Slashdot Mirror


Vulnerability Found In Skyrim, Fallout, Other Bethesda Games

An anonymous reader writes "The author of this article goes over a format string vulnerability he found in The Elder Scrolls series starting with Morrowind and going all the way up to Skyrim. It's not something that will likely be exploited, but it's interesting that the vulnerability has lasted through a decade of games. 'Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.'"
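To make the summary's point concrete from the defender's side, here is an added C example (not code from the article, from Bethesda's games, or from any of the commenters) showing the difference between passing untrusted text as the format string and passing it as an argument to a fixed format. The helper `count_format_directives` and the function `log_message_safe` are hypothetical names chosen for this illustration; the sample inputs are constructed.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: counts the '%' conversion directives in a string.
 * "%%" is a literal percent sign and is not counted. A non-zero result on
 * text that came from the user (a save-game name, a console command, a
 * chat line) is exactly the condition the article describes: if that text
 * ever reaches printf() as the FORMAT, each directive reads from, and
 * with %n writes to, memory the program never meant to expose. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" prints a literal '%' */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened logging: untrusted text is always an ARGUMENT to a constant
 * format, never the format itself, so "%08x" or "%n" in the input is
 * copied literally. Returns the snprintf() result (bytes that would have
 * been written, excluding the terminator), or a negative value on error.
 *
 * The vulnerable pattern the article describes would be:
 *     snprintf(out, out_len, untrusted);
 * Modern compilers flag that form with -Wformat-security; the fix below
 * is the constant format string. */
int log_message_safe(char *out, size_t out_len, const char *untrusted)
{
    return snprintf(out, out_len, "[game] %s", untrusted);
}

int main(void)
{
    /* Constructed sample input, the same shape as the article's %08x chain. */
    const char *input = "%08x.%08x.%08x.%08x.%08x";
    char line[128];

    printf("directives in input: %zu\n", count_format_directives(input));
    log_message_safe(line, sizeof line, input);
    printf("logged literally: %s\n", line);
    return 0;
}
```

In a code base like the one the article discusses, the check is cheap to wire into a debug build: any user-supplied string that is about to become a format argument should report zero directives, and anything else indicates a call site that needs the `"%s"` fix rather than a filter on the input.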

9 of 179 comments

  1. Those games crash easily by loufoque · · Score: 5, Insightful

    Those games crash easily, isn't that proof enough they're full of vulnerabilities that you could exploit to run arbitrary code?
    Now the question is, why does it matter? It's a game, not a production server.

  2. Wow, some discovery by Rosco+P.+Coltrane · · Score: 5, Insightful

    stdio functions often lead to stack overflows. News at ten...
    What next? Null pointers are bad, m'kay...?

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Wow, some discovery by Dunbal · · Score: 5, Insightful

      Null pointers don't kill programs, it's sloppy programmers who kill programs.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Wow, some discovery by Opportunist · · Score: 5, Insightful

      How about putting a structure you allow the user to specify the length of on the stack? Like it was done in the animated cursor in Windows (and of course exploited for an attack).

      And, unlike games, that was in an OS that has been under attack for years when this was exploited.

      Game developers usually don't consider security when they develop. If anything should be a dead giveaway, it's how DRM is implemented. I think we're going to see a lot more exploits targeting games in the future. For very obvious reasons:

      - Tend to run with admin privileges due to DRM
      - Little to no consideration for security during development
      - AAA-titles usually widely spread, leaving a big attack surface
      - Tend to be used with rather powerful machines due to requirements of the graphics engine

      And those are only the reasons that I could come up with without even thinking.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Re:What's the purpose of this by The+MAZZTer · · Score: 5, Insightful

    Steam only asks for admin when performing installation steps, as installers often require admin privileges. And this is stuff like DirectX, C++ runtimes, etc so it's understandable since that stuff goes into system32.

    The game itself is not run as admin.

  4. Re:What's the purpose of this by Sable+Drakon · · Score: 5, Informative

    Just how is Steam bloated? Looking at its two processes right now, it's barely using 11MB of system RAM... The Dropbox client uses more than that and does a whole lot less... Windows Explorer uses even more than Steam. Browsers? Far more RAM usage.. That's far from bloated considering that, according to Steam's monthly hardware surveys, the average gaming PC is running a minimum of 4GB of RAM or more. Seriously, look at the numbers yourself: 21.85% have 4GB, 23.48% have 8GB, and 9.62% have in excess of 12GB... Soooo 10-12MB of RAM is honestly a drop in the bucket for the average PC gamer. You may want to get your facts straight before posting, but then again posting as AC is there for those who love to troll and comment inaccuracies.

    --
    The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
  5. Re:What's the purpose of this by Anonymous Coward · · Score: 5, Insightful

    I have several games on steam that require admin rights to run

    Why do you continue to play them?

    Also, please name them so people can know what to avoid.

    Seriously, this is shit that should have died last century.

    --
    BMO

    He can't name them, because he's spouting BS, like most Steam-hating trolls. They're just angry that VAC noticed them being stupid hacking trolls.

  6. Modded to +5 Informative because by benjymouse · · Score: 5, Informative

    It knocks both DRM and Windows in one sentence. Which is popular on slashdot.

    Facts don't matter, accuracy doesn't matter. Comments can be outright lies (like this one) and still achieve the highest ranking as *informative* just because it plays to a popular myth.

    No, games are *not* run with admin rights. No, they do *not* need to run with admin privileges, not even to use DRM. Especially not the online DRM variety that Steam uses.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  7. Re: Am I the only professional C/C++ coder ... by donscarletti · · Score: 5, Interesting

    The reason C++ does not implement format strings is that C libraries work just fine in it.

    There are no prizes for most pure usage of <iostream> or any rule saying C++ programmers must use it at all; it is simply a nifty library that exists that you may use when it suits you. If the code you're writing will be simpler, faster and/or more comprehensible to later maintainers if you use <cstdio>, then you should use it. If it can be written better with <iostream> then use that.

    If you get a chance to do some hardcore IO in C++, you will find two functions at the core of your code: select (or epoll on Linux) and mmap. Neither is in either of those two headers, and both work on integer file descriptors rather than FILE or ostream/istream objects. They are about as un-C++ as you can get, they are kernel syscalls, but you can build some truly excellent C++ around them which looks simple, does a lot and runs more efficiently than <fstream> allows.

    C++ is not about purity. Bjarne Stroustrup designed it to allow multiple unrelated paradigms to be used together, to allow programmers maximum efficiency and flexibility to write great code; it was never meant to be deconstructivist. Good C++ is not just knowing when to pass by reference, what to declare const, which members to make pure virtual, which STL type to use, which functions and classes should be templates and which shouldn't, etc. Good C++ is also knowing when to use stringstream and when to use strnprintf. And good friend malloc is still there, believe it or not; great C++ programmers know how to use it well in C++ too.

    --
    When Argumentum ad Hominem falls short, try Argumentum ad Matrem