Vulnerability Found In Skyrim, Fallout, Other Bethesda Games
An anonymous reader writes "The author of this article goes over a format string vulnerability he found in The Elder Scrolls series starting with Morrowind and going all the way up to Skyrim. It's not something that will likely be exploited, but it's interesting that the vulnerability has lasted through a decade of games. 'Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.'"
Those games crash easily (Score:5, Insightful)
Those games crash easily, isn't that proof enough they're full of vulnerabilities that you could exploit to run arbitrary code?
Now the question is, why does it matter? It's a game, not a production server.
Re:Those games crash easily (Score:5, Insightful)
Because a hijacked machine is a hijacked machine. It can be used to send spam, participate in a DOS or mine bitcoins. And given that it's games we're talking, and power hungry games too, it's likely that you get a machine with a very powerful GPU and CPU.
Re: (Score:3, Insightful)
How would you even exploit this for hijacking? You have to inject malformed strings into a vsprintf() function that's called for console error output. Sure, load the code file, craft a string full of %x and ... call vsprintf() ??? I mean, what do you get this way that you don't by just calling into libc's function directly? And to hack the running game you need to attach as a debugger ... what privileges did your hacking process have again? If you're already at system level why bother with hacking Skyrim? a
Re:Those games crash easily (Score:4, Informative)
I love it how you include "mine bitcoins" in your list of online criminal activities.
Because botnets have been observed in the wild mining bitcoins. That is something we know they are used for.
Re: (Score:2)
Because http://xkcd.com/1200/ [xkcd.com]
Don't you care about your personal security?
Am I the only professional C/C++ coder ... (Score:3)
.... who has never used the %n formatter? I'd heard of it but I had to go and google it to find out what it did because I couldn't even remember.
The only use I can see for it is for figuring out single line formatting lengths after you've printed some string but that's pushing it a bit since surely any half decent coder would preformat a string before outputting it?
Are there any "killer app" uses for %n that anyone can think of?
Re: (Score:1)
It's used for sscanf():
http://stackoverflow.com/questions/353614/are-there-any-practical-applications-for-the-format-n-in-printf-scanf-family
Re: (Score:1)
Pre-formatting strings requires extra memory (an amount which could be significant on the systems C was originally designed for), and the buffer has to be sized for the worst possible case if you only have C89 (snprintf wasn't added until C99).
Re: (Score:3)
Are there any "killer app" uses for %n that anyone can think of?
According to the summary, with %n you can write a killer app that kills other apps:
"Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack."
Re: (Score:2)
"crashes applications" is the least of what you can do with %n. In fact, heavy misuse of the other format string specifiers is usually enough to crash the program; just keep reading strings (or doubles, or whatever) until you wander into unallocated memory and trigger a Read AV / segfault.
No, %n is what you do when you want arbitrary code execution in the vulnerable process. Format string vulnerabilities are as serious as buffer overflows, and as stupid (as in, no excuse for having them) as using gets() (whi
Re: (Score:3, Informative)
Actually it's for use further down the road in the same printf string, IIRC. You %n something, then use the value in some later argument, not in a completely different printf. Indeed, the purpose is to keep you from needing multiple printfs when output depends on dynamic calculation of lengths of what went before on the same line.
Re: (Score:2, Insightful)
Says a whiny C# "programmer"
Re:Am I the only professional C/C++ coder ... (Score:5, Informative)
Some of us C# programmers started life as C programmers, became C++ programmers at some point, and have now ended up as C# ones. You go where the money is; that's what being a professional is: doing something for money.
Re: (Score:1)
I prefer the terms "code whore" or "prostitute programmer", thankyouverymuch.
Re: (Score:2)
the rest are just people who think they are c++ programmers
That's enough for many jobs.
Re: (Score:1)
I'm a professional C coder, I have professionally done C++ as well. And I have news for you. Not everything is a webpage, and most of the platform software you work in was written in either C or in C++, and guess what, it typically isn't that buggy. Maybe it's a surprise to you, but at some level you actually have to program at a level below the virtual machine, and if you're say, interacting directly with hardware, then all your trendy high level languages go right out the window, and C/C++, the work ho
Re: (Score:2)
Not sure about C++, but most of the decent C programmers I know don't consider themselves "C programmers." They're "programmers." I've heard with some of the new fangled languages you only learn one.
Re: (Score:2)
I'm a C Programmer. It's the only language where I'm paid to program.
Re: (Score:1)
or in bourne shell, any value of LANGUAGE
Re: (Score:2)
My current project is in C++ and I still find myself missing printf/sprintf. iostream operations are a bit more work to get the same stuff done. So far I haven't run into an instance where I've H
Re: Am I the only professional C/C++ coder ... (Score:5, Interesting)
The reason C++ does not implement format strings is that C libraries work just fine in it.
There are no prizes for most pure usage of <iostream> or any rule saying C++ programmers must use it at all, it is simply a nifty library that exists that you may use when it suits you. If the code you're writing will be simpler, faster and or more comprehensible to later maintainers if you use <cstdio>, then you should use it. If it can be written better with <iostream> then use that.
If you get a chance to do some hardcore IO in C++, you will find two functions at the core of your code: select (or epoll on Linux) and mmap. Neither are in either of those two headers and both work on integer file descriptors, rather than FILE or ostream/istream objects. They are about as un-c++ as you can get, they are kernel syscalls, but you can build some truly excellent C++ around them which looks simple, does a lot and runs more efficiently than <fstream> allows.
C++ is not about purity, Bjarne Stroustrup designed it to allow multiple unrelated paradigms to be used together to allow programmers maximum efficiency and flexibility to write great code, it was never meant to be deconstructivist. Good C++ is not just knowing when to pass by reference, what to declare const, which members to make pure virtual, which STL type to use, which functions and classes should be templates and which shouldn't, etc. Good C++ is also knowing when to use stringstream and when to use strnprintf. And good friend malloc is still there, believe it or not, great C++ programmers know how to use it well in C++ too.
Re: (Score:1)
... inclusive of multiple products you (all) definitely use ranging from OSs to processors and the stuff that powers your cities, etc.
Should this be "we" definitely use, and that powers "our" cities? Or the more exciting possibility, that you exist outside the framework of normal life?
bfd (Score:1)
wtf
Wow, some discovery (Score:5, Insightful)
stdio functions often lead to stack overflows. News at ten...
What next? Null pointers are bad, m'kay...?
Re: (Score:1)
Null pointers don't kill programs, it's sloppy programmers who kill programs.
There is no legitimate use for null pointer exceptions. We should ban them. Think of the children.
We've all been sloppy programmers (Score:2)
Null pointers are great, assuming you actually write tests for code coverage. Otherwise you potentially have many of the typical C bugs lurking, not just null pointer dereference.
I remember using sentinel structures for a linked list in Pascal, just like it was recommended in my old computer science texts. And I had a bug where I would sometimes return the sentinel and the rest of my program would happily write to it. So instead of a crash, it would silently write data and lose track of it. I don't remember h
Re: (Score:2)
Sloppy programmers don't kill programs, curious users who open up the console and type in malformed commands kill programs!
Re: (Score:2, Insightful)
But you've got to admit, null pointers do make it a hell of a lot easier to find the bug. Dangling and uninitialized pointers, those are the dangerous ones.
Re: (Score:1)
I write watchdog routines to kill my programs using null pointers, in case of misbehavior. My latest creation,
*(char **)0 = "description of an error condition";
This causes the prog to dump a core, letting me analyze the stack and find deadlocks, etc.
Re: (Score:2)
Have you considered using abort()? It should send your process a SIGABRT, which unless you've configured it otherwise will generate a core dump, and is rather more readable to other programmers.
Re:Wow, some discovery (Score:5, Insightful)
How about putting a structure you allow the user to specify the length of on the stack [offensive-security.com]? Like it was done in the animated cursor in Windows (and of course exploited for an attack).
And, unlike games, that was in an OS that has been under attack for years when this was exploited.
Game developers usually don't consider security when they develop. If anything should be a dead giveaway, it's how DRM is implemented. I think we're going to see a lot more exploits targeting games in the future. For very obvious reasons:
- Tend to run with admin privileges due to DRM
- Little to no consideration for security during development
- AAA-titles usually widely spread, leaving a big attack surface
- Tend to be used with rather powerful machines due to requirements of the graphics engine
And those are only the reasons that I could come up with without even thinking.
Re: (Score:1)
Because this can be exploited by changing printf strings, if you can change string tables, rather than running code or even executable files -- string tables are regularly manipulated by design for language translations -- you can get your foot in the door, first for examining and programming stacks.
Re: (Score:2)
But you can already examine the stack of these games. They're not closed up tight (well, Skyrim sort of is being a Steam game). Poke around in memory all you want, crash it when you want.
Re: (Score:2)
What next? Null pointers are bad, m'kay...?
Well, then there is a recommendation of replacing fopen() with fopen_s() for improved safety [drdobbs.com]. It was previously a Microsoft extension, but now is part of the C11 standard (Annex K).
Re: (Score:2)
stdio functions often lead to stack overflows. News at ten...
Well, it's interesting insofar that this is a rookie mistake you usually fall into in your first year of programming in C, and never again afterwards. It's amazing that such programmers are working in a very high profile gaming company.
Re: (Score:2)
Why amazing? High profile gaming companies do more thorough process of interviewing than other high profile companies? Game programmers are not necessarily better skilled than others, in some parts of the gaming developer world the stress levels are very high and it's not at all a glamorous job like the kids imagine.
Elder Scrolls online is not coded by Bethesda (Score:3)
Odds are, Zenimax, the company actually developing The Elder Scrolls Online, is using a different engine than Skyrim.
http://www.gameinformer.com/b/features/archive/2012/05/25/why-the-elder-scrolls-online-isn-39-t-using-heroengine.aspx [gameinformer.com]
"We started ZeniMax Online from scratch [...]. It takes a long time to write game engines, especially MMO engines, which are inherently more complicated than typical single-player ones."
Re: (Score:2)
TESO is slated to be using the HeroEngine (the same one that powers TOR) and not the infamous (and crash happy) GameBryo engine that Bethesda used for so long.
Re:Elder Scrolls online is not coded by Bethesda (Score:4, Informative)
"We started ZeniMax Online from scratch, with no employees and no technology. We had to build everything ourselves. It takes a long time to write game engines, especially MMO engines, which are inherently more complicated than typical single-player ones. So, we decided to license the HeroEngine to give us a headstart. It was a useful tool for us to use to prototype areas and game design concepts, and it provided us the ability to get art into the game that was visible, so we could work on the game’s art style."
http://www.gameinformer.com/b/features/archive/2012/05/25/why-the-elder-scrolls-online-isn-39-t-using-heroengine.aspx [gameinformer.com]
Or as the title of the article says: "Why The Elder Scrolls Online Isn't Using HeroEngine"
Not really a vulnerability (Score:2)
If you have access to a machine, you can cause it to crash. What's exactly surprising about this?
SO (Score:2)
A single player game with extensive mod support is "hackable", colour me surprised.
How is this not just a bug? How can you hack a program where nothing was put in to prevent anyone from doing pretty much anything they wanted to do with it in the first place?
Re: (Score:2)
+1
It's only a vulnerability if it allows you to do something that you wouldn't normally be able to do. AFAICT, there are no security guarantees involved here that can be violated, so this is not a vulnerability. It's a bug.
Re:Whats the purpose of this (Score:5, Informative)
getting hits. no other purpose.
"So far, the only feasible way to exploit the game I’ve come up with is by some sort of hand crafted mod or plugin for the game as that would have access to the scripting console on which the vulnerabilities lie. That said, it would be difficult to exploit in the wild also due in part to the video games having no network capability."
don't mods or plugins already get to pretty much do whatever they want? that is, I wasn't under the impression that they're in some security sandbox.
Re: (Score:2)
Well, considering how games tend to run with admin privileges on Windows because of DRM, I could well see some attack vector here.
I don't remember these games requiring that.
but my point was that you've already pretty much accepted the risk when using a mod - a mod that has potentially whatever code in it.
Modded to +5 Informative because (Score:5, Informative)
It knocks both DRM and Windows in one sentence. Which is popular on slashdot.
Facts don't matter, accuracy doesn't matter. Comments can be outright lies (like this one) and still achieve the highest ranking as *informative* just because it plays to a popular myth.
No, games are *not* run with admin rights. No they do *not* need to run with admin privileges, not even to use DRM. Especially not the online DRM variety that steam uses.
Re: (Score:1, Informative)
These games require Steam as DRM. Steam very often asks for admin privileges when starting games. With some games it's only once. With others it's every single time you start the game. It's really annoying. Plus, Steam has a background process with admin rights running. No idea how much access games have there but it's there. DRM is definitely an added security risk.
Re:Whats the purpose of this (Score:5, Insightful)
Steam only asks for admin when performing installation steps, as installers often require admin privileges. And this is stuff like DirectX, C++ runtimes, etc so it's understandable since that stuff goes into system32.
The game itself is not run as admin.
Re: (Score:1)
If a game needs admin rights, it's either malware/spyware or it's poorly programmed. There is absolutely no reason a game or any non-system maintenance application should need admin. If you do have games that require it and it's not stated on the box or the download page, then I'd demand a refund.
Re: (Score:2)
i have several games on steam that require admin rights to run
Why do you continue to play them?
Also, please name them so people can know what to avoid.
Seriously, this is shit that should have died last century.
--
BMO
Re:Whats the purpose of this (Score:5, Insightful)
i have several games on steam that require admin rights to run
Why do you continue to play them?
Also, please name them so people can know what to avoid.
Seriously, this is shit that should have died last century.
--
BMO
He can't name them, because he's spouting BS, like most Steam-hating trolls. They're just angry that VAC noticed them being stupid hacking trolls.
Re: (Score:3)
I do have to run UT2004 as admin in order for LAN play to work. I'm not sure why. There's probably another way, that doesn't involve blanket admin access, but "run as admin" is easier.
Runs perfectly fine singleplayer without admin rights, though. And it's hardly a "recent" game (and it's not even the Steam version - CD from the Unreal Anthology). I've never encountered a game that requires admin rights just to run.
Re:Whats the purpose of this (Score:4, Informative)
Some games do in fact request Administrator rights when run from Steam on every launch. Typically, this is a consequence of a bugged launch condition check that fails to accurately detect that needed libraries are often installed; choosing not to authenticate will still allow those games to run properly, and workarounds exist to eliminate the incorrect detection entirely.
Re: Whats the purpose of this (Score:1)
I think maybe Rome total war? I can't recall personally, but older games that write config into their folder is my assumption of the cause. Though windows handles that somehow now, so maybe not.
The app that most surprises me is super requiring it.
Re: (Score:2)
I regularly run Rome TW on Win7 as an admin-enabled user but without elevating it via UAC and it works just fine.
Re: (Score:1, Insightful)
As much as I'd love to not use bloated junk like Steam, it's just no longer an option. Almost all newly released big games require Steam/Origin/Uplay. Even more and more indie games are exclusively released on Steam. Unfortunately they have a near-monopoly on the PC.
Re: (Score:3, Informative)
gog.com [gog.com]
Re: (Score:2)
All applications use zero resources when they're not running. Why does Steam run constantly?
Re: (Score:2)
So you have some new storage technology that doesn't require resources, what's the price per GiB for that one?
And what is this constantly running thing? I have Steam installed on my box but:
fultra@ubuntu:~$ sudo ps ax | grep -i steam
9003 pts/0 S+ 0:00 grep --color=auto -i steam
fultra@ubuntu:~$
Or do you mean that it runs when you ask it to by double clicking it and then quits completely when you click in File->Exit?
Re: Whats the purpose of this (Score:4, Informative)
What spying?
Seriously, what do they spy on? There's the hardware survey, which is anonymous, and at least as I recall, opt-in. There's "recording amount of time in games", which a) isn't particularly useful information, b) isn't particularly accurate, and c) can be routed around via offline mode if it really bugs you.
Compared to even the spying Firefox does (if you opt in), that's really not much.
Re: (Score:2)
Right now, Steam is using 5.5MB of RAM, sitting between "Bluetooth tray" and SSHFS. DWM is using 29MB, Explorer 38MB, and Firefox 335MB (five tabs). Opening a Steam window brings it up to 23MB, still an absolutely tiny amount. Even when doing multiple simultaneous downloads, I've never seen it go over 200MB of RAM.
As for disk space, my Steam folder is currently 346GB. However, 345GB of that is the steamapps folder, which contains all game data. Everything else - executable, graphics, crash dumps, resources,
Re: (Score:2)
As much as I'd love to not use bloated junk like Steam...
Really? In any case, I suppose, secure institutions don't as a rule allow random software installations, especially games, so, unless you want to p0wn your friend's pc, we're probably ok here.
Re: (Score:2, Insightful)
Certainly. But that's just the tip of the iceberg.
Not every game allows modding, but a lot of them make very interesting attack vectors. Imagine WoW having an exploitable angle. Aside from the obvious target (getting access to the WoW account and stripping it), what do you think would happen if there was a way to infect machines running WoW by, say, slipping an infected version of a popular mod into one of the download areas?
And then we're really talking about some serious attack surface. Skyrim is a fairly
Re: (Score:1)
Not every game allows modding, but a lot of them make very interesting attack vectors. Imagine WoW having an exploitable angle. Aside from the obvious target (getting access to the WoW account and stripping it), what do you think would happen if there was a way to infect machines running WoW by, say, slipping an infected version of a popular mod into one of the download areas?
There almost is, actually. Look up what "Warden" is. The game server sends a binary blob to the client which is then loaded into the game and can communicate with the server to check for cheats.
If the modules weren't encrypted with Blizzard's private key then anyone who plays on a private server could potentially get owned. If you want to run a private server and take advantage of the system, you need to use Blizzard's modules in their already-encrypted form because it isn't possible to sign your own module
Re: (Score:2)
what do you think would happen if there was a way to infect machines running WoW by, say, slipping an infected version of a popular mod into one of the download areas?
Seriously - do you think people download and install WoW mods who wouldn't run executable code from the same source? For all I know, WoW mods *are* executable code... I know they're (usually) written in LUA, which I believe is a general purpose language, and I've no idea whether there's any kind of sandbox involved. And I've never installed one, but I'm going to guess they're at least sometimes distributed either as .exe files or as .msi files, both of which are executable or can trivially contain executa
Re: (Score:3, Insightful)
Every time something many people understand in the summary isn't explained, people complain.
Every time something many people understand in the summary is explained, people complain.
Re: (Score:2)
I don't recall seeing people complain when a summary is explicit about something, only when it is not explicit.
Readers are trained to skim over information with which they are familiar. It comes from years of textbook use. It's much more frustrating when an important bit of information is left out.
Re: (Score:2)
I don't recall seeing people complain when a summary is explicit about something, only when it is not explicit.
Read the subthread with anon comments. You'll find that GP is a response to someone complaining about an explanation of the function in the summary.
Re: (Score:2)
*"The Fucking Article"
Re: (Score:2)
One of those writes to stdout and one of them writes to a string, they're not really interchangeable if your aim is to display something on screen...
I think you're getting confused with the fact that using ?sprintf(), ?scanf(), etc. is discouraged in favour of using their ?sn* counterparts, due to buffer overrun possibilities, but I could be wrong. Calling printf() with an un-sanitized user supplied format string is also discouraged, because it may contain a %.
printf() is just a wrapper for vfprintf() with
Re:Did we really need (Score:4, Informative)
I don't usually say this, but FTFY. There are only three limits on the security impact of a program that passes a user-supplied format string to a .*[print|scan]f function:
1) What privileges the program runs as. If it's not sandboxed, it can probably run rampant over your user profile. If it runs as Admin/root, that's seriously bad news.
2) What privileges are required to specify that format string. If it can only be done by a local user, and the program only runs as local user, you're mostly OK (and that's the case here). If the source of the format string is external, such as a message from another user in a game, you're in serious trouble.
3) Exploit mitigations in use. The MS Visual C/C++ runtime (MSVCRT.DLL) disables the %n format specifier by default, because using %n and a reasonably long format string, you can write pretty much arbitrary values into memory (one unaligned byte at a time). DEP and ASLR help, but due to the way that printf can be used to extract pointers as well as use them, it can be used to leak info needed for bypassing ASLR.
Format string vulns are a serious threat. Fortunately, they're also dead trivial to avoid: DON'T EVER PROVIDE A USER-CONTROLLED FORMAT STRING. If for some reason it is ever absolutely necessary to do this (I can't think of a single situation fitting this bill; anybody care to fill me in?) you can ensure the string has no un-escaped % characters, but that's a terrible way to go about it.
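As an added example (not code from the article, the games, or any commenter), here are the two call shapes the summary and the comment above contrast: console text used as the format argument versus passed as data behind a literal "%s", plus an audit helper that counts the un-escaped % directives the comment mentions and flags %n. The console logger, function names and sample strings are constructed for illustration.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example; not code from the article or from any game engine.
 * Shows the bug class from the thread: console/error text that reaches
 * the format parameter of a printf-family call, and the one-line fix. */

#if defined(__GNUC__)
#  define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#  define PRINTF_LIKE(f, a)
#endif

/* Constructed stand-in for a game's console logger: a variadic wrapper over
 * vsnprintf (the shape the article describes). The attribute lets GCC/Clang
 * warn under -Wformat-security when a caller passes a non-literal format. */
PRINTF_LIKE(3, 4)
static int console_format(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable call shape: the message itself is the format string, so every
 * '%' directive in it is interpreted (this is what %08x, %s and %n rely on). */
int log_message_vulnerable(char *out, size_t n, const char *msg)
{
    return console_format(out, n, msg);        /* -Wformat-security warns here */
}

/* Fixed call shape: literal format, the message is passed as data. */
int log_message_safe(char *out, size_t n, const char *msg)
{
    return console_format(out, n, "%s", msg);
}

/* Audit helper for text headed toward a format parameter (e.g. when reviewing
 * string tables or mod scripts): counts conversion directives, ignoring the
 * "%%" escape, and sets *has_n when the "%n" write directive appears. */
int count_format_directives(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                          /* "%%": literal percent sign */
            continue;
        count++;
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0", *p)) p++;
        while (*p && (isdigit((unsigned char)*p) || *p == '*' || *p == '$')) p++;
        if (*p == '.') { p++; while (*p && (isdigit((unsigned char)*p) || *p == '*')) p++; }
        while (*p && strchr("hlLqjzt", *p)) p++;
        if (*p == 'n')
            *has_n = 1;
        if (*p == '\0')                         /* lone '%' at end of string */
            break;
    }
    return count;
}

int main(void)
{
    char buf[128];
    int has_n;

    /* The same benign message through both shapes: the vulnerable one consumes
     * the "%%" escape, proving the text was parsed as a format string. */
    log_message_vulnerable(buf, sizeof buf, "Load 100%% complete");
    printf("vulnerable: %s\n", buf);
    log_message_safe(buf, sizeof buf, "Load 100%% complete");
    printf("safe:       %s\n", buf);

    /* Constructed console inputs, scanned rather than executed. */
    const char *inputs[] = { "Loading cell 42",
                             "%08x.%08x.%08x.%08x.%08x",   /* probe from the summary */
                             "%s%s%s%n" };
    for (size_t i = 0; i < 3; i++) {
        int n = count_format_directives(inputs[i], &has_n);
        printf("%-28s directives=%d has_n=%d\n", inputs[i], n, has_n);
    }
    return 0;
}
```

Compile with -Wformat-security (or -Wall -Wformat=2) to see the vulnerable call site reported at build time; the safe variant produces no warning.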
Re: (Score:2)
Calling printf() with an un-sanitized user supplied format string is an exploitable security vulnerability
Disagree.
It is only a security vulnerability if it allows the user to perform an action they are not authorized to perform. Just allowing them to execute code in the context of your application doesn't count, because frankly they could just open up the application's .exe file in a binary editor and inject the code they wanted to run. In order to be a vulnerability, there must be some security guarantee (or just expectation) that is violated.
Possibilities are:
1. The program runs with greater privileges tha
Re:So? (Score:5, Informative)
Skyrim doesn't require Admin, and it happens to be the most recent of the games listed here.
In fact, I'm pretty sure this claim is total bullshit.
Re: (Score:3)
Just playing the games and seeing all the glitches everywhere is an apt display of that.
Cripes I know of several places where there are glaring, insane glaring bugs in skyrim. The freaking game engine has been around for ever but the same bugs exist in it through both fallouts, and then finally Skyrim.
Re: (Score:2)
Let's zoom out, mmkay? The game is incredibly vast, and that the engine can handle it (and your saves are not 800mb each) is something that deserves a little respect.
Re: (Score:2)
But there's never been a requirement for the games to be rock solid so that no user can cause them to crash by using an obscure method. The requirements are to get the game out on time and make some money. Preventing crashes in the debug console that users are told they can use only at their own risk is a luxury.
Re: (Score:2)
9 out of 10 AAA-titles on Windows require admin privileges due to their DRM scheme.
Bullshit.
Re:Why does he keep calling it an 0day? (Score:4, Informative)
"Zero day" refers to a vulnerability for which no patch exists, presumably because the vendor wasn't aware of it. It's the amount of time between when the vendor becomes aware of the vulnerability and when the black hats can start exploiting it, not the amount of time that it's existed.
See Prof Wikipedia [wikipedia.org] for more details.
Re:Why does he keep calling it an 0day? (Score:5, Informative)
Day 2 = day after the vulnerability becomes public knowledge.
Day 3 = two days after the vulnerability becomes public knowledge
Day 4=
It is an important distinction, because once the vulnerability is listed on cert.org, admins can take steps to defend themselves (firewalls, removing the program, setting up honey-pots, etc). If it's a zero-day vulnerability, then no one can defend themselves and the world is wide open for you to use it.
Re: (Score:2)
Yep. "0-day" is just security talk for "newly discovered" and tends to get a bit overused. Nonetheless, it's a useful and sometimes very interesting categorization. A lot of the famous worms of the past were not 0-days, but actually exploited vulnerabilities which had been known (and mitigated) weeks or months prior to the worm's release into the wild. People don't always patch in a manner that can even vaguely be called timely. I wish I could say they'd learned their lesson already, but I still see outdated
Re: (Score:3)
Yep. "0-day" is just security talk for "newly discovered"
No, you are wrong. It means, "not public knowledge." The difference is crucial. I would explain it to you but I don't know how I can explain it more simply than my previous post.
Re: (Score:2)
Yep. "0-day" is just security talk for "newly discovered"
No, you are wrong. It means, "not public knowledge." The difference is crucial. I would explain it to you but I don't know how I can explain it more simply than my previous post.
All vulnerabilities are not public knowledge when they are newly discovered. You're drawing distinctions that don't make a difference.
Re: (Score:2)
You're drawing distinctions that don't make a difference.
Read the above posts for an explanation of why it is a distinction that matters.
Reading the thread that you are replying to, before replying, is a good way to make yourself look less ignorant.