OpenSpades potential server exploit detected 21 January 2016 by Enderxenomorph

I found an exploit in the connection and server data sharing system where the server is able to send files to OpenSpades that clone to desktop and activate.
I found this because I had OpenSpades open and I was checking my netstat in my antivirus and I noticed OpenSpades connections weren't in there, so if a server sends (well, not send actually, the virus is the map file but the game grabs and uses its code to visualize a map but the virus code says to copy and run on desktop) a virus to an OpenSpades client (from OpenSpades 0.0.9 to 0.0.12b client) to clone to desktop.

I just wanna say this: this is dangerous and maybe yvt can do something about…

yeah, uhh, sorry but no. the only data that is sent from the server to the client are packets with preset IDs, size in bytes and data in numerous formats, as seen here. you can’t send code from the server.
the closest thing to what you are talking about is .vxl map files, but those are extremely strict in their data format, and don’t contain any metadata inside the file itself (servers use .txt files for that metadata and they’re only read by the server, never sent to the client).

if you were to put any code in any of the packets, the client would crash before doing this hypothetical running of the ‘virus’ code.
if you were to put any code in any of the .vxl map files, the server would crash 1. before any clients join, or 2. right when a client joined

now, onto this code running part. just no.
you can’t send uncompiled C++ to OpenSpades because there’s nothing on the client side to compile and run it.
you can’t send compiled C++ to OpenSpades because there’s no way to tell if it’s for the right architecture, and even if it only runs on x86 (which I haven’t tested), you still have all the memory problems and the fact that this newly compiled C++ has an entry point when the code running the new code doesn’t and AHHHHHHHHHHHHHHHH
you can’t send AngelScript to OpenSpades because OpenSpades doesn’t call on AngelScript when interpreting .vxl and positioning (etc.) data.

I strongly encourage someone who knows this stuff to correct me if I’m wrong.
BR? Danke?

however, if you actually have strong evidence for this, I’d like to see it, preferably in a PM.
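
Added example, not part of either post and not OpenSpades code: a bounds-checked walk over .vxl column data, showing what strict parsing of a map file looks like when every length field is checked against the buffer before use. The span layout (4 header bytes N, S, E, A followed by 4-byte colours, N = 0 on the last span of a column, depth 64) is an assumption based on the classic Ace of Spades VXL format, and all names are hypothetical.

```c
/* Added example: strict validation of .vxl column data.
   Assumed layout (classic Ace of Spades VXL, not taken from this thread):
   each span is N,S,E,A (1 byte each) followed by 4-byte colours.
   N = span length in 4-byte words, 0 marks the last span of a column.
   S..E (inclusive) is the top colour run, A is where the air run starts. */
#include <stddef.h>
#include <stdint.h>

enum { VXL_OK = 0, VXL_TRUNCATED = -1, VXL_BAD_SPAN = -2, VXL_TRAILING = -3 };
#define VXL_DEPTH 64

/* Validate `columns` columns stored in buf[0..len).
   Every read is preceded by a length check, so malformed or hostile
   input is rejected instead of being read past the end of the buffer. */
int vxl_validate(const uint8_t *buf, size_t len, size_t columns)
{
    size_t pos = 0;
    for (size_t c = 0; c < columns; c++) {
        for (;;) {
            if (len - pos < 4)
                return VXL_TRUNCATED;           /* no room for a header */
            uint8_t n = buf[pos], s = buf[pos + 1];
            uint8_t e = buf[pos + 2], a = buf[pos + 3];
            /* heights must lie inside the map and be ordered A <= S <= E+1 */
            if (s >= VXL_DEPTH || e >= VXL_DEPTH || a > s)
                return VXL_BAD_SPAN;
            if ((int)e + 1 < (int)s)
                return VXL_BAD_SPAN;
            size_t top = (size_t)(e + 1 - s);   /* colours in the top run */
            size_t words = n ? n : top + 1;     /* last span: header + top */
            if (n && words < top + 1)
                return VXL_BAD_SPAN;            /* N too small for its run */
            if (len - pos < words * 4)
                return VXL_TRUNCATED;           /* span claims more than we have */
            pos += words * 4;
            if (n == 0)
                break;                          /* end of this column */
        }
    }
    return pos == len ? VXL_OK : VXL_TRAILING;  /* reject leftover bytes */
}
```
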