Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vulnerability Found In Skyrim, Fallout, Other Bethesda Games

Posted by Soulskill on from the beware-meddling-daedra dept.

An anonymous reader writes "The author of this article goes over a format string vulnerability he found in The Elder Scrolls series starting with Morrowind and going all the way up to Skyrim. It's not something that will likely be exploited, but it's interesting that the vulnerability has lasted through a decade of games. 'Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.'"

15 of 179 comments (clear)

  1. Those games crash easily by loufoque · · Score: 5, Insightful

    Those games crash easily, isn't that proof enough they're full of vulnerabilities that you could exploit to run arbitrary code?
    Now the question is, why does it matter? It's a game, not a production server.

    1. Re:Those games crash easily by Opportunist · · Score: 4, Insightful

      Because a hijacked machine is a hijacked machine. It can be used to send spam, participate in a DOS or mine bitcoins. And given that it's games we're talking, and power hungry games too, it's likely that you get a machine with a very powerful GPU and CPU.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Re:Whats the purpose of this by gl4ss · · Score: 4, Informative

    getting hits. no other purpose.

    "So far, the only feasible way to exploit the game I’ve come up with is by some sort of hand crafted mod or plugin for the game as that would have access to the scripting console on which the vulnerabilities lie. That said, it would be difficult to exploit in the wild also do in part to the video games having no network capability."

    don't mods or plugins already get to pretty much do whatever they want? that is, I wasn't under the impression that they're in some security sandbox.

    --
    world was created 5 seconds before this post as it is.
  3. Wow, some discovery by Rosco+P.+Coltrane · · Score: 5, Insightful

    stdio functions often lead to stack overflows. News at ten...
    What next? Null pointers are bad, m'kay...?

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Wow, some discovery by Dunbal · · Score: 5, Insightful

      Null pointers don't kill programs, it's sloppy programmers who kill programs.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Wow, some discovery by Opportunist · · Score: 5, Insightful

      How about putting a structure you allow the user to specify the length of on the stack? Like it was done in the animated cursor in Windows (and of course exploited for an attack).

      And, unlike games, that was in an OS that has been under attack for years when this was exploited.

      Game developers usually don't consider security when they develop. If anything should be a dead giveaway, it's how DRM is implemented. I think we're going to see a lot more exploits targeting games in the future. For very obvious reasons:

      - Tend to run with admin privileges due to DRM
      - Little to no consideration for security during development
      - AAA-titles usually widely spread, leaving a big attack surface
      - Tend to be used with rather powerful machines due to requirements of the graphics engine

      And those are only the reasons that I could come up with without even thinking.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:So? by Tridus · · Score: 4, Informative

    Skyrim doesn't require Admin, and it happens to be the most recent of the games listed here.

    In fact, I'm pretty sure this claim is total bullshit.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  5. Re:Whats the purpose of this by The+MAZZTer · · Score: 5, Insightful

    Steam only asks for admin when performing installation steps, as installers often require admin privileges. And this is stuff like DirectX, C++ runtimes, etc so it's understandable since that stuff goes into system32.

    The game itself is not run as admin.

  6. Re:Whats the purpose of this by Sable+Drakon · · Score: 5, Informative

    Just how is Steam bloated? Looking at it's two processes right now, it's barely using 11MB of system RAM... The Dropbox client uses more than that and does a whole lot less... Windows Explorer uses even more than Steam. Browsers? Far more RAM usage.. That's far from bloated considering according to Steam's monthly hardware surveys where the average gaming PC is running a minimum of 4GB or ram or more. Seriously, look at the numbers yourself: 21.85% have 4GB, 23.48% have 8GB, and 9.62% have in excess of 12GB... Soooo 10-12MB of RAM is honestly a drop in the bucket for the average PC gamer. You may want to get your facts straight before posting, but then again posting as AC is there for those who love to troll and comment inaccruacies.

    --
    The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
  7. Re:Am I the only professional C/C++ coder ... by _Shad0w_ · · Score: 4, Informative

    Some of us C# programmers started life as C programmers, became C++ programmers at some point, and have now ended up as C# ones. You go where the money is; that's what being a professional is: doing something for money.

    --

    Yeah, I had a sig once; I got bored of it.

  8. Re:Whats the purpose of this by F.Ultra · · Score: 4

    Please give my access to your magical application store application that uses zero resources.

  9. Re:Whats the purpose of this by Anonymous Coward · · Score: 5, Insightful

    i have several games on steam that require admin rights to run

    Why do you continue to play them?

    Also, please name them so people can know what to avoid.

    Seriously, this is shit that should have died last century.

    --
    BMO

    He can't name them, because he's spouting BS, like most Steam-hating trolls. They're just angry that VAC noticed them being stupid hacking trolls.

  10. Modded to +5 Informative because by benjymouse · · Score: 5, Informative

    It knocks both DRM and Windows in one sentence. Which is popular on slashdot.

    Facts don't matter, accuracy doesn't matter. Comments can be outright lies (like this one) and still achieve the highest ranking as *informative* just because it plays to a popular myth.

    No, games are *not* run with admin rights. No they do *not* need to run with admin privileges, not even to use DRM. Especially not the online DRM variety that steam uses.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  11. Re:Why does he keep calling it an 0day? by phantomfive · · Score: 4, Informative

    Day 1 = day the vulnerability becomes public knowledge.
    Day 2 = day after the vulnerability becomes public knowledge.
    Day 3 = two days after the vulnerability becomes public knowledge
    Day 4= .....

    It is an important distinction, because once the vulnerability is listed on cert.org, admins can take steps to defend themselves (firewalls, removing the program, setting up honey-pots, etc). If it's a zero-day vulnerability, then no one can defend themselves and the world is wide open for you to use it.

    --
    "First they came for the slanderers and i said nothing."
  12. Re: Am I the only professional C/C++ coder ... by donscarletti · · Score: 5, Interesting

    The reason C++ does not implement format strings is that C libraries work just fine in it.

    There are no prizes for most pure usage of <iostream> or any rule saying C++ programmers must use it at all, it is simply a nifty library that exists that you may use when it suits you. If the code you're writing will be simpler, faster and or more comprehensible to later maintainers if you use <cstdio>, then you should use it. If it can be written better with <iostream> then use that.

    If you get a chance to do some hardcore IO in C++, you will find two functions at the core of your code: select (or epoll on Linux) and mmap. Neither are in either of those two headers and both work on integer file descriptors, rather than FILE or ostream/istream objects. They are about as un-c++ as you can get, they are kernel syscalls, but you can build some truly excellent C++ around them which looks simple, does a lot and runs more efficiently than <fstream> allows.

    C++ is not about purity, Bjarne Stroustrup designed it to allow multiple unrelated paradigms to be used together to allow programmers maximum efficiency and flexibility to write great code, it was never meant to be deconstructivist. Good C++ is not just knowing when to pass by reference, what to declare const, which members to make pure virtual, which STL type to use, which functions and classes should be templates and which shouldn't, etc. Good C++ is also knowing when to use stringstream and when to use strnprintf. And good friend malloc is still there, believe it or not, great C++ programmers know how to use it well in C++ too.

    --
    When Argumentum ad Hominem falls short, try Argumentum ad Matrem