Slashdot Mirror


Vulnerability Found In Skyrim, Fallout, Other Bethesda Games

An anonymous reader writes "The author of this article goes over a format string vulnerability he found in The Elder Scrolls series starting with Morrowind and going all the way up to Skyrim. It's not something that will likely be exploited, but it's interesting that the vulnerability has lasted through a decade of games. 'Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.'"

34 of 179 comments

  1. Those games crash easily by loufoque · · Score: 5, Insightful

    Those games crash easily, isn't that proof enough they're full of vulnerabilities that you could exploit to run arbitrary code?
    Now the question is, why does it matter? It's a game, not a production server.

    1. Re:Those games crash easily by Opportunist · · Score: 4, Insightful

      Because a hijacked machine is a hijacked machine. It can be used to send spam, participate in a DoS or mine bitcoins. And given that it's games we're talking, and power hungry games too, it's likely that you get a machine with a very powerful GPU and CPU.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Those games crash easily by Anonymous Coward · · Score: 3, Insightful

      How would you even exploit this for hijacking? You have to inject malformed strings into a vsprintf() function that's called for console error output. Sure, load the code file, craft a string full of %x and ... call vsprintf() ??? I mean, what do you get this way that you don't by just calling into libc's function directly? And to hack the running game you need to attach as a debugger ... what privileges did your hacking process have again? If you're already at system level why bother with hacking Skyrim? And if not, you're not going to get anything more than you already have. You could hack it from some mod I suppose, but that'd be like deciding to pick the lock for your own door while it's standing open.

      That said, it's really sloppy code for the console command parser. It's not like the rest of the game is doing anything at the time so you absolutely can't afford to have an input validator active in there.

    3. Re:Those games crash easily by phantomfive · · Score: 3, Informative

      I love it how you include "mine bitcoins" in your list of online criminal activities.

      Because botnets have been observed in the wild mining bitcoins. That is something we know they are used for.

      --
      "First they came for the slanderers and i said nothing."
  2. Am I the only professional C/C++ coder ... by Viol8 · · Score: 2

    .... who has never used the %n formatter? I'd heard of it but I had to go and google it to find out what it did because I couldn't even remember.

    The only use I can see for it is for figuring out single line formatting lengths after you've printed some string, but that's pushing it a bit since surely any half decent coder would preformat a string before outputting it?

    Are there any "killer app" uses for %n that anyone can think of?

    1. Re:Am I the only professional C/C++ coder ... by garutnivore · · Score: 2

      Are there any "killer app" uses for %n that anyone can think of?

      According to the summary, with %n you can write a killer app that kills other apps:

      "Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack."

    2. Re:Am I the only professional C/C++ coder ... by Impy+the+Impiuos+Imp · · Score: 3, Informative

      Actually it's for use further down the road in the same printf string, IIRC. You %n something, then use the value in some later argument, not in a completely different printf. Indeed, the purpose is to keep you from needing multiple printfs when output depends on dynamic calculation of lengths of what went before on the same line.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    3. Re:Am I the only professional C/C++ coder ... by _Shad0w_ · · Score: 4, Informative

      Some of us C# programmers started life as C programmers, became C++ programmers at some point, and have now ended up as C# ones. You go where the money is; that's what being a professional is: doing something for money.

      --
      Yeah, I had a sig once; I got bored of it.

    4. Re: Am I the only professional C/C++ coder ... by donscarletti · · Score: 5, Interesting

      The reason C++ does not implement format strings is that C libraries work just fine in it.

      There are no prizes for most pure usage of <iostream> or any rule saying C++ programmers must use it at all, it is simply a nifty library that exists that you may use when it suits you. If the code you're writing will be simpler, faster and/or more comprehensible to later maintainers if you use <cstdio>, then you should use it. If it can be written better with <iostream> then use that.

      If you get a chance to do some hardcore IO in C++, you will find two functions at the core of your code: select (or epoll on Linux) and mmap. Neither is in either of those two headers and both work on integer file descriptors, rather than FILE or ostream/istream objects. They are about as un-C++ as you can get, they are kernel syscalls, but you can build some truly excellent C++ around them which looks simple, does a lot and runs more efficiently than <fstream> allows.

      C++ is not about purity. Bjarne Stroustrup designed it to allow multiple unrelated paradigms to be used together to allow programmers maximum efficiency and flexibility to write great code; it was never meant to be deconstructivist. Good C++ is not just knowing when to pass by reference, what to declare const, which members to make pure virtual, which STL type to use, which functions and classes should be templates and which shouldn't, etc. Good C++ is also knowing when to use stringstream and when to use snprintf. And good friend malloc is still there, believe it or not; great C++ programmers know how to use it well in C++ too.

      --
      When Argumentum ad Hominem falls short, try Argumentum ad Matrem
  3. Re:Whats the purpose of this by gl4ss · · Score: 4, Informative

    getting hits. no other purpose.

    "So far, the only feasible way to exploit the game I’ve come up with is by some sort of hand crafted mod or plugin for the game as that would have access to the scripting console on which the vulnerabilities lie. That said, it would be difficult to exploit in the wild also due in part to the video games having no network capability."

    don't mods or plugins already get to pretty much do whatever they want? that is, I wasn't under the impression that they're in some security sandbox.

    --
    world was created 5 seconds before this post as it is.
  4. Wow, some discovery by Rosco+P.+Coltrane · · Score: 5, Insightful

    stdio functions often lead to stack overflows. News at ten...
    What next? Null pointers are bad, m'kay...?

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Wow, some discovery by Dunbal · · Score: 5, Insightful

      Null pointers don't kill programs, it's sloppy programmers who kill programs.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Wow, some discovery by Opportunist · · Score: 5, Insightful

      How about putting a structure you allow the user to specify the length of on the stack? Like it was done in the animated cursor in Windows (and of course exploited for an attack).

      And, unlike games, that was in an OS that has been under attack for years when this was exploited.

      Game developers usually don't consider security when they develop. If anything should be a dead giveaway, it's how DRM is implemented. I think we're going to see a lot more exploits targeting games in the future. For very obvious reasons:

      - Tend to run with admin privileges due to DRM
      - Little to no consideration for security during development
      - AAA-titles usually widely spread, leaving a big attack surface
      - Tend to be used with rather powerful machines due to requirements of the graphics engine

      And those are only the reasons that I could come up with without even thinking.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Wow, some discovery by Anonymous Coward · · Score: 2, Insightful

      But you've got to admit, null pointers do make it a hell of a lot easier to find the bug. Dangling and uninitialized pointers, those are the dangerous ones.

  5. Re:Did we really need by liamevo · · Score: 3, Insightful

    Every time something many people understand in the summary isn't explained, people complain.
    Every time something many people understand in the summary is explained, people complain.

  6. Re:So? by Tridus · · Score: 4, Informative

    Skyrim doesn't require Admin, and it happens to be the most recent of the games listed here.

    In fact, I'm pretty sure this claim is total bullshit.

    --
    "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  7. Elder Scrolls online is not coded by Bethesda by maweki · · Score: 2

    "One thing I am looking forward to is the newest Elder Scrolls game by Bethesda – The Elder Scrolls Online. This online capability might just make remote exploitation of my 0day feasible. Why? If the same vulnerability is present in Morrowind released in 2002 is still present in Skyrim (released 2012), the odds are in my favor that the same vulnerability will be in the latest game release."
    Odds are, Zenimax, the company actually developing The Elder Scrolls Online, is using a different engine than Skyrim.

    http://www.gameinformer.com/b/features/archive/2012/05/25/why-the-elder-scrolls-online-isn-39-t-using-heroengine.aspx
    "We started ZeniMax Online from scratch [...]. It takes a long time to write game engines, especially MMO engines, which are inherently more complicated than typical single-player ones."

    1. Re:Elder Scrolls online is not coded by Bethesda by maweki · · Score: 3, Informative

      No. The link I posted explains that they licensed the HeroEngine but will not use it.
      "We started ZeniMax Online from scratch, with no employees and no technology. We had to build everything ourselves. It takes a long time to write game engines, especially MMO engines, which are inherently more complicated than typical single-player ones. So, we decided to license the HeroEngine to give us a headstart. It was a useful tool for us to use to prototype areas and game design concepts, and it provided us the ability to get art into the game that was visible, so we could work on the game’s art style."
      http://www.gameinformer.com/b/features/archive/2012/05/25/why-the-elder-scrolls-online-isn-39-t-using-heroengine.aspx
      Or as the title of the article says: "Why The Elder Scrolls Online Isn't Using HeroEngine"

  8. Re:So? by Lumpy · · Score: 2

    Just playing the games and seeing all the glitches everywhere is an apt display of that.

    Cripes, I know of several places where there are glaring, insane glaring bugs in Skyrim. The freaking game engine has been around forever but the same bugs exist in it through both Fallouts, and then finally Skyrim.

    --
    Do not look at laser with remaining good eye.
  9. Re:Why does he keep calling it an 0day? by Pembers · · Score: 3, Informative

    "Zero day" refers to a vulnerability for which no patch exists, presumably because the vendor wasn't aware of it. It's the amount of time between when the vendor becomes aware of the vulnerability and when the black hats can start exploiting it, not the amount of time that it's existed.

    See Prof Wikipedia for more details.

  10. Re:Whats the purpose of this by The+MAZZTer · · Score: 5, Insightful

    Steam only asks for admin when performing installation steps, as installers often require admin privileges. And this is stuff like DirectX, C++ runtimes, etc so it's understandable since that stuff goes into system32.

    The game itself is not run as admin.

  11. Re:Whats the purpose of this by Sable+Drakon · · Score: 5, Informative

    Just how is Steam bloated? Looking at its two processes right now, it's barely using 11MB of system RAM... The Dropbox client uses more than that and does a whole lot less... Windows Explorer uses even more than Steam. Browsers? Far more RAM usage.. That's far from bloated considering, according to Steam's monthly hardware surveys, the average gaming PC is running a minimum of 4GB of RAM or more. Seriously, look at the numbers yourself: 21.85% have 4GB, 23.48% have 8GB, and 9.62% have in excess of 12GB... Soooo 10-12MB of RAM is honestly a drop in the bucket for the average PC gamer. You may want to get your facts straight before posting, but then again posting as AC is there for those who love to troll and comment inaccuracies.

    --
    The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
  12. Re:Whats the purpose of this by F.Ultra · · Score: 4

    Please give me access to your magical application store application that uses zero resources.

  13. Re:Whats the purpose of this by Anonymous Coward · · Score: 3, Informative
  14. Re:Whats the purpose of this by Anonymous Coward · · Score: 5, Insightful

    I have several games on steam that require admin rights to run

    Why do you continue to play them?

    Also, please name them so people can know what to avoid.

    Seriously, this is shit that should have died last century.

    --
    BMO

    He can't name them, because he's spouting BS, like most Steam-hating trolls. They're just angry that VAC noticed them being stupid hacking trolls.

  15. Modded to +5 Informative because by benjymouse · · Score: 5, Informative

    It knocks both DRM and Windows in one sentence. Which is popular on slashdot.

    Facts don't matter, accuracy doesn't matter. Comments can be outright lies (like this one) and still achieve the highest ranking as *informative* just because it plays to a popular myth.

    No, games are *not* run with admin rights. No, they do *not* need to run with admin privileges, not even to use DRM. Especially not the online DRM variety that Steam uses.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  16. Re:Whats the purpose of this by Sable+Drakon · · Score: 2

    Actually, my library consists of over 100 titles, most of them installed. The difference may be as simple as the skin you're using (I run an exceedingly minimal one) and that I keep Steam in 'Small view' instead of the full and pointless window. May want to try a few things. But even at 110MB usage, that's still minimal compared to the average gaming PC's RAM loadout of 4GB+. People complaining about memory usage of a software platform that uses less than 5% of total RAM have nothing better to do.

    --
    The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
  17. Re:Why does he keep calling it an 0day? by phantomfive · · Score: 4, Informative

    Day 1 = day the vulnerability becomes public knowledge.
    Day 2 = day after the vulnerability becomes public knowledge.
    Day 3 = two days after the vulnerability becomes public knowledge
    Day 4 = .....

    It is an important distinction, because once the vulnerability is listed on cert.org, admins can take steps to defend themselves (firewalls, removing the program, setting up honey-pots, etc). If it's a zero-day vulnerability, then no one can defend themselves and the world is wide open for you to use it.

    --
    "First they came for the slanderers and i said nothing."
  18. Re: Whats the purpose of this by x1n933k · · Score: 3, Funny

    Yeah, but can it run Crysis?

  19. Re:Did we really need by cbhacking · · Score: 3, Informative

    Calling printf() with an un-sanitized user supplied format string is an exploitable security vulnerability

    I don't usually say this, but FTFY. There are only three limits on the security impact of a program that passes a user-supplied format string to a .*[print|scan]f function:
    1) What privileges the program runs as. If it's not sandboxed, it can probably run rampant over your user profile. If it runs as Admin/root, that's seriously bad news.
    2) What privileges are required to specify that format string. If it can only be done by a local user, and the program only runs as local user, you're mostly OK (and that's the case here). If the source of the format string is external, such as a message from another user in a game, you're in serious trouble.
    3) Exploit mitigations in use. The MS Visual C/C++ runtime (MSVCRT.DLL) disables the %n format specifier by default, because using %n and a reasonably long format string, you can write pretty much arbitrary values into memory (one unaligned byte at a time). DEP and ASLR help, but due to the way that printf can be used to extract pointers as well as use them, it can be used to leak info needed for bypassing ASLR.

    Format string vulns are a serious threat. Fortunately, they're also dead trivial to avoid: DON'T EVER PROVIDE A USER-CONTROLLED FORMAT STRING. If for some reason it is ever absolutely necessary to do this (I can't think of a single situation fitting this bill; anybody care to fill me in?) you can ensure the string has no un-escaped % characters, but that's a terrible way to go about it.

    --
    There's no place I could be, since I've found Serenity...
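    An added example, not from the linked article, the games discussed, or any commenter: it shows the bug pattern the summary describes (user text reaching a vsprintf()-style logger as the format argument) next to cbhacking's fix (a constant format, user text as data only), plus the "no un-escaped %" check he mentions as the fallback. The logger, function names and the console input are constructed for this example.

    ```c
    #include <stdarg.h>
    #include <stdio.h>
    #include <string.h>

    /* Constructed console logger in the shape the article describes: a thin
       wrapper over vsnprintf(), so whatever arrives as fmt is parsed for
       %-directives. Adding __attribute__((format(printf, 3, 4))) here lets
       GCC/Clang's -Wformat-security flag the vulnerable caller below. */
    void console_log(char *out, size_t cap, const char *fmt, ...)
    {
        va_list ap;
        va_start(ap, fmt);
        vsnprintf(out, cap, fmt, ap);
        va_end(ap);
    }

    /* BUG: the text typed into the console *is* the format string. "%08x.%08x"
       would pull arguments that were never passed (undefined behaviour) and
       "%n" would write to memory, exactly the classes the summary lists. */
    void log_error_vulnerable(char *out, size_t cap, const char *user_text)
    {
        console_log(out, cap, user_text);
    }

    /* Fix: a constant format; the user's text can only ever be data. */
    void log_error_fixed(char *out, size_t cap, const char *user_text)
    {
        console_log(out, cap, "console error: %s", user_text);
    }

    /* The fallback cbhacking calls a terrible way to go about it: accept a
       string as a format only if every '%' is escaped as "%%". Returns 1 when
       an unescaped directive is present, 0 when the string is plain text. */
    int has_unescaped_percent(const char *s)
    {
        for (const char *p = s; *p; p++) {
            if (*p != '%')
                continue;
            if (p[1] == '%') {      /* "%%" is a literal percent sign */
                p++;
                continue;
            }
            return 1;               /* any other directive (or a lone '%') */
        }
        return 0;
    }

    int main(void)
    {
        char buf[128];
        const char *typed = "50%% done";   /* constructed sample console input */

        /* Same input, two outcomes: the vulnerable path consumes the "%%"
           because it parses the text as a format; the fixed path keeps it. */
        log_error_vulnerable(buf, sizeof buf, typed);
        printf("vulnerable: %s\n", buf);   /* 50% done */
        log_error_fixed(buf, sizeof buf, typed);
        printf("fixed:      %s\n", buf);   /* console error: 50%% done */
        return 0;
    }
    ```

    The benign "%%" input is enough to show the confusion of data with format; the same path with "%x" or "%n" is undefined behaviour, which is why the constant-format version is the only real fix.
    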
  20. Re:Why does he keep calling it an 0day? by phantomfive · · Score: 2

    Yep. "0-day" is just security talk for "newly discovered"

    No, you are wrong. It means, "not public knowledge." The difference is crucial. I would explain it to you but I don't know how I can explain it more simply than my previous post.

    --
    "First they came for the slanderers and i said nothing."
  21. Re: Whats the purpose of this by gman003 · · Score: 3, Informative

    What spying?

    Seriously, what do they spy on? There's the hardware survey, which is anonymous, and at least as I recall, opt-in. There's "recording amount of time in games", which a) isn't particularly useful information, b) isn't particularly accurate, and c) can be routed around via offline mode if it really bugs you.

    Compared to even the spying Firefox does (if you opt in), that's really not much.

  22. Re:Whats the purpose of this by gman003 · · Score: 2

    I do have to run UT2004 as admin in order for LAN play to work. I'm not sure why. There's probably another way, that doesn't involve blanket admin access, but "run as admin" is easier.

    Runs perfectly fine singleplayer without admin rights, though. And it's hardly a "recent" game (and it's not even the Steam version - CD from the Unreal Anthology). I've never encountered a game that requires admin rights just to run.

  23. Re:Whats the purpose of this by Dimensio · · Score: 3, Informative

    Some games do in fact request Administrator rights when run from Steam on every launch. Typically, this is a consequence of a bugged launch condition check that fails to accurately detect that needed libraries are often installed; choosing not to authenticate will still allow those games to run properly, and workarounds exist to eliminate the incorrect detection entirely.