from Hacker News

Remote Code Execution in Marvel Rivals Game

by eugenekolo on 2/3/25, 6:02 PM with 129 comments

  • by doctorpangloss on 2/3/25, 6:58 PM

    The engineering culture behind AAA video games is rotten to the core with regards to security. Everyone thinks they're making Doom 3 and they're really making Windows 2000 Service Pack 1.

  • by agentultra on 2/3/25, 7:26 PM

    I was literally thinking about this the other day. There are a ton of games using kernel modules for anti-cheat and... just load and interpret data payloads. Certainly some of those payloads could manipulate the funny machines inside of a game executable if they're not careful about their parsing and validation.

    Nice PoC!

    Update: yes, most game client processes don't run in the kernel. My b. I was just thinking that updates and content payloads might be an interesting vector for langsec.

  • by kibwen on 2/3/25, 9:07 PM

    I bought a Steam Deck with the sole purpose of having a cheap, airgapped PC to run games on. Game devs just don't have the incentives or discipline to be trusted with security.

    Reminder that all three Dark Souls games allowed full RCE to any users connected to the internet: https://flashpoint.io/blog/rce-vulnerability-dark-souls/

  • by lockemx on 2/3/25, 9:14 PM

    Interestingly, the game doesn't run as admin for any good reason. The first thing I did was only let the launcher and game run as the user with RunAsInvoker. The anticheat alone is allowed RunAsAdmin. At the same time, I don't trust any anticheat. It's probably worse than useless, but it is what it is. I thought Microsoft would clean this up after the Crowdstrike incident for all kernel-level code, but I guess there's no incentive for them to only let game companies request runtime analysis / reports rather than run code. As for the anti-cheat industry, they should focus on patterns of user behavior to help game companies moderate the players as much as neccesary.

  • by bangaladore on 2/3/25, 6:27 PM

    > the game runs with admin privileges for the sake of anti-cheat

    "sake of anti-cheat" should be taken lightly here. There is a reason why all the other sane anti-cheats have at least two applications, the anti cheat service which often runs as admin, and the game, which does not. Running the game as admin is quite frankly inexcusable.

    The service often does the network comms and communicates to a kernel-mode driver and/or to the application via IPC or similar. Having defined barriers of separation are good things.

    In any case, this POC doesn't have huge implications necessarily for most people, but maybe in SEA or China where LAN cafes are more prevalent, it could be a larger concern.

  • by sanktanglia on 2/3/25, 7:59 PM

    Funny enough this engine is based off the same one they used in Diablo immortal which also has this issue

  • by lcnPylGDnU4H9OF on 2/3/25, 10:19 PM

    > This also opens the door up to an entrypoint on PS5.

    Does he mean that this is potentially how one could install custom firmware on their console?

    Curious because I remember reading somewhat recently that console vendors have locked their consoles down well enough so as to avoid any vulnerabilities which could be exploited to install custom firmware. It would be amusing if that was invalidated by game dev security and I start hearing about ways to install some modded firmware, which include a step of "install one of these games".

    IIRC, the web browser on 3DS systems was exploited to install custom firmware rather than a game so it was rather easily patched with a system update (and, indeed, it actually was patched). I wonder if we'll be seeing Sony/Nintendo/Microsoft start to insist on certain security standards as a result of games being exploited to install custom firmware on the devices they sell, presuming the answer to my first question is affirmative.

  • by tart-lemonade on 2/3/25, 10:18 PM

    It downloads and executes a Python script to update the store page? Log4j/log4shell, anyone?

    Just build a JSON API! It's not that hard! You don't need to RCE your game every time it launches just for microtransactions.

  • by S0y on 2/3/25, 7:19 PM

    So what part of the game code exactly is able to download a random python script and run it?

  • by jauntywundrkind on 2/3/25, 6:51 PM

    For a second I thought this was the Marvel game that got briefly banned along with TikTok, but that's marvel Snap.

    It would have been a tiny bit funny if it had been the same company that was just briefly banned that was allowing a remote exploit.

  • by zxilly on 2/3/25, 9:27 PM

    Looks like a typical mitm attack, which confuses me a bit, don't the developers use something like tls or dtls to protect their communications? The most recent game I analysed was helldivers 2, which uses dtls. i would have thought that would be fairly common knowledge.

  • by plagiarist on 2/3/25, 9:35 PM

    I like the other rant at the bottom. But why would game developers care about security when their customers don't care? The customers are fine running anticheat with admin privileges like in this RCE he just found.

  • by foco_tubi on 2/3/25, 10:18 PM

    Interesting that the PS5 has been implicated - does this mean that there is an opportunity to jailbreak firmware again?

  • by wyldfire on 2/3/25, 8:17 PM

    I'm surprised - isn't this game just a skin on Overwatch? So does Overwatch have an RCE?

  • by bilekas on 2/3/25, 9:10 PM

    > Game developers continue to amaze me at their lack of security awareness.

    Because game developers are SUPPOSED to be aware of these things?

    > It's very hard for security researchers to report bugs to most game dev companies. On top of that, most do not have bug bounty programs

    Yet the OP blames the GAME developers…

    They already have harder jobs than the majority of us, picking on them for not knowing skills outside of their area is just being mean and OP is targeting frustration at the wrong group.