Hacker News new | ask | show | jobs
by misnome 2253 days ago
That was 2004, so not a very busy agent...

I’m slightly shocked with the phrasing in that post “It is definitely possible that someone could install a virus on your machine by just being in the same server.”

That.... seems like a pretty shocking security hole, unless they are talking about unknown possibilities, in which case the term “definitely” is a bad choice. If this can be done with the source, it could have been done before, no?
4 comments
MayeulC 2253 days ago
That sounds pretty reasonable to assume for any game, even those that are singleplayer, if they access the network.

Game code is particularly known to be "spaghetti", "code cowoy"-style, where the result is more important than the form or correctness. I mean, that's art, after all, so that seems obvious.

And do you think a lot of companies update their games after they are out? Most often, the code is definitive, refactors are out of the question, etc. I've never seen a bug that fixes a security issue (CVE), let alone for old titles.

And that's when RCE is not by design. It is in Garry's mod, but that's for client-side mode scripted with lua, so theoretically sandboxed. Unreal Tournament 99 though, has plenty of servers that put some dlls for "anti-cheat" software on your computer before you join. That one probably sn't sandboxed.

While we talk about anti-cheat software, can we think a moment about everything that could go wrong with a piece of software that has a very deep access to the system, is sometimes in-house, and not necessarily audited, and whose functionality often includes:

* downloading challenges from servers, patch them into RAM and see what happens

* scan the RAM of the whole system, plus the filesystem, for known exploits

* upload parts of that RAM and filesystem to random servers for analysis

* take screenshots, log keypresses, monitor the system and upload all of this.

Takeaway: sandbox your games. There's a reason I run Steam in a flatpak, on Wayland... Convenience is part of it, but that's not the main one.

link
ccouzens 2253 days ago
> sandbox your games. There's a reason I run Steam in a flatpak, on Wayland

If flatpak works perfectly, I suppose an attacker could still steal the "cookie" that automatically logs you into Steam.

Ideally you want Steam to be sandboxed, and then Steam to in turn run all the games in individual sandboxes.

link
MayeulC 2253 days ago
I agree, and that's unfortunate, but I value it far less than I value the integrity of my computer and the data on it.

Steam itself has an interesting "Linux runtime" option for games, but it is unclear if that isolates things more than the status quo.

I don't know what I could do, short of replacing every executable in the steam directory with something that uses a mount namespace or a similar restrictive mechanism before launching the actual executable. Inject a modified libc to perform this on steam's exec call? I think the ball is in Valve's camp to improve this.

link
gbrown 2253 days ago
> Unreal Tournament 99 though, has plenty of servers that put some dlls for "anti-cheat" software on your computer before you join.

D:

People put up with that?

link
therealidiot 2253 days ago
For reference, the anti-cheat plugin usually used by Unreal Tournament servers is AntiCheatEngine ("ACE")

https://ace.ut-files.com/index1a8f.html?p=about

link
d1zzy 2253 days ago
Battle.net has been doing that since day 1, so if you played any game on Battle.net you have downloaded server provided code and executed locally with the privileges of the user running the game.

(when a client connects to a battle.net server, one of the early handshake steps is to download a fixed named MPQ file, which is a Blizzard proprietary archive protocol which contains a DLL that is loaded and a certain fixed named function runs from it, which will checksum your client binary and send the result to the server to compare and allow you to progress further)

link
AgentME 2253 days ago
I think there's a big difference between the game downloading a DLL straight from the game developers (not all that different from an update) and a game downloading a DLL from a random server you join (that could be run by anyone that you have no reason to trust and that you don't realize you're giving them full read-write access to your computer).
link
gbrown 2253 days ago
Exactly. Neither is ideal, but they're not exactly equivalent...
link
Kaze404 2253 days ago
People are defending Riot Games installing an anti cheat driver, so that's not very surprising if you ask me.
link
gruez 2253 days ago
Not just that, the driver starts on boot and stays running even when the game isn't running.
link
Kaze404 2253 days ago
And removing the game doesn't remove the driver. You have to remove it separately.
link
ThrowawayR2 2253 days ago
Better than putting up with cheaters ruining the game.
link
Karunamon 2253 days ago
Even if you actually believe this, Riot is not known for their high-quality code. This sounds a bit snarky but is entirely serious: Giving games root rights is bad enough, I absolutely don't want to run anything in kernel space from the same people who wrote the client for League of Legends.

And it's not even about trusting that Riot are not bad actors, tencent conspiracy nonsense aside, it's about leaving that trash running with that level of access in a way that some malicious process could use to elevate its permissions. That is the (ab)use case that worries me.

link
bzb3 2252 days ago
As someone who plays CSGO, I agree with you. I wish valve did something like this. I'm tired of matches getting ruined by cheaters, which happens very often.
link
eswat 2253 days ago
There are a few RCE disclosures for Valve games related to this previously

- https://hackerone.com/reports/542180

- https://nvd.nist.gov/vuln/detail/CVE-2020-9005

- https://nvd.nist.gov/vuln/detail/CVE-2020-7952

- https://nvd.nist.gov/vuln/detail/CVE-2020-7951

- https://nvd.nist.gov/vuln/detail/CVE-2020-7950

- https://nvd.nist.gov/vuln/detail/CVE-2020-7949

link
MisterTea 2253 days ago
Servers can distribute custom maps and assets to players so there's a mechanism to download files to a users computer.

As for uploads, players used to be able to set custom models in quake 2 which were distributed to other players on the server. Though I am not sure if that was done by server admins in special cases for clan payers or members or if there was an actual upload mechanism in the game engine.

link
MayeulC 2253 days ago
> If this can be done with the source, it could have been done before, no?

This analysis is on-point, and something a lot of sources seem to miss. A determined actor can find the exact same exploits with and without access to the source code, though I admit it is much more complicated without ("determined").

link