Jump to content


Critical Vulnerabilities found in Call of Duty:MW3, CryEngine 3

  • Please log in to reply
5 replies to this topic

#1 Asrokhel



  • 1,027 posts
  • Joined: 05-April 12
  • OS: Windows 8 Pro x64 (testing to see if I keep it or go back to Windows 7)

Posted 10 November 2012 - 17:09

Call of Duty: Modern Warfare 3 and CryEngine 3 graphics platform suffer from critical vulnerabilities, two security researchers have revealed.

ReVuln security consultants Luigi Auriemma and Donato Ferrante presented results of their research at the Power of Community (POC2012) security conference in Seoul and said that not only hackers but also other online gaming companies can benefit by exploiting these vulnerabilities. The security researchers have revealed that online gaming companies can try and steal a competitor's players or shut down a competitor’s game completely. Ferrante said "We have a lot of companies that ask for these kinds of denial-of-service attacks to attack competitors. This is really a big concern for companies."

Auriemma showcased a video during the conference which contained an exploit targeting a denial-of-service vulnerability in Activision’s COD:MW3. In the video, the server administrator received a warning when the server running the game was remotely crashed. The duo is planning to release advisories next Tuesday and have showed willingness to work with Activision to patch the vulnerability but, have revealed that they will not be doing so by volunteering the information as vulnerability research is part of their business.

Auriemma’s also showcased another exploit that targeted vulnerability in CryEngine 3. The researcher showcased how he was able to gain access to a game-player’s system by creating a remote shell through to the player's computer. "Once you get access to the server, which is basically the interface with the company, you can get access to all of the information on the players through the server," said Ferrante.


#2 Yusuf M.

Yusuf M.

  • 21,507 posts
  • Joined: 25-May 04
  • Location: Toronto, ON
  • OS: Windows 8.1 Pro
  • Phone: OnePlus One 64GB

Posted 10 November 2012 - 19:22

That's interesting. I've never read about a game engine having a vulnerability like that. If it had one, it allowed users to create hacks or mess with the game. I wonder what Crytek and Infinity Ward are going to do about this.

#3 The King of GnG

The King of GnG

    Knight and King of the Great Hell Village

  • 450 posts
  • Joined: 06-February 12
  • Location: Italy
  • OS: Windows
  • Phone: Windows Phone

Posted 11 November 2012 - 01:22

Heh, cloud gaming. It's the future....

#4 syncore



  • 87 posts
  • Joined: 14-February 04

Posted 11 November 2012 - 01:29

Auriemma is probably one of the top exploits researchers for games. A couple of years ago I remember using one of his proof of concepts in order to get the Quake Live chat to work in pidgin

#5 Alladaskill17


    Neowinian Senior

  • 5,450 posts
  • Joined: 21-July 05

Posted 11 November 2012 - 04:19

This is very interesting, thanks for the post. Interested to see how this plays out.

#6 Phouchg


    has stopped responding

  • 5,689 posts
  • Joined: 28-March 11

Posted 11 November 2012 - 10:46

Game hacks have been there since the dawn of time. Online portion shouldn't be any different. Aimbots, point hacks, kick scripts. While most trainers are just memory patching, isn't that simple with things that have to work online. In most cases somebody traces game code see what it sends and receives and where it puts that stuff. Integrate network code into engine and there you have it - engine vulnerability.
Offline portions of game code are getting pwnt all the time by warez people. No piece of code (except for NASA shuttle launch) is secure. Game companies have more or less got away with it because it's a game - games (except MMOs) didn't have much useful personal information up until recently.

Welcome to the future, yes.