Two video game researchers have discovered a slew of zero day vulnerabilities in the engines that run popular first person shooter games like “Quake 4,” “Monday Night Combat,” “Crysis 2” and “Homefront,” among others that could put their servers and the gamers who use them in danger.

The flaws lie in engines like Unreal Engine 3, id Tech 4, and CryEngine 3, some of the same systems used by the Federal Bureau of Investigation and the U.S. Air Force in military simulator training systems.

Luigi Auriemma and Donato Ferrante, two researchers behind the Malta-based firm ReVuln Security, discussed their findings in a presentation, “Exploiting Game Engines for Fun and Profit,” (.PDF) at the NoSuchCon security conference in Paris.

The vulnerabilities can be used to attack game servers, along with game clients, according to the duo’s research.

In one case an attacker could potentially fake the IP of the server for id Tech 4 (the engine associated with Quake 4) to trigger a stack based buffer overflow in the game. In another, an attacker could get the CryEngine 3 engine to improperly handle “fragmented packets,” which could result in a heap overlow or integer overflow vulnerability.

Dozens of games in addition to those mentioned above could be affected by the vulnerabilities, since multiple games use the same engines.

“It’s a matter of how many other games share the same engine,” the two said in their presentation, “Any attacker can exploit them without any user interaction or additional requirements.”

Auriemma and Ferrante have proved quite adept at finding bugs in gaming systems over the last half decade or so. The two found a handful of memory corruption issues, buffer and heap overflows in the online video gaming portal Steam last October and earlier this year, found a flaw in EA’s Origin client that opened the site up to remote code execution and put users’ computers at risk.

As they usually do for exploits, the two have posted a .PDF copy of their Powerpoint presentation  (.PDF) and posted a video on Vimeo describing the vulnerabilities in detail. This particular one demonstrates the exploits against Crysis 2 and Quake 4’s master servers:

[vimeo 66027238 w=600 h=338]

Auriemma and Ferrante plan to sell the information about the vulnerabilities – all of which were previously undisclosed – to third party companies via its subscription service, the “zero-day feed.”

For more on their research, check out the accompanying paper, “Game Engines: A 0-Day’s Tale,” (.PDF) ReVuln posted, complete with code sequences that breaks down which vulnerabilities affect each game.

Categories: Videos, Vulnerabilities