Slashdot Mirror


Vulnerability Found In Skyrim, Fallout, Other Bethesda Games

An anonymous reader writes "The author of this article goes over a format string vulnerability he found in The Elder Scrolls series starting with Morrowind and going all the way up to Skyrim. It's not something that will likely be exploited, but it's interesting that the vulnerability has lasted through a decade of games. 'Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.'"

179 comments

  1. Whats the purpose of this by tratraa · · Score: 0

    You can read and manipulate the stack in debuggers like OllyDbg. It's a much better way than trying to do so via the game's console. And you can modify the code too. I just don't see what's the use of this.

    1. Re:Whats the purpose of this by gl4ss · · Score: 4, Informative

      getting hits. no other purpose.

      "So far, the only feasible way to exploit the game I’ve come up with is by some sort of hand crafted mod or plugin for the game as that would have access to the scripting console on which the vulnerabilities lie. That said, it would be difficult to exploit in the wild also due in part to the video games having no network capability."

      don't mods or plugins already get to pretty much do whatever they want? that is, I wasn't under the impression that they're in some security sandbox.

      --
      world was created 5 seconds before this post as it is.
    2. Re:Whats the purpose of this by Opportunist · · Score: 0, Troll

      Well, considering how games tend to run with admin privileges on Windows because of DRM, I could well see some attack vector here.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      This is just plain false.

    4. Re:Whats the purpose of this by Anonymous Coward · · Score: 1, Informative

      These games require Steam as DRM. Steam very often asks for admin privileges when starting games. With some games it's only once. With others it's every single time you start the game. It's really annoying. Plus, Steam has a background process with admin rights running. No idea how much access games have there but it's there. DRM is definitely an added security risk.

    5. Re:Whats the purpose of this by Anonymous Coward · · Score: 1

      Morrowind and Oblivion don't require Steam.

    6. Re:Whats the purpose of this by Anonymous Coward · · Score: 1, Insightful

      As much as I'd love to not use bloated junk like Steam, it's just no longer an option. Almost all newly released big games require Steam/Origin/Uplay. Even more and more indie games are exclusively released on Steam. Unfortunately they have a near-monopoly on the PC.

    7. Re:Whats the purpose of this by gl4ss · · Score: 1

      Well, considering how games tend to run with admin privileges on Windows because of DRM, I could well see some attack vector here.

      I don't remember these games requiring that.

      but my point was that you're already pretty much accepted the risk when using a mod - a mod that has potentially whatever code in it.

      --
      world was created 5 seconds before this post as it is.
    8. Re:Whats the purpose of this by The+MAZZTer · · Score: 5, Insightful

      Steam only asks for admin when performing installation steps, as installers often require admin privileges. And this is stuff like DirectX, C++ runtimes, etc so it's understandable since that stuff goes into system32.

      The game itself is not run as admin.

    9. Re:Whats the purpose of this by Sable+Drakon · · Score: 5, Informative

      Just how is Steam bloated? Looking at its two processes right now, it's barely using 11MB of system RAM... The Dropbox client uses more than that and does a whole lot less... Windows Explorer uses even more than Steam. Browsers? Far more RAM usage.. That's far from bloated considering according to Steam's monthly hardware surveys where the average gaming PC is running a minimum of 4GB of RAM or more. Seriously, look at the numbers yourself: 21.85% have 4GB, 23.48% have 8GB, and 9.62% have in excess of 12GB... Soooo 10-12MB of RAM is honestly a drop in the bucket for the average PC gamer. You may want to get your facts straight before posting, but then again posting as AC is there for those who love to troll and comment inaccuracies.

      --
      The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
    10. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      i have several games on steam that require admin rights to run -- not just to install or update, but to simply play the game. no bethesda titles in my library, but fact is, some games insist on admin rights to play.

    11. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      That's odd, I still play lots of PC games and none of them need Steam, Origin or Uplay. I'm not finding it difficult to avoid them at all.

    12. Re:Whats the purpose of this by Anonymous Coward · · Score: 1

      If a game needs admin rights, it's either malware/spyware or it's poorly programmed. There is absolutely no reason a game or any non-system maintenance application should need admin. If you do have games that require it and it's not stated on the box or the download page, then I'd demand a refund.

    13. Re:Whats the purpose of this by bmo · · Score: 1

      i have several games on steam that require admin rights to run

      Why do you continue to play them?

      Also, please name them so people can know what to avoid.

      Seriously, this is shit that should have died last century.

      --
      BMO

    14. Re:Whats the purpose of this by F.Ultra · · Score: 4

      Please give my access to your magical application store application that uses zero resources.

    15. Re:Whats the purpose of this by Anonymous Coward · · Score: 3, Informative
    16. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      And this is a great example of how misinformed and delusional Slashdot users are. +5, Informative? More like -5, Clueless.

    17. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      you know windows removed the %n format specifier years ago right? its still going to be exploitable in theory because of pop/pop/.../ret sequences, but the person reporting, like you, obviously has never exploited this bug based on the premise one can write to arbitrary locations with a %n, which just isn't true sans security-brain-dead OSs like Linux. Anyways, cool story bro.

    18. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      "barely using 11MB of system RAM"

      My first computer had 5kB of RAM, you insensitive clod!

    19. Re:Whats the purpose of this by Anonymous Coward · · Score: 5, Insightful

      i have several games on steam that require admin rights to run

      Why do you continue to play them?

      Also, please name them so people can know what to avoid.

      Seriously, this is shit that should have died last century.

      --
      BMO

      He can't name them, because he's spouting BS, like most Steam-hating trolls. They're just angry that VAC noticed them being stupid hacking trolls.

    20. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      Can you throw some examples? I don't have a single steam game that requires admin rights to play.

      I bet this happens because you installed steam in "program files" directory (which is the default). Program Files is a protected directory and normally only an administrator can write there. The problem will probably go away if you install steam in different location where non-admins have right to write too (c:\games or something like that). Or alternatively, if you grant modify access to steam folder for normal users.

      Well behaving programs or games should not write under application directory. Unfortunately many (especially older) games aren't well behaving in this regard. There are %appdata%, %programdata% etc folders for this kind of stuff.

    21. Re: Whats the purpose of this by AvitarX · · Score: 1

      I think maybe Rome total war? I can't recall personally, but older games that write config into their folder is my assumption of the cause. Though windows handles that somehow now, so maybe not.

      The app that most surprises me is super requiring it.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    22. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      don't mods or plugins already get to pretty much do whatever they want? that is, I wasn't under the impression that they're in some security sandbox.

      At least in Morrowind and Oblivion, mods are "sandboxed" in the sense that they do not contain any native code, and use a scripting language that only gives them access to game state, not permission to open files, etc.

      So though I doubt we'll see a deluge of trojan Morrowind mods, it's a "real" exploit in the sense that mods can do more than was intended.

      I'm sure you could find any number of buffer overflows if you looked, too. The security awareness in the industry is abysmal, all the way from the drivers to even simple game launchers.

    23. Re:Whats the purpose of this by interval1066 · · Score: 1

      As much as I'd love to not use bloated junk like Steam...

      Really? In any case, I suppose, secure institutions don't as a rule allow random software installations, especially games, so, unless you want to p0wn your friend's pc, we're probably ok here.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    24. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      Would you name some of these games that require admin privileges? I would like to check them out to see if it's true.

    25. Re:Whats the purpose of this by Sable+Drakon · · Score: 2

      Actually, my library consists of over 100 titles, most of them installed. The difference may be as simple as the skin you're using (I run an exceedingly minimal one) and that I keep Steam in 'Small view' instead of the full and pointless window. May want to try a few things. But even at 110MB usage, that's still minimum compared to the average gaming PC's RAM loadout of 4GB+. People complaining about memory usage of a software platform that uses less than 5% of total RAM have nothing better to do.

      --
      The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
    26. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      It all adds up. Having applications constantly running due to artificial limitations is about as stupid as it gets.

    27. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      AFAIK SW:TOR requires admin or you jumping through hoops to not use admin: http://www.swtor.com/community/showthread.php?t=503015

      Someone who played swtor stayed over at my place for a few weeks and my guest computer had to be "compromised" so that swtor could run.

      Maybe they've changed it in recent times.

    28. Re:Whats the purpose of this by Deathspawner · · Score: 1

      I have over 1,000 games on Steam (102 installed), and it's using 72.2MB of RAM on fresh start-up. I'm using the basic skin, no customizations at all.

    29. Re: Whats the purpose of this by x1n933k · · Score: 3, Funny

      Yeah, but can it run Crysis?

    30. Re:Whats the purpose of this by hairyfeet · · Score: 1

      It's clickbait, it's a sensational headline to make everyone think "ZOMFG if I have Fallout or Skyrim I could get teh viruz!" when IRL probably the most that will come of this will be some +whatever trainers.

      That doesn't mean we shouldn't keep an eye on games, personally I'm waiting for it to come out some big FTP MMO has a backdoor the size of Kansas because they wanted the ability to insert ads later but this? The guy is using the console to manipulate the program...and?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    31. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      Well, considering how games tend to run with admin privileges on Windows because of DRM, I could well see some attack vector here.

      But Vista fixed all that.

    32. Re: Whats the purpose of this by Anonymous Coward · · Score: 0, Insightful

      The problem with Stream is not the bloat, but the spying.

    33. Re:Whats the purpose of this by Anonymous Coward · · Score: 1

      Did you check the Application Store application store? I hear it has its own application now.

    34. Re:Whats the purpose of this by Anonymous Coward · · Score: 0, Insightful

      Just how is Steam bloated?

      I was at my friend's house earlier and he wanted to show me the new Bioshock. So he attempted to launch it but Steam insisted on updating itself. The update was a 60MB download which took 20 minutes to download and install. I'd call that bloated.

    35. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      Please see previous comment, application size has nothing to do with its memory allocation. Your logic - Windows 3gb size of a dvd, you better have 4gb ram... what?

    36. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      Bloat can refer to both memory usage and file size. Basically any program that uses more than it actually needs.

    37. Re:Whats the purpose of this by hermitdev · · Score: 1

      The 110MB usage is the GUI, not the service/DRM component. The service is all that's needed to launch a game (if you've created shortcuts either on the desktop or start menu for the installed game). The services needed to run a game use around a combined 12MB. The memory usage has nothing to do with the size of your library, or the number of installed games. Personally, I've 46 games and 66 utilities in my library. I don't notice the 110MB usage on either my current gaming desktop, or my last. My last had 4GB of memory, current has 64GB. With that much memory, I've a few VMs running in the background, and I don't even notice. Without a pagefile, typical total system memory usage is under 16GB (most of that due to the VMs, which have multiple GBs allocated each). On a system consuming 16GB of RAM, 110MB is roughly 0.5% of total usage.

    38. Re: Whats the purpose of this by gman003 · · Score: 3, Informative

      What spying?

      Seriously, what do they spy on? There's the hardware survey, which is anonymous, and at least as I recall, opt-in. There's "recording amount of time in games", which a) isn't particularly useful information, b) isn't particularly accurate, and c) can be routed around via offline mode if it really bugs you.

      Compared to even the spying Firefox does (if you opt in), that's really not much.

    39. Re:Whats the purpose of this by gman003 · · Score: 1

      Right now, Steam is using 5.5MB of RAM, sitting between "Bluetooth tray" and SSHFS. DWM is using 29MB, Explorer 38MB, and Firefox 335MB (five tabs). Opening a Steam window brings it up to 23MB, still an absolutely tiny amount. Even when doing multiple simultaneous downloads, I've never seen it go over 200MB of RAM.

      As for disk space, my Steam folder is currently 346GB. However, 345GB of that is the steamapps folder, which contains all game data. Everything else - executable, graphics, crash dumps, resources, cache - is a mere 787MB. Considering how many game icons that has to include (I kind of have a lot of games), that's pretty impressive.

    40. Re:Whats the purpose of this by gman003 · · Score: 2

      I do have to run UT2004 as admin in order for LAN play to work. I'm not sure why. There's probably another way, that doesn't involve blanket admin access, but "run as admin" is easier.

      Runs perfectly fine singleplayer without admin rights, though. And it's hardly a "recent" game (and it's not even the Steam version - CD from the Unreal Anthology). I've never encountered a game that requires admin rights just to run.

    41. Re:Whats the purpose of this by julesh · · Score: 1

      All applications use zero resources when they're not running. Why does Steam run constantly?

    42. Re: Whats the purpose of this by julesh · · Score: 1

      I regularly run Rome TW on Win7 as an admin-enabled user but without elevating it via UAC and it works just fine.

    43. Re:Whats the purpose of this by Anonymous Coward · · Score: 0

      All applications use zero resources when they're not running. Why does Steam run constantly?

      Because someone doesn't shut it down when not using it?

    44. Re:Whats the purpose of this by Dimensio · · Score: 3, Informative

      Some games do in fact request Administrator rights when run from Steam on every launch. Typically, this is a consequence of a bugged launch condition check that fails to accurately detect that needed libraries are often installed; choosing not to authenticate will still allow those games to run properly, and workarounds exist to eliminate the incorrect detection entirely.

    45. Re:Whats the purpose of this by TheOneFreeman · · Score: 1

      "Anonymous coward" or not, you sir/madame have just done the internet a great service. More GoG is always good, even Time magazine thinks so! Proof: http://techland.time.com/2013/05/06/50-best-websites-2013/slide/gog-com/

    46. Re:Whats the purpose of this by F.Ultra · · Score: 1

      In which way does a website not use any resources? Oh wait, you are using the magical resource free web browser!!! Sorry I forgot...

    47. Re:Whats the purpose of this by F.Ultra · · Score: 1

      So you have some new storage technology that doesn't require resources, what's the price per GiB for that one?

      And what is this constantly running thing? I have Steam installed on my box but:

      fultra@ubuntu:~$ sudo ps ax | grep -i steam
      9003 pts/0 S+ 0:00 grep --color=auto -i steam
      fultra@ubuntu:~$

      Or do you mean that it runs when you ask it to by double clicking it and then quits completely when you click in File->Exit?

    48. Re:Whats the purpose of this by chuckybucky · · Score: 1

      What's wrong with Steam? I don't see it as bloated at all. Actually, I enjoy the format much better than individual installers and updaters.

    49. Re: Whats the purpose of this by AvitarX · · Score: 1

      OK, I was just guessing, not OP.

      The main app I can think of that wants admin for what I assume is shadiness is Super, but that's not steam. I'm pretty sure an old steam game I purchased asks, but I wouldn't bet on it.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  2. Those games crash easily by loufoque · · Score: 5, Insightful

    Those games crash easily, isn't that proof enough they're full of vulnerabilities that you could exploit to run arbitrary code?
    Now the question is, why does it matter? It's a game, not a production server.

    1. Re:Those games crash easily by muphin · · Score: 1

      isn't this what "Trainers" do ?

      --
      It's not a typo if you understood the meaning!
    2. Re:Those games crash easily by Opportunist · · Score: 4, Insightful

      Because a hijacked machine is a hijacked machine. It can be used to send spam, participate in a DOS or mine bitcoins. And given that it's games we're talking, and power hungry games too, it's likely that you get a machine with a very powerful GPU and CPU.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Those games crash easily by Anonymous Coward · · Score: 3, Insightful

      How would you even exploit this for hijacking? You have to inject malformed strings into a vsprintf() function that's called for console error output. Sure, load the code file, craft a string full of %x and ... call vsprintf() ??? I mean, what do you get this way that you don't by just calling into libc's function directly? And to hack the running game you need to attach as a debugger ... what privileges did your hacking process have again? If you're already at system level why bother with hacking skyrim? and if not, you're not going to get anything more than you already have. You could hack it from some mod I suppose, but that'd be like deciding to pick the lock for your own door while it's standing open.

      That said, it's really sloppy code for the console command parser. It's not like the rest of the game is doing anything at the time so you absolutely can't afford to have an input validator active in there.

    4. Re:Those games crash easily by jareth-0205 · · Score: 1

      Because http://xkcd.com/1200/

      Don't you care about your personal security?

    5. Re:Those games crash easily by Anonymous Coward · · Score: 0

      I love it how you include "mine bitcoins" in your list of online criminal activities. As if it were relevant enough to people's interests here. It isn't. A few editors have likely invested in one of the exchanges judging by the spam that gets posted here, but apart from that it's exactly as you classified it, online criminal activity.

    6. Re:Those games crash easily by Anonymous Coward · · Score: 0

      That comic makes no sense. How would someone who stole your laptop magically know your passwords?

    7. Re:Those games crash easily by countach74 · · Score: 1

      Because sessions don't exist. Granted PayPal/bank accounts probably require authentication every time, but I imagine many people use their favorite web browser's "save password information" feature on those sites. I think the comic makes plenty of sense: for most people, if their user account on their laptop is compromised, bad things can/will happen.

    8. Re:Those games crash easily by phantomfive · · Score: 3, Informative

      I love it how you include "mine bitcoins" in your list of online criminal activities.

      Because botnets have been observed in the wild mining bitcoins. That is something we know they are used for.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:Those games crash easily by Anonymous Coward · · Score: 0

      Sessions expire when you close the browser and if you're saving passwords in the browser, then you deserve what you get.

      KeePass or a password hasher are just as easy to use, but they protect your passwords.

    10. Re:Those games crash easily by Anonymous Coward · · Score: 0

      http://tech.slashdot.org/story/13/05/01/217230/e-sports-league-stuffed-bitcoin-mining-code-inside-client-software

  3. Did we really need by Anonymous Coward · · Score: 0

    An explanation of printf format syntax in the summary?

    1. Re:Did we really need by liamevo · · Score: 3, Insightful

      Every time something many people understand in the summary isn't explained, people complain.
      Every time something many people understand in the summary is explained, people complain.

    2. Re:Did we really need by NoNonAlphaCharsHere · · Score: 1

      It's a direct quote from TFA*.

      *"The Fucking Article"

    3. Re:Did we really need by PopeRatzo · · Score: 1

      Every time something many people understand in the summary is explained, people complain.

      I don't recall seeing people complain when a summary is explicit about something, only when it is not explicit.

      Readers are trained to skim over information with which they are familiar. It comes from years of textbook use. It's much more frustrating when an important bit of information is left out.

      --
      You are welcome on my lawn.
    4. Re:Did we really need by Anonymous Coward · · Score: 0

      Apparently. I'm not a particularly good programmer, but I thought that people weren't supposed to use printf() any more in favor of sprintf()

    5. Re:Did we really need by _Shad0w_ · · Score: 1

      One of those writes to stdout and one of them writes to a string, they're not really interchangeable if your aim is to display something on screen...

      I think you're getting confused with the fact that using ?sprintf(), ?scanf(), etc. is discouraged in favour of using their ?sn* counterparts, due to buffer overrun possibilities, but I could be wrong. Calling printf() with an un-sanitized user supplied format string is also discouraged, because it may contain a %.

      printf() is just a wrapper for vfprintf() with the FILE parameter as stdout, I believe (it is in glibc anyway).

      --

      Yeah, I had a sig once; I got bored of it.

    6. Re:Did we really need by cbhacking · · Score: 3, Informative

      Calling printf() with an un-sanitized user supplied format string is an exploitable security vulnerability

      I don't usually say this, but FTFY. There are only three limits on the security impact of a program that passes a user-supplied format string to a .*[print|scan]f function:
      1) What privileges the program runs as. If it's not sandboxed, it can probably run rampant over your user profile. If it runs as Admin/root, that's seriously bad news.
      2) What privileges are required to specify that format string. If it can only be done by a local user, and the program only runs as local user, you're mostly OK (and that's the case here). If the source of the format string is external, such as a message from another user in a game, you're in serious trouble.
      3) Exploit mitigations in use. The MS Visual C/C++ runtime (MSVCRT.DLL) disables the %n format specifier by default, because using %n and a reasonably long format string, you can write pretty much arbitrary values into memory (one unaligned byte at a time). DEP and ASLR help, but due to the way that printf can be used to extract pointers as well as use them, it can be used to leak info needed for bypassing ASLR.

      Format string vulns are a serious threat. Fortunately, they're also dead trivial to avoid: DON'T EVER PROVIDE A USER-CONTROLLED FORMAT STRING. If for some reason it is ever absolutely necessary to do this (I can't think of a single situation fitting this bill; anybody care to fill me in?) you can ensure the string has no un-escaped % characters, but that's a terrible way to go about it.

      --
      There's no place I could be, since I've found Serenity...
    7. Re:Did we really need by geminidomino · · Score: 1

      I don't recall seeing people complain when a summary is explicit about something, only when it is not explicit.

      Read the subthread with anon comments. You'll find that GP is a response to someone complaining about an explanation of the function in the summary.

    8. Re:Did we really need by julesh · · Score: 1

      Calling printf() with an un-sanitized user supplied format string is an exploitable security vulnerability

      Disagree.

      It is only a security vulnerability if it allows the user to perform an action they are not authorized to perform. Just allowing them to execute code in the context of your application doesn't count, because frankly they could just open up the application's .exe file in a binary editor and inject the code they wanted to run. In order to be a vulnerability, there must be some security guarantee (or just expectation) that is violated.

      Possibilities are:

      1. The program runs with greater privileges than the user would normally have (e.g. setuid on a Unix system, or on a public-facing kiosk system)
      2. The program accepts input from an external source, e.g. over a network connection from a user that has not been authenticated to have permission to execute code on the local system
      3. The program accepts input from a source that would normally be considered a "safe" file that a user is likely to download from the Internet, e.g. document files.

      If none of these 3 conditions are true, then IMO it is not a security vulnerability. It's just a different way for the user to make their application do something unexpected. Which, honestly, appears to be the case for the "exploit" presented in TFA: games don't typically run in a privileged environment that their user does not have access to, do not generally accept console commands over their network connections, and people don't usually consider game mods as safe files, because they often (or even usually) include executable content that would have access to fuck their system over if the designer wanted anyway.

      DON'T EVER PROVIDE A USER-CONTROLLED FORMAT STRING. If for some reason it is ever absolutely necessary to do this (I can't think of a single situation fitting this bill; anybody care to fill me in?) you can ensure the string has no un-escaped % characters, but that's a terrible way to go about it.

      Situation fitting the bill: you're writing a quick utility command-line program that is intended for local non-setuid use, and which needs to generate a sequence of files, but you need the user to be able to control the formatting of the filenames. Filenames are generated using the following approach:

      for (int file = 0; [...]; file ++)
      {
            char filename[MAXPATH];
            snprintf (filename, MAXPATH, argv[1], file);
            [...]
      }

      User uses the program with a command like "generatefiles output%04d.dat". Providing this kind of flexibility *without* using snprintf is rather time consuming and is not worth it for the majority of cases. Sure, the user could potentially exploit the program to make it execute whatever code they want, but they could just execute whatever code they want... it would be somewhat simpler.

      Oh, and your idea of not allowing unescaped '%' characters completely negates the only point in ever doing this, so it seems a little ridiculous on the face of it.
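      A defender's-side worked version of the two points above (cbhacking's "no unescaped %" check and julesh's one-integer filename template), added here as an example; it is not code from the article, the games or either commenter, and the allowed-template rule, the 4-digit width cap and all function names are my own assumptions:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration for this thread, not code from the article or the games.
 * Assumed policy (mine, not the commenters'): a user-supplied filename
 * template may contain literal text, "%%" escapes and exactly one integer
 * conversion of the form %[0-9]{0,4}d. Everything else is rejected. */

/* The fix for the console bug the article describes: user text is always an
 * argument to a fixed "%s" format and never the format string itself. */
static int format_user_text(char *out, size_t outsz, const char *user_text)
{
    return snprintf(out, outsz, "%s", user_text);
}

/* True if user_text survives formatting unchanged, i.e. its '%' sequences
 * were printed literally rather than interpreted as conversions. */
static bool echo_is_verbatim(const char *user_text)
{
    char buf[64];
    return format_user_text(buf, sizeof buf, user_text) >= 0
        && strcmp(buf, user_text) == 0;
}

/* cbhacking's fallback check: true if the string contains a '%' that is not
 * escaped as "%%". Such a string must never be passed as a format. */
static bool has_unescaped_percent(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        return true;
    }
    return false;
}

/* julesh's use case, constrained: accept only one %d-style conversion so the
 * template can consume exactly the single int we pass. %n, %s, %x, '*' widths
 * and length modifiers never reach snprintf. */
static bool filename_template_is_safe(const char *tpl)
{
    int conversions = 0;
    for (const char *p = tpl; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;              /* literal percent */
        int digits = 0;
        while (isdigit((unsigned char)*p) && digits < 4) { p++; digits++; }
        if (*p != 'd') return false;          /* only %d, optionally zero/width padded */
        if (++conversions > 1) return false;  /* a second conversion would read garbage */
    }
    return conversions == 1;
}

/* Builds the name for file number `file`. On rejection or truncation the
 * output is emptied and false is returned, so callers cannot use a partial
 * name by accident. */
static bool make_filename(char *out, size_t outsz, const char *tpl, int file)
{
    if (outsz == 0) return false;
    out[0] = '\0';
    if (!filename_template_is_safe(tpl)) return false;
    /* Non-literal format: the validator above is the only thing making this safe. */
    int n = snprintf(out, outsz, tpl, file);
    if (n < 0 || (size_t)n >= outsz) { out[0] = '\0'; return false; }
    return true;
}

/* Convenience for checking results: does the template produce `expected`? */
static bool filename_matches(const char *tpl, int file, const char *expected)
{
    char buf[64];
    return make_filename(buf, sizeof buf, tpl, file) && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample templates; the %x and %n ones are the patterns from the summary. */
    const char *templates[] = { "output%04d.dat", "100%%_%d.dat",
                                "%08x.%08x.%08x.%08x.%08x", "log%n.txt", "%d-%d" };
    char name[64];
    for (size_t i = 0; i < sizeof templates / sizeof templates[0]; i++) {
        if (make_filename(name, sizeof name, templates[i], 7))
            printf("accepted  %-28s -> %s\n", templates[i], name);
        else
            printf("rejected  %s\n", templates[i]);
    }
    printf("console echo keeps %%-sequences literal: %s\n",
           echo_is_verbatim("%08x.%08x.%08x.%08x.%08x") ? "yes" : "no");
    return 0;
}
```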

  4. Am I the only professional C/C++ coder ... by Viol8 · · Score: 2

    .... who has never used the %n formatter? I'd heard of it but I had to go and google it to find out what it did because I couldn't even remember.

    The only use I can see for it is for figuring out single line formatting lengths after you've printed some string but that's pushing it a bit since surely any half decent coder would preformat a string before outputting it?

    Are there any "killer app" uses for %n that anyone can think of?

    1. Re:Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 1

      It's used for sscanf():
      http://stackoverflow.com/questions/353614/are-there-any-practical-applications-for-the-format-n-in-printf-scanf-family

    2. Re: Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 0

      Are there any "killer app" uses for %n that anyone can think of?

      %no

    3. Re:Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 0

      Making it easy to create backdoors.

    4. Re:Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 0

      Step 1: Make a mod for one of those games. Something simple that requires no exe files. Simple copy/pasta type install.
      Step 2: Mod abuses this vulnerability.
      Step 3: Mod sets up a botnet rootkit on the host machine, to lie dormant until fed orders.
      Step 4: Have the FBI partyvan show up at your house for participating in a DDOS.

    5. Re:Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 1

      Pre-formatting strings requires extra memory (an amount which could be significant on the systems C was originally designed for), and the buffer has to be sized for the worst possible case if you only have C89 (snprintf wasn't added until C99).

    6. Re:Am I the only professional C/C++ coder ... by garutnivore · · Score: 2

      Are there any "killer app" uses for %n that anyone can think of?

      According to the summary, with %n you can write a killer app that kills other apps:

      "Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack."

    7. Re:Am I the only professional C/C++ coder ... by Lumpy · · Score: 1, Insightful

      Says a whiny C# "programmer"

      --
      Do not look at laser with remaining good eye.
    8. Re:Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 0

      No he has a valid point. There are very few people who know c++ and that I would consider professional, probably .02% and the rest are just people who think they are c++ programmers. Even in extremely high quality c++ apps there are many bugs, I can only imagine how bad it is out in the field at companies that don't employ anywhere near the top rung of intelligence. I'd suspect you yourself are the type that should be writing code with a helmet.

    9. Re:Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 0

      A professional is someone getting paid to code.
      It has nothing to do with what you consider them to be, or whether they meet your standards.

    10. Re:Am I the only professional C/C++ coder ... by jones_supa · · Score: 1

      the rest are just people who think they are c++ programmers

      That's enough for many jobs.

    11. Re:Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 1

      I'm a professional C coder, I have professionally done C++ as well. And I have news for you. Not everything is a webpage, and most of the platform software you work in was written in either C or in C++, and guess what, it typically isn't that buggy. Maybe it's a surprise to you, but at some level you actually have to program at a level below the virtual machine, and if you're say, interacting directly with hardware, then all your trendy high level languages go right out the window, and C/C++, the work horses of industry come out to play. Or say you have some performance critical work, again, the overhead of a managed language is just not acceptable.

      Now I need to go off and point out where it's been found that a C coder writes better java than a java programmer, and a C coder writes better C# than a C# programmer.

    12. Re:Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 0

      Which is why most OS and embedded stuff is written in C.

    13. Re: Am I the only professional C/C++ coder ... by Greyfox · · Score: 1
      The printf family of functions is really the most convenient way to format output in C. Anything else you have to write yourself, or bring in an external library for. And it's perfectly safe as long as you don't directly printf or sprintf a string a user has input. Or screw up the number of parameters you pass it.

      My current project is in C++ and I still find myself missing printf/sprintf. iostream operations are a bit more work to get the same stuff done. So far I haven't run into an instance where I've HAD to fall back to the old school library calls for that, so I'm trying to be good.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    14. Re:Am I the only professional C/C++ coder ... by Impy+the+Impiuos+Imp · · Score: 3, Informative

      Actually it's for use further down the road in the same printf string, IIRC. You %n something, then use the value in some later argument, not in a completely different printf. Indeed, the purpose is to keep you from needing multiple printfs when output depends on dynamic calculation of lengths of what went before on the same line.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    15. Re:Am I the only professional C/C++ coder ... by _Shad0w_ · · Score: 4, Informative

      Some of us C# programmers started life as C programmers, became C++ programmers at some point, and have now ended up as C# ones. You go where the money is; that's what being a professional is: doing something for money.

      --

      Yeah, I had a sig once; I got bored of it.

    16. Re:Am I the only professional C/C++ coder ... by Guru80 · · Score: 1

      You seem to be confusing Professional (basically just a fancy word stating I get paid for what I do) and Expertise (expert skill or knowledge in a particular field). Neither require the other to be true.

    17. Re:Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 0

      the only way to really get mods out there to the few hundred or so that mod their es/fallout games is to put it on something like nexus, with a registered username(and ip address). So if you followed this through all the way to step 4, it would be pretty easy to follow the steps backwards to find out who you are or at least establish how the activity happened.

    18. Re:Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 0

      There are very few people who know $LANGUAGE and that I would consider professional, probably .02% and the rest are just people who think they are $LANGUAGE programmers.

      True for any value of $LANGUAGE.

    19. Re:Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 0

      And some of us have never done C/C++ outside of college but still try to write clean, efficient code. It has almost nothing to do with the language and almost everything to do with skill.

      Blaming the tools implies that you lack skill. The best way to solve this is to not lack skill. Sadly, most take the easy way rather than the best way.

    20. Re:Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 1

      I prefer the terms "code whore" or "prostitute programmer", thankyouverymuch.

    21. Re: Am I the only professional C/C++ coder ... by donscarletti · · Score: 5, Interesting

      The reason C++ does not implement format strings is that C libraries work just fine in it.

      There are no prizes for most pure usage of <iostream> or any rule saying C++ programmers must use it at all, it is simply a nifty library that exists that you may use when it suits you. If the code you're writing will be simpler, faster and or more comprehensible to later maintainers if you use <cstdio>, then you should use it. If it can be written better with <iostream> then use that.

      If you get a chance to do some hardcore IO in C++, you will find two functions at the core of your code: select (or epoll on Linux) and mmap. Neither are in either of those two headers and both work on integer file descriptors, rather than FILE or ostream/istream objects. They are about as un-c++ as you can get, they are kernel syscalls, but you can build some truly excellent C++ around them which looks simple, does a lot and runs more efficiently than <fstream> allows.

      C++ is not about purity, Bjarne Stroustrup designed it to allow multiple unrelated paradigms to be used together to allow programmers maximum efficiency and flexibility to write great code, it was never meant to be deconstructivist. Good C++ is not just knowing when to pass by reference, what to declare const, which members to make pure virtual, which STL type to use, which functions and classes should be templates and which shouldn't, etc. Good C++ is also knowing when to use stringstream and when to use snprintf. And good friend malloc is still there, believe it or not, great C++ programmers know how to use it well in C++ too.

      --
      When Argumentum ad Hominem falls short, try Argumentum ad Matrem
    22. Re:Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 0

      There are many high traffic sites out there that cater to game mods and it's easy to submit something via proxy like Tor.

    23. Re:Am I the only professional C/C++ coder ... by Anonymous Coward · · Score: 0

      No, you're not. The entire Windows code base was found to not use %n once, so they removed %n from their libc for security reasons. Also, I've never once used nor encountered that format specifier in ~7-10 years of professional (security) code review, inclusive of multiple products you (all) definitely use ranging from OSs to processors and the stuff that powers your cities, etc.

    24. Re:Am I the only professional C/C++ coder ... by ceoyoyo · · Score: 1

      Not sure about C++, but most of the decent C programmers I know don't consider themselves "C programmers." They're "programmers." I've heard with some of the new fangled languages you only learn one.

    25. Re:Am I the only professional C/C++ coder ... by OrangeTide · · Score: 1

      I'm a C Programmer. It's the only language where I'm paid to program.

      --
      “Common sense is not so common.” — Voltaire
    26. Re:Am I the only professional C/C++ coder ... by cbhacking · · Score: 1

      "crashes applications" is the least of what you can do with %n. In fact, heavy misuse of the other format string specifiers is usually enough to crash the program; just keep reading strings (or doubles, or whatever) until you wander into unallocated memory and trigger a Read AV / segfault.

      No, %n is what you do when you want arbitrary code execution in the vulnerable process. Format string vulnerabilities are as serious as buffer overflows, and as stupid (as in, no excuse for having them) as using gets() (which is itself guaranteed unsafe).

      --
      There's no place I could be, since I've found Serenity...
    27. Re: Am I the only professional C/C++ coder ... by Greyfox · · Score: 1
      I feel like if you want to use std::string you should stick to things that can use std::string. On a side note C++11 finally allows the iostream functions to use std::strings for file names. If you use char *s everywhere, that's somewhat less safe than not, but you can do that. If you want to use std::strings, you can take advantage of the cool things that work with strings. If you try to mix the two, it's a lot more work and a lot more complexity that I really don't care to add. So I stick with std::strings. 'Course I could just write my own damn string class, but that's just crazy talk.

      I did C for a couple decades before delving into C++. I still have Lex and Yacc (Not even Flex and Bison) in my toolkit. I can be pretty damn effective in either language, but I'm still trying to un-learn a bunch of java-isms too. For the scientific computing I'm doing at the moment I'd much rather use C++ than anything else. I always feel like it's Grandpa's sword sitting up on the mantle. My weapon of choice, and a surprisingly effective one in the right hands. Kids these days, think they know how to program...

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    28. Re:Am I the only professional C/C++ coder ... by hermitdev · · Score: 1

      This. As a senior C++ developer (who also does Python, C, a little bit of C# and even less Java) on linux, C++ is my go-to language for anything that is performance critical, and generally the systems I work on are performance critical. I also use Python a fair amount because it so easily integrates with C++ (and C) using either the built-in module ctypes or Boost Python (for C++). Being a quality developer/engineer is all about having the right tools in the toolbox, and knowing when to use each tool. Software development is not a one-size-fits-all world. One of the things I love about Python is it's inherently cross-platform, until I make an assumption about the environment, i.e. choose to use a library that is posix or Windows only. As to your point where a C(/C++) developer tends to do a better job in developing in other high-level languages such as java & C#: it's easy to turn off writing memory management, when you know the garbage collector will take care of it. It's harder to learn how/when to free memory when you've never had to. C/C++ developers should be inherently conscious of memory lifetime issues, whereas a java/C# (and to some extent Python/Perl) developer doesn't need to be aware. (C) Python is strictly reference counted, so you have the ability to create cycles, which would never be destroyed unless explicit action is taken (which is why we have weakref and del).

    29. Re:Am I the only professional C/C++ coder ... by inquist · · Score: 1

      or in bourne shell, any value of LANGUAGE

    30. Re:Am I the only professional C/C++ coder ... by inquist · · Score: 1

      ... inclusive of multiple products you (all) definitely use ranging from OSs to processors and the stuff that powers your cities, etc.

      Should this be "we" definitely use, and that powers "our" cities? Or the more exciting possibility, that you exist outside the framework of normal life?

  5. bfd by jimmydevice · · Score: 0

    wtf

  6. Wow, some discovery by Rosco+P.+Coltrane · · Score: 5, Insightful

    stdio functions often lead to stack overflows. News at ten...
    What next? Null pointers are bad, m'kay...?

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Wow, some discovery by Dunbal · · Score: 5, Insightful

      Null pointers don't kill programs, it's sloppy programmers who kill programs.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Wow, some discovery by Opportunist · · Score: 5, Insightful

      How about putting a structure you allow the user to specify the length of on the stack? Like it was done in the animated cursor in Windows (and of course exploited for an attack).

      And, unlike games, that was in an OS that has been under attack for years when this was exploited.

      Game developers usually don't consider security when they develop. If anything should be a dead giveaway, it's how DRM is implemented. I think we're going to see a lot more exploits targeting games in the future. For very obvious reasons:

      - Tend to run with admin privileges due to DRM
      - Little to no consideration for security during development
      - AAA-titles usually widely spread, leaving a big attack surface
      - Tend to be used with rather powerful machines due to requirements of the graphics engine

      And those are only the reasons that I could come up with without even thinking.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Wow, some discovery by jones_supa · · Score: 1

      What next? Null pointers are bad, m'kay...?

      Well, then there is a recommendation of replacing fopen() with fopen_s() for improved safety. It was previously a Microsoft extension, but now is part of the C11 standard (Annex K).

    4. Re:Wow, some discovery by am+2k · · Score: 1

      stdio functions often lead to stack overflows. News at ten...

      Well, it's interesting insofar that this is a rookie mistake you usually fall into in your first year of programming in C, and never again afterwards. It's amazing that such programmers are working in a very high profile gaming company.

    5. Re:Wow, some discovery by Impy+the+Impiuos+Imp · · Score: 1

      Because this can be exploited by changing printf strings, if you can change string tables, rather than running code or even executable files -- string tables are regularly manipulated by design for language translations -- you can get your foot in the door, first for examining and programming stacks.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    6. Re:Wow, some discovery by Anonymous Coward · · Score: 0

      I've been doing C for three decades and Null pointers still kill my programs.
      As for my sloppiness, I've written a bug-free kernel driver on a paper napkin with a pencil and poorly translated specs I had faxed over on vacation just the other week.
      You'd imagine me not bringing a laptop on vacation would be a big enough deterrent to leave me be on my first week off in 2 years. Next time I won't take my cellular...

    7. Re:Wow, some discovery by Anonymous Coward · · Score: 0

      Now that's actually a good one. Why did they need a new function for it though?

    8. Re:Wow, some discovery by mlookaba · · Score: 1

      Null pointers don't kill programs, it's sloppy programmers who kill programs.

      There is no legitimate use for null pointer exceptions. We should ban them. Think of the children.

    9. Re:Wow, some discovery by Anonymous Coward · · Score: 2, Insightful

      But you've got to admit, null pointers do make it a hell of a lot easier to find the bug. Dangling and uninitialized pointers, those are the dangerous ones.

    10. Re:Wow, some discovery by jones_supa · · Score: 1

      There is always the possibility that some application depends on the exact behavior of fopen() related to such cases so it would be too dangerous to go tampering with it.

    11. Re:Wow, some discovery by Anonymous Coward · · Score: 0

      ...it's sloppy programmers who kill programs.

      This is a very bad perspective. One of the biggest challenges programmers face is that our brains are not designed to be able to hold an entire program in memory and understand it all at the same time. It doesn't matter how smart or careful the programmer or how good the code is, the human race has these limitations. Any programming technique we can use to reduce how much the brain has to keep track of is a good thing.

      Null pointers are nasty. I have worked in programming languages that have them but have undefined behavior when using them (C / C++), languages that throw exceptions when using Null pointers (C# / Java), and languages that either don't have them or make them very difficult (Haskell / F#). It takes using a language without them or at least makes them optional to realize how big of a mistake they are.

    12. Re:Wow, some discovery by Anonymous Coward · · Score: 0

      - Tend to run with admin privileges due to DRM

      Do you have any recent examples of this? That is, do you have any concrete examples of a popular, widespread game that needs to run with administrative privileges at all, with or without DRM?

      You're only hurting the anti-DRM cause by using an example that users clearly do not experience.

      ...without even thinking.

      Clearly.

    13. Re:Wow, some discovery by Darinbob · · Score: 1

      Sloppy programmers don't kill programs, curious users who open up the console and type in malformed commands kill programs!

    14. Re:Wow, some discovery by Darinbob · · Score: 1

      But you can already examine the stack of these games. They're not closed up tight (well, Skyrim sort of is being a Steam game). Poke around in memory all you want, crash it when you want.

    15. Re:Wow, some discovery by Darinbob · · Score: 1

      Why amazing? High profile gaming companies have a more thorough interviewing process than other high profile companies? Game programmers are not necessarily better skilled than others, in some parts of the gaming developer world the stress levels are very high and it's not at all a glamorous job like the kids imagine.

    16. Re:Wow, some discovery by Anonymous Coward · · Score: 0

      - Tend to run with admin privileges due to DRM

      Why does DRM require admin privileges?

    17. Re:Wow, some discovery by inquist · · Score: 1

      I write watchdog routines to kill my programs using null pointers, in case of misbehavior. My latest creation,

      *(char **)0 = "description of an error condition";

      This causes the prog to dump a core, letting me analyze the stack and find deadlocks, etc.

    18. Re:Wow, some discovery by julesh · · Score: 1

      Have you considered using abort()? It should send your process a SIGABRT, which unless you've configured it otherwise will generate a core dump, and is rather more readable to other programmers.

    19. Re:Wow, some discovery by inquist · · Score: 1

      Hmm, good point. I will try that.

  7. So? by Anonymous Coward · · Score: 0

    Why would anyone care to exploit a game which is running on their local computer (Unless they want to bypass a drm scheme)?

    1. Re:So? by Tridus · · Score: 4, Informative

      Skyrim doesn't require Admin, and it happens to be the most recent of the games listed here.

      In fact, I'm pretty sure this claim is total bullshit.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    2. Re:So? by Anonymous Coward · · Score: 0

      No you could DoS Skyrim quite easily, granted it would be easy to fix, but it's still an apt display of how shit Bethesda's programming is.

    3. Re:So? by Lumpy · · Score: 2

      Just playing the games and seeing all the glitches everywhere is an apt display of that.

      Cripes I know of several places where there are glaring, insane glaring bugs in skyrim. The freaking game engine has been around for ever but the same bugs exist in it through both fallouts, and then finally Skyrim.

      --
      Do not look at laser with remaining good eye.
    4. Re:So? by flimflammer · · Score: 1

      9 out of 10 AAA-titles on Windows require admin privileges due to their DRM scheme.

      Bullshit.

    5. Re:So? by Darinbob · · Score: 1

      But there's never been a requirement for the games to be rock solid so that no user can cause them to crash by using an obscure method. The requirements are to get the game out on time and make some money. Preventing crashes in the debug console that users are told they can use only at their own risk is a luxury.

    6. Re:So? by X0563511 · · Score: 1

      Let's zoom out, mmkay? The game is incredibly vast, and that the engine can handle it (and your saves are not 800mb each) is something that deserves a little respect.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    7. Re:So? by Anonymous Coward · · Score: 0

      your saves are not 800mb each

      800 millibits? How can you have a piece of information smaller than a bit?

  8. Third Party Content. by Anonymous Coward · · Score: 0

    Question is, can this be exploited by third party content such as mods? The Elder Scrolls modding scene has only grown since Skyrim and could become an interesting malware vector.

    1. Re:Third Party Content. by Dunbal · · Score: 1

      There are far simpler ways of installing malware on your machine than by going through an exploit in the game. Like, having the installer for your mod install it for you.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Third Party Content. by Opportunist · · Score: 1, Insightful

      Certainly. But that's just the tip of the iceberg.

      Not every game allows modding, but a lot of them make very interesting attack vectors. Imagine WoW having an exploitable angle. Aside from the obvious target (getting access to the WoW account and stripping it), what do you think would happen if there was a way to infect machines running WoW by, say, slipping an infected version of a popular mod into one of the download areas?

      And then we're really talking about some serious attack surface. Skyrim is a fairly small one, actually. Yes, it was a popular game, and it has a very active modder scene, but the amount of people modding the game is not as big as it may seem at first. While OTOH I don't know anyone playing WoW who doesn't use certain "must have" plugins.

      And I'm pretty sure one could come up with more "interesting" vectors. How about infected servers for multiplayer FPS games? Do you know the servers you play CoG, CS or TF2 on well enough to know that they will be ok, in case there is a vector for your game?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Third Party Content. by Anonymous Coward · · Score: 0

      Like, having the installer for your mod install it for you.

      Speaking of which... I haven't looked into Morrowind or Skyrim yet, but Oblivion allows running batch files from inside the game. Mods can install and launch such things as well.

    4. Re:Third Party Content. by Patman64 · · Score: 1

      Not every game allows modding, but a lot of them make very interesting attack vectors. Imagine WoW having an exploitable angle. Aside of the obvious target (getting access to the WoW account and stripping it), what do you think would happen if there was a way to infect machines running WoW by, say, slipping an infected version of a popular mod into one of the download areas?

      There almost is, actually. Look up what "Warden" is. The game server sends a binary blob to the client which is then loaded into the game and can communicate with the server to check for cheats.

      If the modules weren't encrypted with Blizzard's private key then anyone who plays on a private server could potentially get owned. If you want to run a private server and take advantage of the system, you need to use Blizzard's modules in their already-encrypted form because it isn't possible to sign your own modules and use them with a non-modded client.

    5. Re:Third Party Content. by julesh · · Score: 1

      what do you think would happen if there was a way to infect machines running WoW by, say, slipping an infected version of a popular mod into one of the download areas?

      Seriously - do you think people download and install WoW mods who wouldn't run executable code from the same source? For all I know, WoW mods *are* executable code... I know they're (usually) written in Lua, which I believe is a general purpose language, and I've no idea whether there's any kind of sandbox involved. And I've never installed one, but I'm going to guess they're at least sometimes distributed either as .exe files or as .msi files, both of which are executable or can trivially contain executable code. Here's an example of an apparently popular WoW mod whose installation instructions suggest the user runs a .bat file -- how many do you think read that file first?

  9. Elder Scrolls online is not coded by Bethesda by maweki · · Score: 2

    "One thing I am looking forward to is the newest Elder Scrolls game by Bethesda – The Elder Scrolls Online. This online capability might just make remote exploitation of my 0day feasible. Why? If the same vulnerability is present in Morrowind released in 2002 is still present in Skyrim (released 2012), the odds are in my favor that the same vulnerability will be in the latest game release."
    Odds are, Zenimax, the company actually developing The Elder Scrolls Online, is using a different engine than Skyrim.

    http://www.gameinformer.com/b/features/archive/2012/05/25/why-the-elder-scrolls-online-isn-39-t-using-heroengine.aspx
    "We started ZeniMax Online from scratch [...]. It takes a long time to write game engines, especially MMO engines, which are inherently more complicated than typical single-player ones."

    1. Re:Elder Scrolls online is not coded by Bethesda by MachDelta · · Score: 1

      TESO is slated to be using the HeroEngine (the same one that powers TOR) and not the infamous (and crash happy) GameBryo engine that Bethesda used for so long.

    2. Re:Elder Scrolls online is not coded by Bethesda by maweki · · Score: 3, Informative

      No. The link I posted explains that they licensed the HeroEngine but will not use it.
      "We started ZeniMax Online from scratch, with no employees and no technology. We had to build everything ourselves. It takes a long time to write game engines, especially MMO engines, which are inherently more complicated than typical single-player ones. So, we decided to license the HeroEngine to give us a headstart. It was a useful tool for us to use to prototype areas and game design concepts, and it provided us the ability to get art into the game that was visible, so we could work on the game’s art style."
      http://www.gameinformer.com/b/features/archive/2012/05/25/why-the-elder-scrolls-online-isn-39-t-using-heroengine.aspx
      Or as the title of the article says: "Why The Elder Scrolls Online Isn't Using HeroEngine"

  10. Why does he keep calling it an 0day? by Anonymous Coward · · Score: 0

    Why does he keep calling it an 0day if it's about a decade old game?

    1. Re:Why does he keep calling it an 0day? by Pembers · · Score: 3, Informative

      "Zero day" refers to a vulnerability for which no patch exists, presumably because the vendor wasn't aware of it. It's the amount of time between when the vendor becomes aware of the vulnerability and when the black hats can start exploiting it, not the amount of time that it's existed.

      See Prof Wikipedia for more details.

    2. Re:Why does he keep calling it an 0day? by phantomfive · · Score: 4, Informative

      Day 1 = day the vulnerability becomes public knowledge.
      Day 2 = day after the vulnerability becomes public knowledge.
      Day 3 = two days after the vulnerability becomes public knowledge
      Day 4= .....

      It is an important distinction, because once the vulnerability is listed on cert.org, admins can take steps to defend themselves (firewalls, removing the program, setting up honey-pots, etc). If it's a zero-day vulnerability, then no one can defend themselves and the world is wide open for you to use it.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Why does he keep calling it an 0day? by Anonymous Coward · · Score: 0

      Parent here.

      Thank you for the information, I did not know that. I thought x-day referred to the day of release.

    4. Re:Why does he keep calling it an 0day? by cbhacking · · Score: 1

      Yep. "0-day" is just security talk for "newly discovered" and tends to get a bit overused. Nonetheless, it's a useful and sometimes very interesting categorization. A lot of the famous worms of the past were not 0-days, but actually exploited vulnerabilities which had been known (and mitigated) weeks or months prior to the worm's release into the wild. People don't always patch in a manner that can even vaguely be called timely. I wish I could say they'd learned their lesson already, but I still see outdated web servers, SSH servers, database servers, etc. all the time.

      --
      There's no place I could be, since I've found Serenity...
    5. Re:Why does he keep calling it an 0day? by phantomfive · · Score: 2

      Yep. "0-day" is just security talk for "newly discovered"

      No, you are wrong. It means, "not public knowledge." The difference is crucial. I would explain it to you but I don't know how I can explain it more simply than my previous post.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Why does he keep calling it an 0day? by julesh · · Score: 1

      Yep. "0-day" is just security talk for "newly discovered"

      No, you are wrong. It means, "not public knowledge." The difference is crucial. I would explain it to you but I don't know how I can explain it more simply than my previous post.

      All vulnerabilities are not public knowledge when they are newly discovered. You're drawing distinctions that don't make a difference.

    7. Re:Why does he keep calling it an 0day? by phantomfive · · Score: 1

      You're drawing distinctions that don't make a difference.

      Read the above posts for an explanation of why it is a distinction that matters.

      Reading the thread that you are replying to, before replying, is a good way to make yourself look less ignorant.

      --
      "First they came for the slanderers and i said nothing."
    8. Re:Why does he keep calling it an 0day? by Anonymous Coward · · Score: 0

      In computer science, we index from 0.

  11. Not really a vulnerability by Hentes · · Score: 1

    If you have access to a machine, you can cause it to crash. What's exactly surprising about this?

    1. Re:Not really a vulnerability by Anonymous Coward · · Score: 0

      That you can potentially execute arbitrary code from a mod within a game couldn't be just a little surprising or at least interesting to some people? I'm sure most gamers don't choose mods from the Steam Workshop with the threat of malware in the back of their minds.

  12. Windows doesn't have the %n format specifier by Anonymous Coward · · Score: 0

    Windows removed the %n format specifier years ago for security reasons; now if the more dense libc authors would follow suit and make their OSes more secure. I'm talking to you, drepper, and your retarded strfry() but no strlcpy() because it's bloat. Also, glibc, fix your damned fastlists in the free() code path, your formerly exploitable asprintf() in setuid libc code (no longer exploitable due to kernel modifications that prevent setuid() from failing), and, well, get off your retarded OSS/FS "many eyes make us more secure" high horses, because those eyes need to be competent and they're quite obviously not.

    1. Re:Windows doesn't have the %n format specifier by Anonymous Coward · · Score: 0

      It's bloat what?
      Also, %n is only a problem for programmers who directly pass non-constant strings to printf-type functions, rather than as the second argument along with "%s".
      Every C programmer should know this is standard practice.
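      The constant-versus-non-constant format distinction made above, as an added C example (not code from the thread or from any of the games discussed): `echo_unsafe` hands untrusted text to a printf-style routine as the format itself, `echo_safe` passes it through a constant "%s", and `has_format_directive` is a hypothetical review helper that flags text carrying any directive other than a literal "%%". `console_write`, `SAMPLE_INPUT` and all function names are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: text a player might type into an in-game console.
 * Only "%%" is used so the demo stays within defined behaviour; a "%s" or
 * "%n" in the same position would read or write memory the caller never
 * handed over, which is the bug class the thread is about. */
static const char *SAMPLE_INPUT = "Dovahkiin 100%% ready";

/* Stand-in (hypothetical) for a game's console output routine: a thin
 * printf-style wrapper that formats into a caller-supplied buffer. */
static int console_write(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Bug pattern: untrusted text used *as* the format string, so every '%'
 * in it is parsed as a directive. Returns the formatted length. */
int echo_unsafe(char *out, size_t cap, const char *untrusted)
{
    return console_write(out, cap, untrusted);
}

/* Fix: a constant format, untrusted text passed as the "%s" argument.
 * The player's text is copied verbatim, "%%" and all. */
int echo_safe(char *out, size_t cap, const char *untrusted)
{
    return console_write(out, cap, "%s", untrusted);
}

/* Review/detection helper: does a string carry a directive other than the
 * literal "%%"? Useful when auditing strings (log lines, mod script text)
 * that will end up reaching a printf-family call. Returns 1 if so. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is just a percent sign */
        return 1;                            /* any other directive */
    }
    return 0;
}
```

      With the sample input, the unsafe path yields "Dovahkiin 100% ready" (the "%%" was consumed as a directive) while the safe path yields the text unchanged; GCC's -Wformat-security warning exists precisely to catch the unsafe call shape at compile time.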

    2. Re:Windows doesn't have the %n format specifier by Anonymous Coward · · Score: 0

      Geez, just use a programming language with a real string class (e.g. std::string) and screw this crazy libc shit.

  13. No they do not by Anonymous Coward · · Score: 0

    Throwing false claims around? Software (games included) often requires Admin to *install*. As it should. Nothing should install on my machine without requiring some form of elevated privileges.

    Games no longer require admin to run. I challenge you to come up with a single recent AAA-title that must be run under an admin account.

    Vista basically took care of that. The UAC prompt taught game developers to behave and use regular user accounts. Even if you launch Steam running as administrator, neither Steam nor titles run with administrator privileges. That's because Windows strips admin privileges from process tokens.

    Quit FUDing, please.

  14. Modded to +5 Informative because by benjymouse · · Score: 5, Informative

    It knocks both DRM and Windows in one sentence. Which is popular on slashdot.

    Facts don't matter, accuracy doesn't matter. Comments can be outright lies (like this one) and still achieve the highest ranking as *informative* just because it plays to a popular myth.

    No, games are *not* run with admin rights. No they do *not* need to run with admin privileges, not even to use DRM. Especially not the online DRM variety that steam uses.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    1. Re:Modded to +5 Informative because by Anonymous Coward · · Score: 0

      That's as untrue as saying that they "tend" to. There are games that do, and there are games that don't. Many of the console ports I've bought through Steam run for shit or not at all without admin privileges. Two I can name off the top of my head are Fable 3 and Overlord -- and "well, stop buying crappy games blah blah" is not an appropriate response.

      It doesn't help that pretty much the first thing that Steam support tells you to do, right after making sure your machine is on and Steam is installed, when troubleshooting an issue is to run the game as admin.

      Don't get me wrong: I love Steam and online distribution in general, but you're a fool if you believe it's a flawless system.

    2. Re:Modded to +5 Informative because by Anonymous Coward · · Score: 0

      BS, neither of those games need admin access. It's like the other poster said, it's most likely trying to run an installer for DX or VC, not the game itself.

  15. LOL by Anonymous Coward · · Score: 0

    BBQ?

  16. Skyrim is Steam only. by Anonymous Coward · · Score: 0

    So you'll need internet access and to connect at least on a regular basis, though almost all Steamers will be continually on.

  17. And then what happens? by Anonymous Coward · · Score: 0

    Will you change?

    No.

    Will you reconsider Steam?

    No.

    Will you complain next time someone makes a claim you don't know is false, but think (because you like steam) it is?

    Yes.

  18. SO by wisnoskij · · Score: 1

    A single-player game with extensive mod support is "hackable"; colour me surprised.

    How is this not just a bug? How can you hack a program where nothing was put in to prevent anyone from doing pretty much anything they wanted to do with it in the first place?

    --
    Troll is not a replacement for I disagree.
    1. Re:SO by julesh · · Score: 1

      +1

      It's only a vulnerability if it allows you to do something that you wouldn't normally be able to do. AFAICT, there are no security guarantees involved here that can be violated, so this is not a vulnerability. It's a bug.

  19. We've all been sloppy programmers by OrangeTide · · Score: 1

    Null pointers are great, assuming you actually write tests for code coverage. Otherwise you potentially have many of the typical C bugs lurking, not just null pointer dereference.

    I remember using sentinel structures for a linked list in Pascal, just like it was recommended in my old computer science texts. And I had a bug where I would sometimes return the sentinel and the rest of my program would happily write to it. So instead of a crash, it would silently write data and lose track of it. I don't remember how many days it took me to track that bug down.

    --
    “Common sense is not so common.” — Voltaire
    1. Re: We've all been sloppy programmers by Anonymous Coward · · Score: 0

      My mother was killed by a null pointer, you insensitive clod.

  20. Ahhh Morrowind by Anonymous Coward · · Score: 0

    Now that was a quality game...

  22. Useful? by Anonymous Coward · · Score: 0

    Scenario:
    >>You run a program e.g code on your computer
    >>You interact with said program to crash program and gain "code" execution from stack manipulation
    >>Now you run more code from within the context of your original code (skyrim)
    >>you now have code executing ability (which you already had)

    What's the point?

    What I am seeing is that local code errors are only valuable if remotely exploitable. If there was a creative mechanism by which you could trigger the debug console from a remote source, you would have already found a much more valuable vulnerability in the program.

    Maybe if you could guarantee this was running on a box with admin privileges (not sure how likely that is) and you had just exploited the box and needed some priv escalation, then you could theoretically use this vulnerability to gain admin. But like everything I have said, you need a real exploit first to do anything.
