Zero-day vulnerabilities in first-person shooter game engines allow attackers to pwn your PC

Are you are gamer? If the answer is also “yes” to playing first-person shooters, then listen up. “Thousands of potential attack vectors” in game engines, open the way to “millions of potential targets” aka players, explained ReVuln Security researchers Luigi Auriemma and Donato Ferrante. At NoSuchCon, they presented “Exploiting Game Engines For Fun & Profit” [pdf]. The researchers found zero-day vulnerabilities to exploit game engines such as CryEngine 3, Unreal Engine 3, id Tech 4 and Hydrogen Engine.

0-day vulnerabilities in FPS game engines allow attackers to pwn your PC, Counter Strike screenshot

These vulnerabilities were not previously disclosed before the presentation at NoSuchCon, meaning there are no current patches for protection. ReVuln doesn’t report security holes to affected vendors; instead the company “sells the newly discovered vulnerabilities to third-party companies and government agencies.” They warned that before you assume your game has no game engine, realize that every game, even PONG has a game engine. “It’s a matter of how many other games share the same engine.” Some of ReVuln’s exploits go after the game servers and other go after game clients. “Any attacker can exploit them without any user interaction or additional requirements.” ReVuln even wrote cross-game zero-day exploits.

Games that run on the Unreal Engine 3 include titles like Unreal Tournament 3, Gears of War, Tom Clancy's Rainbow Six Vegas and EndWar, Robert Ludlum's The Bourne Conspiracy, Mortal Kombat, Mass Effect, Lost Planet 3, BioShock Infinite, and various Batman Arkham titles. In ReVuln’s Game Engines: A 0-Day’s Tale [pdf], the researchers wrote, “Monday Night Combat is based on Unreal Engine 3, and like other games supporting the Steam platform, this game supports some custom Steam related commands via Unreal Engine Control channel.” It also looked at Homefront, The Haunted: Hells Reach and Sanctum, all of which do not use the standard Unreal Engine 3 protocol before exploring attacks on them.

id Tech 4, better known as the Doom 3 engine, runs games such as Quake 4, Prey 2, Doom 3 and Brink. According to the research paper, Doom 3 is not affected by the same id Tech 4 engine issues that allow customized versions for Enemy Territory: Quake Wars and Brink. “In Quake Wars, the function is called in a bad way on the client-side,” but “in Brink the function is called in a bad way on the server-side.” The Id Tech 4 game engine for Doom 4 could allow a server-side stack-based overflow. It also showed a code example that could exploit Nexuiz Classic that “uses DarkPlaces engine, a significantly modified Quake engine."

The presentation slides dived into zero-day vulnerabilities to exploit CryEngine 3, which runs games like Crysis (2 & 3). The research paper states [pdf], “There are two vulnerabilities in CryEngine 3 due to improper handling of fragmented packets via CryEngine.” And Atomic Games Hydrogen Engine ironically runs games such as Breach. “There are four different issues affecting the Hydrogen Engine,” they wrote, before discussing flaws to exploit Breach.

An attacker could setup a rogue server that shows up in the database of available game servers. If you joined that server, it “would allow him to compromise the computers of any players that join his rogue server by exploiting one of the remote code execution vulnerabilities present in the game engine.” Other times, just querying that server would allow an attacker to exploit vulnerabilities. Download a new map from the server? Bam! An attacker might have maliciously “customized” the map. Denial-of-service flaws can be exploited to crash servers at regular intervals for large gaming communities. An attacker can also send malicious, fragmented packets from a client to crash or compromise the servers.

In the ReVuln video below, highlighting proof-of-concept attacks against Crysis 2 and Quake 4 servers, the dropdown selection box shows Valve Source engine FPS games from the series of titles for Call of Duty, Counter Strike, DOTA 2, Half-Life, Left 4 Dead, Medal of Honor, Star Wars, Team Fortress, among others, and even the real-time voice chat software Ventrilio.

ReVuln - Mastering the Masters (Game Servers) from ReVuln on Vimeo.

The researchers said, "Game companies usually tend to give more importance to anti-cheating solutions than to improving the security aspects of games. In other words, they tend to care more about cheaters than people exploiting vulnerabilities on their users' systems."

Gamers work in all kinds of industries, but the common variable is [pdf] that when gamers go “home, they play games. When they play games, they become targets. And most importantly, their Companies become targets.” In conclusion, the researchers added “game engine issues affect sets of games. Master servers can be used to conduct distributed/targeted attacks against Companies or Players.” So before you kick back, relax, and start your favorite FPS game, be sure to check out ReVuln’s slides [pdf] and research paper [pdf]. By then you might really be in a mood to work off frustration and shoot other digital players. Boom! Headshot!

FREE Computerworld Insider Guide: Five IT certifications that won’t break you
Join the discussion
Be the first to comment on this article. Our Commenting Policies