
Major security issue with #include
Assigned, Wishlist, Public

Description

With Arma 3 version 1.50 the #include preprocessor command can read files from any number of parent directories up to root*. That way an unpacked mission could access any file stored on the machine.
This is a major security issue, because it's possible to copy stuff like memory dumps or browser passwords.

Below is an example of how to access and copy the "C:/Windows/system.ini" file.

*Apparently this only applies to unpacked missions in the documents folder. It should however always be impossible to access files outside of the game folders. This limitation seems to work for packed missions and addons, but not unpacked missions.

Edited. {F26872}

Details

Legacy ID
885416224
Severity
None
Resolution
Open
Reproducibility
Always
Category
Other
Steps To Reproduce
  1. Create mission with this init.sqf:

diag_log text preprocessFileLineNumbers 'hack.sqf';

  2. Create a file named hack.sqf:

#include "..\..\..\..\..\..\..\Windows\system.ini"

Additional Information

Noubernou posted this thread on reddit warning players about this exploit:

http://www.reddit.com/r/arma/comments/3irs3v/until_further_notice_do_not_play_on_any_arma/
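The containment check the report asks for ("it should always be impossible to access files outside of the game folders"), as an added example that is not part of the original report and not the game's own code. The mission path and the function names `resolve_include` and `is_allowed` are hypothetical, and the check is lexical only.

```python
import ntpath  # Windows path rules on any OS, so the sample runs offline

# Constructed sample layout (assumption): an unpacked mission in the documents folder.
MISSION_ROOT = r"C:\Users\player\Documents\Arma 3\missions\test.Stratis"

def resolve_include(root, including_file, target):
    """Return the normalized path for an #include target, or raise
    PermissionError if it resolves outside `root`.

    including_file is relative to root; target is the quoted #include string.
    Lexical check only: a real loader must also resolve junctions/symlinks
    on the actual filesystem before comparing.
    """
    root_n = ntpath.normcase(ntpath.normpath(root))
    base = ntpath.dirname(ntpath.join(root, including_file))
    # join() discards `base` when target is absolute or names another drive,
    # so those inputs go through the same containment test below.
    candidate = ntpath.normpath(ntpath.join(base, target))
    cand_n = ntpath.normcase(candidate)
    try:
        # commonpath compares whole components, so "test.Stratis2" does not
        # pass as a child of "test.Stratis" the way a startswith() test would.
        inside = ntpath.commonpath([root_n, cand_n]) == root_n
    except ValueError:  # different drives or UNC share
        inside = False
    if not inside:
        raise PermissionError(f"#include escapes mission root: {target!r}")
    return candidate

def is_allowed(target, including_file="hack.sqf"):
    """True if `target`, included from `including_file`, stays inside the mission."""
    try:
        resolve_include(MISSION_ROOT, including_file, target)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    for t in (r"scripts\fn.sqf",
              r"..\..\..\..\..\..\..\Windows\system.ini",  # target from the report
              r"..\test.Stratis2\init.sqf",
              r"D:\dump.bin"):
        print(f"{t!r:50} allowed={is_allowed(t)}")
```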

Event Timeline

commy2 edited Steps To Reproduce. (Aug 28 2015, 11:33 PM)
commy2 edited Additional Information.
commy2 set Category to Other.
commy2 set Reproducibility to Always.
commy2 set Severity to None.
commy2 set Resolution to Open.
commy2 set Legacy ID to 885416224. (May 8 2016, 12:35 PM)
commy2 edited a custom field.
dedmen added a subscriber: dedmen. (Mar 31 2020, 2:12 PM)

Should be fixed by disabling filePatching by default