celes.in


Mordhau (stupid sword game) Remote Command Execution

I wanted to bring your attention to a serious issue I discovered during my investigation. Despite the limited time I spent looking into it, I found something alarming. Although I reported it to the developer team, they have been taking weeks to address the problem. This puts all of you, the players, at risk. Therefore, I have decided to make this information public to ensure that people are aware and avoid playing this game, which could potentially result in hacking incidents.

It's quite baffling to me that this behavior is occurring. Typically, companies prioritize fixing critical vulnerabilities like this one immediately to prevent any legal repercussions. However, it seems that Triternion, the developer of the game, does not share the same sense of urgency.

Here is the content of my original report, dated April 19th:

Hello, I would like to responsibly disclose a critical security vulnerability I've found in MORDHAU. MORDHAU uses Unreal Engine and Chromium Embedded Framework (CEF) to render its MOTD popups and other UI components. An outdated version of CEF is used in the game, which can be exploited by attackers to hack any users who join a server. Attackers can exploit this vulnerability by adding malicious code to the Message of the Day (MOTD) feature of MORDHAU servers. When a player joins a server, the MOTD is displayed, and the outdated CEF version in Unreal Engine renders it, allowing the malicious code to execute on the player's system. Furthermore, attackers can also spoof player counts on the server to make it more attractive to players. This can be achieved by manipulating server-side scripts or by using third-party tools. This vulnerability poses a significant risk to players of the game, as attackers can execute arbitrary code on their systems, potentially leading to theft of personal information or other malicious activities.

As of May 5th, the vulnerability remains unfixed. It's disheartening to see that the solution is relatively simple, yet the responsible developers seem to lack concern. They have consistently ignored my messages and offers of assistance. To demonstrate the severity of the issue, I have provided proof of a test where I opened "calc.exe" upon joining the server.

I want to emphasize that I do not condone using the exploit on unsuspecting players who join your server. They are already facing enough challenges playing a game with a developer team that appears indifferent to security.