Tweet
Brian Benchoff
Everyone has at least a few games on their computer, and I would assume most of the Hackaday readership would be among the enlightened PC gamer bretheren. At this year’s DEF CON, Tamas Szakaly gave a talk about the data these games leak to the Internet, the data they accept from the Internet, and what you can do with that data.
Tamas’ talk was entirely about scripting games, like the many games that are scriptable in Lua, or Valve’s Squirrel. Developers have thought about this before and have implemented sandboxes and many anti-cheat mechanisms. However, because these sandboxes are poorly implemented, it’s easy to get outside the game and do some real damage.
Tamas’ first target was Crysis 2 and the CryEngine3. This game uses a Lua scripting engine and has no sandbox whatsoever. That means Tamas can call os.execute, and from there the entire game is over. Or it’s just begun. Either way you look at it, it’s pretty bad.
CryTek notwithstanding, Tamas can also use games with Lua scripting that have a real sandbox. DOTA2 has a leaky sandbox and can be used to call OS I/O routines and execute base 64 encoded executables right over the main executable.
The most impressive example of script abuse in various multiplayer games is from Garry’s Mod. This game has custom implementation of dangerous functions, restricted file IO, and a proper Lua sandbox. This was a wise decision from the developers, but the library is huge.
If you create a map or mode used on a server, you can have a full HTTP proxy to the gamer’s home network. During the talk, Tamas used this exploit to display an image from a webcam on a Garry’s Mod server. It was on the podium right next him, but this could have been done on a server on the other side of the planet.
Interestingly, these games have anti-cheat mechanisms that look at the memory used by the game and report back ‘irregularities’. This catches players using common cheat techniques such as walking through walls, but Tamas’ techniques aren’t detected at all. This shouldn’t be too surprising; the entire point of anti-cheat mechanisms is to make sure someone is cheating, not turning anyone who connects to a game server into a node on a botnet.
When it comes to talks at DEF CON, there is a huge range from, “we used an API as intended” to the most exquisite binary exploits. Tamas’ explorations are definitely on the long tail of that continuum, and a great warning of the dangers of playing on shady servers.
Everyone has at least a few games on their computer, and I would assume most of the Hackaday readership would be among the enlightened PC gamer bretheren. At this year’s DEF CON, Tamas Szakaly gave a talk about the data these games leak to the Internet, the data they accept from the Internet, and what you can do with that data.
Tamas’ talk was entirely about scripting games, like the many games that are scriptable in Lua, or Valve’s Squirrel. Developers have thought about this before and have implemented sandboxes and many anti-cheat mechanisms. However, because these sandboxes are poorly implemented, it’s easy to get outside the game and do some real damage.
Tamas’ first target was Crysis 2 and the CryEngine3. This game uses a Lua scripting engine and has no sandbox whatsoever. That means Tamas can call os.execute, and from there the entire game is over. Or it’s just begun. Either way you look at it, it’s pretty bad.
CryTek notwithstanding, Tamas can also use games with Lua scripting that have a real sandbox. DOTA2 has a leaky sandbox and can be used to call OS I/O routines and execute base 64 encoded executables right over the main executable.
The most impressive example of script abuse in various multiplayer games is from Garry’s Mod. This game has custom implementation of dangerous functions, restricted file IO, and a proper Lua sandbox. This was a wise decision from the developers, but the library is huge.
If you create a map or mode used on a server, you can have a full HTTP proxy to the gamer’s home network. During the talk, Tamas used this exploit to display an image from a webcam on a Garry’s Mod server. It was on the podium right next him, but this could have been done on a server on the other side of the planet.
Interestingly, these games have anti-cheat mechanisms that look at the memory used by the game and report back ‘irregularities’. This catches players using common cheat techniques such as walking through walls, but Tamas’ techniques aren’t detected at all. This shouldn’t be too surprising; the entire point of anti-cheat mechanisms is to make sure someone is cheating, not turning anyone who connects to a game server into a node on a botnet.
When it comes to talks at DEF CON, there is a huge range from, “we used an API as intended” to the most exquisite binary exploits. Tamas’ explorations are definitely on the long tail of that continuum, and a great warning of the dangers of playing on shady servers.