GZDoom ZScript Actor State Handling Vulnerability Leading to Arbitrary Code Execution

Vulnerability

A vulnerability in GZDoom, a popular open-source port for Doom engine games, allows for arbitrary code execution through ZScript actor state manipulation. This issue affects GZDoom versions 4.14.2 and earlier. The vulnerability arises from ZScript's handling of actor states, which can be exploited to read arbitrary memory addresses, write constants into executable JIT-compiled code, and alter control flow using crafted FState and VMFunction structures. By copying FState structures into a writable buffer and modifying function pointers and state transitions, an attacker can execute controlled bytecode, leading to unauthorized code execution.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system.

Reproduction

To reproduce this vulnerability, create a ZScript file that defines a class with a non-dynamic array of uint8. Instantiate this class and use ZScript syntax to access the memory addresses of the object's state. Calculate the offset to the FState structure and overwrite function pointers to redirect execution to injected bytecode. This can be done by writing specific constants into the JIT code section, which is then executed by the engine.

Remediation

Users can upgrade to GZDoom version 4.14.3, where this vulnerability has been patched.

Added: Dec 3, 2025, 5:18 PM
Updated: Dec 3, 2025, 5:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 7.7
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.