How it might work
How the heck can a save file run arbitrary code? Well, I haven't looked at this vuln in detail, but there's a known class of exploits that affects almost any framework that allows you to deserialize arbitrary classes, like PHP, C#, Java, Ruby, etc etc.
- Find a class that is already loaded in the target process whose deserialization hook does something with its own fields. In .NET the hooks that run during deserialization are the ISerializable constructor, methods marked [OnDeserialized], and IDeserializationCallback.OnDeserialization. Say the HonkBonk class has one.
- If that hook ends up calling a delegate or callback stored in a field, you're wide open. More often you chain several such classes (a "gadget chain") until one of them reaches something like Process.Start.
- There are a lot of .NET framework classes too, so you can abuse those as well as the program's own classes.
- In your malicious save file you put a serialized HonkBonk object with attacker-controlled fields. Delegates are serializable with BinaryFormatter, so a delegate field can point at any method that already exists in the victim process (it can't be a lambda of your own, since that class doesn't exist on the victim).
- Program tries to read the SaveData class from the save file.
- Instead of the SaveData class, the BinaryFormatter sees a HonkBonk type name - it resolves it (it's a known class!), creates it, and reads the fields into it.
- Still inside Deserialize(), before it returns anything to the caller, the HonkBonk deserialization hook runs with your field values.
- Your arbitrary code is executed.
- Only then does the program try to cast the result to SaveData, which fails with a cast exception - by that point the damage is already done. (Garbage collection doesn't come into it: the GC calls finalizers, not Dispose(), and the hook has already fired long before any collection.)
- *HONK*
You can use a SerializationBinder in .NET to stop BinaryFormatter from resolving completely arbitrary type names: the binder is asked for every type in the stream before it is instantiated, so an allowlist that returns only your own save types (and throws for everything else) blocks the gadget before its hooks can run. That is a mitigation, not a fix - Microsoft's guidance is that BinaryFormatter is unsafe by design and should not be used on untrusted input at all (it is disabled by default in newer .NET versions), so the real fix is to move save files to a format like JSON or a schema-based serializer that never instantiates types named by the data.
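The sequence above, as an added example written for this page (not code from any real game or from the original post). The HonkBonk class and its payload are hypothetical stand-ins: the hook only prints a line, to show that it runs inside Deserialize() before the cast ever happens. The second loader adds the SerializationBinder allowlist so the same save file is rejected before HonkBonk is constructed. It targets .NET Framework or .NET Core 3.1 where BinaryFormatter still works unmodified.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// The type the game actually expects to find in a save file.
[Serializable]
public class SaveData
{
    public string PlayerName = "alice";
    public int Level = 3;
}

// Hypothetical stand-in for a class already loaded in the process whose
// deserialization hook does work. A real gadget would be a framework or game
// class; this one only prints so the ordering is visible.
[Serializable]
public class HonkBonk
{
    public string Payload = "HONK";

    // Runs inside BinaryFormatter.Deserialize(), before the caller can cast.
    [OnDeserialized]
    private void OnDeserialized(StreamingContext context)
    {
        Console.WriteLine($"HonkBonk hook ran during deserialization: {Payload}");
    }
}

// Allowlist binder: only SaveData may be resolved; everything else is refused
// before BinaryFormatter instantiates it, so no hook on it can run.
public sealed class SaveDataOnlyBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(SaveData).FullName)
            return typeof(SaveData);
        throw new SerializationException($"Refusing to deserialize type '{typeName}'");
    }
}

public static class SaveLoader
{
    // Vulnerable loader: instantiates whatever type name the stream carries.
    public static SaveData LoadUnsafe(byte[] saveFile)
    {
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(saveFile);
        return (SaveData)formatter.Deserialize(stream); // hooks already fired; cast fails afterwards
    }

    // Hardened loader: same call, but the binder rejects unknown types first.
    public static SaveData LoadChecked(byte[] saveFile)
    {
        var formatter = new BinaryFormatter { Binder = new SaveDataOnlyBinder() };
        using var stream = new MemoryStream(saveFile);
        return (SaveData)formatter.Deserialize(stream);
    }

    // Constructed "malicious" save: a serialized HonkBonk where SaveData is expected.
    public static byte[] MakeHonkSave()
    {
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream();
        formatter.Serialize(stream, new HonkBonk());
        return stream.ToArray();
    }

    public static void Main()
    {
        byte[] honk = MakeHonkSave();

        try { LoadUnsafe(honk); }
        catch (InvalidCastException)
        {
            Console.WriteLine("unsafe loader: hook ran, then the cast to SaveData failed");
        }

        try { LoadChecked(honk); }
        catch (SerializationException e)
        {
            Console.WriteLine($"checked loader: {e.Message}");
        }
    }
}
```

Run it and the unsafe loader prints the HonkBonk line first and the cast error second, which is the whole point: the cast exception is not a defence. The checked loader never prints the HonkBonk line. If your save type has fields of other class types, the binder is consulted for each of those too, so the allowlist has to name every type that legitimately appears in the graph.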