Vulnerability Found In Skyrim, Fallout, Other Bethesda Games 179
An anonymous reader writes "The author of this article goes over a format string vulnerability he found in The Elder Scrolls series starting with Morrowind and going all the way up to Skyrim. It's not something that will likely be exploited, but it's interesting that the vulnerability has lasted through a decade of games. 'Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.'"
Those games crash easily (Score:5, Insightful)
Those games crash easily, isn't that proof enough they're full of vulnerabilities that you could exploit to run arbitrary code?
Now the question is, why does it matter? It's a game, not a production server.
Wow, some discovery (Score:5, Insightful)
stdio functions often lead to stack overflows. News at ten...
What next? Null pointers are bad, m'kay...?
Re:Wow, some discovery (Score:5, Insightful)
Re:Did we really need (Score:3, Insightful)
Every time something many people understand in the summary isn't explained, people complain.
Every time something many people understand in the summary is explained, people complain.
Re:Those games crash easily (Score:5, Insightful)
Because a hijacked machine is a hijacked machine. It can be used to send spam, participate in a DOS or mine bitcoins. And given that it's games we're talking, and power hungry games too, it's likely that you get a machine with a very powerful GPU and CPU.
Re:Wow, some discovery (Score:5, Insightful)
How about putting a structure you allow the user to specify the length of on the stack [offensive-security.com]? Like it was done in the animated cursor in Windows (and of course exploited for an attack).
And, unlike games, that was in an OS that has been under attack for years when this was exploited.
Game developers usually don't consider security when they develop. If anything should be a dead giveaway, it's how DRM is implemented. I think we're going to see a lot more exploits targeting games in the future. For very obvious reasons:
- Tend to run with admin privileges due to DRM
- Little to no consideration for security during development
- AAA-titles usually widely spread, leaving a big attack surface
- Tend to be used with rather powerful machines due to requirements of the graphics engine
And those are only the reasons that I could come up with without even thinking.
Re:Third Party Content. (Score:2, Insightful)
Certainly. But that's just the tip of the ice berg.
Not every game allows modding, but a lot of them make very interesting attack vectors. Imagine WoW having an exploitable angle. Aside of the obvious target (getting access to the WoW account and stripping it), what do you think would happen if there was a way to infect machines running WoW by, say, slipping an infected version of a popular mod into one of the download areas?
And then we're really talking about some serious attack surface. Skyrim is a fairly small one, actually. Yes, it was a popular game, and it has a very active modder scene, but the amount of people modding the game is not as big as it may seem at first. While OTOH I don't know anyone playing WoW who doesn't use certain "must have" plugins.
And I'm pretty sure one could come up with more "interesting" vectors. How about infected servers for multiplayer FPS games? Do you know the servers you play CoG, CS or TF2 on well enough to know that they will be ok, in case there is a vector for your game?
Re:Those games crash easily (Score:3, Insightful)
How would you even exploit this for hijacking? You have to inject malformed strings into a vsprintf() function that's called for console error output. Sure, load the code file, craft a string full of %x and ... call vsprintf() ??? I mean, what do you get this way that you don't by just calling into libc's function directly? And to hack the running game you need to attach as a debugger ... what privileges did your hacking process have again? If you're already at system level why bother with hacking skyrim? and if not, you're not going to get anything more than you already have. You could hack it from some mod I suppose, but that'd be like deciding to pick the lock for your own door while it's standing open.
That said, it's really sloppy code for the console command parser. It's not like the rest of the game is doing anything at the time so you absolutely can't afford to have an input validator active in there.
Re:Whats the purpose of this (Score:1, Insightful)
As much as I'd love to not use bloated junk like Steam, it's just no longer an option. Almost all newly released big games require Steam/Origin/Uplay. Even more and more indie games are exclusively released on Steam. Unfortunately they have a near-monopoly on the PC.
Re:Am I the only professional C/C++ coder ... (Score:2, Insightful)
Says a whiny C# "programmer"
Re:Whats the purpose of this (Score:5, Insightful)
Steam only asks for admin when performing installation steps, as installers often require admin privileges. And this is stuff like DirectX, C++ runtimes, etc so it's understandable since that stuff goes into system32.
The game itself is not run as admin.
Re:Wow, some discovery (Score:2, Insightful)
But you've got to admit, null pointers do make it a hell of a lot easier to find the bug. Dangling and uninitialized pointers, those are the dangerous ones.
Re:Whats the purpose of this (Score:5, Insightful)
i have several games on steam that require admin rights to run
Why do you continue to play them?
Also, please name them so people can know what to avoid.
Seriously, this is shit that should have died last century.
--
BMO
He can't name them, because he's spouting BS, like most Steam-hating trolls. They're just angry that VAC noticed them being stupid hacking trolls.
Re: Whats the purpose of this (Score:0, Insightful)
The problem with Stream is not the bloat, but the spying.
Re:Whats the purpose of this (Score:0, Insightful)
Just how is Steam bloated?
I was at my friend's house earlier and he wanted to show me the new Bioshock. So he attempted to launch it but Steam insisted on updating itself. The update was a 60MB download which took 20 minutes to download and install. I'd call that bloated.