Forgot your password?
typodupeerror
Security Windows Games IT

Critical Vulnerabilities In Call of Duty: Modern Warfare 3, CryEngine 3 77

Posted by Soulskill
from the can't-even-trust-games-anymore dept.
hypnosec writes with news that two security consultants have found vulnerabilities in Call of Duty: Modern Warfare 3 and the CryEngine 3 graphics engine that could harm game makers and players alike. Presenting at the Power of Community (POC2012) security conference, the researchers demonstrated how a denial-of-service attack could affect Modern Warfare 3, and how a server-level attack on CryEngine 3 allowed them to "create a remote shell on a game-player's computer." "'Once you get access to the server, which is basically the interface with the company, you can get access to all of the information on the players through the server,' Ferrante said. In general, game companies don't seem to be very focused on security but rather on performance of the game itself, Ferrante said. Adding security checks can slow down games, and if the companies don't deem the problem a very critical issue, it will usually be ignored. 'These are games that have a very large market,' Auriemma said."
This discussion has been archived. No new comments can be posted.

Critical Vulnerabilities In Call of Duty: Modern Warfare 3, CryEngine 3

Comments Filter:
  • Well duh (Score:4, Insightful)

    by neo8750 (566137) <zepskiNO@SPAMzepski.net> on Saturday November 10, 2012 @08:01PM (#41946365) Homepage

    Ferrante said. In general, game companies don't seem to be very focused on security but rather on performance of the game itself, Ferrante said. Adding security checks can slow down games, and if the companies don't deem the problem a very critical issue, it will usually be ignored.

    Well of course they care only about performance Its all their user base really cares about.

    • by tuppe666 (904118) on Saturday November 10, 2012 @08:21PM (#41946491)

      Well of course they care only about performance Its all their user base really cares about.

      To be fair...nobody is interested in security until things go wrong, they will and they do. Then its look for a scapegoat, and the solution is to remove rights and privacy of the individual for the illusion protection, throw in a few laws, that only affect the law abiding and decent. Then we live in fear.

      ...If I looks like I could be talking about anything...I am; The strategies are the same for everything.

    • This is pretty common. Source engine can also be DoSed very easily with corrupt packets. It's one of the reasons I stopped playing Left 4 Dead --- some people can't just lose, they need to be losers.
  • Oh no! (Score:1, Funny)

    If there only was a way to remedy this problem, a "patch" if you will.
    • Re:Oh no! (Score:5, Insightful)

      by PlusFiveTroll (754249) on Saturday November 10, 2012 @08:15PM (#41946437) Homepage

      Yep, and that patch will clean up your computer after hackers take over the server and run a remote shell on your computer and pilfer any information their botnet can find. Thank god we don't have to write secure software any more since we can patch it any time we need to before the hackers actually run exploits.

    • Re:Oh no! (Score:5, Funny)

      by sjwt (161428) on Saturday November 10, 2012 @11:59PM (#41947425)

      Are you kidding? Why patch it.. is a feature, after all the future of modern warfare is cyber warfare! Users are now getting extra content for free,they should be thankful they aren't charged for a DLC pack that they are already using!

  • The game makes can install arbitrary code on the user's computer anyways by way of updates. (Anybody remember Sony's root-kit?). A remote shell is therefore trivial to implement.

    • The importance of the remote shell is not that "if you can get arbitrary code execution, you can get a remote shell" (this is pretty much a tautology). The importance is that it demonstrates the possibility of arbitrary code execution at all. A lot of security vulnerabilities are difficult to actually exploit. In most cases, the best that an attacker will ever achieve is denial of service ( a crash, or forced disconnect, or using up all the RAM so the game runs too slowly, or soemthing like that).

      Contrary to what the movies would have you believe, actual exploits are (especially in a modern environment full of vulnerability mitigations) very difficult to produce in most cases. Many security researchers don't even bother with that step; it's enough to find the vulnerability and flag it "probably exploitable".

      • Contrary to what the movies would have you believe, actual exploits are (especially in a modern environment full of vulnerability mitigations) very difficult to produce in most cases. Many security researchers don't even bother with that step; it's enough to find the vulnerability and flag it "probably exploitable".

        On another hand, unpatched, unresolved, unfixed security issues will attract hackers until they find a way to exploit them. So, no need to find an easy exploitable scenario to flag them as probably exploitable. Why someone should sit and wait it becomes exploitable to fix it? It's a kind of security through obscurity you are talking about. I'm sorry, but this must be secure by design.

        • by cbhacking (979169)

          What do you mean, I'm talking about security through obscurity? That makes nothing resembling sense. I certainly didn't suggest that the vuln shouldn't be reported if the researcher doesn't develop an exploit, nor that the developer shouldn't fix it. Some devs won't take a vuln seriously without a PoC, it's true, but that's a failure on their part, not on the researcher's. Some developers don't take security seriously regardless.

          I also don't understand why you seem to think that flagging a vuln as probably

      • by gweihir (88907)

        The attack stipulates the server-side is compromised. Updates come from the server-side. This is not a remote code execution, this is a compromised update server scenario, no need for any exploit at all.There is not much that can be done on client side to defend.

        • by cbhacking (979169)

          Good point on the distinction between server and client side, and the fact that a meaningful cliam is actually being made here (two, really: first that it's possible to get arbitrary code execution on the server, second that it's possible to leverage that into arbitrary code execution on the client).

          However, I don't quite buy your argument about updates. The update server is not usually the game server. Compromising a game server doesn't (in theory) let you send an update to the client, much less force them

    • That's an oversimplification. If the patches are signed and the update system verifies the signatures using well tested libraries, it's probably much harder to attack it that way instead of using any of the other "data entry points", even if that data isn't supposed to contain code.

      • by gweihir (88907)

        I agree, but only if the signature keys are off-line and well protected. This rarely seems to be the case though.

  • by sandytaru (1158959) on Saturday November 10, 2012 @08:32PM (#41946557) Journal
    I have to do triple double or level security passes, including a one time security token, to get into quite a few MMOs. They had to; many RMT organizations made a profit hacking and looting accounts by using keyloggers to obtain passwords.
  • Wouldn't the rest of the series down to the original COD also be affected?
    • by Black LED (1957016) on Saturday November 10, 2012 @09:30PM (#41946825)
      They pretty much are. Some of these exploits have existed since the original id Tech 3 engine, from which Modern Warfare 3's engine is originally based. I've been using Luigi's proof of concept tools to do testing on old id Tech 3 engine games that I used to host servers on for years. With his advice I was able to work around certain problems, but not all of them.

      I am not sure how bad the vulnerabilities have become, but back then it was generally buffer overflow exploits that allowed player clients to be crashed, servers to be crashed or even the master server to be crashed. There weren't any exploits that I would consider critical, but they were highly annoying.
  • ... by you know having LAN and private servers again so hacks don't take down the community. Security wouldn't be an issue for Diablo 3 if you could play the fucking game offline. But corporate greed and the dumb masses that feed the move to "online only" games this will become more frequent.

    • by cbhacking (979169)

      Security would absolutely still be an issue. The scope of an attack might be lower, but the actual threat of compromise would still exit unless they removed the multiplayer funcationity (clients and servers) entirely.

      • by blahplusplus (757119) on Saturday November 10, 2012 @09:47PM (#41946899)

        Well yes but THINK about having millions of people playing a SINGLE PLAYER GAME ONLINE, that means huge swaths of computers wouldn't have open ports/be communicating with servers at all if not for 'online drm'. Diablo 3 being a case in point, all these security issues are caused by gaming corporations wanting absolute control over everyone and everything in gaming.

        The point is the whole centralization and DRM make security issues much bigger since companies tend to want control and as much information as possible about users and are careless with data. All that could be avoided if the multiplayer aspects of videogames didn't require being chained to online and all sorts of needing accounts, user info and other nonsense.

        In Quake 3 you didn't need to sign up anywhere to play the damn game and you never had to give out emails or information to anybody. Not only that requiring users to be online when they play single player just creates a huge attack surface.

    • by ildon (413912)

      Security wouldn't be an issue for Diablo 3 if you could play the fucking game offline.

      False. If you could play Diablo 3 offline and on LAN, there would still be a significant portion of the population that would want to play it on the battle.net servers. Just like Diablo 2. And those people would still need to have these security concerns addressed.

  • by Tr3vin (1220548) on Saturday November 10, 2012 @08:46PM (#41946617)
    On Tuesday the patch for MW3 will be released. Some know it as Black Ops II but it will practically ensure that nobody is left playing MW3.
    • by Anonymous Coward on Saturday November 10, 2012 @09:19PM (#41946783)

      MW3. My mind will always translates as Mech Warrior.

      • by Anonymous Coward

        Funny, my mind will always translate it as Moraff's World.

        • by gl4ss (559668)

          Funny, my mind will always translate it as Moraff's World.

          damn man.. I had forgotten about Moraffs games totally. was moraffs world any good?

      • MW3. My mind will always translates as Mech Warrior.

        Same here!

      • by ildon (413912)

        Every time I see someone refer to Assassin's Creed 3 as "AC3" I read "Asheron's Call 3" in my head.

  • The common will always serve the main. Please continue to serve up your shiny hardware for use, as if you even had a clue to what it means to open up ports to arbitrary root level apps. Bitches.
  • Anyone know if the Dunia [wikipedia.org] codebase forked from CryEngine before or after this vulnerability was introduced? I'd really like to enjoy some FarCry 3 during my year end holiday but I'd prefer not to get hacked.
  • HA! This is yet another piece of proof that consoles are better! NAH NAH :-)~ :) Go ahead, hack my console. Whatyagonnado? Jack up my Skyrim campaign. *Feigned Horror Scary Face* :O
  • It's so quaint they think anyone cares.

  • You will have to pay our software or you will get all of your computers cracked to the bones. We made sure that a hole was there for that matters. After all if a customer's computer gets penetrated, that's ... collateral damage. Besides you all accepted no guarantees when you purchased and you are the only ones who are going to suffer the consequences of our actions. So who cares :). The MW3 Staff
  • Vulnerable to hacks indeed. WELL... if these Call of Duty Black Ops server thingies have become a problem, a way to hurt people I say maybe we should call it a day and just shut them down.

    'Cause we don't want to hurt people now do we.

    Do we??

  • Hello!! Fashion,low price,the good shopping places, Cheap wholesale and retail Gucci/Shoes $45, ( Discount UGG/Boots ) LV Shoes $46, DG Shoes $46, BURBERRY Shoes $46, LACOSTE Shoes $46, Women Boots $55, handbags(Coach lv fendi d&g/Gucci) $39, Sunglasses(Oakey,coach/Gucci,Armaini) $25, free shipping and quantity discount, Accept credit card and PAYPAL ==== http://www.cbssbase.com/ [cbssbase.com] ==== ==== http://www.cbssbase.com/ [cbssbase.com] ====

Memory fault -- brain fried

Working...