Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Bug Security Games

Vulnerability Found In Skyrim, Fallout, Other Bethesda Games 179

An anonymous reader writes "The author of this article goes over a format string vulnerability he found in The Elder Scrolls series starting with Morrowind and going all the way up to Skyrim. It's not something that will likely be exploited, but it's interesting that the vulnerability has lasted through a decade of games. 'Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.'"
This discussion has been archived. No new comments can be posted.

Vulnerability Found In Skyrim, Fallout, Other Bethesda Games

Comments Filter:
  • by gl4ss ( 559668 ) on Sunday May 12, 2013 @05:47AM (#43701017) Homepage Journal

    getting hits. no other purpose.

    "So far, the only feasible way to exploit the game I’ve come up with is by some sort of hand crafted mod or plugin for the game as that would have access to the scripting console on which the vulnerabilities lie. That said, it would be difficult to exploit in the wild also do in part to the video games having no network capability."

    don't mods or plugins already get to pretty much do whatever they want? that is, I wasn't under the impression that they're in some security sandbox.

  • by Anonymous Coward on Sunday May 12, 2013 @06:51AM (#43701201)

    These games require Steam as DRM. Steam very often asks for admin privileges when starting games. With some games it's only once. With others it's every single time you start the game. It's really annoying. Plus, Steam has a background process with admin rights running. No idea how much access games have there but it's there. DRM is definitely an added security risk.

  • Re:So? (Score:5, Informative)

    by Tridus ( 79566 ) on Sunday May 12, 2013 @07:24AM (#43701267) Homepage

    Skyrim doesn't require Admin, and it happens to be the most recent of the games listed here.

    In fact, I'm pretty sure this claim is total bullshit.

  • by maweki ( 999634 ) on Sunday May 12, 2013 @08:11AM (#43701391) Homepage
    No. The link I posted explains that they licensed the HeroEngine but will not use it.
    "We started ZeniMax Online from scratch, with no employees and no technology. We had to build everything ourselves. It takes a long time to write game engines, especially MMO engines, which are inherently more complicated than typical single-player ones. So, we decided to license the HeroEngine to give us a headstart. It was a useful tool for us to use to prototype areas and game design concepts, and it provided us the ability to get art into the game that was visible, so we could work on the game’s art style." []
    Or as the title of the article says: "Why The Elder Scrolls Online Isn't Using HeroEngine"
  • by Pembers ( 250842 ) on Sunday May 12, 2013 @09:13AM (#43701601) Homepage

    "Zero day" refers to a vulnerability for which no patch exists, presumably because the vendor wasn't aware of it. It's the amount of time between when the vendor becomes aware of the vulnerability and when the black hats can start exploiting it, not the amount of time that it's existed.

    See Prof Wikipedia [] for more details.

  • by Sable Drakon ( 831800 ) on Sunday May 12, 2013 @09:50AM (#43701729)
    Just how is Steam bloated? Looking at it's two processes right now, it's barely using 11MB of system RAM... The Dropbox client uses more than that and does a whole lot less... Windows Explorer uses even more than Steam. Browsers? Far more RAM usage.. That's far from bloated considering according to Steam's monthly hardware surveys where the average gaming PC is running a minimum of 4GB or ram or more. Seriously, look at the numbers yourself: 21.85% have 4GB, 23.48% have 8GB, and 9.62% have in excess of 12GB... Soooo 10-12MB of RAM is honestly a drop in the bucket for the average PC gamer. You may want to get your facts straight before posting, but then again posting as AC is there for those who love to troll and comment inaccruacies.
  • by Impy the Impiuos Imp ( 442658 ) on Sunday May 12, 2013 @10:14AM (#43701811) Journal

    Actually it's for use further down the road in the same printf string, IIRC. You %n something, then use the value in some later argument, not in a completely different printf. Indeed, the purpose is to keep you from needing multiple printfs when outpit depends on dynamic calculation of lengths of what went before on the same line.

  • by _Shad0w_ ( 127912 ) on Sunday May 12, 2013 @10:32AM (#43701901)

    Some of us C# programmers started life as C programmers, became C++ programmers at some point, and have now ended up as C# ones. You go where the money is; that's what being a professional is: doing something for money.

  • by Anonymous Coward on Sunday May 12, 2013 @10:58AM (#43701995) []

  • by benjymouse ( 756774 ) on Sunday May 12, 2013 @11:44AM (#43702221)

    It knocks both DRM and Windows in one sentence. Which is popular on slashdot.

    Facts don't matter, accuracy doesn't matter. Comments can be outright lies (like this one) and still achieve the highest ranking as *informative* just because it plays to a popular myth.

    No, games are *not* run with admin rights. No they do *not* need to run with admin privileges, not even to use DRM. Especially not the online DRM variety that steam uses.

  • by phantomfive ( 622387 ) on Sunday May 12, 2013 @12:47PM (#43702573) Journal

    I love it how you include "mine bitcoins" in your list of online criminal activities.

    Because botnets have been observed in the wild mining bitcoins. That is something we know they are used for.

  • by phantomfive ( 622387 ) on Sunday May 12, 2013 @12:57PM (#43702627) Journal
    Day 1 = day the vulnerability becomes public knowledge.
    Day 2 = day after the vulnerability becomes public knowledge.
    Day 3 = two days after the vulnerability becomes public knowledge
    Day 4= .....

    It is an important distinction, because once the vulnerability is listed on, admins can take steps to defend themselves (firewalls, removing the program, setting up honey-pots, etc). If it's a zero-day vulnerability, then no one can defend themselves and the world is wide open for you to use it.
  • Calling printf() with an un-sanitized user supplied format string is an exploitable security vulnerability

    I don't usually say this, but FTFY. There are only three limits on the security impact of a program that passes a user-supplied format string to a .*[print|scan]f function:
    1) What privileges the program runs as. If it's not sandboxed, it can probably run rampant over your user profile. If it runs as Admin/root, that's seriously bad news.
    2) What privileges are required to specify that format string. If it can only be done by a local user, and the program only runs as local user, you're mostly OK (and that's the case here). If the source of the format string is external, such as a message from another user in a game, you're in serious trouble.
    3) Exploit mitigations in use. The MS Visual C/C++ runtime (MSVCRT.DLL) disables the %n format specifier by default, because using %n and a reasonably long format string, you can write pretty much arbitrary values into memory (one unaligned byte at a time). DEP and ASLR help, but due to the way that printf can be used to extract pointers as well as use them, it can be used to leak info needed for bypassing ASLR.

    Format string vulns are a serious threat. Fortunately, they're also dead trivial to avoid: DON'T EVER PROVIDE A USER-CONTROLLED FORMAT STRING. If for some reason is is every absolutely necessary to do this (I can't think of a single situation fitting this bill; anybody care to fill me in?) you can ensure the string has no un-escaped % characters, but that's a terrible way to go about it.

  • by gman003 ( 1693318 ) on Sunday May 12, 2013 @09:46PM (#43705745)

    What spying?

    Seriously, what do they spy on? There's the hardware survey, which is anonymous, and at least as I recall, opt-in. There's "recording amount of time in games", which a) isn't particularly useful information, b) isn't particularly accurate, and c) can be routed around via offline mode if it really bugs you.

    Compared to even the spying Firefox does (if you opt in), that's really not much.

  • by Dimensio ( 311070 ) <> on Monday May 13, 2013 @01:02PM (#43711629)

    Some games do in fact request Administrator rights when run from Steam on every launch. Typically, this is a consequence of a bugged launch condition check that fails to accurately detect that needed libraries are often installed; choosing not to authenticate will still allow those games to run properly, and workarounds exist to eliminate the incorrect detection entirely.

Trap full -- please empty.