For the Record: World of Tanks Replay Vulnerable to Malicious Code
Hello everyone,

the following very interesting message was found on WoT Reddit – did you know that World of Tanks replays can be injected with (potentially malicious) code? Check this out – user KeeperOfTheFeels wrote this:

“A couple of months ago I was rooting around within the WoT replay files and their format. I discovered that the way they stored data within certain packets in the replays made it extremely easy to get code execution. After a couple of days working at reliable execution I came upon a reliable way to take any replay file and inject code to execute. This happens very quickly after opening the infected replay file with no way to prevent it once WoT begins reading from the replay.

“To my knowledge any replay after May, 2014 is vulnerable to this. It is likely any replays before then are also vulnerable and should not be trusted. A proof of concept replay file that opens a calculator window can be found in the link below. As of now you should not trust any replay files from sources you do not trust, until an official fix is released by WarGaming.

“I would advise not directly posting about it on the official forums or linking back to here. You may get your account banned from the forums and your message deleted.

“Proof Of Concept: PoC”

Well, of course I had to try it out and sure enough, the “proof of concept” replay indeed starts the calculator. I am sure you can imagine the potential joys of having infected replays. According to the original poster, WG is now aware of the issue. Whether they are working on a fix or whether they wait for something bad to happen first is the real question.

vBAddict is safe against this Python pickle attack.
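
The note above names the bug class as a Python pickle attack. As an added example (not code from the original post, Wargaming or vBAddict), this sketch shows how a tool that reads untrusted pickle data can inspect a stream without executing it and refuse anything that imports a global. It assumes the pickled payload has already been extracted from the replay as bytes; all function names and sample data are constructed for illustration.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that import a name or call/construct an object while loading.
RISKY = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
         "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def risky_opcodes(blob):
    """List risky opcode names in a pickle stream without executing it."""
    return sorted({op.name for op, _arg, _pos in pickletools.genops(blob)
                   if op.name in RISKY})


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so only plain data loads."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_data_only(blob):
    """Deserialize blob, allowing only built-in containers and scalars."""
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


def check(blob):
    """Return (risky opcode names, loaded value or None if rejected)."""
    ops = risky_opcodes(blob)
    try:
        return ops, load_data_only(blob)
    except pickle.UnpicklingError:
        return ops, None


# Constructed samples, not taken from any replay file.
PLAIN = pickle.dumps({"vehicle": "T-34", "hp": 450}, protocol=2)
# Benign, but it references a global, which is what a data-only loader rejects.
WITH_GLOBAL = pickle.dumps(OrderedDict(hp=450), protocol=2)

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("with_global", WITH_GLOBAL)):
        print(label, check(blob))
```

The scan is for triage and logging only; the rejection in `find_class` is what actually prevents code from running during deserialization.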