
Vulnerabilities found in MW3 and CryEngine 3

by Reinhard Rheeder-Kleist (Choc_Salties)  Posted Monday, November 12, 2012 4:04:50 PM

Vulnerabilities in game clients or game servers are not a new thing, especially with the discovery of the IP spoofing attack based on the GETSTATUS command in Quake 3-based game engines. Now researchers at security consultancy ReVuln have found another two vulnerabilities, one in Call of Duty Modern Warfare 3 and another in Crytek’s CryEngine 3. The findings were presented at the Power of Community (POC2012) security conference in Seoul last Friday.

The exploit discovered in Modern Warfare 3, as described, sounds similar to an attack that causes the targeted server either to attack another server or to crash. "This is something we have seen," Ferrante said. "We have a lot of companies that ask for these kinds of denial-of-service attacks to attack competitors. This is really a big concern for companies."

The second and potentially more dangerous vulnerability relates to Crytek’s CryEngine 3, allowing a remote user shell access to a client running a CryEngine 3-based game. The demonstration showed an attack on CryEngine 3 within the game Nexuiz. The attack, at the server level, enabled the presenter to create a remote shell on a game player's computer.


In the demonstration, the presenter caused an image of a cat riding a rocket to be displayed on the victim's computer.

Donato Ferrante, one of the researchers from ReVuln, said, "Once you get access to the server, which is basically the interface with the company, you can get access to all of the information on the players through the server."

It seems that vulnerabilities such as the ones demonstrated aren’t as much of a concern for gaming companies as they should be, even though these avenues could potentially lead to serious invasions of privacy as well as security. I suppose a couple of class-action lawsuits might solve that when this gets out more.

Oh wait, American users signed those rights away when they accepted recent EULAs from most large game publishers with the “don’t sue me” clause. Oh well…

Thanks to Slashdot for the alert and Computerworld for the source.

