Format string vulnerability found in Elder Scrolls series
By Joe
Exploit In Skyrim
Welcome loyal readers!
It’s been a dog’s age. I’ve been split on projects and time, playing lots of video games and writing lots of code. Recently I found a format string vulnerability in a video game. A popular one at that. Further research into this video game revealed this vulnerability is not new. I found the same vulnerability in the same series of games dating all the way back to 2001. 12 years is a long time for a vulnerability to stick around.
Ok, I’m done beating around the bush. I found a format string vulnerability in Morrowind, Oblivion, Fallout 3, Fallout New Vegas, and the latest game Skyrim. Further proof that I have too much time on my hands and my 2 hobbies are starting to blend together. Sort of like having a love for running and target shooting then combining the 2 into extreme paintball.
Here’s how it works:
By pressing the tilde key you bring up the console window. Most games have this as a sort of ‘debug’ menu or for administration of game servers such as with Counterstrike or Battlefield. Anyhow, in The Elder Scrolls games/Fallout, you can change character attributes and spawn items with this menu. This is where the format string vulnerability exists.
Do you recall what a format string vulnerability is? Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.
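Here is an added example in C, written for this post and not taken from the game or from Bethesda's code, that puts the hardened console-echo pattern next to the vulnerable one-liner the post describes and adds a small audit routine for untrusted console lines; the function names and the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical console echo, hardened: the untrusted line is always a %s
 * argument, never the format. The bug the post describes is the one-liner
 *     snprintf(out, n, line);   // user input becomes the format string
 * which lets %x read the stack and %n write through a stack-supplied pointer. */
int echo_line(const char *line, char *out, size_t n) {
    return snprintf(out, n, "%s", line);
}

/* Audit an untrusted line before it reaches any printf-family call or a log:
 * count the printf conversions it contains and flag %n. "%%" is a literal
 * percent. Returns -1 when a '%' starts a conversion that never completes. */
int audit_format(const char *s, int *has_n) {
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                                      /* escaped % */
        while (*p && strchr("-+ #0", *p)) p++;                        /* flags */
        while (*p && strchr("0123456789*", *p)) p++;                  /* width */
        if (*p == '.') { p++; while (*p && strchr("0123456789*", *p)) p++; } /* precision */
        while (*p && strchr("hlLqjzt", *p)) p++;                      /* length modifier */
        if (!*p || !strchr("diouxXeEfFgGaAcspn", *p)) return -1;      /* dangling or unknown */
        if (*p == 'n') *has_n = 1;
        count++;
    }
    return count;
}

/* Thin wrappers so each result is a single return value. */
int audit_count(const char *s) { int n; return audit_format(s, &n); }
int audit_has_n(const char *s) { int n; audit_format(s, &n); return n; }
int echo_preserved(const char *line) {
    char out[128];
    echo_line(line, out, sizeof out);
    return strcmp(out, line) == 0;   /* 1 when the hardened echo keeps the line verbatim */
}

int main(void) {
    /* Constructed console lines: an ordinary command, the post's probe string, and %n. */
    const char *lines[] = { "player.additem f 100", "%08x.%08x.%08x.%08x.%08x", "100%% done", "%n" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int has_n, c = audit_format(lines[i], &has_n);
        printf("%-28s conversions=%2d %s\n", lines[i], c, has_n ? "WRITE (%n)" : "");
    }
    return 0;
}
```

A console or log path that echoes player input can run audit_format on the line and refuse or neutralise anything with conversions, while the real fix is to stop passing the line as the format at all.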
And it’s also not just The Elder Scrolls games that are affected. Since Bethesda produced The Elder Scrolls games, it’s worth mentioning that other games produced by this company are vulnerable to this same attack. I’m of course talking about Fallout 3 and its counterpart, Fallout – New Vegas.
I’m sure you’re all calling BS right now, so I’ve provided some screenshot proof. Have a look see.