CVE-2024-41799 in tgstation-serverinfo

Summary

by MITRE • 07/29/2024

tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means. A server configured to execute in BYOND's trusted security level (requiring a third separate, isolated privilege OR being set by another user) could lead to this escalating into remote code execution via BYOND's shell() proc. The ability to execute this kind of attack is a known side effect of having privileged TGS users, but normally requires multiple privileges with known weaknesses. This vector is not intentional as it does not require control over the where deployment code is sourced from and _may_ not require remote write access to an instance's `Configuration` directory. This problem is fixed in versions 6.8.0 and above.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 08/19/2025

The vulnerability described in CVE-2024-41799 affects tgstation-server, a production-scale tool designed for managing BYOND servers, which is widely used in the gaming industry for hosting multiplayer games built with the BYOND development environment. This vulnerability represents a significant security flaw that allows low-privilege users to escalate their access through a carefully orchestrated attack chain involving the manipulation of .dme files, which are the source code files used by BYOND applications. The issue exists in versions prior to 6.8.0, making a substantial portion of deployments potentially vulnerable to exploitation.

The technical flaw stems from insufficient validation of .dme file paths when users possess the "Set .dme Path" privilege, which is typically granted to users with limited permissions. This weakness allows attackers to point the system toward malicious .dme files that already exist on the host machine, bypassing normal security boundaries that would normally prevent such access. The vulnerability becomes particularly dangerous when combined with the ability to upload these files through separate privilege mechanisms or other means, creating a multi-vector attack approach. The core issue lies in the improper handling of file paths and the lack of adequate sandboxing controls that would normally prevent a user from accessing arbitrary files on the host system.

The operational impact of this vulnerability extends far beyond simple privilege escalation, as it can potentially lead to full remote code execution when the server is configured to operate in BYOND's trusted security level. This trusted mode, which requires either a third separate privilege or being set by another user, enables the execution of the dangerous shell() proc within BYOND applications. The attack vector is particularly concerning because it does not require control over where deployment code is sourced from, nor does it necessarily require remote write access to the instance's Configuration directory. This means that even with limited initial access, an attacker can potentially gain complete control over the affected server, making this a critical vulnerability for any organization relying on tgstation-server for their BYOND game hosting operations.

This vulnerability aligns with several CWE categories including CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-78 (Improper Neutralization of Special Elements used in OS Commands), and CWE-269 (Improper Privilege Management). From an ATT&CK framework perspective, this vulnerability maps to T1078 (Valid Accounts), T1548.001 (Abuse Elevation Control Mechanism), and T1059 (Command and Scripting Interpreter), representing a sophisticated attack chain that combines privilege escalation with remote code execution capabilities. The fix implemented in versions 6.8.0 and above addresses these issues through enhanced path validation, stricter privilege controls, and improved sandboxing mechanisms that prevent users from accessing arbitrary files on the host system. Organizations should immediately update to the patched versions and review their privilege assignments to minimize the risk of exploitation, particularly in environments where multiple users have access to the tgstation-server management interface.

Responsible

GitHub M

Reservation

07/22/2024

Disclosure

07/29/2024

Moderation

accepted

CPE

ready

EPSS

0.01210

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!