Vulnerability Found In Skyrim, Fallout, Other Bethesda Games

← Back to Stories (view on slashdot.org)

Vulnerability Found In Skyrim, Fallout, Other Bethesda Games

Posted by Soulskill on Saturday May 11, 2013 @09:19PM from the beware-meddling-daedra dept.

An anonymous reader writes "The author of this article goes over a format string vulnerability he found in The Elder Scrolls series starting with Morrowind and going all the way up to Skyrim. It's not something that will likely be exploited, but it's interesting that the vulnerability has lasted through a decade of games. 'Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.'"

15 of 179 comments (clear)

Min score:

Reason:

Sort:

Those games crash easily by loufoque · 2013-05-11 21:37 · Score: 5, Insightful

Those games crash easily, isn't that proof enough they're full of vulnerabilities that you could exploit to run arbitrary code?
Now the question is, why does it matter? It's a game, not a production server.
1. Re:Those games crash easily by Opportunist · 2013-05-11 22:20 · Score: 4, Insightful
  
  Because a hijacked machine is a hijacked machine. It can be used to send spam, participate in a DOS or mine bitcoins. And given that it's games we're talking, and power hungry games too, it's likely that you get a machine with a very powerful GPU and CPU.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
2. Re:Those games crash easily by Anonymous Coward · 2013-05-11 22:46 · Score: 3, Insightful
  
  How would you even exploit this for hijacking? You have to inject malformed strings into a vsprintf() function that's called for console error output. Sure, load the code file, craft a string full of %x and ... call vsprintf() ??? I mean, what do you get this way that you don't by just calling into libc's function directly? And to hack the running game you need to attach as a debugger ... what privileges did your hacking process have again? If you're already at system level why bother with hacking skyrim? and if not, you're not going to get anything more than you already have. You could hack it from some mod I suppose, but that'd be like deciding to pick the lock for your own door while it's standing open.
  That said, it's really sloppy code for the console command parser. It's not like the rest of the game is doing anything at the time so you absolutely can't afford to have an input validator active in there.
Wow, some discovery by Rosco+P.+Coltrane · 2013-05-11 21:48 · Score: 5, Insightful

stdio functions often lead to stack overflows. News at ten...
What next? Null pointers are bad, m'kay...?

--
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
1. Re:Wow, some discovery by Dunbal · 2013-05-11 21:55 · Score: 5, Insightful
  
  Null pointers don't kill programs, it's sloppy programmers who kill programs.
  
  --
  Seven puppies were harmed during the making of this post.
2. Re:Wow, some discovery by Opportunist · 2013-05-11 22:27 · Score: 5, Insightful
  
  How about putting a structure you allow the user to specify the length of on the stack? Like it was done in the animated cursor in Windows (and of course exploited for an attack).
  And, unlike games, that was in an OS that has been under attack for years when this was exploited.
  Game developers usually don't consider security when they develop. If anything should be a dead giveaway, it's how DRM is implemented. I think we're going to see a lot more exploits targeting games in the future. For very obvious reasons:
  - Tend to run with admin privileges due to DRM
  - Little to no consideration for security during development
  - AAA-titles usually widely spread, leaving a big attack surface
  - Tend to be used with rather powerful machines due to requirements of the graphics engine
  And those are only the reasons that I could come up with without even thinking.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
3. Re:Wow, some discovery by Anonymous Coward · 2013-05-12 02:47 · Score: 2, Insightful
  
  But you've got to admit, null pointers do make it a hell of a lot easier to find the bug. Dangling and uninitialized pointers, those are the dangerous ones.
Re:Did we really need by liamevo · 2013-05-11 22:07 · Score: 3, Insightful

Every time something many people understand in the summary isn't explained, people complain.
Every time something many people understand in the summary is explained, people complain.
Re:Third Party Content. by Opportunist · 2013-05-11 22:35 · Score: 1, Insightful

Certainly. But that's just the tip of the ice berg.
Not every game allows modding, but a lot of them make very interesting attack vectors. Imagine WoW having an exploitable angle. Aside of the obvious target (getting access to the WoW account and stripping it), what do you think would happen if there was a way to infect machines running WoW by, say, slipping an infected version of a popular mod into one of the download areas?
And then we're really talking about some serious attack surface. Skyrim is a fairly small one, actually. Yes, it was a popular game, and it has a very active modder scene, but the amount of people modding the game is not as big as it may seem at first. While OTOH I don't know anyone playing WoW who doesn't use certain "must have" plugins.
And I'm pretty sure one could come up with more "interesting" vectors. How about infected servers for multiplayer FPS games? Do you know the servers you play CoG, CS or TF2 on well enough to know that they will be ok, in case there is a vector for your game?

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Re:Whats the purpose of this by Anonymous Coward · 2013-05-12 00:17 · Score: 1, Insightful

As much as I'd love to not use bloated junk like Steam, it's just no longer an option. Almost all newly released big games require Steam/Origin/Uplay. Even more and more indie games are exclusively released on Steam. Unfortunately they have a near-monopoly on the PC.
Re:Am I the only professional C/C++ coder ... by Lumpy · 2013-05-12 00:37 · Score: 1, Insightful

Says a whiny C# "programmer"

--
Do not look at laser with remaining good eye.
Re:Whats the purpose of this by The+MAZZTer · 2013-05-12 01:16 · Score: 5, Insightful

Steam only asks for admin when performing installation steps, as installers often require admin privileges. And this is stuff like DirectX, C++ runtimes, etc so it's understandable since that stuff goes into system32.
The game itself is not run as admin.
Re:Whats the purpose of this by Anonymous Coward · 2013-05-12 03:23 · Score: 5, Insightful

i have several games on steam that require admin rights to run
Why do you continue to play them?
Also, please name them so people can know what to avoid.
Seriously, this is shit that should have died last century.
--
BMO
He can't name them, because he's spouting BS, like most Steam-hating trolls. They're just angry that VAC noticed them being stupid hacking trolls.
Re: Whats the purpose of this by Anonymous Coward · 2013-05-12 09:38 · Score: 0, Insightful

The problem with Stream is not the bloat, but the spying.
Re:Whats the purpose of this by Anonymous Coward · 2013-05-12 10:53 · Score: 0, Insightful

Just how is Steam bloated?
I was at my friend's house earlier and he wanted to show me the new Bioshock. So he attempted to launch it but Steam insisted on updating itself. The update was a 60MB download which took 20 minutes to download and install. I'd call that bloated.