DEF CON: Abusing Scripts In Multiplayer Games

Everyone has at least a few games on their computer, and I would assume most of the Hackaday readership would be among the enlightened PC gamer bretheren. At this year’s DEF CON, [Tamas Szakaly] gave a talk about the data these games leak to the Internet, the data they accept from the Internet, and what you can do with that data.

[Tamas]’ talk was entirely about scripting games, like the many games that are scriptable in Lua, or Valve’s Squirrel. Developers have thought about this before and have implemented sandboxes and many anti-cheat mechanisms. However, because these sandboxes are poorly implemented, it’s easy to get outside the game and do some real damage.

[Tamas]’ first target was Crysis 2 and the CryEngine3. This game uses a Lua scripting engine and has no sandbox whatsoever. That means [Tamas] can call os.execute, and from there the entire game is over. Or it’s just begun. Either way you look at it, it’s pretty bad.

CryTek notwithstanding, [Tamas] can also use games with Lua scripting that have a real sandbox. DOTA2 has a leaky sandbox and can be used to call OS I/O routines and execute base 64 encoded executables right over the main executable.

The most impressive example of script abuse in various multiplayer games is from Garry’s Mod. This game has custom implementation of dangerous functions, restricted file IO, and a proper Lua sandbox. This was a wise decision from the developers, but the library is huge. If you create a map or mode used on a server, you can have a full HTTP proxy to the gamer’s home network. During the talk, [Tamas] used this exploit to display an image from a webcam on a Garry’s Mod server. It was on the podium right next him, but this could have been done on a server on the other side of the planet.

Interestingly, these games have anti-cheat mechanisms that look at the memory used by the game and report back ‘irregularities’. This catches players using common cheat techniques such as walking through walls, but [Tamas]’ techniques aren’t detected at all. This shouldn’t be too surprising; the entire point of anti-cheat mechanisms is to make sure someone is cheating, not turning anyone who connects to a game server into a node on a botnet.

When it comes to talks at DEF CON, there is a huge range from, “we used an API as intended” to the most exquisite binary exploits. [Tamas]’ explorations are definitely on the long tail of that continuum, and a great warning of the dangers of playing on shady servers.

11 thoughts on “DEF CON: Abusing Scripts In Multiplayer Games

  1. People actually play Crysis online?

    I signed into that thing once. After I’d finished installing some idiot anti-cheat root kit (“Punkbuster”, which has historically done jack shit when it comes to cheaters) and gotten into a server, I was immediately fragged by some guy with infinite health moving as fast as the engine would let him, with a pair of fists that blew you away in a single hit. I played that game online for about 2 hours and saw the same thing over and over again, then vowed never to bother wasting my time again.

    I later learned that CryTek had zero protection against local file modifications. You could pop open the game archives and edit the variables to your hearts content, zip them back up again and then go play online. The server did jack shit to stop you, and Punkbuster didn’t give a shit either because you weren’t fiddling around with anything in active RAM (but then again, PB never did anything against aimbotters in CoD or CS). So I’m really not surprised to hear the successors are just as poorly programmed, even more so with that kind of OS access.

  2. Rule One of network security design: The server shouldn’t trust the client to play by the rules. (and a client may not be able to trust the server in some cases) In other words, allowing unvalidated and arbitrary commands from the client are inviting the remote user to exercise the full range of options.

  3. Truthfully, I’ve never cared much for “locked down” games, since I know that folks that intend to cheat are going to find ways to do it anyway. My preference has always been for games that you are allowed to modify, but I rarely ever like the “deity mode” mods, much preferring to undo absurd limitations for games like Dragon Age 2’s healing spells being gimped by design.

  4. Games (especially AAA titles) aren’t usually developed with correctness or security in mind, but with meeting unrealistic deadlines and providing features. Security is often an afterthought when things get abused so much that it affects sales. Anti-cheats make the situation worse, e.g. forcing to be run with high privileges, not allowing the apps to be run in sandboxes or easily analyzed.

    I consider multiplayer games a riskware and don’t allow them on my system used for work or private stuff. I keep a separate, unencrypted HDD for my gaming needs.

    1. @MIke,

      Are you involved with (now or previously) with the video gaming industry? I’m not at all surprised by the lack of any level of interest with making a solid product versus meeting some unrealistic deadline. This attitude towards software development is not restricted to the video game industry. While there are always exceptions, in general you have these same unrealistic deadlines/milestones in productivity software. I use to believe that the focus on bells & whistles (upgrades) was because it gave sales/marketing what they needed to generate more sales but as time progressed I saw that there was a deliberate effort to downplay, even ignore, security and stability. The saying (amongst management) is that you can never have perfection so you settle for ‘good enough’ the problem is that these decision makers have very low standards for ‘good enough’.

      I worked in software development doing custom work. I left the company over a decade ago to do my own thing (independent consulting) before getting a similar in house job with a company in a different industry that used the software made by my former employer. This has allowed me to keep in touch with my former employer and the stuff I created over a decade ago (most utility items designed to fix or target very narrow set of conditions) are still in use today by the employees even though they should be years outdated. Its because I took the time to do it right and not ‘good enough’. I just wish those with the power to make these deadlines gave more weight to making something solid that lasts and less on ‘how fast can we get out something we can sell’. I get that when every competitor is doing this you can’t be the stand out and not fear loosing market share but then again if just one vendor would take the initiative I believe they could bring about change.

      Chick-Fila has never opened on Sundays no matter what location and in the retail industry its a no-no to be closed on Sundays yet Chick-Fila gets away with it. They also tend to have great part-time employees who (in general) care about the job they do and that’s because the Chick operates by its own rules and not how the rest of the Food & Beverage industry operates. This has made the Chick the leader in its market and despite its decades of success the rest of the Food & Beverage industry just can’t see how they could do better if they stopped operating like everyone else.

      I’m stepping down from my sandbox now.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.