CVE-2015-5070 in Battle for Wesnoth
Summary
by MITRE
The (1) filesystem::get_wml_location function in filesystem.cpp and (2) is_legal_file function in filesystem_boost.cpp in Battle for Wesnoth before 1.12.4 and 1.13.x before 1.13.1, when a case-insensitive filesystem is used, allow remote attackers to obtain sensitive information via vectors related to inclusion of .pbl files from WML. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5069.
Analysis
by VulDB Data Team • 12/30/2022
The vulnerability described in CVE-2015-5070 is a critical information disclosure issue in the Battle for Wesnoth game engine affecting versions prior to 1.12.4 and 1.13.x prior to 1.13.1. The flaw lies in two functions of the filesystem handling code: filesystem::get_wml_location in filesystem.cpp and is_legal_file in filesystem_boost.cpp. It becomes exploitable when the game runs on a case-insensitive filesystem, creating a path traversal scenario in which remote attackers obtain sensitive information by manipulating the inclusion of .pbl files from WML (Wesnoth Markup Language).
The root cause is an incomplete remediation of the earlier CVE-2015-5069, a common pattern in which a fix is insufficient or opens a new attack vector. The flaw occurs when the engine processes WML files and resolves file locations on a filesystem that does not distinguish between uppercase and lowercase file extensions: a check that compares the extension case-sensitively can be satisfied by a differently cased name that still refers to the same file. This lets an attacker manipulate file inclusion paths and access files or data that should remain protected within the game's resource structure.
In terms of impact, a remote attacker can obtain sensitive information that may include game configuration details, user data, or potentially system-level information, depending on how the filesystem is structured. The attack vector relies on the inclusion of .pbl files, which are part of the game's resource management system, to manipulate file resolution and potentially reach files outside the intended game resources. This is a significant risk in online gaming environments where multiple users interact and share resources.
The vulnerability aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory, and CWE-200, which covers exposure of sensitive information. The attack pattern follows techniques described in the MITRE ATT&CK framework under T1083, which covers file and directory discovery, and T1566, which covers credential access through various means. Organizations and game developers should prioritize applying the official patches released for versions 1.12.4 and 1.13.1 to address this incomplete fix that left the system vulnerable to information disclosure attacks. The remediation process should include thorough testing of the filesystem handling code to ensure that all case sensitivity scenarios are properly addressed and that the fix prevents unauthorized file access patterns that could be exploited by remote attackers in networked gaming environments.
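The root-cause paragraph and the testing recommendation above can be illustrated with a small added example (constructed here, not code from Battle for Wesnoth). It assumes, as the analysis implies, that the CVE-2015-5069 fix was a case-sensitive deny-list check on the `.pbl` extension; the function and file names are hypothetical.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Hypothetical helper: does `s` end with `suffix`? (byte-wise comparison)
static bool has_suffix(const std::string& s, const std::string& suffix) {
    return s.size() >= suffix.size() &&
           s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Models the incomplete fix: the .pbl deny-list is compared case-sensitively.
// On a case-insensitive filesystem "secret.PBL" opens the same file as
// "secret.pbl" yet passes this check.
bool is_legal_file_case_sensitive(const std::string& path) {
    if (path.find("..") != std::string::npos) return false;  // block traversal
    if (has_suffix(path, ".pbl")) return false;              // bypassed by .PBL
    return true;
}

// Hardened variant: normalise to lowercase before applying the deny-list, so
// the decision no longer depends on the host filesystem's case handling.
bool is_legal_file_case_insensitive(const std::string& path) {
    if (path.find("..") != std::string::npos) return false;
    std::string lowered = path;
    std::transform(lowered.begin(), lowered.end(), lowered.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    if (has_suffix(lowered, ".pbl")) return false;
    return true;
}

// Regression check for the case-sensitivity scenario: every casing of the
// extension must be rejected by the hardened check. Paths are constructed.
bool deny_list_holds_for_all_casings() {
    const std::string variants[] = {"addon/secret.pbl", "addon/secret.PBL",
                                    "addon/secret.Pbl", "addon/secret.pBL"};
    for (const auto& p : variants)
        if (is_legal_file_case_insensitive(p)) return false;
    return true;
}
```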