GAME ENGINES VULNERABILITIESIndependent specialists in IT security have found serious vulnerabilities in software engines of some very popular games, first person shooters.

Identified bugs allow an attacker to compromise a serveroy operators of games, and computers themselves gamers.

Security experts Luigi Auriemma and Donato Ferrante of the company Revuln found faults in the subsystem with computer memory and the possibility to exchange buffer overflow in such developments as the CryEngine 3, Unreal Engine 3, Hydrogen Engine and id Tech 4. On the basis of these engines run games such as “Quake 4,” “Crysis 2,” “Homefront,” “Brink,” “Monday Night Combat,” “Enemy Territory: Quake Wars”, “Sanctum”, “Breach,” ” Nexuiz “and many others.

Identified two problems allow professionals to run on the target gamer’s computer malicious code or spend a DoS-attack against the server or client by sending specially crafted packets of data. About his findings Oremma and Farrant told the conference NoSuchCon in Paris, at the same time by presenting the description of the attack, compromising servers for multiplayer Crysis 2 and Quake 4.

Both developers say that today they regarded vulnerabilities persist, although the respective vendors already have been alerted. “Some of the vulnerabilities could be used to attack servers, while others, such as in CryEngine 3, the client computers. Attacker can launch attacks without any interaction with the victim and other manipulations” – they say. “Servers can also be collapsed, sending them a specially configured network packets.”

The researchers also say that potential attackers can gain sensitive information from the victim’s computer, which may be confidential business or public nature. “When people play games, they somehow creates the illusion of security, even worse when the hacker attack can be carried out at all without any interaction with the victim,” – says Auriemma.

In the video below, ReVuln experts show you how to use a special tool, you can perform an attack on the game servers Crysis 2 and Quake 4.

Luigi Auriemma and Donato Ferrante also published documenting attacks – http://revuln.com/files/ReVuln_Game_Engines_0days_tale.pdf

Advertisements