it!

vbawol added a subscriber: vbawol. May 8 2016, 12:09 PM

Confirmed here too, this needs to be fixed before the release of 1.46.

ARMA needs some way to disable stupid functions like via the desc.ext maybe.
If this gets into Release, we are all fucked!

I really am surprised this made it into an RC without someone checking if you can whitelist the commands.

Anyway this function really needs to be able to be disabled altogether.
Also needs to be checked that if someone manages to call the function from engine, it won't trigger code on other clients / servers since it's an engine-based command.

Suppe added a subscriber: Suppe. May 8 2016, 12:09 PM
Suppe added a comment. May 31 2015, 6:18 PM

Is this a joke, BIS?

These commands should not be released into stable until they are fully functional (which they are not) and full security review has been done including whatever additional commands need to be released to accompany remoteExec. I am a little bit surprised commands are already in RC.

remoteExec implementation currently in DEV version is not yet final. It will indeed be possible to limit it or disable it. It's not planned to be in 1.46, we want to be extra sure about it before pushing it to the main branch.
Sorry for confusion.

This ticket covers a work-in-progress change in the underlying system which was explained in http://dev.arma3.com/post/sitrep-00108

so don't blow it out of proportions, atm. it's quite buggy but expect it to be improved over upcoming DEV branch builds

A small wishlist

  1. description.ext whitelist of functions, or serverside compileFinal'able array of functions. The latter would be more flexible.
  2. ability to enable reasonable RPT logging each time the functions are called. What, from who, and to whom. If it's called, I want it logged.
  3. ability for server to block unsolicited uses of the function. If I have it being called from 2 different scripts, and it gets called from an unknown 3rd script, I don't want the code to be remote executed.
  4. Ability to easily disable other remote execution methods. Such as disabling BIS_fnc_MP without preinit tricks.
  5. BattlEye kick for unsolicited uses of remoteExec/remoteExecCall
  6. Define in description.ext the filepaths of the script where each approved use of remoteExec is located. If remoteExec not from these scripts and use in console disabled, then reject the attempt.

Just some ideas.

Regards,
Quiksilver
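
The server-side behaviour that wishlist items 1 to 3 above ask for, sketched as a default-deny gate: an allowlist of functions, per-function permitted targets, and a log line for every request. This is an added Python model, not Arma 3 engine code or Bohemia's implementation; `Request`, `ALLOWLIST`, `gate` and the `my_fnc_*` names are hypothetical, the target id for the server is an assumption of the model, and the sample requests are constructed.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("remoteexec_gate")

# Target ids in this model: 0 = every machine (the `0` in the ticket's example),
# 2 = server only (assumed here).
EVERYONE, SERVER = 0, 2

@dataclass(frozen=True)
class Request:
    sender: str     # who sent the request
    function: str   # what they want executed
    target: int     # on which machines
    jip: bool       # also queue it for players who join later

# Hypothetical mission allowlist: function -> (permitted targets, JIP queue allowed).
ALLOWLIST = {
    "my_fnc_requestrespawn": ({SERVER}, False),
    "my_fnc_showhint": ({EVERYONE, SERVER}, False),
}

def gate(req, allowlist=ALLOWLIST):
    """Return (allowed, reason). Unknown functions are denied; every call is logged."""
    # SQF identifiers are case-insensitive, so compare lower-cased names;
    # otherwise "BIS_fnc_call" and "bis_fnc_call" would be treated differently.
    rule = allowlist.get(req.function.lower())
    if rule is None:
        verdict = (False, "function not on allowlist")
    elif req.target not in rule[0]:
        verdict = (False, "target not permitted for this function")
    elif req.jip and not rule[1]:
        verdict = (False, "JIP queue not permitted for this function")
    else:
        verdict = (True, "ok")
    # Wishlist item 2: what, from whom, and to whom, for every request.
    level = logging.INFO if verdict[0] else logging.WARNING
    log.log(level, "remoteExec from=%s fn=%s target=%d jip=%s -> %s",
            req.sender, req.function, req.target, req.jip, verdict[1])
    return verdict

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    # Constructed requests; the first has the shape of the call quoted in the ticket.
    for r in (Request("client_17", "bis_fnc_call", EVERYONE, True),
              Request("client_03", "MY_fnc_requestRespawn", SERVER, False),
              Request("client_03", "my_fnc_requestrespawn", EVERYONE, False)):
        print(r.function, gate(r))
```

An empty allowlist denies everything in this model, which is the behaviour the thread expected from an empty configuration.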