Everybody plays games, and a whole lot of people plays computer games. Despite this fact, very few of us, security researchers consider them as interesting targets. Granted, you won't likely be able to directly hack into a big corporate network via game exploits, but you could for example target the people running the company via their favorite games. Or their children's favorite games. Another scenario: you should consider that a hacked game could allow Not So Admirable people access to your internal network - which at first does not seem that big of a deal considering it's "just" a home network, but when you realize all your mobile phones, your TV set, your VOIP phones, your security cameras, and even your smart house sensors and controllers are part of that network, it looks much more scary.
Games are also interesting from a technical standpoint too, since they tend to be quite complex. The majority of them have networking, and they process complex data structures (maps, saved games, etc.) which makes them ideal fuzzing targets. But this talk is not about those kind of exploits. Hackers tend to ignore the low hanging fruits in favor of beautiful exploits, but we really shouldn't - bad guys don't care about how sophisticated some exploit is, they only care about the results. This is why I have decided to take a look around and see what's already there in the games that allows access to the gamers' network. Thus this research about how game scripting engines can be abused started.
I'll show in this talk that playing on custom game servers and playing community created maps could easily lead to code execution on our machines - more so, in most cases without the need to bypass the operating system's exploit mitigation techniques. My targets include popular games and game engines like CryEngine 3, Dota 2, Garry's Mod, ARMA3 and Digital Combat Simulator. I'll show a wide range of script abuse from a simple direct command execution in an unrestricted scripting environment through brute forcing a security camera via HTTP requests to complex script sandbox escapes.
Tamas is the lead IT security researcher at PR-Audit Ltd., a company focusing mainly on penetration testing and SIEM software developing. Previously he participated in a cooperation between ELTE Department of Meteorology and the Paks Nuclear Power Plant Ltd. which goal was to develop TREX, a toxic waste emission simulator using CUDA. The scene from RoboCop where the kid defeats the evil robot with just a laptop and a serial cable made a huge impression on him, and after seeing the movie, his path was set: he was bound to be a hacker. His first experiences in this field involved poking around various copy protection schemes, and for this day his favorite areas of expertise are the ones that require some mangling of binary files. Besides computer security he also loves mountain biking and flight simulators. Twitter: @sghctoma