Welcome loyal readers!

It’s been a dogs age. I’ve been split on projects and time, playing lots of video games and writing lots of code. Recently I found a format string vulnerability in a video game. A popular one at that. Further research into this video game revealed this vulnerability is not new. I found the same vulnerability in the same series of games dating all the way back to 2001. 12 years is a long time for a vulnerability to stick around.

Ok, I’m done beating around the bush. I found a format string vulnerability in Morrowind, Oblivion, Fallout 3, Fallout New Vegas, and the latest game Skyrim. Further proof that I have too much time on my hands and my 2 hobbies are starting to blend together. Sort of like having a love for running and target shooting then combining the 2 into extreme paintball.

Here’s how it works:

By pressing the tilde key you bring up the console window. Most games have this as a sort of ‘debug’ menu or for administration of game servers such as with Counterstrike or Battlefield. Anywho, in The Elder Scrolls games / Fallout, you can change character attributes and spawn items with this menu. This is where the format string vulnerability exists.

Do you recall what a format string vulnerability is? Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.

And its also not just The Elder Scrolls games that are affected. Since Bethesda produced The Elder scrolls games, its worth mentioning that other games produced by this company are vulnerable to this same attack. I’m of course talking about Fallout 3 and its counterpart, Fallout – New Vegas.

I’m sure you’re all calling BS right now, so I’ve provided some screen shot proof. Have a look see.

The first game is Skyrim.

In this example, I am just printing 3 values from the stack in hexadecimal format.

And now I’m writing the value of whatever was stored in the previous buffer to the stack which is in turn crashing the program.

Here’s Fallout inside the ‘Great Khan’s longhouse’ testing with ‘%x’ again.

And another crash after writing BS contents to the stack frame.

This is from Morrowind, released in 2001, the same vulnerability is found involving the scripting module.

And once again, crashed for writing BS to the stack.

I’m certain the same vulnerability lies in Fallout 3 and Oblivion however I was too lazy to install to show you all, but you get the idea. Same vulnerable scripting module.
Why stop at screen shots? I’m sure you’re all dying to see some static binary analysis and the root cause.

After some digging around inside Morrowind, I found out where the call was being made for the syntax error handler since this is where the format string vulnerability lies:

; at offset 004FCD10
mov eax, [ebp+64h]
mov edx, [ebp+50h]
lea ecx, [eax+ebp+6Ch]
push ecx
push edx
lea eax, [ebp+0Ch]
push eax ; Args
push offset aScriptSSynta_4 ; “Script %s\nSyntax Error Line %d.\r\n%s\r\nCould not parse this line.’”
push ebp ; int
call sub_4F72E0
add esp, 14h
pop edi
pop esi
pop ebp
mov eax, 0FFFFh
pop ebx
add esp, 8
retn

Since this is a ‘fastcall’ style function, the arguments are placed into registers prior to the function call to ‘sub_4F72E0’. Inside this sub routine lies our problem.

;.text:004F72E0 ; int __cdecl sub_4F72E0(int, char *Format, char Args)
mov     ecx, [esp+Format]
sub     esp, 104h
lea     eax, [esp+104h+Args]
push    eax             ; Args
push    ecx             ; Format
lea     edx, [esp+10Ch+Dest]
push    edx             ; Dest
call    ds:vsprintf
mov     eax, dword_7CEC0C
add     esp, 0Ch
cmp     eax, 1
jnz     short loc_4F732D
mov     ecx, dword_7C67DC
lea     eax, [esp+104h+Dest]
push    eax             ; Format
push    ecx             ; int
call    sub_40F970
add     esp, 8
mov     byte_7CEC10, 1
add     esp, 104h
retn
;^
;|
;v
loc_4F732D:                             ; CODE XREF: sub_4F72E0+29j
lea     edx, [esp+104h+Dest]
push    edx             ; Format
call    sub_477400
add     esp, 4
mov     byte_7CEC10, 1
add     esp, 104h
retn
endp

As As I’ve said before, printf() style functions are the cause of format string vulnerabilities and in this case, its vsprintf(). One of the function arguments is being passed to vsprintf() without proper checking.

Here’s the function again in IDA if you want fancy highlighting:

So far, the only feasible way to exploit the game I’ve come up with is by some sort of hand crafted mod or plugin for the game as that would have access to the scripting console on which the vulnerabilities lie. That said, it would be difficult to exploit in the wild also do in part to the video games having no network capability.

One thing I am looking forward to is the newest Elder Scrolls game by Bethesda – The Elder Scrolls Online. This online capability might just make remote exploitation of my 0day feasible. Why? If the same vulnerability is present in Morrowind released in 2002 is still present in Skyrim (released 2012), the odds are in my favor that the same vulnerability will be in the latest game release.

Since its pretty hard to exploit these vulnerabilities given the game has to be running, I’m not going to bother with posting on bugtraq or emailing devs who will send me angry threatening emails. So for now, they’re 0days to be picked apart by people better than me.

For more info on format string exploits, check this paper out: Format Strings

Happy hacking!