{"id":418,"date":"2013-05-10T17:12:57","date_gmt":"2013-05-10T17:12:57","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=418"},"modified":"2013-05-10T17:25:52","modified_gmt":"2013-05-10T17:25:52","slug":"exploit-in-skyrim","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2013\/05\/exploit-in-skyrim\/","title":{"rendered":"Exploit In Skyrim"},"content":{"rendered":"

Welcome loyal readers!<\/p>\n

It’s been a dogs age. I’ve been split on projects and time, playing lots of video games and writing lots of code. Recently I found a format string vulnerability in a video game. A popular one at that. Further research into this video game revealed this vulnerability is not new. I found the same vulnerability in the same series of games dating all the way back to 2001. 12 years is a long time for a vulnerability to stick around.<\/p>\n

Ok, I’m done beating around the bush. I found a format string vulnerability in Morrowind, Oblivion, Fallout 3, Fallout New Vegas, and the latest game Skyrim. Further proof that I have too much time on my hands and my 2 hobbies are starting to blend together. Sort of like having a love for running and target shooting then combining the 2 into extreme paintball. <\/p>\n

Here’s how it works:<\/p>\n

By pressing the tilde key you bring up the console window. Most games have this as a sort of ‘debug’ menu or for administration of game servers such as with Counterstrike or Battlefield. Anywho, in The Elder Scrolls games \/ Fallout, you can change character attributes and spawn items with this menu. This is where the format string vulnerability exists.<\/p>\n

Do you recall what a format string vulnerability is? Functions like printf() and its variants allow us to view and manipulate the program’s running stack frame by specifying certain format string characters. By passing %08x.%08x.%08x.%08x.%08x, we get 5 parameters from the stack and display them in an 8-digit padded hex format. The format string specifier ‘%s’ displays memory from an address that is supplied on the stack. Then there’s the %n format string specifier – the one that crashes applications because it writes addresses to the stack. Powerful stuff.<\/p>\n

And its also not just The Elder Scrolls games that are affected. Since Bethesda produced The Elder scrolls games, its worth mentioning that other games produced by this company are vulnerable to this same attack. I’m of course talking about Fallout 3 and its counterpart, Fallout – New Vegas.<\/p>\n

I’m sure you’re all calling BS right now, so I’ve provided some screen shot proof. Have a look see.<\/p>\n

The first game is Skyrim.
\n\"vuln_vidya1\"<\/a>
\nIn this example, I am just printing 3 values from the stack in hexadecimal format.<\/p>\n

\"vuln_vidya2\"<\/a>
\nAnd now I’m writing the value of whatever was stored in the previous buffer to the stack which is in turn crashing the program.<\/p>\n

\"vuln_vidya3\"<\/a>
\nHere’s Fallout inside the ‘Great Khan’s longhouse’ testing with ‘%x’ again.<\/p>\n

\"vuln_vidya4\"<\/a>
\nAnd another crash after writing BS contents to the stack frame.<\/p>\n

\"vuln_vidya5\"<\/a>
\nThis is from Morrowind, released in 2001, the same vulnerability is found involving the scripting module.<\/p>\n

\"vuln_vidya6\"<\/a>
\nAnd once again, crashed for writing BS to the stack.<\/p>\n

I’m certain the same vulnerability lies in Fallout 3 and Oblivion however I was too lazy to install to show you all, but you get the idea. Same vulnerable scripting module.
\nWhy stop at screen shots? I’m sure you’re all dying to see some static binary analysis and the root cause. <\/p>\n

After some digging around inside Morrowind, I found out where the call was being made for the syntax error handler since this is where the format string vulnerability lies:<\/p>\n

\r\n; at offset 004FCD10<\/span>\r\nmov<\/span> eax<\/span>,<\/span> [<\/span>ebp<\/span>+<\/span>64h<\/span>]<\/span>\r\nmov<\/span> edx<\/span>,<\/span> [<\/span>ebp<\/span>+<\/span>50h<\/span>]<\/span>\r\nlea<\/span> ecx<\/span>,<\/span> [<\/span>eax<\/span>+<\/span>ebp<\/span>+<\/span>6Ch<\/span>]<\/span>\r\npush<\/span> ecx<\/span>\r\npush<\/span> edx<\/span>\r\nlea<\/span> eax<\/span>,<\/span> [<\/span>ebp<\/span>+<\/span>0Ch<\/span>]<\/span>\r\npush<\/span> eax<\/span> ; Args<\/span>\r\npush<\/span> offset<\/span> aScriptSSynta_4<\/span> ; \u201cScript %s\\nSyntax Error Line %d.\\r\\n%s\\r\\nCould not parse this line.\u2019\u201d<\/span>\r\npush<\/span> ebp<\/span> ; int<\/span>\r\ncall<\/span> sub_4F72E0<\/span>\r\nadd<\/span> esp<\/span>,<\/span> 14h<\/span>\r\npop<\/span> edi<\/span>\r\npop<\/span> esi<\/span>\r\npop<\/span> ebp<\/span>\r\nmov<\/span> eax<\/span>,<\/span> 0FFFFh<\/span>\r\npop<\/span> ebx<\/span>\r\nadd<\/span> esp<\/span>,<\/span> 8<\/span>\r\nretn<\/span>\r\n<\/pre>\n
Since this is a ‘fastcall’ style function, the arguments are placed into registers prior to the function call  to ‘sub_4F72E0’. Inside this sub routine lies our problem.<\/p>\n
\r\n;.text:004F72E0 ; int __cdecl sub_4F72E0(int, char *Format, char Args)<\/span>\r\nmov<\/span>     ecx<\/span>,<\/span> [<\/span>esp<\/span>+<\/span>Format]<\/span>\r\nsub<\/span>     esp<\/span>,<\/span> 104h<\/span>\r\nlea<\/span>     eax<\/span>,<\/span> [<\/span>esp<\/span>+<\/span>104h<\/span>+<\/span>Args]<\/span>\r\npush<\/span>    eax<\/span>             ; Args<\/span>\r\npush<\/span>    ecx<\/span>             ; Format<\/span>\r\nlea<\/span>     edx<\/span>,<\/span> [<\/span>esp<\/span>+<\/span>10Ch<\/span>+<\/span>Dest]<\/span>\r\npush<\/span>    edx<\/span>             ; Dest<\/span>\r\ncall<\/span>    ds<\/span>:<\/span>vsprintf\r\nmov<\/span>     eax<\/span>,<\/span> dword_7CEC0C\r\nadd<\/span>     esp<\/span>,<\/span> 0Ch<\/span>\r\ncmp<\/span>     eax<\/span>,<\/span> 1<\/span>\r\njnz<\/span>     short<\/span> loc_4F732D<\/span>\r\nmov<\/span>     ecx<\/span>,<\/span> dword_7C67DC\r\nlea<\/span>     eax<\/span>,<\/span> [<\/span>esp<\/span>+<\/span>104h<\/span>+<\/span>Dest]<\/span>\r\npush<\/span>    eax<\/span>             ; Format<\/span>\r\npush<\/span>    ecx<\/span>             ; int<\/span>\r\ncall<\/span>    sub_40F970<\/span>\r\nadd<\/span>     esp<\/span>,<\/span> 8<\/span>\r\nmov<\/span>     byte_7CEC10<\/span>,<\/span> 1<\/span>\r\nadd<\/span>     esp<\/span>,<\/span> 104h<\/span>\r\nretn<\/span>\r\n;^<\/span>\r\n;|<\/span>\r\n;v<\/span>\r\nloc_4F732D:<\/span>                             ; CODE XREF: sub_4F72E0+29\u0018j<\/span>\r\nlea<\/span>     edx<\/span>,<\/span> [<\/span>esp<\/span>+<\/span>104h<\/span>+<\/span>Dest]<\/span>\r\npush<\/span>    edx<\/span>             ; Format<\/span>\r\ncall<\/span>    sub_477400<\/span>\r\nadd<\/span>     esp<\/span>,<\/span> 4<\/span>\r\nmov<\/span>     byte_7CEC10<\/span>,<\/span> 1<\/span>\r\nadd<\/span>     esp<\/span>,<\/span> 104h<\/span>\r\nretn<\/span>\r\nendp<\/span>\r\n<\/pre>\n
As As I’ve said before, printf() style functions are the cause of format string vulnerabilities and in this case, its vsprintf(). One of the function arguments is being passed to vsprintf() without proper checking. <\/p>\n
Here’s the function again in IDA if you want fancy highlighting:
\n\"vuln_vidya7\"<\/a><\/p>\n
So far, the only feasible way to exploit the game I’ve come up with is by some sort of hand crafted mod or plugin for the game as that would have access to the scripting console on which the vulnerabilities lie. That said, it would be difficult to exploit in the wild also do in part to the video games having no network capability.<\/p>\n
One thing I am looking forward to is the newest Elder Scrolls game by Bethesda – The Elder Scrolls Online. This online capability might just make remote exploitation of my 0day feasible. Why? If the same vulnerability is present in Morrowind released in 2002 is still present in Skyrim (released 2012), the odds are in my favor that the same vulnerability will be in the latest game release. <\/p>\n
Since its pretty hard to exploit these vulnerabilities given the game has to be running, I’m not going to bother with posting on bugtraq or emailing devs who will send me angry threatening emails. So for now, they’re 0days to be picked apart by people better than me. <\/p>\n
For more info on format string exploits, check this paper out: Format Strings<\/a><\/p>\n
Happy hacking!
\n\"1329968336101\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Welcome loyal readers! It’s been a dogs age. I’ve been split on projects and time, playing lots of video games and writing lots of code. Recently I found a format string vulnerability in a video game. A popular one at that. Further research into this video game revealed this vulnerability is not new. I found […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,6],"tags":[22,105,59,9,60,58],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/418"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=418"}],"version-history":[{"count":13,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/418\/revisions"}],"predecessor-version":[{"id":435,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/418\/revisions\/435"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=418"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=418"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=418"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}