Fix RakNet::RakString Security Bug

This commit is contained in:
TheBrokenRail 2021-07-16 18:17:49 -04:00
parent d114a2d668
commit a9830c3bba
4 changed files with 20 additions and 1 deletions


@ -1 +1 @@
2.1.3
2.1.4


@ -1,5 +1,8 @@
# Changelog
**2.1.4**
* Fix RakNet::RakString Security Bug
**2.1.3**
* Workaround Broken Library Search Path On Some ARM 32-Bit Systems


@ -360,6 +360,9 @@ static uint32_t FillingContainer_linked_slots_length_property_offset = 0x14; //
// RakNet::RakString
typedef unsigned char *(*RakNet_RakString_t)(unsigned char *rak_string, const char *format, ...);
static RakNet_RakString_t RakNet_RakString = (RakNet_RakString_t) 0xea5cc;
typedef void (*RakNet_RakString_Assign_t)(unsigned char *rak_string, const char *str);
static RakNet_RakString_Assign_t RakNet_RakString_Assign = (RakNet_RakString_Assign_t) 0xe9e34;


@ -64,6 +64,16 @@ static void LoginPacket_read_injection(unsigned char *packet, unsigned char *bit
free(new_username);
}
// Fix RakNet::RakString Security Bug
//
// RakNet::RakString's format constructor is often given unsanitized user input and is never used for formatting,
// this is a massive security risk, allowing clients to run arbitrary format specifiers, this disables the
// formatting functionality.
static unsigned char *RakNet_RakString_injection(unsigned char *rak_string, const char *format, ...) {
// Call Original Method
return (*RakNet_RakString)(rak_string, "%s", format);
}
// Init
void init_misc() {
if (feature_has("Remove Invalid Item Background", 0)) {
@ -82,6 +92,9 @@ void init_misc() {
// Sanitize Username
patch_address(LoginPacket_read_vtable_addr, (void *) LoginPacket_read_injection);
// Fix RakNet::RakString Security Bug
overwrite_calls((void *) RakNet_RakString, RakNet_RakString_injection);
// Init C++
_init_misc_cpp();
}
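Review bot: `RakNet_RakString_injection` declares a `...` parameter it never reads, so its signature promises variadic arguments that are silently discarded; the header comment should state this explicitly, e.g. `// Extra arguments are deliberately ignored: "format" is passed through as plain data via "%s".` Whether `overwrite_calls` rewrites the callee or individual call sites is not visible here; if it patches call sites, any caller the patcher does not cover, and the newly declared `RakNet_RakString_Assign` path if that one also formats, would keep the original behaviour and should be confirmed. For consistency with the `LoginPacket_read_injection` line two lines above, the replacement pointer could also be cast: `overwrite_calls((void *) RakNet_RakString, (void *) RakNet_RakString_injection);`. `init_misc` begins in the first hunk and the part of its body between the two hunks is not shown.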