p2r3 Bareiron Write-What-Where Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A write-what-where vulnerability has been identified in p2r3 Bareiron, starting from commit ba86dfd927b5e2432be797e12095642dc4091fe1. The container-click handler takes a slot index from the client and uses it to compute a pointer into the player's inventory or into a chest's storage without validating that the index lies within the container's bounds. An out-of-range slot therefore places the written item value at an attacker-chosen offset from the storage base, giving an unauthenticated client an arbitrary write into server memory. By overwriting memory adjacent to the player's inventory, in particular the storage pointer associated with the player's crafting items, the write can be turned into arbitrary code execution. The overwrite is most readily reached while interacting with chests.
Impact
A remote, unauthenticated client can write arbitrary values to arbitrary locations in the server process. This allows critical player data to be overwritten and, by corrupting pointers the server later dereferences, arbitrary code execution.
Reproduction
To reproduce this vulnerability, connect as a client and send a crafted container-click packet whose slot index lies outside the open container. The packet is processed by the server's 'cs_clickContainer' function, which turns the unchecked slot into a pointer into inventory or chest storage, so the supplied item value is written outside the storage array into surrounding memory, including the player's inventory and crafting-item data.
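The following C model illustrates the bug class described in the Vulnerability and Reproduction sections above: a client-supplied slot index used as an offset into container storage, first without a bounds check and then with one. It is an added example written for this advisory, not Bareiron's code; the record layout, the sizes INV_SLOTS and CHEST_SLOTS, the position of the gamemode byte, and the function names are assumptions chosen for illustration.

```c
/* Illustrative model of the Bareiron bug class, written for this advisory.
 * It is NOT Bareiron's code: the record layout, sizes and function names are
 * assumptions chosen to show how an unchecked slot index becomes a write-what-where. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define INV_SLOTS    36                 /* assumed player inventory size */
#define CHEST_SLOTS  27                 /* assumed chest storage size */
#define GAMEMODE_OFF (INV_SLOTS)        /* assumed: field directly after the inventory */
#define RECORD_BYTES 64

/* Assumed player record kept as one contiguous byte arena so the out-of-range
 * write below stays inside a single object (well-defined C) and is easy to observe. */
struct player {
    uint8_t mem[RECORD_BYTES];          /* [0, INV_SLOTS) item ids, then other fields */
};

struct chest {
    uint8_t items[CHEST_SLOTS];
};

/* Vulnerable shape: the signed 16-bit slot from the client's container-click
 * packet is used as an offset into whichever storage the window refers to,
 * with no range check. slot is "where", item is "what". */
static void click_container_vulnerable(struct player *p, struct chest *c,
                                       int16_t slot, uint8_t item)
{
    uint8_t *base = c ? c->items : p->mem;   /* chest window or own inventory */
    base[slot] = item;                        /* out-of-range slot writes past storage */
}

/* Hardened shape: validate slot against the size of the selected container
 * before any pointer is derived; reject (drop the packet / kick) otherwise. */
static int click_container_fixed(struct player *p, struct chest *c,
                                 int16_t slot, uint8_t item)
{
    uint8_t *base = c ? c->items : p->mem;
    int limit = c ? CHEST_SLOTS : INV_SLOTS;
    if (slot < 0 || slot >= limit)
        return -1;
    base[slot] = item;
    return 0;
}

/* Reproduction against the vulnerable handler: slot == INV_SLOTS is one past
 * the inventory and lands on the assumed gamemode byte. Returns 1 on success. */
int demo_overwrite_gamemode(void)
{
    struct player p;
    memset(&p, 0, sizeof p);
    click_container_vulnerable(&p, NULL, INV_SLOTS, 0x01);
    return p.mem[GAMEMODE_OFF] == 0x01;
}

/* The same crafted slots against the fixed handler: all rejected, a valid
 * slot still works, and the record outside the container is untouched. */
int demo_fixed_rejects(void)
{
    struct player p;
    struct chest c;
    memset(&p, 0, sizeof p);
    memset(&c, 0, sizeof c);
    int rc_inv   = click_container_fixed(&p, NULL, INV_SLOTS, 0x01);       /* one past inventory */
    int rc_chest = click_container_fixed(&p, &c, CHEST_SLOTS, 0x01);       /* one past chest */
    int rc_neg   = click_container_fixed(&p, &c, -1, 0x01);                /* negative slot */
    int rc_ok    = click_container_fixed(&p, &c, CHEST_SLOTS - 1, 0x02);   /* last valid slot */
    return rc_inv == -1 && rc_chest == -1 && rc_neg == -1 && rc_ok == 0
        && p.mem[GAMEMODE_OFF] == 0 && c.items[CHEST_SLOTS - 1] == 0x02;
}

int main(void)
{
    printf("vulnerable handler overwrote gamemode: %d\n", demo_overwrite_gamemode());
    printf("fixed handler rejected bad slots:      %d\n", demo_fixed_rejects());
    return 0;
}
```

The check in click_container_fixed is the whole fix: the slot must be compared against the size of the container the window actually refers to, and negative values must be rejected as well, since the protocol's slot field is signed and a negative index moves the write before the array rather than past it.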
Remediation
Users are advised to update to the latest version of Bareiron, where this vulnerability has been fixed.
