This repository has been archived by the owner on Jan 13, 2022. It is now read-only.

OculusVR / RakNet FileOperations: WriteFileWithDirectories() Array Overflow/Remote Code Execution Vulnerability #57

Open
aung-khant opened this issue Apr 1, 2015 · 0 comments

Comments

@aung-khant

Overview:
There are two .cpp files, namely 'FileOperations.cpp' and 'FileList.cpp'.

FileOperations.cpp contains a function called 'WriteFileWithDirectories()' which accepts 3 parameters, one of which is a pointer to the physical path that the data will be written to on disk.

FileList.cpp contains a function called 'WriteDataToDisk()' which also accepts a parameter as a pointer to the application directory.

The idea is that 'WriteDataToDisk' in FileList.cpp will receive a list of filenames along with corresponding directories (e.g., C:\UnrealEngine\Mods\guns.dat) to which 'WriteFileWithDirectories' in FileOperations.cpp will write/update data.

Vulnerability Details:
Now the root cause of the vulnerability exists in 'WriteFileWithDirectories' of FileOperations.cpp, in that the directory structure+filename is limited to a maximum of only 260. However, the 'WriteDataToDisk' function can pass a structure+filename of up to 512. So when Strcpy() in WriteFileWithDirectories copies the path+filename provided by WriteDataToDisk, the overflow is triggered. Refer to the link for more info.

https://drive.google.com/file/d/0B8MQckpnz0TaOTd6NkJXenV5M0E/view?usp=sharing

More Info:
There are features that DIRECTLY call the 'WriteFileWithDirectories()' function. The result is that it effectively eliminates/extends the limitation on the max structure+filename size that can be passed to 'WriteFileWithDirectories()', since no WriteDataToDisk() function is called before. So there is a window of opportunity in terms of control over the buffer.
Two such examples are the DirectoryDeltaTransfer and AutoPatcher features. Please refer to pages 2 and 3 of the attached PDF.

(http://www.jenkinssoftware.com/raknet/manual/directorydeltatransfer.html)

(http://www.raknet.net/raknet/manual/autopatcher.html)

Attack Vector:
As has been highlighted, FileOperations can be implemented both on the server side (e.g., DirectoryDeltaTransfer) and the client side (e.g., AutoPatcher). This means that the attack can simply be a malicious user uploading crafted content to the server (thus exploiting both the server itself and users who download the payload).

@aung-khant aung-khant changed the title OculusVR / RakNet FileOperations: WriteFileWithDirectories() Array Overflow/Remote Code Execution OculusVR / RakNet FileOperations: WriteFileWithDirectories() Array Overflow/Remote Code Execution Vulnerability Apr 15, 2015
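The length mismatch described in the issue (a 260-byte destination, a caller that allows up to 512), shown as an added example that is not part of the original post and is not RakNet's code. The function names, the buffer name and the sample paths are hypothetical; only the two limits come from the issue.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF_LEN   260  /* limit the issue gives for WriteFileWithDirectories */
#define CALLER_MAX_LEN 512  /* limit the issue gives for WriteDataToDisk */

/* Unsafe pattern as the issue describes it (shown for contrast, never called):
 * a fixed 260-byte buffer filled by strcpy() from a caller-supplied path. */
int write_path_unchecked(const char *path)
{
    char pathCopy[PATH_BUF_LEN];
    strcpy(pathCopy, path);   /* unbounded: writes past the buffer at >= 260 chars */
    return (int)strlen(pathCopy);
}

/* Hardened form: locate the terminator within the destination size first,
 * reject anything that cannot fit, then copy exactly that many bytes.
 * Returns the copied length, or -1 for NULL, empty or over-long paths. */
int write_path_checked(const char *path, char *out, size_t out_len)
{
    const char *end;
    size_t n;
    if (path == NULL || out == NULL || out_len == 0)
        return -1;
    end = memchr(path, '\0', out_len);  /* scans at most out_len bytes */
    if (end == NULL)                    /* no room left for the NUL */
        return -1;
    n = (size_t)(end - path);
    if (n == 0)
        return -1;
    memcpy(out, path, n + 1);           /* includes the terminator */
    return (int)n;
}

/* Constructed input: a path of `len` characters, the kind of length a
 * caller with a 512 limit could hand to a callee with a 260 limit. */
int try_path_of_length(size_t len)
{
    char src[CALLER_MAX_LEN + 1];
    char dst[PATH_BUF_LEN];
    if (len > CALLER_MAX_LEN)
        return -1;
    memset(src, 'a', len);
    src[len] = '\0';
    return write_path_checked(src, dst, sizeof dst);
}

int main(void)
{
    printf("259 -> %d\n", try_path_of_length(259));
    printf("260 -> %d\n", try_path_of_length(260));
    printf("511 -> %d\n", try_path_of_length(511));
    return 0;
}
```

The check belongs in the callee because, as the issue notes, some features reach the write function directly and bypass any limit enforced by an intermediate caller.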