Five years ago, a pair of security researchers wrote a book called Exploiting Online Games, in which they described a number of ways attackers could take advantage of weaknesses in the protection systems of various gaming platforms. Now, with online gaming having emerged as a massive business, other researchers have picked up the ball and begun finding serious flaws. The latest vulnerability to be disclosed is in EA’s Origin online game-delivery system, which researchers from ReVuln have shown can be exploited remotely to run malicious code on users’ machines.
The problem lies in the way Origin’s custom URI handler processes commands. Origin is EA’s platform for delivering games and enabling users to play them without downloading them or playing them from a disc. In order to access content, users download a client that connects to the Origin server. To do so, the client registers a custom URI handler, origin://, so a command that tells the system to launch a game begins with that URI and then contains several other components. An attacker who can discover the Game ID, which is a unique identifier for each game, can use local vulnerabilities on a user’s machine to execute arbitrary code.
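The defender's lesson from this class of bug is that a custom URI handler turns every web link into an argument list for a local program, so the handler must treat each URI component as hostile input. The following added example is not ReVuln's code and does not reproduce Origin's real URI layout; it uses a hypothetical `game://launch/<GAME_ID>?opt=<name>` scheme to contrast a weak handler that splices URI components straight into a launch command with a hardened one that validates the scheme, the action, the game identifier's format and an allowlist of option names before building an argv list.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical URI layout used for illustration only (not Origin's real format):
#   game://launch/<GAME_ID>?opt=<name>[&opt=<name>...]
GAME_ID_RE = re.compile(r"^[A-Z0-9]{4,16}$")   # constructed format for game ids
ALLOWED_OPTS = {"fullscreen", "windowed"}       # the only option names the launcher accepts


def naive_handler(uri: str) -> str:
    """Weak handler: every URI component ends up verbatim on the launch command line.

    Because nothing is validated, any text an attacker places in the link is
    handed to the game binary as extra arguments.
    """
    parts = urlsplit(uri)
    game_id = parts.path.lstrip("/")
    extra = parse_qs(parts.query).get("opt", [])
    return "game.exe --id " + game_id + " " + " ".join(extra)


def hardened_handler(uri: str) -> list:
    """Hardened handler: rejects anything outside the documented grammar.

    Returns an argv list (no shell string) so the launcher can be started with
    subprocess-style APIs that never re-parse the arguments.
    """
    parts = urlsplit(uri)
    if parts.scheme != "game" or parts.netloc != "launch":
        raise ValueError("unexpected scheme or action")

    # Game id must match the fixed identifier format; no separators, no flags.
    game_id = parts.path.lstrip("/")
    if not GAME_ID_RE.fullmatch(game_id):
        raise ValueError("malformed game id")

    # Only the documented query parameter may appear, with allowlisted values.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if set(qs) - {"opt"}:
        raise ValueError("unknown query parameter")
    opts = qs.get("opt", [])
    if any(o not in ALLOWED_OPTS for o in opts):
        raise ValueError("option not on allowlist")

    # Options are mapped to fixed flags; attacker text never reaches argv directly.
    return ["game.exe", "--id", game_id] + ["--" + o for o in opts]


def is_safe_link(uri: str) -> bool:
    """Convenience predicate: True only if the hardened handler accepts the link."""
    try:
        hardened_handler(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = "game://launch/ABC123?opt=fullscreen"
    # Constructed hostile link: the option value is really an extra command-line flag.
    bad = "game://launch/ABC123?opt=--unvetted-flag"
    print("naive   :", naive_handler(bad))     # flag passes straight through
    print("hardened:", hardened_handler(good))  # ['game.exe', '--id', 'ABC123', '--fullscreen']
    print("hostile accepted?", is_safe_link(bad))  # False
```

The key design choice is that the hardened handler never builds a shell string: it maps each validated option onto a fixed flag and returns an argv list, so the only attacker-controlled value that survives is a game id already constrained to a narrow character set.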
“The Origin platform allows malicious users to exploit local vulnerabilities or features by abusing the Origin URI handling mechanism. In other words, an attacker can craft a malicious internet link to execute malicious code remotely on a victim’s system which has Origin installed,” the ReVuln research paper says.
“In order to demonstrate the insecurity of the Origin platform, we picked the most recent and well known game available on this platform: Crysis 3, which was released on 19 February 2013. We found several ways to trigger remote code execution against remote victim systems by abusing the Origin platform itself. One way is based on exploiting a feature, NVidia Benchmark framework, in CryEngine’s game engine.”
By specifying a certain set of commands in an Origin link, an attacker can cause a user to load malicious code onto his machine. In a video demonstration of the problem, ReVuln researchers Luigi Auriemma and Donato Ferrante showed their attack working against the Crysis 3 game on Origin.
The researchers presented their findings at the Black Hat EU conference in Amsterdam last week. Auriemma said that, because of the nature of attacks on games, it’s difficult to know whether any attackers are already using this technique.
“For this kind of attack the situation is a little bit tricky, because we are not talking about attacking big systems, like SCADA. But we are talking about games and gamers, and attacks via games usually are pretty stealthy, and they are pretty difficult to spot, as this sort of attack vector is pretty underestimated by people,” he said.
In October, ReVuln published similar research demonstrating a vulnerability in the Steam gaming platform.