
Vulnerability Found In Skyrim, Fallout, Other Bethesda Games

Posted by Soulskill
from the beware-meddling-daedra dept.
An anonymous reader writes "The author of this article goes over a format string vulnerability he found in The Elder Scrolls series starting with Morrowind and going all the way up to Skyrim. It's not something that will likely be exploited, but it's interesting that the vulnerability has lasted through a decade of games. 'Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.'"
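The vulnerable pattern the summary describes next to its fix, as an added example (not code from the article or from any Bethesda engine): console_log, report_vulnerable, report_safe and count_directives are hypothetical names, and the input string is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical console logger in the shape the thread describes: a variadic
 * wrapper that hands its fmt argument straight to vsnprintf. */
static void console_log(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, cap, fmt, ap);
    va_end(ap);
}

/* Vulnerable call site: the user's console text IS the format string, so "%08x"
 * in it reads a stack slot and "%n" writes through one. Kept for comparison
 * only; nothing here calls it. (__attribute__((format(printf, 3, 4))) on
 * console_log would make gcc/clang flag this line under -Wformat-security.) */
void report_vulnerable(char *out, size_t cap, const char *user_text)
{
    console_log(out, cap, user_text);
}

/* Hardened call site: the format is a literal and the untrusted text is only
 * consumed by "%s", so its '%' characters are copied, never interpreted. */
static void report_safe(char *out, size_t cap, const char *user_text)
{
    console_log(out, cap, "Error: %s", user_text);
}

/* Detection helper for legacy code: count conversion directives in text that
 * should never be a format string ("%%" is a literal percent and is skipped). */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}

int main(void)
{
    const char *hostile = "%08x.%08x.%08x.%08x.%08x";   /* constructed sample */
    char buf[128];
    report_safe(buf, sizeof buf, hostile);
    printf("safe output: %s (directives in input: %d)\n", buf, count_directives(hostile));
    return 0;
}
```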
  • by loufoque (1400831) on Sunday May 12, 2013 @05:37AM (#43700981)

    Those games crash easily, isn't that proof enough they're full of vulnerabilities that you could exploit to run arbitrary code?
    Now the question is, why does it matter? It's a game, not a production server.

    • by muphin (842524)
      Isn't this what "Trainers" do?
    • by Opportunist (166417) on Sunday May 12, 2013 @06:20AM (#43701107)

      Because a hijacked machine is a hijacked machine. It can be used to send spam, participate in a DOS or mine bitcoins. And given that it's games we're talking, and power hungry games too, it's likely that you get a machine with a very powerful GPU and CPU.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        How would you even exploit this for hijacking? You have to inject malformed strings into a vsprintf() function that's called for console error output. Sure, load the code file, craft a string full of %x and ... call vsprintf() ??? I mean, what do you get this way that you don't by just calling into libc's function directly? And to hack the running game you need to attach as a debugger ... what privileges did your hacking process have again? If you're already at system level, why bother with hacking Skyrim? a

    • Because http://xkcd.com/1200/ [xkcd.com]

      Don't you care about your personal security?

  • by Viol8 (599362) on Sunday May 12, 2013 @05:42AM (#43700997)

    .... who has never used the %n formatter? I'd heard of it but I had to go and google it to find out what it did because I couldn't even remember.

    The only use I can see for it is for figuring out single line formatting lengths after you've printed some string, but that's pushing it a bit since surely any half decent coder would preformat a string before outputting it?

    Are there any "killer app" uses for %n that anyone can think of?

    • by Anonymous Coward

      It's used for sscanf():
      http://stackoverflow.com/questions/353614/are-there-any-practical-applications-for-the-format-n-in-printf-scanf-family

    • by Anonymous Coward

      Pre-formatting strings requires extra memory (an amount which could be significant on the systems C was originally designed for), and the buffer has to be sized for the worst possible case if you only have C89 (snprintf wasn't added until C99).

    • Are there any "killer app" uses for %n that anyone can think of?

      According to the summary, with %n you can write a killer app that kills other apps:

      "Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack."

      • by cbhacking (979169)

        "crashes applications" is the least of what you can do with %n. In fact, heavy misuse of the other format string specifiers is usually enough to crash the program; just keep reading strings (or doubles, or whatever) until you wander into unallocated memory and trigger a Read AV / segfault.

        No, %n is what you do when you want arbitrary code execution in the vulnerable process. Format string vulnerabilities are as serious as buffer overflows, and as stupid (as in, no excuse for having them) as using gets() (whi

    • Re: (Score:3, Informative)

      Actually it's for use further down the road in the same printf string, IIRC. You %n something, then use the value in some later argument, not in a completely different printf. Indeed, the purpose is to keep you from needing multiple printfs when output depends on dynamic calculation of lengths of what went before on the same line.
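Two legitimate uses of %n in the sense the replies above discuss (the sscanf case from the linked Stack Overflow question, and measuring a column within the same formatting call), as an added example that is not from the thread: parse_pairs and format_row are hypothetical names and the sample console line is constructed.

```c
#include <stdio.h>
#include <string.h>

/* %n in sscanf: learn how many characters the match consumed so the parse can
 * advance through "key=value key=value ..." text. The format is a literal, so
 * %n here is under the programmer's control, not the input's. */
int parse_pairs(const char *line, char keys[][16], char vals[][16], int max)
{
    int count = 0;
    while (count < max) {
        int used = 0;   /* stays 0 if the match fails before reaching %n */
        if (sscanf(line, " %15[^= ]=%15s%n", keys[count], vals[count], &used) != 2)
            break;
        line += used;
        count++;
    }
    return count;
}

/* %n in snprintf: record the column where the value starts in the same call
 * that formats the line, which the return value alone cannot tell you.
 * Returns that column, or -1 if the output was truncated. */
int format_row(char *out, size_t cap, const char *label, const char *value)
{
    int col = 0;
    int len = snprintf(out, cap, "%s: %n%s", label, &col, value);
    if (len < 0 || (size_t)len >= cap)
        return -1;
    return col;
}

int main(void)
{
    char keys[4][16], vals[4][16], row[64];
    /* Constructed sample console line, not taken from any real game. */
    int n = parse_pairs("hp=100 name=Dovahkiin mode=god", keys, vals, 4);
    for (int i = 0; i < n; i++)
        printf("%s -> %s\n", keys[i], vals[i]);
    int col = format_row(row, sizeof row, "Level", "42");
    printf("%s\n%*s^^\n", row, col, "");   /* carets mark the value column */
    return 0;
}
```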

  • wtf

  • by Rosco P. Coltrane (209368) on Sunday May 12, 2013 @05:48AM (#43701021)

    stdio functions often lead to stack overflows. News at ten...
    What next? Null pointers are bad, m'kay...?

    • by Dunbal (464142) * on Sunday May 12, 2013 @05:55AM (#43701047)
      Null pointers don't kill programs, it's sloppy programmers who kill programs.
      • by mlookaba (2802163)

        Null pointers don't kill programs, it's sloppy programmers who kill programs.

        There is no legitimate use for null pointer exceptions. We should ban them. Think of the children.

      • Null pointers are great, assuming you actually write tests for code coverage. Otherwise you potentially have many of the typical C bugs lurking, not just null pointer dereference.

        I remember using sentinel structures for a linked list in Pascal, just like it was recommended in my old computer science texts. And I had a bug where I would sometimes return the sentinel and the rest of my program would happily write to it. So instead of a crash, it would silently write data and lose track of it. I don't remember h

      • by Darinbob (1142669)

        Sloppy programmers don't kill programs, curious users who open up the console and type in malformed commands kill programs!

    • by Opportunist (166417) on Sunday May 12, 2013 @06:27AM (#43701131)

      How about putting a structure you allow the user to specify the length of on the stack [offensive-security.com]? Like it was done in the animated cursor in Windows (and of course exploited for an attack).

      And, unlike games, that was in an OS that has been under attack for years when this was exploited.

      Game developers usually don't consider security when they develop. If anything should be a dead giveaway, it's how DRM is implemented. I think we're going to see a lot more exploits targeting games in the future. For very obvious reasons:

      - Tend to run with admin privileges due to DRM
      - Little to no consideration for security during development
      - AAA-titles usually widely spread, leaving a big attack surface
      - Tend to be used with rather powerful machines due to requirements of the graphics engine

      And those are only the reasons that I could come up with without even thinking.

      • Because this can be exploited by changing printf strings, if you can change string tables, rather than running code or even executable files -- string tables are regularly manipulated by design for language translations -- you can get your foot in the door, first for examining and programming stacks.

        • by Darinbob (1142669)

          But you can already examine the stack of these games. They're not closed up tight (well, Skyrim sort of is being a Steam game). Poke around in memory all you want, crash it when you want.

    • What next? Null pointers are bad, m'kay...?

      Well, then there is a recommendation of replacing fopen() with fopen_s() for improved safety [drdobbs.com]. It was previously a Microsoft extension, but now is part of the C11 standard (Annex K).

    • by am 2k (217885)

      stdio functions often lead to stack overflows. News at ten...

      Well, it's interesting insofar that this is a rookie mistake you usually fall into in your first year of programming in C, and never again afterwards. It's amazing that such programmers are working in a very high profile gaming company.

      • by Darinbob (1142669)

        Why amazing? Do high profile gaming companies have a more thorough interviewing process than other high profile companies? Game programmers are not necessarily better skilled than others; in some parts of the gaming developer world the stress levels are very high and it's not at all a glamorous job like the kids imagine.

  • "One thing I am looking forward to is the newest Elder Scrolls game by Bethesda – The Elder Scrolls Online. This online capability might just make remote exploitation of my 0day feasible. Why? If the same vulnerability present in Morrowind (released in 2002) is still present in Skyrim (released in 2012), the odds are in my favor that the same vulnerability will be in the latest game release."
    Odds are, Zenimax, the company actually developing The Elder Scrolls Online, is using a different engine than Skyrim.

    http://www.gameinformer.com/b/features/archive/2012/05/25/why-the-elder-scrolls-online-isn-39-t-using-heroengine.aspx [gameinformer.com]
    "We started ZeniMax Online from scratch [...]. It takes a long time to write game engines, especially MMO engines, which are inherently more complicated than typical single-player ones."
  • If you have access to a machine, you can cause it to crash. What's exactly surprising about this?

  • by wisnoskij (1206448)

    A single player game with extensive mod support is "hackable", colour me surprised.

    How is this not just a bug? How can you hack a program where nothing was put in to prevent anyone from doing pretty much anything they wanted to do with it in the first place?

    • by julesh (229690)

      +1

      It's only a vulnerability if it allows you to do something that you wouldn't normally be able to do. AFAICT, there are no security guarantees involved here that can be violated, so this is not a vulnerability. It's a bug.
