Follow Us
    
 

Vulnerabilies found in MW3 and CryEngine 3

by Reinhard Rheeder-Kleist (Choc_Salties)  Posted Monday, November 12, 2012 4:04:50 PM

Hit
 
0
 
 
Vulnerabilities in game clients or game servers are not a new thing, especially with the discovery of the IP spoofing attack based on the GETSTATUS command in Quake 3-based game engines. Now researchers at security consultancy ReVuln have found another two vulnerabilities, one in Call of Duty Modern Warfare 3 and another in the Crytek’s CryEngine 3. The findings were presented at the Power of Community (POC2012) security conference in Seoul last Friday.

The exploit discovered in Modern Warfare 3 as described, sounds similar to an attack causing an attacked server to either attack another server, or be forced to crash due to the attack. "This is something we have seen," Ferrante said. "We have a lot of companies that ask for these kinds of denial-of-service attacks to attack competitors. This is really a big concern for companies."

The second and potentially more dangerous vulnerability relates to Crytek’s CryEngine 3, allowing a remote user shell access to a client running a game based on a CryEngine 3-based game. Demonstration showed an attack on CryEngine 3 within the game Nexuiz. The attack, at the server level, enabled him to create a remote shell on a game-player's computer.

CryEngine_3_by_NaSoooRe.jpg

In the demonstration, the presenter caused an image of cat riding a rocket to be displayed on the victim's computer.

Donato Ferrante, one of the researchers from ReVuln said, "Once you get access to the server, which is basically the interface with the company, you can get access to all of the information on the players through the server.”

It seems that introduced vulnerabilities such as these demonstrated aren’t too much of a concern for gaming companies as much as it should be, where potentially these avenues to lead to serious invasions of privacy as well as security. Suppose a couple of class-action lawsuits might solve that when this gets out more.

Oh wait, American users signed those rights away when they accepted recent EULAs from most large game publishers with the “don’t sue me” clause. Oh well…

Thanks to Slashdot for the alert and Computerworld for the source


Gallery

cryengine3-logo.jpg  CryEngine_3_by_NaSoooRe.jpg 

Share This Article


 
comments powered by Disqus
Survey
 
Vote for your favourite November Game Release
View all releases










Submit Survey  View Results

1. FIFA 15
Brand: Electronic Arts
Now R599

2. FIFA 15
Brand: Electronic Arts
Now R599

3. FIFA 15
Brand: Electronic Arts
Now R679

4. Call of Duty: Advanced Warfare Day Zero Edition
Brand: Activision/Blizzard
Now R799

5. Call of Duty: Advanced Warfare Day Zero Edition
Brand: Activision/Blizzard
Now R699

Kalahari.com
 

1. Assassin's Creed 4: Black Flag - Special Edition
Platform: Xbox One
Now R509

2. Project Spark
Brand: Microsoft
Now R430

3. Blood Bowl 2
Brand: Focus Home
Now R699

4. Orb Xbox One Controller Thumb Grips
Brand: ORB
Now R49

5. The Walking Dead Season 1 (GOTY)
Brand: Nordic Games
Now R649

Kalahari.com