CVE-2022-31265
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on a user's system when they launch a replay file from an untrusted source in World of Warships. The replay feature fails to properly validate input, enabling code execution through crafted replay files. All users running the vulnerable version of World of Warships client are affected.
💻 Affected Systems
- Wargaming World of Warships
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the victim's computer, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Attackers distribute malicious replay files through forums or social media, leading to malware installation, credential theft, or system compromise when users open these files.
If Mitigated
Limited impact if users only open replay files from trusted sources and have updated antivirus software that detects malicious replay files.
🎯 Exploit Status
The vulnerability requires user interaction (opening a malicious replay file), but exploitation is straightforward once the malicious file is created. The provided references suggest a proof-of-concept exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.11.5 or later
Vendor Advisory: https://worldofwarships.com/news/general-news/
Restart Required: Yes
Instructions:
1. Launch the Wargaming Game Center.
2. Check for updates for World of Warships.
3. Install any available updates.
4. Restart the game client.
🔧 Temporary Workarounds
Disable replay feature
all: Prevent execution of replay files by disabling the replay feature in game settings
Restrict replay file execution
windows: Change file association for .wowsreplay files to open with a text editor instead of the game
assoc .wowsreplay=txtfile
ftype txtfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
🧯 If You Can't Patch
- Only open replay files from trusted, verified sources
- Use antivirus software with real-time protection enabled to scan replay files before opening
🔍 How to Verify
Check if Vulnerable:
Check game version in the game client settings or launcher. If version is 0.11.4, the system is vulnerable.
Check Version:
Check version in World of Warships launcher or game settings menu
Verify Fix Applied:
Verify game version is 0.11.5 or higher in the game client settings.
📡 Detection & Monitoring
Log Indicators:
- Game crash logs after opening replay files
- Unexpected process execution from World of Warships directory
- Network connections from game client to unexpected destinations
Network Indicators:
- Game client making unexpected outbound connections after opening replay files
- DNS requests to suspicious domains from game process
SIEM Query:
Process Creation where (Image contains 'wows' OR ParentImage contains 'wows') AND CommandLine contains '.wowsreplay'
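
The SIEM query above, applied to process-creation events as an added example (not code from the advisory or the vendor). It goes one step beyond the query by following child processes of a client that opened a replay, which covers the "unexpected process execution" indicator. Field names follow Sysmon Event ID 1; the install path, binary names and events are constructed.

```python
# Added example with constructed events; field names follow Sysmon Event ID 1.
GAME_MARKER = "wows"        # substring used by the page's SIEM query
REPLAY_EXT = ".wowsreplay"  # extension named in the page's workaround

def replay_launches(events):
    """Events matching the page's query: game image or parent, replay in command line."""
    return [ev for ev in events
            if (GAME_MARKER in ev["Image"].lower()
                or GAME_MARKER in ev["ParentImage"].lower())
            and REPLAY_EXT in ev["CommandLine"].lower()]

def spawned_after_replay(events):
    """Processes created, directly or indirectly, by a game client that opened a replay.
    Assumes chronological order and no PID reuse within the window."""
    tainted = {}   # pid -> command line of the replay launch that started the chain
    findings = []
    for ev in events:
        cmd = ev["CommandLine"]
        if GAME_MARKER in ev["Image"].lower() and REPLAY_EXT in cmd.lower():
            tainted[ev["ProcessId"]] = cmd
        elif ev["ParentProcessId"] in tainted:
            tainted[ev["ProcessId"]] = tainted[ev["ParentProcessId"]]
            findings.append((ev["ProcessId"], ev["Image"]))
    return findings

def _ev(pid, ppid, image, parent, cmd):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent, "CommandLine": cmd}

GAME = r"C:\Games\wows\wows_client.exe"   # hypothetical install path and binary name
REPLAY = r"C:\Users\u\Downloads\battle.wowsreplay"  # constructed file name
SAMPLE_EVENTS = [  # constructed, not real telemetry
    _ev(4100, 900, GAME, r"C:\Windows\explorer.exe", f'"{GAME}" "{REPLAY}"'),
    _ev(4200, 4100, r"C:\Windows\System32\cmd.exe", GAME, "cmd.exe /c echo constructed"),
    _ev(4300, 4200, r"C:\Users\u\AppData\Local\Temp\example.exe",
        r"C:\Windows\System32\cmd.exe", "example.exe"),
    _ev(5000, 900, GAME, r"C:\Windows\explorer.exe", f'"{GAME}"'),
    _ev(5100, 5000, r"C:\Games\wows\helper.exe", GAME, "helper.exe"),
    _ev(6000, 900, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
        f'notepad.exe "{REPLAY}"'),
]

if __name__ == "__main__":
    print(len(replay_launches(SAMPLE_EVENTS)), "replay launch(es)")
    for pid, image in spawned_after_replay(SAMPLE_EVENTS):
        print("review:", pid, image)
```

The last sample event shows a replay opened in Notepad after the file-association workaround; it matches neither check because the game client is not involved.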