Important Security Notice - Another Remote Execution Vulnerability Found in IW4

During a security assessment, a community member (Credits at the end of the thread) made an important discovery that affected the security of the IW4x client. This blog post aims to inform all IW4x users about the identified remote execution vulnerabilities, their potential impact, and the necessary steps to stay safe while using the client.

THE VULNERABLE VERSIONS
All versions of IW4x that predate the 13th of December 2024 are vulnerable. The issue is within the game engine. We conducted a preliminary analysis and determined that the vulnerability could be exploited with a single click. This means an unintentional action by the user, such as joining a malicious server, could trigger the remote execution.

The RCE was fixed with the r4773 release of the IW4x client.

VERIFY THE IW4x CLIENT VERSION

  • Open the command prompt or terminal
  • Locate the IW4x installation folder containing iw4x.exe
  • Execute the following command: iw4x.exe -version (on Linux, run it through WINE: wine iw4x.exe -version)

If you find that you are running a vulnerable version, update immediately using the provided trusted sources.

TIPS TO STAY SAFE (ON A VULNERABLE VERSION)

  • Do not install any mod or GSC script from an untrusted source. Untrusted sources include YouTube videos. The most likely attack vector is an infected trickshot GSC mod menu, as those are the most widely used, and their target audience is generally not able to audit the code themselves, leaving them exposed to any embedded exploit. Only download mods or GSC scripts when you have access to the source code, for example on a website like GitHub.
  • Do not join any “new server” you have never played on before.
  • Ideally, do not join any server from the server list at all, as servers can be, have been, and will be spoofed: the player count can be faked to appear higher than it is in order to attract players and deliver malicious payloads. Instead, go to your trusted or favourite clan’s website and connect to their server manually with the connect command. Open the game console by pressing ~ and type connect IP:port, for example connect 127.0.0.1:28960, replacing the IP and port with those of the server you want to join. If you need help with this step, ask the moderators or staff members of your favourite clan; they can walk you through joining their server this way.

You should also follow the advice above to some extent even after updating or discovering that your IW4x version is not vulnerable.

Only trust the following separate sources:

Let us discuss the RCE exploit and how it works.

Overview of the Vulnerability

The exploit is believed to only be possible when connecting to a malicious server. Regular users connected to the same server cannot exploit either the server or other clients. However, a server host, whether it’s a player-hosted session or a dedicated server, can execute RCE attacks on connected clients using this exploit, provided those clients are running a vulnerable version of the game.

How the Exploit Works

  1. Message Injection
    The exploit involves a server sending a specially crafted message (of type Bold Game Message) with ID 'g' (0x67) to all connected clients. This message is processed by the function CG_Deployservercommand.
  2. Localization and HUD Update
    Inside CG_Deployservercommand, the message is passed to CG_TranslateHudElemMessage, which attempts to localize the string. This localized string is then passed to UI_ReplaceDirective, a function responsible for updating the content of HUD elements with the message.
  3. Buffer Overflow
    On engines IW4 and IW5, if the supplied string is excessively large, the localization process triggers a stack-based buffer overflow. This allows an attacker to achieve remote code execution.
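As an added illustration of the defect class (not the engine's code and not IW4x's actual fix), the hypothetical C localizer below enforces the kind of inbound size check the post credits IW3 with: an oversized server command is rejected before anything is copied into the fixed-size stack buffer. The buffer sizes, function names and the '@' localized-string marker are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative limits (assumptions, not the engine's real values). */
#define HUD_MSG_MAX    256   /* fixed-size stack buffer the localizer fills  */
#define MAX_SERVER_CMD 1024  /* largest server-command payload we accept     */

/* Hypothetical localizer: strips a leading '@' (localized-string marker)
 * and copies the remainder into a caller-owned buffer of out_len bytes.
 * The bug class described above is a copy that ignores out_len; here the
 * length is measured with an upper bound and checked before copying.
 * Returns true on success, false if the message is rejected. */
bool translate_hud_message(const char *msg, char *out, size_t out_len)
{
    if (msg == NULL || out == NULL || out_len == 0)
        return false;
    if (msg[0] == '@')
        msg++;

    /* Bounded length scan: never walk further than the protocol maximum. */
    size_t n = 0;
    while (n <= MAX_SERVER_CMD && msg[n] != '\0')
        n++;

    if (n > MAX_SERVER_CMD || n + 1 > out_len) {
        out[0] = '\0';
        return false;          /* reject instead of overflowing the stack */
    }
    memcpy(out, msg, n + 1);   /* bounded copy including the terminator */
    return true;
}

/* Hypothetical handler for a bold game message (server command 'g', 0x67):
 * localizes into a stack buffer and reports whether it was accepted, which
 * is also the point at which a client could log the rejected message. */
bool handle_bold_game_message(const char *payload)
{
    char hud[HUD_MSG_MAX];
    if (!translate_hud_message(payload, hud, sizeof hud)) {
        fputs("dropped oversized HUD message from server\n", stderr);
        return false;
    }
    return true;
}
```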

Affected and Non-Affected Versions

  • Vulnerable Engines:
    • IW4
    • IW5
  • Not Affected:
    • IW3: The inbound string size is properly checked, preventing overflows.
    • IW6 and S1: The issue appears to have been resolved, though further analysis is required to confirm the exact changes.
    • Treyarch Titles (3arc): These titles retain the original string size checks from the IW3 engine, making them immune to this exploit.

Black Ops 3 - A Related Bug

Interestingly, Black Ops 3 reintroduces a similar issue in a nearly identical function. However, this variant does not appear to allow RCE; it is only known to cause crashes.

CREDITS

It has come to my attention that the user named query on Discord reported the issue.

Rackover, also known as Louvenarde, wrote the initial POC and report for the issue. She fixed the RCE in the IW4x client.

The issue in the IW5 client was fixed by the AlterWare team.