Critical Vulnerabilities found in Call of Duty:MW3, CryEngine 3

[Asrokhel]

Call of Duty: Modern Warfare 3 and CryEngine 3 graphics platform suffer from critical vulnerabilities, two security researchers have revealed.

ReVuln security consultants Luigi Auriemma and Donato Ferrante presented results of their research at the Power of Community (POC2012) security conference in Seoul and said that not only hackers but also other online gaming companies can benefit by exploiting these vulnerabilities. The security researchers have revealed that online gaming companies can try and steal a competitor's players or shut down a competitor?s game completely. Ferrante said "We have a lot of companies that ask for these kinds of denial-of-service attacks to attack competitors. This is really a big concern for companies."

Auriemma showcased a video during the conference which contained an exploit targeting a denial-of-service vulnerability in Activision?s COD:MW3. In the video, the server administrator received a warning when the server running the game was remotely crashed. The duo is planning to release advisories next Tuesday and have showed willingness to work with Activision to patch the vulnerability but, have revealed that they will not be doing so by volunteering the information as vulnerability research is part of their business.

Auriemma?s also showcased another exploit that targeted vulnerability in CryEngine 3. The researcher showcased how he was able to gain access to a game-player?s system by creating a remote shell through to the player's computer. "Once you get access to the server, which is basically the interface with the company, you can get access to all of the information on the players through the server," said Ferrante.

http://paritynews.com/security/item/472-critical-vulnerabilities-found-in-call-of-dutymw3-cryengine-3

[Yusuf M. Veteran]

That's interesting. I've never read about a game engine having a vulnerability like that. If it had one, it allowed users to create hacks or mess with the game. I wonder what Crytek and Infinity Ward are going to do about this.

[The King of GnG]

Heh, cloud gaming. It's the future....

[syncore]

Auriemma is probably one of the top exploits researchers for games. A couple of years ago I remember using one of his proof of concepts in order to get the Quake Live chat to work in pidgin

[Alladaskill17]

This is very interesting, thanks for the post. Interested to see how this plays out.

[Phouchg]

Game hacks have been there since the dawn of time. Online portion shouldn't be any different. Aimbots, point hacks, kick scripts. While most trainers are just memory patching, isn't that simple with things that have to work online. In most cases somebody traces game code see what it sends and receives and where it puts that stuff. Integrate network code into engine and there you have it - engine vulnerability.

Offline portions of game code are getting pwnt all the time by warez people. No piece of code (except for NASA shuttle launch) is secure. Game companies have more or less got away with it because it's a game - games (except MMOs) didn't have much useful personal information up until recently.

Welcome to the future, yes.