When you run replays of the game World Of Tanks on your computer, arbitrary code may be executed

Original author: KeeperOfTheFeels
Translated from reddit.com.

A couple of months ago I researched WoT replays and their format. I found that the way they store data packets makes it easy to get arbitrary code to execute. After a couple of days of improving the launch of the code in the replay to a reliable state, I was able to embed arbitrary code in an arbitrary replay. This code is executed immediately after opening, and there is no way to stop it once the WoT client has started playing the replay.

As far as I know, any replay newer than May 2014 is subject to this vulnerability. Most likely, earlier replays are also vulnerable and not trustworthy. As a proof of concept, I am attaching a replay that opens the calculator window: dl.dropboxusercontent.com/u/19977649/Replay-exploit.wotreplay
Thus, you should not run any replays before the official fix from WG.

Before all this turns into a complaint to WG support, I want to mention that before this post I did not inform them of the vulnerability. In fact, it was the WG employee Trezvor_WGA who helped me a lot in conveying the problem to the right people; they confirmed it and are already making a fix.

Why didn't I use the bugtracker? In short - I just don't want to. This is not the first vulnerability I have found, and the standard procedure for reporting bugs practically does not work. Many of the companies to which I reported vulnerabilities in this way did not do anything until the vulnerability was published in the public domain.

I do not want to say that WG is one of those companies. First of all, I informed them, but I want to warn the public before sending the ticket so that they are careful. Not the best way to earn the respect of the company, but the most reliable way to quickly see the fix.

From the translator - since this was posted on a VERY well-visited resource on the subject of this project, it is probably already in use. So take care!