Remote Code Execution in Marvel Rivals Game(shalzuth.com) |
This is the worst possible combination: players are forced to accept first-party invasive rootkits that are disruptive and ineffective, while cheaters still cheat.
IMHO the only sensible solution is to separate out the e-sports angle from the game itself. People who want to "go pro" would be free to subject themselves to anti-cheats and drinking verification cans and past some point might as well buy company-authorized computers to play on. Everyone else should just be allowed to play casually and enjoy the game without the anti-cheat nuisance (and a looming threat of false positives).
With the main incentive for serious cheating separated out, non-pro players would only have to worry about griefers. Those are a problem too, but they can be dealt with by simpler and less invasive measures than a kernel-level rootkit.
As it is, AAA multiplayer games are basically like if FIFA was to micromanage Town Recreational Leagues and hold them to the World Cup standard, because cheating is a Big Deal so every kid needs to take regular blood tests before the match.
Esports money...? Microtransactions are the money. Publisher-driven esports is advertising.
Publishers will pay to have ring 0 kernel access on your system but not for software securing their game.
> the game runs with admin privileges for the sake of anti-cheat
Nobody higher than the devs thought “this might be risky?”
Because I can assure you, the devs felt it was stupid and risky.
Your “Everyone thinks they're making Doom 3”. As I see it, this is not the developer's fault.
The "yes I really want to do this" confirmations you need to go through when opening up a bucket these days are about 4 deep...
Authn/z issues are real though, they'll never be fixed
I wouldn't expect anything but code that "ships" out of them, and it's understandable why.
Now you might say, those companies are irresponsible and that well-maintained open source software doesn’t have this issue. That would mean no 0-days for Linux [5], and that the most battle-tested libraries in the world are immune from basic issues [6][7].
Software engineering is broken, it’s not just games. (Although, if you think physical construction is any better I suggest you stick a T square in the corners of your house and figure out how many of your walls aren’t square ). You
[0] https://mrbruh.com/chattr/
[1] https://news.ycombinator.com/item?id=42849632
[2] https://en.m.wikipedia.org/wiki/2024_CrowdStrike-related_IT_...
[3] https://www.csoonline.com/article/2138177/atlassians-conflue...
[4] https://techcrunch.com/2021/07/22/a-dns-outage-just-took-dow...
[5] https://www.indusface.com/blog/rce-zero-day-vulnerabilities-...
But it is way ahead with regards to efficient hardware utilization!
These are game developers. Not backend developers. Not web guys. Not remotely trained in infosec. They make games. Not security software. And for the longest time this was acceptable.
I think for a GaaS in 2025 it's unacceptable to not have security minded engineers on staff for the backend stuff. Too much money is involved not to. Especially for studios very familiar with shipping online games.
But I'm also kind of disappointed in how much we're forgetting that these people are not infosec nerds. Last year there was a cute fishing game made by a single dude messing around making things. It got popular and a kid found an RCE bug with the multiplayer. The dude got a TON of shit for the flaw, which feels deeply unfair. I don't expect my mom to configure a router correctly. I don't expect video game developers to understand defensive network programming without training.
Maybe I'm just a little frustrated at the Internet largely being unable to understand that defensive programming is something that isn't in a game dev's trained skills. I would expect better of NetEase however.
If anything these devs should be more cautious than the others as the risk to the end user is extreme.
Why do game developers get a pass but not "backend developers" or "web guys"? Don't the latter only "make CRUD apps, not security software"?
Nice PoC!
Update: yes, most game client processes don't run in the kernel. My b. I was just thinking that updates and content payloads might be an interesting vector for langsec.
Reminder that all three Dark Souls games allowed full RCE to any users connected to the internet: https://flashpoint.io/blog/rce-vulnerability-dark-souls/
"sake of anti-cheat" should be taken lightly here. There is a reason why all the other sane anti-cheats have at least two applications: the anti-cheat service, which often runs as admin, and the game, which does not. Running the game as admin is quite frankly inexcusable.
The service often does the network comms and communicates to a kernel-mode driver and/or to the application via IPC or similar. Having defined barriers of separation are good things.
In any case, this POC doesn't have huge implications necessarily for most people, but maybe in SEA or China where LAN cafes are more prevalent, it could be a larger concern.
good writeup! thanks!
Does he mean that this is potentially how one could install custom firmware on their console?
Curious because I remember reading somewhat recently that console vendors have locked their consoles down well enough so as to avoid any vulnerabilities which could be exploited to install custom firmware. It would be amusing if that was invalidated by game dev security and I start hearing about ways to install some modded firmware, which include a step of "install one of these games".
IIRC, the web browser on 3DS systems was exploited to install custom firmware rather than a game so it was rather easily patched with a system update (and, indeed, it actually was patched). I wonder if we'll be seeing Sony/Nintendo/Microsoft start to insist on certain security standards as a result of games being exploited to install custom firmware on the devices they sell, presuming the answer to my first question is affirmative.
Sort of. It's a userland code execution exploit, which is often the first step, but all games run in a locked down VM specifically to protect against things like this, so you still need a kernel/hypervisor exploit to escape the VM and actually mess with the system in any significant way.
Just build a JSON API! It's not that hard! You don't need to RCE your game every time it launches just for microtransactions.
I agree that a JSON API is a better approach, but it's possible for AAA game developers to screw that up too: https://arstechnica.com/gaming/2021/03/developers-to-update-...
It would have been a tiny bit funny if it had been the same company that was just briefly banned that was allowing a remote exploit.
Because game developers are SUPPOSED to be aware of these things?
> It's very hard for security researchers to report bugs to most game dev companies. On top of that, most do not have bug bounty programs
Yet the OP blames the GAME developers…
They already have harder jobs than the majority of us, picking on them for not knowing skills outside of their area is just being mean and OP is targeting frustration at the wrong group.
Essentially all you're asking for them to add is better specs.
In December their revised branding guidelines added a "Powered by SteamOS" badge so presumably 3rd-party boxes with various specs in set-top form factors will be coming before too long:
> The Powered by SteamOS logo indicates that a hardware device will run the SteamOS and boot into SteamOS upon powering on the device. Partners / manufacturers will ship hardware with a Steam image in the form provided by and/or developed in close collaboration with Valve.
I strongly doubt it. Steam already tried releasing a console alternative, Steam Machines, and they massively flopped. By far the main reason for the Steam Deck's success is its portable form factor, not the fact that it's a Linux machine that runs games. It succeeded in spite of the software, not because of it.
The overwhelming majority of users are going to want either a "real" (read: Windows) PC, or a "real" (read: the same one their friends have) console.
To not go full Dropbox, but I think if someone wants a Linux PC to run games, it is within the realm for a home PC builder to accomplish. It would otherwise be a tough market to sell, “Buy this gamer PC, less great specs than you would likely pick for yourself and not compatible with the most popular games that have onerous anti-cheat root kits”.
I'm not a Windows guy and trying to figure this out has been extremely frustrating...
Full instructions https://chatgpt.com/share/67a13960-c1b4-8002-a699-7b547c759c...
You can also skip the UAC prompt without editing the registry, by adding the following to the game's launch options in Steam:
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %command%"
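A check worth running before relying on that launch option, added here as an example and not part of the comment above or of any game's own tooling: does the game executable actually demand elevation through its embedded application manifest (`requestedExecutionLevel`), which is exactly the request that `__COMPAT_LAYER=RUNASINVOKER` tells Windows to ignore? The manifest is located with a byte-level search for the `<assembly>…</assembly>` XML that PE files embed as an RT_MANIFEST resource; this is the same heuristic as `strings game.exe | grep requestedExecutionLevel`, not a full PE resource-table walk, and the sample bytes are constructed so the script runs offline. Pass a real path on the command line to inspect an actual binary.

```python
"""Find the manifest-requested execution level of a Windows executable and
build the Steam launch option that runs it with the RUNASINVOKER compat layer.
Added example; the sample PE bytes below are constructed, not a real game."""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Optional

# RT_MANIFEST resources are stored as plain UTF-8 XML, so a byte search finds
# them in practice (heuristic; a packed or resource-less binary yields None).
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)

# Levels that produce a UAC prompt on a typical home PC, where the user account
# is in the Administrators group: requireAdministrator always, highestAvailable
# whenever the invoking user is an administrator.
ELEVATING_LEVELS = ("requireAdministrator", "highestAvailable")


def extract_manifest(pe_bytes: bytes) -> Optional[str]:
    """Return the embedded manifest XML, or None if no manifest is found."""
    m = MANIFEST_RE.search(pe_bytes)
    return m.group(0).decode("utf-8", errors="replace") if m else None


def requested_execution_level(manifest_xml: str) -> str:
    """Return the manifest's requestedExecutionLevel ('asInvoker',
    'highestAvailable', 'requireAdministrator'), or 'none' if absent."""
    root = ET.fromstring(manifest_xml)
    for el in root.iter():
        # Strip the asm.v2/asm.v3 namespace; real manifests use either.
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level", "none")
    return "none"


def needs_elevation(pe_bytes: bytes) -> bool:
    """True if the binary's manifest asks Windows to elevate it at launch."""
    manifest = extract_manifest(pe_bytes)
    if manifest is None:
        return False
    return requested_execution_level(manifest) in ELEVATING_LEVELS


def steam_launch_option(command: str = "%command%") -> str:
    """Launch option that makes Windows ignore the manifest's elevation request,
    so the game starts as the invoking user with no UAC prompt."""
    return f'cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" {command}"'


# Constructed stand-in for a game executable: an MZ header, padding, and a
# manifest resource demanding administrator rights.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""
SAMPLE_PE = b"MZ" + b"\x00" * 64 + SAMPLE_MANIFEST + b"\x00" * 16


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    manifest = extract_manifest(data)
    level = requested_execution_level(manifest) if manifest else "none"
    print(f"requestedExecutionLevel: {level}")
    if needs_elevation(data):
        print("Steam launch option to suppress the prompt:")
        print("  " + steam_launch_option())
```

The caveat that goes with it: RUNASINVOKER only suppresses the manifest's request. Anything the game then tries at runtime that genuinely needs administrator rights (installing or starting the anti-cheat service, for example) will fail, which is itself a useful experiment for finding out whether the game process needed those rights at all.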
Unfortunately both the executives who buy into these things, and the average consumer, are simply too... simple, to understand or appreciate that.
With all due respect, it’s ironic that you’re calling everyone else simple.
Something doesn’t have to be 100% effective to be a massive deterrent. Cheat prevention is a game of cat and mouse and anti-cheat is one of the levers. Here[0] is an example of a popular game with no anti-cheat which was completely ruined by cheaters. Did putting EAC into the game stop every single cheater? No. But it did make the experience better for a significant number of players who were having their games destroyed by cheaters.
[0] https://www.pcgamer.com/fall-guys-adding-anti-cheat-in-the-n...
And this is not a story unique to NetEase. I have multiple other examples that I’ll probably talk about in the future.
> Because game developers are SUPPOSED to be aware of these things?
If a civil engineer amazed people with their lack of structural integrity awareness, they wouldn't be trusted to build a house of cards let alone a bridge open to the general public. Software developers write defective, bug-ridden and unsafe public-facing devices and services that are open to the entire world and we shrug whenever there's a major cybersecurity or software crash catastrophe.
If software engineers were held to the same standards of accountability and liability as real engineers when they apply their signature at the bottom of a design calculations document, maybe we'd stop shoveling trivially wormable garbage onto the Internet without a second thought.
> Any developer who does that should be aware of the security risks they’re taking.
Developer yeah, someone who’s focused on recreating the game probably not
I’ll say this, every single game dev I’ve ever met, has no clue how to navigate bureaucracy. I’m not saying it’s a type, but it’s not random, they have other things to worry about.
Of course I get all the usual garbage non-arguments in response from designers who don't want to take up a challenge and actually design, and instead fall back on a "tried and true" (except it is shit) fashion.
These things are _trivial_ to implement, it's just nobody thinks about the UI as long as it 'works'.
When Steam Machines re-launch with the current generation of Proton compatibility it will be an entirely different story.
While I'm sure that Easy Anti-Cheat is... easier than a reporting system that would require numerous humans working it, I don't think it's the best solution for the player. It's "just enough" at best, and at worst... well see the article we're all commenting under.
> Publisher driven esports is advertising.
Yes, of course. E-sports is advertising. All professional sports are advertising. That's what makes money. Sales of tickets, merch, guides, coverage, etc. A successful sport is a self-sustaining money printing machine. Now, traditional sports are "frozen in time" relative to business timescales; meanwhile, in e-sports, it's entirely possible for a company to introduce a new game and turn it into a worldwide phenomenon over a couple of years, and then keep getting a cut from aforementioned money printer for many more years still, all while trying to introduce a new game to keep the money running.
And it's okay, I honestly don't mind. As far as the advertising-driven economy goes, sports (traditional or otherwise) is one of the more benign fields. The problem I see is that the relentless focus on building a game optimized for professional play ruins it for the vast majority of players, and I fail to see why companies keep doing it instead of bifurcating the multiplayer aspect into "casual play" and "pro play", allowing for the latter while also letting the former have their fun.
> Nobody wants to play multiplayer (only) games with cheaters.
My point is that most of the cheating comes from structuring the game around pro-play. You get a global ladder, which establishes an ordinal ranking that invites cheaters who just want to score higher for less effort. All those cheaters end up ruining the game for regular people, who don't care that much about the ranking. Most of those cheaters would go away if the ladder was removed - but that ladder is critical to the company and wannabe progamers precisely because the top levels of that ladder are a gateway to pro-level play.
You can't eliminate all cheating - there's always some people who, for whatever reason, enjoy ruining the game for others. Fortunately, such people are a very small fraction of the playerbase, and most of them don't enjoy it enough to bother if you throw some small obstacles their way. It's manageable. Competitive rankings, on the other hand, are something cheaters love much more than regular players, so by adding it, you're basically creating the problem.
This is true for all competitive endeavors - the bigger the reward, the more it attracts competitive players, some of which are going to resort to cheating, and attempts at fighting cheating further ruin things for those who don't care about competing in the first place. And yes, it applies to the market economy too.
I wanted to address the same point txpl did. As someone who's made multiplayer games, I'm stunned that so many players cheat, even when the stakes are low. It's not just the pro-players; it's at every level.
Some are optimizing their experience because they don't have as much time to play as they'd like. Some feel they deserve the enjoyment of winning without the effort. Some justify it with the belief that everyone else is doing it. And the really difficult ones to deal with feel rewarded by behaving badly (anonymously, of course).
So every design decision comes with an evaluation of how players will abuse the system, and there are no easy answers. And that's why you see companies adding (invasive and ineffective) anti-cheat solutions to band-aid the problem that developers were unable to anticipate or solve.
This is incorrect. Both selling cheats and cheating are big businesses.
In Escape from Tarkov, cheaters bought the game (50€), cheated to get in-game items, sold in-game items for money, got banned, and bought the game again. It's literally profitable to keep buying a 50€ game after getting banned.
Same happened with Diablo 3 when it had the real money auction house. A mate of mine earned around 10k in 3 months and went through a dozen accounts a week.
Team Fortress 2 basically has no competitive scene, but the casual games are full of cheaters anyway. And you can't even make money through it, unlike the previous two examples.
The bottom line about cheating is, it's relatively easy to prevent with manual moderation. But humans doing stuff dOeSn'T sCaLe, even though banning cheaters that will re-buy the game has a positive RoI.
You can blame in-game microtransactions and the idea that in-game inventory is worth money on that one.
Also, half of their shaders are broken on some configurations. Also they used a function call wrong so their game tries to render something a bunch of times instead of once.
A huge portion of NVidia and AMD GPU drivers is literally hacks to make games actually run well. Both Nvidia and AMD patch game shaders at runtime to keep things from being unusable, and hack around broken behavior or wrong usage of APIs. It's exactly reminiscent of the situation Windows 95 had when all sorts of popular programs couldn't even save interrupt flags properly because they straight up did not read the manual which had many sentences and code fragments demonstrating that what they wrote would not work.
Also, Titanfall 1 shipped with like 30gb of uncompressed audio. They did this to "reduce CPU load". In 2014.
> in modern gaming you just make every texture max size even though it only covers a tiny surface
This is completely false. Not even hyperbole, just plain false. We have budgets, we have tools. You need higher-res textures for things that are smaller because you can get close to them. Is there waste? Sure, but no more so than in any other field. My local newspaper takes 15 seconds to load on gigabit WiFi, and hangs on scroll. Reddit can’t handle more than one tab open. Slack uses more RAM than the game I'm developing sometimes. Even HN still falls flat on its face with a “moderately” popular link, and can’t handle it if you perform too many operations.
> A huge portion of NVidia and AMD GPU drivers is literally hacks to make games actually run well.
This is because Nvidia and AMD offer this as a service but without access to your codebase. The days of them being required to function are long behind us.
> Titanfall 1 shipped with like 30gb of uncompressed audio. They did this to "reduce CPU load". In 2014.
As I’ve said many times, you might disagree but it was intentional. The Xbox One was an 8x1.75GHz CPU, and some of that was reserved for system use.
All software is shit, and held together by duct tape. All industries have products that we can point at and call a disgrace - it’s not games that are the problem.
I think this should be said more often: the ratio of content to non-content is absurd in some electron-based apps.
Look at it this way: the average video game probably has about 30GB (uncompressed) of content and uses about 10GB-12GB of RAM.
In a busy slack, with hundreds of messages, we're still only looking at maybe <5MB of content while the app chews up 800MB - 100MB of RAM.
I think the video game devs are doing a much better job at writing desktop software than the Slack/Postman/etc guys.
Additionally, security in video games (its poorest metric) has, over the last 10 years or so, improved considerably, while efficiency in desktop software (its poorest metric) has gotten worse!
It's unfair to single out video game developers for poor software considering that they are making gains in their weakest measurement while those doing the criticising are happily using software that is losing points in its weakest metric.
I'm sorry, the Xbox One was a what CPU?
Doesn't matter, it's possible that loading in uncompressed audio takes more CPU and RAM resources than just decompressing good MP3 audio. Nobody else ships uncompressed audio, and Titanfall 2 did not release with uncompressed audio.
Mind you, this was like 30gb of uncompressed audio, including several different audio languages. No matter how you played the game, most of that 30gb was unused.
Am I bitter? Nah
> I believe they don’t get it/don’t care.
You’re right, anything that’s not obstructive is never worried about.
To me that says you’re doing a good job giving permissions, it’s also your job to manage those permissions, not the developers..
> It's just not their wheelhouse.
You're absolutely bang on. And I can say from experience, it’s good you guys are there.
If someone can run a python script on your machine, it’s game over whether it’s running as admin or not.
> they all expect local admin and admin access to everything
It practically doesn't matter on a single user system. You're screwed whether you're running as an admin or not. My machine has credentials in AppData stored to basically every internal service of my company. On a linux machine, they're all in my home dir - even my ssh keys are compromised.
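The comment above makes the point that, on a single-user machine, unprivileged code already reaches everything that matters. An audit of what a process running as you can read, added here as an example and not from the thread: it walks a home directory for the well-known credential locations that tools drop there (SSH keys, cloud CLI tokens, Docker registry auth, shell history) and reports every one the current user can open, with no elevation involved. The path list is an assumption covering common tools rather than an exhaustive inventory, and the sample home directory is constructed in a temp dir so the script runs offline; set `AUDIT_HOME` or run it without the fixture to point it at a real home.

```python
"""List credential files an unprivileged process can already read from the
current user's home directory. Added example; the fixture home is constructed."""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Paths relative to the home directory. Unix layout first, then the AppData
# locations a single-user Windows box accumulates. Assumed common set, not
# exhaustive; extend it for the tools actually installed on the box.
CREDENTIAL_PATHS = [
    ".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/config",
    ".aws/credentials", ".config/gcloud/credentials.db", ".azure/accessTokens.json",
    ".kube/config", ".docker/config.json", ".netrc", ".git-credentials",
    ".config/gh/hosts.yml", ".npmrc", ".pypirc",
    ".bash_history", ".zsh_history",
    "AppData/Local/Google/Chrome/User Data/Default/Login Data",
]


def readable_secrets(home: Path) -> List[Tuple[str, bool]]:
    """Return (relative path, loose) for every credential file the current user
    can open. `loose` is True when group or other users can read it too, i.e.
    the file would leak even to a different local account."""
    found = []
    for rel in CREDENTIAL_PATHS:
        p = home / rel
        if p.is_file() and os.access(p, os.R_OK):
            mode = p.stat().st_mode
            loose = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
            found.append((rel, loose))
    return found


def build_sample_home() -> Path:
    """Constructed fixture: a fake home with three secrets, one of them 0644
    (the kind of mistake the audit should flag). Contents are placeholders."""
    home = Path(tempfile.mkdtemp(prefix="fakehome_"))
    (home / ".ssh").mkdir()
    key = home / ".ssh/id_ed25519"
    key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n")
    key.chmod(0o600)
    (home / ".aws").mkdir()
    aws = home / ".aws/credentials"
    aws.write_text("[default]\naws_access_key_id = CONSTRUCTEDKEYID\n")
    aws.chmod(0o644)
    (home / ".docker").mkdir()
    dk = home / ".docker/config.json"
    dk.write_text('{"auths": {"registry.example": {"auth": "Y29uc3RydWN0ZWQ="}}}')
    dk.chmod(0o600)
    return home


if __name__ == "__main__":
    # Real home by default; AUDIT_HOME=fixture uses the constructed directory.
    env = os.environ.get("AUDIT_HOME")
    target = build_sample_home() if env == "fixture" else Path(env or Path.home())
    for rel, loose in readable_secrets(target):
        tag = "WORLD/GROUP-READABLE" if loose else "readable"
        print(f"{tag}: {target / rel}")
```

Nothing in the script asks for root or administrator rights; that is the point. Whether the game (or anything it loads) runs elevated changes what it can do to the OS, not whether it can walk off with the contents of your home directory.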
>> If someone can run a python script on your machine, it’s game over whether it’s running as admin or not.
> Yeah, that's why you don't do it that way. You're making my point.
I have to admit, I don't get your point here. If I am correct (and, if I am not, I welcome a correction):
1. Your original point was "Devs want local admin or admin access to everything."
2. GP's response was that even without any admin access of any type, he's hosed if his machine is compromised.
How does #2 above support or prove #1 above?
If you're a game dev, you were taught to write optimized code that runs locally on a computer.
Not everything you do will run on the network, and networking/multiplayer might not be relevant every single time you ship a game. So it's less relevant (if still important)
The impact, i.e. RCE vs just ruining the game experience, may be different, but the concepts are all the same: adversarial clients.
The excuses you listed aren't any different for business apps.
I'm not arguing that it's "not their job", I'm saying they are less likely to have been trained in security because of the nature of their job...
Like I said in the other reply, I am not arguing against the need for security, I am saying a lot of game developers don't get, or seek out, security training because single player local games don't have the same network-driven risks.
Only if doing nothing else at the same time!
I was there; I had a 486 that could decode 96kbps mp3.
But, like the P1, if you tried to do anything else while decoding mp3s, the entire computer, including the sound output, would stutter.
I'm not defending 30GB of uncompressed audio (obviously they could have compressed it a little, at least), but to claim that a P1@80MHz could indeed decode mp3s@320kbps is a bit of a stretch.
It could do so only if you weren't doing anything else at the time.
If League of Legends needs super admin mode, it's no longer my computer. I'm sharing it with Tencent. I can't trust them ( specifically a disgruntled employee) to not install key loggers and other really nasty things.
I treat it as though there's a random Russian dude watching my every move through RDP, keylogging all my inputs (and for how many one-off cracked programs have been installed on there over the years, it's not impossible).
I can't imagine keeping my password manager and primary accounts logged-in on the same computer I have rootkits like Riot Anticheat and technical disasters like Marvel Rivals installed on.
This is a terrible idea if you think this will keep you secure. Windows provides direct access to update motherboard firmware and CPU microcode/management engine.
Seems like an insanely difficult thing to do to target like .5% of users.
Firstly, that a game developer's main concern is getting their product functional, keeping it that way, and that they can make money on it to make the whole endeavour worthwhile. There are already a lot of game releases where it comes across that getting their idea working out the door is a lot higher up the list than the 'details' and attention to working great on the PC platform. Then that gamers will come in a wide range of skill/knowledge levels for their PCs, from those that treat them as glorified consoles to others that know every detail of their workstation.
Dual booting adds more admin and complexity, and in a way it's admitting that the trust level in software is so low your OS can't sandbox things out, that stuff you're running is taking liberties or just enough effort to fulfill its task, and you're going to the extent of running a console in a separate partition but running it is mutually exclusive with the serious OS. I'd guess a lot of people who felt strong enough would just have 'serious OS' be another device, most likely a phone but alternatively laptop, which would seem to marginalize what they use the windows install for.
We might have better computer security than with Windows 95, but the level of isolation we need to have a semblance of security is very rare and it's very easy for people to slip.
Arguably they could have already gotten all sensitive user data without that privilege if their program was hacked
I'm not sure if a gaming OS would help there.
It would be helpful if OSes wouldn't allow things like malicious drivers, but this is an extremely hard problem in light of people loading known vulnerable drivers and exploiting those...
You could argue that a lot of drivers could live in ring 1 or 2 rather than ring 0, but no OS implements that.
I'm working on an OS to try and think of solutions to these types of issues, but you know... if you can wait like 40 years maybe it will be done (and likely it will be vulnerable in different ways :(( )
Ultimately a combination would be best, hardware tailored to be secure and allow secure software to be developed for it, but the same can be said for phones and PCs etc.
Most modern CPUs have quite a lot of hardware security features which are often not ideally implemented or not used. They also offer features that can allow software to enhance security, but that is also rare. For example you _could_ use certain extended CPU registers to allow for taint tracking etc., but this likely kills game performance, and is not even done for trivial applications despite being proven to mitigate entire classes of vulnerabilities. (It's quite complicated to implement too as the hardware isn't taking into account such features for such purposes.)
relevant: https://xkcd.com/1200/
kernel/root/ring0 might sound super scary, but if there's any sort of code execution on linux/windows, practically speaking it's already game over.
https://github.com/google/security-research/security/advisor...
You can allow Linux to do it, you can also not allow it.. depends on what you allow really :'). Though, of course, vulns exist and people might yet find a way. Also you can edit your kernel etc. to stop certain features, disallow kmods being loaded etc. etc. It's not as easy to find holes on a properly configured system as on Windows. Though it's quite hard to do a proper config, especially if you want to do gaming and want Wine to run etc.