Vulnerability Found In Skyrim, Fallout, Other Bethesda Games
An anonymous reader writes "The author of this article goes over a format string vulnerability he found in The Elder Scrolls series starting with Morrowind and going all the way up to Skyrim. It's not something that will likely be exploited, but it's interesting that the vulnerability has lasted through a decade of games. 'Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.'"
Those games crash easily, isn't that proof enough they're full of vulnerabilities that you could exploit to run arbitrary code?
Now the question is, why does it matter? It's a game, not a production server.
.... who has never used the %n formatter? I'd heard of it but I had to go and google it to find out what it did because I couldn't even remember.
The only use I can see for it is for figuring out single line formatting lengths after you've printed some string, but that's pushing it a bit since surely any half decent coder would preformat a string before outputting it?
Are there any "killer app" uses for %n that anyone can think of?
getting hits. no other purpose.
"So far, the only feasible way to exploit the game I’ve come up with is by some sort of hand crafted mod or plugin for the game as that would have access to the scripting console on which the vulnerabilities lie. That said, it would be difficult to exploit in the wild also, due in part to the video games having no network capability."
don't mods or plugins already get to pretty much do whatever they want? that is, I wasn't under the impression that they're in some security sandbox.
world was created 5 seconds before this post as it is.
stdio functions often lead to stack overflows. News at ten...
What next? Null pointers are bad, m'kay...?
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
There are far simpler ways of installing malware on your machine than by going through an exploit in the game. Like, having the installer for your mod install it for you.
Seven puppies were harmed during the making of this post.
Every time something many people understand in the summary isn't explained, people complain.
Every time something many people understand in the summary is explained, people complain.
Certainly. But that's just the tip of the iceberg.
Not every game allows modding, but a lot of them make very interesting attack vectors. Imagine WoW having an exploitable angle. Aside of the obvious target (getting access to the WoW account and stripping it), what do you think would happen if there was a way to infect machines running WoW by, say, slipping an infected version of a popular mod into one of the download areas?
And then we're really talking about some serious attack surface. Skyrim is a fairly small one, actually. Yes, it was a popular game, and it has a very active modder scene, but the number of people modding the game is not as big as it may seem at first. While OTOH I don't know anyone playing WoW who doesn't use certain "must have" plugins.
And I'm pretty sure one could come up with more "interesting" vectors. How about infected servers for multiplayer FPS games? Do you know the servers you play CoG, CS or TF2 on well enough to know that they will be ok, in case there is a vector for your game?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
These games require Steam as DRM. Steam very often asks for admin privileges when starting games. With some games it's only once. With others it's every single time you start the game. It's really annoying. Plus, Steam has a background process with admin rights running. No idea how much access games have there but it's there. DRM is definitely an added security risk.
Morrowind and Oblivion don't require Steam.
Skyrim doesn't require Admin, and it happens to be the most recent of the games listed here.
In fact, I'm pretty sure this claim is total bullshit.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
"One thing I am looking forward to is the newest Elder Scrolls game by Bethesda – The Elder Scrolls Online. This online capability might just make remote exploitation of my 0day feasible. Why? If the same vulnerability that is present in Morrowind (released in 2002) is still present in Skyrim (released in 2012), the odds are in my favor that the same vulnerability will be in the latest game release."
Odds are, Zenimax, the company actually developing The Elder Scrolls Online, is using a different engine than Skyrim.
http://www.gameinformer.com/b/features/archive/2012/05/25/why-the-elder-scrolls-online-isn-39-t-using-heroengine.aspx
"We started ZeniMax Online from scratch [...]. It takes a long time to write game engines, especially MMO engines, which are inherently more complicated than typical single-player ones."
It's a direct quote from TFA*.
*"The Fucking Article"
I don't recall seeing people complain when a summary is explicit about something, only when it is not explicit.
Readers are trained to skim over information with which they are familiar. It comes from years of textbook use. It's much more frustrating when an important bit of information is left out.
You are welcome on my lawn.
As much as I'd love to not use bloated junk like Steam, it's just no longer an option. Almost all newly released big games require Steam/Origin/Uplay. Even more and more indie games are exclusively released on Steam. Unfortunately they have a near-monopoly on the PC.
Just playing the games and seeing all the glitches everywhere is an apt display of that.
Cripes, I know of several places where there are glaring, insanely glaring bugs in Skyrim. The freaking game engine has been around forever, but the same bugs exist in it through both Fallouts, and then finally Skyrim.
Do not look at laser with remaining good eye.
Well, considering how games tend to run with admin privileges on Windows because of DRM, I could well see some attack vector here.
I don't remember these games requiring that.
but my point was that you've already pretty much accepted the risk when using a mod - a mod that has potentially whatever code in it.
world was created 5 seconds before this post as it is.
"Zero day" refers to a vulnerability for which no patch exists, presumably because the vendor wasn't aware of it. It's the amount of time between when the vendor becomes aware of the vulnerability and when the black hats can start exploiting it, not the amount of time that it's existed.
See Prof Wikipedia for more details.
Just another wannabe fantasy novelist...
Steam only asks for admin when performing installation steps, as installers often require admin privileges. And this is stuff like DirectX, C++ runtimes, etc so it's understandable since that stuff goes into system32.
The game itself is not run as admin.
Just how is Steam bloated? Looking at its two processes right now, it's barely using 11MB of system RAM... The Dropbox client uses more than that and does a whole lot less... Windows Explorer uses even more than Steam. Browsers? Far more RAM usage.. That's far from bloated considering that according to Steam's monthly hardware surveys the average gaming PC is running a minimum of 4GB of RAM or more. Seriously, look at the numbers yourself: 21.85% have 4GB, 23.48% have 8GB, and 9.62% have in excess of 12GB... Soooo 10-12MB of RAM is honestly a drop in the bucket for the average PC gamer. You may want to get your facts straight before posting, but then again posting as AC is there for those who love to troll and comment inaccuracies.
The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
If you have access to a machine, you can cause it to crash. What's exactly surprising about this?
9 out of 10 AAA-titles on Windows require admin privileges due to their DRM scheme.
Bullshit.
If a game needs admin rights, it's either malware/spyware or it's poorly programmed. There is absolutely no reason a game or any non-system maintenance application should need admin. If you do have games that require it and it's not stated on the box or the download page, then I'd demand a refund.
I have several games on Steam that require admin rights to run
Why do you continue to play them?
Also, please name them so people can know what to avoid.
Seriously, this is shit that should have died last century.
--
BMO
One of those writes to stdout and one of them writes to a string, they're not really interchangeable if your aim is to display something on screen...
I think you're getting confused with the fact that using ?sprintf(), ?scanf(), etc. is discouraged in favour of using their ?sn* counterparts, due to buffer overrun possibilities, but I could be wrong. Calling printf() with an un-sanitized user supplied format string is also discouraged, because it may contain a %.
printf() is just a wrapper for vfprintf() with the FILE parameter as stdout, I believe (it is in glibc anyway).
Yeah, I had a sig once; I got bored of it.
Please give my access to your magical application store application that uses zero resources.
gog.com
He can't name them, because he's spouting BS, like most Steam-hating trolls. They're just angry that VAC noticed them being stupid hacking trolls.
I think maybe Rome Total War? I can't recall personally, but older games that write config into their folder is my assumption of the cause. Though Windows handles that somehow now, so maybe not.
The app that most surprises me is super requiring it.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
As much as I'd love to not use bloated junk like Steam...
Really? In any case, I suppose, secure institutions don't as a rule allow random software installations, especially games, so, unless you want to p0wn your friend's PC, we're probably ok here.
Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
It knocks both DRM and Windows in one sentence. Which is popular on slashdot.
Facts don't matter, accuracy doesn't matter. Comments can be outright lies (like this one) and still achieve the highest ranking as *informative* just because it plays to a popular myth.
No, games are *not* run with admin rights. No they do *not* need to run with admin privileges, not even to use DRM. Especially not the online DRM variety that steam uses.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Actually, my library consists of over 100 titles, most of them installed. The difference may be as simple as the skin you're using (I run an exceedingly minimal one) and that I keep Steam in 'Small view' instead of the full and pointless window. May want to try a few things. But even at 110MB usage, that's still minimal compared to the average gaming PC's RAM loadout of 4GB+. People complaining about memory usage of a software platform that uses less than 5% of total RAM have nothing better to do.
The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
Day 1 = day the vulnerability becomes public knowledge. .....
Day 2 = day after the vulnerability becomes public knowledge.
Day 3 = two days after the vulnerability becomes public knowledge
Day 4=
It is an important distinction, because once the vulnerability is listed on cert.org, admins can take steps to defend themselves (firewalls, removing the program, setting up honey-pots, etc). If it's a zero-day vulnerability, then no one can defend themselves and the world is wide open for you to use it.
"First they came for the slanderers and i said nothing."
I have over 1,000 games on Steam (102 installed), and it's using 72.2MB of RAM on fresh start-up. I'm using the basic skin, no customizations at all.
Yeah, but can it run Crysis?
It's clickbait, it's a sensational headline to make everyone think "ZOMFG if I have Fallout or Skyrim I could get teh viruz!" when IRL probably the most that will come of this will be some +whatever trainers.
That doesn't mean we shouldn't keep an eye on games, personally I'm waiting for it to come out some big FTP MMO has a backdoor the size of Kansas because they wanted the ability to insert ads later but this? The guy is using the console to manipulate the program...and?
ACs don't waste your time replying, your posts are never seen by me.
A single player game with extensive mod support is "hackable", colour me surprised.
How is this not just a bug? How can you hack a program where nothing was put in to prevent anyone from doing pretty much anything they wanted to do with it in the first place?
Troll is not a replacement for I disagree.
Null pointers are great, assuming you actually write tests for code coverage. Otherwise you potentially have many of the typical C bugs lurking, not just null pointer dereference.
I remember using sentinel structures for a linked list in Pascal, just like it was recommended in my old computer science texts. And I had a bug where I would sometimes return the sentinel and the rest of my program would happily write to it. So instead of a crash, it would silently write data and lose track of it. I don't remember how many days it took me to track that bug down.
“Common sense is not so common.” — Voltaire
But there's never been a requirement for the games to be rock solid so that no user can cause them to crash by using an obscure method. The requirements are to get the game out on time and make some money. Preventing crashes in the debug console that users are told they can use only at their own risk is a luxury.
Did you check the Application Store application store? I hear it has its own application now.
I don't usually say this, but FTFY. There are only three limits on the security impact of a program that passes a user-supplied format string to a .*[print|scan]f function:
1) What privileges the program runs as. If it's not sandboxed, it can probably run rampant over your user profile. If it runs as Admin/root, that's seriously bad news.
2) What privileges are required to specify that format string. If it can only be done by a local user, and the program only runs as local user, you're mostly OK (and that's the case here). If the source of the format string is external, such as a message from another user in a game, you're in serious trouble.
3) Exploit mitigations in use. The MS Visual C/C++ runtime (MSVCRT.DLL) disables the %n format specifier by default, because using %n and a reasonably long format string, you can write pretty much arbitrary values into memory (one unaligned byte at a time). DEP and ASLR help, but due to the way that printf can be used to extract pointers as well as use them, it can be used to leak info needed for bypassing ASLR.
Format string vulns are a serious threat. Fortunately, they're also dead trivial to avoid: DON'T EVER PROVIDE A USER-CONTROLLED FORMAT STRING. If for some reason it is ever absolutely necessary to do this (I can't think of a single situation fitting this bill; anybody care to fill me in?) you can ensure the string has no un-escaped % characters, but that's a terrible way to go about it.
There's no place I could be, since I've found Serenity...
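The three limits above are about where a user-controlled format string comes from and what it can reach. The C below is an added example, not code from the article or from anyone in this thread: it shows the defect in its simplest shape next to the fix the post recommends (a literal format, untrusted text only as an argument), and implements the "no un-escaped % characters" check the post mentions as a last resort. The function names are my own.

```c
#include <stdio.h>

/* Added example, not from the article or the thread: a log function that
 * hands untrusted text to printf() as the format, beside the fixed version. */

/* Vulnerable shape: msg is used as the format string, so any "%x", "%s" or
 * "%n" inside it is interpreted by printf(). Kept here only for contrast. */
int log_line_vulnerable(const char *msg)
{
    int n = printf(msg);      /* BUG: untrusted data is the format string */
    putchar('\n');
    return n;
}

/* Fixed shape: the format is a literal under the program's control and the
 * untrusted text is only ever an argument, whatever characters it contains. */
int log_line_safe(const char *msg)
{
    return printf("%s\n", msg);
}

/* Counts conversion specifications in s: every '%' that is not part of a
 * "%%" literal. A return of 0 is what "no un-escaped % characters" means;
 * anything else must not be used as a format string. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {    /* "%%" prints one '%' and consumes no argument */
            p++;
            continue;
        }
        n++;
    }
    return n;
}
```

Compilers flag the vulnerable shape already: gcc and clang warn on a non-literal format with no arguments under -Wformat-security, which is the cheapest detection available for this bug class.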
Yep. "0-day" is just security talk for "newly discovered" and tends to get a bit overused. Nonetheless, it's a useful and sometimes very interesting categorization. A lot of the famous worms of the past were not 0-days, but actually exploited vulnerabilities which had been known (and mitigated) weeks or months prior to the worm's release into the wild. People don't always patch in a manner that can even vaguely be called timely. I wish I could say they'd learned their lesson already, but I still see outdated web servers, SSH servers, database servers, etc. all the time.
There's no place I could be, since I've found Serenity...
Yep. "0-day" is just security talk for "newly discovered"
No, you are wrong. It means, "not public knowledge." The difference is crucial. I would explain it to you but I don't know how I can explain it more simply than my previous post.
"First they came for the slanderers and i said nothing."
The 110MB usage is the GUI, not the service/DRM component. The service is all that's needed to launch a game (if you've created shortcuts either on the desktop or start menu for the installed game). The services needed to run a game use around a combined 12MB. The memory usage has nothing to do with the size of your library, or the number of installed games. Personally, I've 46 games and 66 utilities in my library. I don't notice the 110MB usage on either my current gaming desktop, or my last. My last had 4GB of memory, current has 64GB. With that much memory, I've a few VMs running in the background, and I don't even notice. Without a pagefile, typical total system memory usage is under 16GB (most of that due to the VMs, which have multiple GBs allocated each). On a system consuming 16GB of RAM, 110MB is roughly 0.5% of total usage.
What spying?
Seriously, what do they spy on? There's the hardware survey, which is anonymous, and at least as I recall, opt-in. There's "recording amount of time in games", which a) isn't particularly useful information, b) isn't particularly accurate, and c) can be routed around via offline mode if it really bugs you.
Compared to even the spying Firefox does (if you opt in), that's really not much.
Right now, Steam is using 5.5MB of RAM, sitting between "Bluetooth tray" and SSHFS. DWM is using 29MB, Explorer 38MB, and Firefox 335MB (five tabs). Opening a Steam window brings it up to 23MB, still an absolutely tiny amount. Even when doing multiple simultaneous downloads, I've never seen it go over 200MB of RAM.
As for disk space, my Steam folder is currently 346GB. However, 345GB of that is the steamapps folder, which contains all game data. Everything else - executable, graphics, crash dumps, resources, cache - is a mere 787MB. Considering how many game icons that has to include (I kind of have a lot of games), that's pretty impressive.
I do have to run UT2004 as admin in order for LAN play to work. I'm not sure why. There's probably another way, that doesn't involve blanket admin access, but "run as admin" is easier.
Runs perfectly fine singleplayer without admin rights, though. And it's hardly a "recent" game (and it's not even the Steam version - CD from the Unreal Anthology). I've never encountered a game that requires admin rights just to run.
I don't recall seeing people complain when a summary is explicit about something, only when it is not explicit.
Read the subthread with anon comments. You'll find that GP is a response to someone complaining about an explanation of the function in the summary.
All applications use zero resources when they're not running. Why does Steam run constantly?
I regularly run Rome TW on Win7 as an admin-enabled user but without elevating it via UAC and it works just fine.
Not every game allows modding, but a lot of them make very interesting attack vectors. Imagine WoW having an exploitable angle. Aside of the obvious target (getting access to the WoW account and stripping it), what do you think would happen if there was a way to infect machines running WoW by, say, slipping an infected version of a popular mod into one of the download areas?
There almost is, actually. Look up what "Warden" is. The game server sends a binary blob to the client which is then loaded into the game and can communicate with the server to check for cheats.
If the modules weren't encrypted with Blizzard's private key then anyone who plays on a private server could potentially get owned. If you want to run a private server and take advantage of the system, you need to use Blizzard's modules in their already-encrypted form because it isn't possible to sign your own modules and use them with a non-modded client.
Calling printf() with an un-sanitized user supplied format string is an exploitable security vulnerability
Disagree.
It is only a security vulnerability if it allows the user to perform an action they are not authorized to perform. Just allowing them to execute code in the context of your application doesn't count, because frankly they could just open up the application's .exe file in a binary editor and inject the code they wanted to run. In order to be a vulnerability, there must be some security guarantee (or just expectation) that is violated.
Possibilities are:
1. The program runs with greater privileges than the user would normally have (e.g. setuid on a Unix system, or on a public-facing kiosk system)
2. The program accepts input from an external source, e.g. over a network connection from a user that has not been authenticated to have permission to execute code on the local system
3. The program accepts input from a source that would normally be considered a "safe" file that a user is likely to download from the Internet, e.g. document files.
If none of these 3 conditions are true, then IMO it is not a security vulnerability. It's just a different way for the user to make their application do something unexpected. Which, honestly, appears to be the case for the "exploit" presented in TFA: games don't typically run in a privileged environment that their user does not have access to, do not generally accept console commands over their network connections, and people don't usually consider game mods as safe files, because they often (or even usually) include executable content that would have access to fuck their system over if the designer wanted anyway.
DON'T EVER PROVIDE A USER-CONTROLLED FORMAT STRING. If for some reason it is ever absolutely necessary to do this (I can't think of a single situation fitting this bill; anybody care to fill me in?) you can ensure the string has no un-escaped % characters, but that's a terrible way to go about it.
Situation fitting the bill: you're writing a quick utility command-line program that is intended for local non-setuid use, and which needs to generate a sequence of files, but you need the user to be able to control the formatting of the filenames. Filenames are generated using the following approach:
for (int file = 0; [...]; file ++)
{
    char filename[MAXPATH];
    /* argv[1] is the user-supplied pattern, e.g. "output%04d.dat" */
    snprintf (filename, MAXPATH, argv[1], file);
    [...]
}
User uses the program with a command like "generatefiles output%04d.dat". Providing this kind of flexibility *without* using snprintf is rather time consuming and is not worth it for the majority of cases. Sure, the user could potentially exploit the program to make it execute whatever code they want, but they could just execute whatever code they want... it would be somewhat simpler.
Oh, and your idea of not allowing unescaped '%' characters completely negates the only point in ever doing this, so it seems a little ridiculous on the face of it.
what do you think would happen if there was a way to infect machines running WoW by, say, slipping an infected version of a popular mod into one of the download areas?
Seriously - do you think people download and install WoW mods who wouldn't run executable code from the same source? For all I know, WoW mods *are* executable code... I know they're (usually) written in Lua, which I believe is a general purpose language, and I've no idea whether there's any kind of sandbox involved. And I've never installed one, but I'm going to guess they're at least sometimes distributed either as .exe files or as .msi files, both of which are executable or can trivially contain executable code. Here's an example of an apparently popular WoW mod whose installation instructions suggest the user runs a .bat file -- how many do you think read that file first?
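The "generatefiles output%04d.dat" case above is the one legitimate-looking reason in this thread for passing a user-supplied format to snprintf, and the objection to "no unescaped %" is fair because that check would refuse the one conversion the program wants. The middle ground is to validate the pattern against exactly what the call site supplies: one int argument. The C below is an added example, not the commenter's code; is_single_int_format and make_filename are assumed names, and the accepted grammar (one %[flags][width][.precision] conversion from "diouxX", "%%" literals, nothing else) is my choice.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not from the thread. Accepts a user-chosen filename pattern
 * only if it contains exactly one conversion that matches the single int
 * argument snprintf() will be given: %[flags][width][.precision]conv, with
 * conv one of d i o u x X. "%%" is allowed as a literal percent sign.
 * Rejected: other conversions (%s %n %p ...), '*' widths (extra argument),
 * length modifiers (h, l, ...), a lone trailing '%', and 0 or 2+ conversions. */
int is_single_int_format(const char *fmt)
{
    int conversions = 0;
    const char *p = fmt;

    while (*p) {
        if (*p != '%') {
            p++;
            continue;
        }
        p++;                                      /* skip the '%' */
        if (*p == '%') {                          /* "%%" literal */
            p++;
            continue;
        }
        while (*p && strchr("-+ #0", *p))         /* flags */
            p++;
        while (isdigit((unsigned char)*p))        /* width */
            p++;
        if (*p == '.') {                          /* precision */
            p++;
            while (isdigit((unsigned char)*p))
                p++;
        }
        if (!*p || !strchr("diouxX", *p))         /* missing or wrong conv */
            return 0;
        p++;
        conversions++;
    }
    return conversions == 1;
}

/* Builds the name for file number `index` from a validated pattern.
 * Returns the length written, or -1 if the pattern is rejected or the
 * result would not fit in out[outsz]. */
int make_filename(char *out, size_t outsz, const char *pattern, int index)
{
    if (!is_single_int_format(pattern))
        return -1;
    int len = snprintf(out, outsz, pattern, index);   /* one int, as validated */
    if (len < 0 || (size_t)len >= outsz)
        return -1;
    return len;
}
```

The validator rejects "%s", "%n" and "%p" outright, "%*d" because the star would consume a second argument, and "%ld" because a length modifier changes the argument type the call site passes; a pattern with no conversion at all is also rejected, since every generated file would get the same name.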
Yep. "0-day" is just security talk for "newly discovered"
No, you are wrong. It means, "not public knowledge." The difference is crucial. I would explain it to you but I don't know how I can explain it more simply than my previous post.
All vulnerabilities are not public knowledge when they are newly discovered. You're drawing distinctions that don't make a difference.
You're drawing distinctions that don't make a difference.
Read the above posts for an explanation of why it is a distinction that matters.
Reading the thread that you are replying to, before replying, is a good way to make yourself look less ignorant.
"First they came for the slanderers and i said nothing."
Let's zoom out, mmkay? The game is incredibly vast, and that the engine can handle it (and your saves are not 800mb each) is something that deserves a little respect.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Some games do in fact request Administrator rights when run from Steam on every launch. Typically, this is a consequence of a bugged launch condition check that fails to accurately detect that needed libraries are often installed; choosing not to authenticate will still allow those games to run properly, and workarounds exist to eliminate the incorrect detection entirely.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
"Anonymous coward" or not, you sir/madame have just done the internet a great service. More GoG is always good, even Time magazine thinks so! Proof: http://techland.time.com/2013/05/06/50-best-websites-2013/slide/gog-com/
In which way does a website not use any resources? Oh wait, you are using the magical resource free web browser!!! Sorry I forgot...
So you have some new storage technology that doesn't require resources, what's the price per GiB for that one?
And what is this constantly running thing? I have Steam installed on my box but:
fultra@ubuntu:~$ sudo ps ax | grep -i steam
9003 pts/0 S+ 0:00 grep --color=auto -i steam
fultra@ubuntu:~$
Or do you mean that it runs when you ask it to by double clicking it and then quits completely when you click in File->Exit?
What's wrong with Steam? I don't see it as bloated at all. Actually, I enjoy the format much better than individual installers and updaters.
OK, I was just guessing, not OP.
The main app I can think of that wants admin for what I assume is shadiness is Super, but that's not Steam. I'm pretty sure an old Steam game I purchased asks, but I wouldn't bet on it.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg