World of Tanks Replay Vulnerable to Malicious Code

Hello everyone,

the following very interesting message was found on WoT Reddit – did you know that World of Tanks replays can be injected with (potentially malicious) code?

Check this out – user KeeperOfTheFeels wrote this:

A couple of months ago I was rooting around within the WoT replay files and their format. I discovered that the way they stored data within certain packets in the replays made it extremely easy to get code execution. After a couple of days working at reliable execution I came upon a reliable way to take any replay file and inject code to execute. This happens very quickly after opening the infected replay file with no way to prevent it once WoT begins reading from the replay.

To my knowledge any replay after May 2014 is vulnerable to this. It is likely any replays before then are also vulnerable and should not be trusted. A proof of concept replay file that opens a calculator window can be found in the link below. As of now you should not trust any replay files from sources you do not trust, until an official fix is released by WarGaming.

I would advise not directly posting about it on the official forums or linking back to here. You may get your account banned from the forums and your message deleted.

Proof Of Concept: PoC

Well, of course I had to try it out and sure enough, the “proof of concept” replay indeed starts the calculator. I am sure you can imagine the potential joys of having infected replays. According to the original poster, WG is now aware of the issue. Whether they are working on a fix or whether they wait for something bad to happen first is the real question.

49 thoughts on “World of Tanks Replay Vulnerable to Malicious Code”

    • There is some good news that hasn’t been mentioned.

      The wotreplays site won’t accept ‘tampered’ replays.

      I have not dug into it enough to say how good this protection is (hunch says embedded hash – so possible to break).

      It’s a minor thing, but a replay on Wotreplays is (slightly) safer than one from, say, Dropbox (like the PoC replay) that someone has linked to, because of this limited protection.

  1. [...] they wait for something bad to happen first [...]

    I’m pretty sure that’s it. Replays do not really have a significance to WG, and they should not imo, there are tons of stuff to make better in the actual game. Except it is easy to fix the replays, then WG might really do sth about it.

    • Security exploits are almost always quite high on the lists of companies, especially in files that are as widely distributed as these. It’s very simple to abuse this; an easy example is starting up a browser leading to some dangerous site, and there are many others.

  2. “Whether they are working on a fix or whether they wait for something bad to happen first is the real question.”

    Of course they are working on it! When it’s done, it’s done.

  3. I’ve known about this since May and WG’s first response to the guy who found it was to ban him. He has been pestering them since May this year to finally get someone to look at it… SEVEN months later they finally get someone on the case.

    I had a play around with replay manipulation to a reasonable degree of success – replay analysers would accept the manipulated info but replay websites would not… but as you can see here: once tweaked properly, even WOTReplays can be fooled.

  4. Replays from older versions tend to be broke as fuck anyway, though.

    Seriously though, this is a pretty massive security issue.
    I expect we’ll see a hotfix patch by the end of the week, although that’s me being optimistic.

  5. Is the exploit limited to running a program that is already installed or can you put an EXE in the replay?

      • Well, there is executable code in there.

        I haven’t looked at it first-hand, but I assume that it will be a script for the built-in scripting engine inside WOT.

        Embedding an exe would probably be possible. Probably easier to have the game connect to the Web and download whatever for you though.

  6. play an ESL game, provide some misplaced results in order to make one ESL admin watch the replay, have some fun there :)

    this would be a nice story

      • As this becomes a widespread issue, the server-side replay coding becomes much more important. Or maybe they haven’t fixed it because it will be fixed by keeping replays server side?

        … much theorycrafting for this time of the day.

  7. Sadly, the Proof Of Concept is not working for me; doesn’t open the calculator. Something blocking external executions or so?

  8. I haven’t seen the thing in action, but this has been going on for a while I think. I downloaded some replays about a year ago that looked fake/edited on the replay site and they wouldn’t launch the client to play said replay. I watched for open processes and port listening at the time but nothing nasty was there. I do know that many “Competitions” that go on where players “Submit” replays have had results that just don’t go with what is shown in the game or via noobmeter (those are just basic API pulls I guess?).

    WG will have no choice but to fix it once it becomes public knowledge, else someone will send in a “Ticket” reporting something in game, and the moment they open it their own internal network can be exposed to a hacker… Therein lies the rub.

    If replays were ONLY used by players then they would probably sit on their hands, but as they use them internally too, hopefully it will spur them on. There is no reason why the WoT exe should be launching external programs anyhow, and if it is, then they should be signed in the software.

  9. Pingback: World of Tanks replays vulnerable to malicious code

  10. Pingback: 10.12.2014 | For the Record