Important Security Notice - Remote Execution Vulnerabilities Found in IW4x

During a security assessment, a community member made an important discovery that affected the security of the IW4x client. This blog post aims to inform all IW4x users about the identified remote execution vulnerabilities, their potential impact, and the necessary steps to stay safe while using the client.

THE VULNERABLE VERSIONS
The affected versions of IW4x are between 0.5.0 and 0.7.7 (inclusive). Any version released within this range is confirmed to be vulnerable. We conducted a preliminary analysis and determined that both vulnerabilities can be exploited with a single click: an unintentional action by the user, such as joining a malicious server or downloading a harmful mod, is enough to trigger the remote execution.

VERIFY THE IW4x CLIENT VERSION

  • Open the command prompt or terminal
  • Locate the IW4x installation folder containing iw4x.exe
  • Execute the following command: iw4x.exe -version (on Linux, run it through WINE: wine iw4x.exe -version)

Possible output (latest version provided by AlterWare)

IW4y r4364 (built Jul 31 2023 11:27:06)
Revision: 4364 - develop

If you find that you are running a vulnerable version, update immediately using the provided trusted sources.
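To make the check above repeatable, here is a small checker (added here as an example, not part of the original post or the IW4x project) that classifies the text printed by iw4x.exe -version against the 0.5.0 to 0.7.7 range. It assumes that older builds print a dotted release number such as 0.7.7 somewhere in their banner; revision-numbered banners like the AlterWare one shown above carry no such number and are reported separately so the reader can compare the revision and build date by hand.

```python
import re
import subprocess
import sys
from typing import Optional, Tuple

# Inclusive range stated in the advisory: 0.5.0 <= version <= 0.7.7
FIRST_VULNERABLE = (0, 5, 0)
LAST_VULNERABLE = (0, 7, 7)

# Assumption: older builds print a dotted release number (e.g. "0.7.7") in the banner.
_RELEASE_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")
# Revision-style banner as shown in the post, e.g. "IW4y r4364 (built ...)".
_REVISION_RE = re.compile(r"\bIW4[xy]\s+r(\d+)\b")

# Constructed sample banners used for offline testing (not real program output).
SAMPLE_BANNERS = {
    "old_release": "IW4x 0.7.7 (constructed sample)",
    "alterware": "IW4y r4364 (built Jul 31 2023 11:27:06)\nRevision: 4364 - develop",
}


def parse_release(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) if the banner carries a dotted release number."""
    m = _RELEASE_RE.search(text)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def is_vulnerable_release(version: Tuple[int, int, int]) -> bool:
    """True when the release falls inside the advisory's inclusive range."""
    return FIRST_VULNERABLE <= version <= LAST_VULNERABLE


def classify_banner(text: str) -> str:
    """Classify '-version' output as vulnerable, outside-range, revision-only or unparsed."""
    release = parse_release(text)
    if release is not None:
        return "vulnerable" if is_vulnerable_release(release) else "outside-range"
    if _REVISION_RE.search(text):
        # No 0.x.y number: compare revision/build date with the trusted release manually.
        return "revision-only"
    return "unparsed"


def check_installed(exe: str = "iw4x.exe") -> str:
    """Run the client with -version (through wine off Windows) and classify its banner."""
    cmd = [exe, "-version"] if sys.platform.startswith("win") else ["wine", exe, "-version"]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    return classify_banner(out.stdout + out.stderr)


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, "->", classify_banner(banner))
```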

Question: Why is there a y instead of an x?
Answer: It’s unrelated to this matter: a new letter was chosen to replace the x after the XLabs shutdown. The y is sarcastic in nature and does not affect the client in any way beyond appearances.

TIPS TO STAY SAFE (ON A VULNERABLE VERSION)

  • Do not install any mod or GSC script from an untrusted source; untrusted sources include YouTube videos. The most likely attack vector is an infected trickshot GSC mod menu, since those are the most popular mods and their target audience is not able to audit the code themselves, leaving them exposed to any exploit. Only download mods or GSC scripts when you have access to the source code, for example when it is made available on a website like GitHub.
  • Do not join any “new server” you have never played on before.
  • Ideally, do not join any server at all from the server list, as servers can be, have been, and will be spoofed. The player count can be faked to be higher than it actually is in order to attract more players and deliver malicious payloads. Go to your trusted or favourite clan’s website and manually connect to their server using the connect command. You can do that by opening the game console by pressing ~ and typing: connect IP:port, for example: connect 127.0.0.1:28960. Replace the IP with the IP of the server you are trying to join and add the correct port. If you need help with the step above, ask the moderators or staff members of your favourite clan, as they can assist you in joining their server with this particular method.

You should also follow the advice above after you have updated or discovered your IW4x version is not vulnerable.

UPDATE YOUR IW4x INSTALL
Only trust the following separate sources:

CONCLUSIONS
This brings the total of discovered RCEs found on IW4x to three.
The publicly disclosed RCE is the openLink RCE, which is not related to this report.
The openLink function was promptly removed, and its removal is documented in the official IW4x changelog.
The two RCEs concerning this post are not documented; they were inadvertently patched by myself at one point in late December 2022, after I fixed a patch that looked ‘odd’ and was not doing what it was supposed to do in an efficient manner.
The two new RCEs were disclosed privately in a secure manner and will stay private until enough time has passed to allow everyone to update.

During the last two years of IW4x, before the XLabs shutdown, many other potentially exploitable functions/patches were fixed or removed entirely. For example, HttpGet & HttpCancel were removed because they were potentially exploitable: an attacker could use them as part of an attack chain leading to malware being downloaded from a remote server. They are not exploitable in themselves, but those functions can be used in harmful ways.

All security concerns that were raised up until today are addressed in the latest IW4x release.
Please update IW4x and follow the tips to stay safe.
