During a security assessment, a community member (Credits at the end of the thread) made an important discovery that affected the security of the IW4x client. This blog post aims to inform all IW4x users about the identified remote execution vulnerabilities, their potential impact, and the necessary steps to stay safe while using the client.
THE VULNERABLE VERSIONS
All versions of IW4x that predate the 13th of December 2024 are vulnerable. The issue is within the game engine. We conducted a preliminary analysis and determined that the vulnerability could be exploited with a single click. This means an unintentional action by the user, such as joining a malicious server, could trigger the remote execution.
The RCE was fixed with the r4773 release of the IW4x client.
VERIFY THE IW4x CLIENT VERSION
- Open the command prompt or terminal
- Locate the IW4x installation folder containing iw4x.exe
- Execute the following command: iw4x.exe -version (on Linux you might want to execute it using WINE: wine iw4x.exe -version)
If you find that you are running a vulnerable version, update immediately using the provided trusted sources.
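The check above, scripted as an added example (not a tool from the IW4x project): it runs the client's own -version query, via WINE when that is available, and flags any build older than r4773. It assumes the version output contains the build as "r<number>"; adjust the pattern if your build prints it differently.

```shell
# Added example, not part of the IW4x project. Assumes `iw4x.exe -version`
# prints the build somewhere in its output as "r<number>" (e.g. "r4773").
FIXED_BUILD=4773   # first release that contains the RCE fix (r4773)

# Print the numeric build found in a version string; prints nothing if absent.
iw4x_build_number() {
    printf '%s\n' "$1" | grep -o 'r[0-9][0-9]*' | head -n 1 | tr -d 'r'
}

# Exit 0 when the build predates the fix, 1 when it is fixed,
# 2 when no build number could be found in the string.
iw4x_is_vulnerable() {
    build=$(iw4x_build_number "$1")
    [ -n "$build" ] || return 2
    [ "$build" -lt "$FIXED_BUILD" ]
}

# Run the client's own version query from the install folder (assumed layout:
# iw4x.exe sits directly in that folder). Uses WINE when present (Linux).
iw4x_query_version() {
    dir=${1:-.}
    if command -v wine >/dev/null 2>&1; then
        (cd "$dir" && wine iw4x.exe -version 2>/dev/null)
    else
        (cd "$dir" && ./iw4x.exe -version 2>/dev/null)
    fi
}

# Human-readable verdict; exit 1 on a vulnerable build, 2 when undetermined.
iw4x_check() {
    out=$(iw4x_query_version "$1") || true
    if iw4x_is_vulnerable "$out"; then
        echo "VULNERABLE: build r$(iw4x_build_number "$out") predates r$FIXED_BUILD, update now"
        return 1
    elif [ -n "$(iw4x_build_number "$out")" ]; then
        echo "OK: build r$(iw4x_build_number "$out") contains the fix"
    else
        echo "Could not find an r<build> number in the -version output: $out"
        return 2
    fi
}

# Usage: sh check_iw4x.sh /path/to/iw4x-folder
if [ "$#" -gt 0 ]; then
    iw4x_check "$1"
fi
```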
TIPS TO STAY SAFE (ON A VULNERABLE VERSION)
- Do not install any mod or GSC script from an untrusted source. Untrusted sources include YouTube videos. The most likely attack vector is an infected trickshot GSC mod menu, as those are the most widely shared. The target audience is not able to audit the code themselves, leaving them exposed to any exploit. You should only download mods or GSC scripts when you have access to the source code, for example on a website like GitHub.
- Do not join any “new server” you have never played on before.
- If possible, do not join any server from the server list at all, as server entries can be, have been, and will be spoofed. The player count can be faked to be higher than it is to attract more players and deliver malicious payloads. Go to your trusted or favourite clan’s website and manually connect to their server using the connect command. You can do that by opening the game console by pressing ~ and typing: connect IP:port, for example: connect 127.0.0.1:28960. Replace the IP with the IP of the server you are trying to join and add the correct port. If you need help with the step above, ask the moderators or staff members of your favourite clan, as they can assist you on how to join their server using this particular method.
You should also follow the advice above to some extent even after updating or discovering that your IW4x version is not vulnerable.
Only trust the following separate sources:
- Download iw4x.dll (or compile from source) from here: Releases · iw4x/iw4x-client · GitHub
- Update the IW4x raw files using the AlterWare launcher