Screeps: How a game about programming exposed thousands of players to remote code execution
37 points by albino
imo the part that makes this really high-impact and quite serious is hidden down in the footnotes:
The community is very nice, but terrifyingly nonchalant about the insecurity of the client. Far from being an unknown vulnerability, the community actively uses it as a convenient injection point for third-party modding of the client. The official Discord server has a "client-abuse" channel for sharing these snippets, and a Github repo for storing the popular ones.
Savvy users can of course protect themselves by either studiously avoiding ever logging any attacker-controlled string, or overwriting the native console.log function with one that sanitizes the HTML. The community does not make any attempt to warn newcomers that they need to do this if they want to play the game safely. Astonishingly, even many of the most enfranchised players choose not to take this easy step, knowingly exposing themselves to an easy hack. Some of the most complex open-source bots also use console.log statements in an unsafe way... which hundreds of newbies then unknowingly clone to run themselves...
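The "overwrite the native console.log" mitigation quoted above, written out as an added example (it is not code from the Screeps client, the article, or any community repo). It assumes the client renders whatever reaches console.log as HTML, so every argument is HTML-escaped before it is forwarded; the `{red:text}` colour markup and its allowlist are an invented convenience, applied only after escaping so it cannot be used to smuggle tags back in.

```javascript
// Added example: a sanitizing console.log replacement for a client that renders
// log output as HTML. Attacker-controlled strings (creep names, market orders,
// chat) become inert text; colour comes from an allowlisted markup applied
// after escaping, so the generated span can never wrap a live tag.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Render one log argument to a safe string. Objects are JSON-encoded first and
// then escaped like any other text, since JSON values can contain '<' too.
function renderArg(arg) {
  if (typeof arg === 'string') return escapeHtml(arg);
  if (arg instanceof Error) return escapeHtml(arg.stack || arg.message);
  try {
    return escapeHtml(JSON.stringify(arg));
  } catch (_) {
    return escapeHtml(String(arg)); // circular structures, BigInt, etc.
  }
}

// Invented colour markup: {red:some text}. Only allowlisted names are honoured,
// and the body is already escaped, so the emitted <span> contains text only.
const COLOR_ALLOWLIST = new Set(['red', 'green', 'yellow', 'blue', 'gray']);
const COLOR_RE = /\{([a-z]+):([^{}]*)\}/g;

function applyColorMarkup(escaped) {
  return escaped.replace(COLOR_RE, (whole, color, body) =>
    COLOR_ALLOWLIST.has(color) ? `<span class="log-${color}">${body}</span>` : whole);
}

// HTML for one console.log call: args joined by spaces, like the real console.
function safeLogHtml(...args) {
  return applyColorMarkup(args.map(renderArg).join(' '));
}

// Replace consoleObj.log with a sanitizing wrapper that forwards the escaped
// string to the native function. Returns the native function so it can be restored.
function installSafeConsoleLog(consoleObj = console) {
  const native = consoleObj.log.bind(consoleObj);
  consoleObj.log = (...args) => native(safeLogHtml(...args));
  return native;
}

// Constructed sample: an attacker-controlled creep name reaches the log.
const ATTACKER_NAME = 'harmless<script>x</script>';
const SAMPLE_OUTPUT = safeLogHtml('creep', ATTACKER_NAME);
// SAMPLE_OUTPUT -> 'creep harmless&lt;script&gt;x&lt;/script&gt;'
```

Call `installSafeConsoleLog()` once at the top of the main loop script; from then on any `console.log(...)` in the bot, including code cloned from someone else's repo, is escaped before the client ever sees it. Colours still work through the markup, and a string that tries to close the span is escaped before the markup step runs.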
I play Screeps, and your read is 100% correct. The developers have not updated Screeps in like 5 years, spending all their time developing and marketing Screeps Arena (a separate game that plays more like MIT Battlecode).
And so issues have been piling up both on Discord and on the GitHub, none of them addressed. The Steam client is broken so people use the website, the simulation world is broken so people test in prod, you can still scam people with a false price on the in-game market, and the game expects you to write for Node 8 from 2019, because that is what it runs. The fact that console.log exploits (which are indeed well-known in the community) made their way into an actual real hotfix update in Screeps is pretty unprecedented.
Despite this, it's been like 10 years of a persistent world with no wipes, so while I'm not a big player, I'd be really sad to see Screeps go down. The developers' attitude is indefensible, but I hope this explains why the community is so "terrifyingly nonchalant" and tries to guide new players around all the proverbial landmines, rather than repeatedly raise a stink about every single issue.
Screeps is on Steam, and the native client reuses the browser code but with no sandboxing.
Why.
Look, it's great that you renamed the function from console.log to console.logUnsafe, but why the fuck should things logged using it be able to execute things on my computer?! Why would you ever allow <script> tags in the console output at all?
Players will just use console.logUnsafe with no further precautions to log things because they want to have fancy colors in their log output, and then they will let others install RATs or whatever on their computer.
This is not a bugfix, it's just a way to try to shift the responsibility away from themselves. A game should never be able to do this.
I think it just highlights how poorly confined games really are on Steam. Not only should a game not be able to endanger user data, a game also shouldn't be able to pick a random directory on the disk for savegames or other user data (except one predefined location).
It's only a matter of time until some popular game turns out to be an infostealer or someone widely exploits some RCE to wipe people's machines. Something Valve really needs to work on to properly prevent.
There's a lot of security issues with games on Steam more than just lack of sandboxing. A lot have unpatched CVEs, and a lot of Valve's own games are included in that. Or old Unity games. Due to the incentives of the gaming industry (or defunct studios), it's also likely not to get patched until it becomes a PR (or liability) problem as you say.
I think it just highlights how poorly confined ~~games~~ programs really are on ~~Steam~~ modern operating systems.
I don't really think Steam can do much about this situation, tbh.
It's true that the situation is fairly bad overall, but all OSs provide some facilities for confinement.
Valve can start by publishing guidelines on filesystem access and enforcing them during their automated testing/review. They can also require things like high entropy ASLR being enabled for binaries, amongst other hardening options.
Even the low-hanging fruit really hasn't been picked in terms of protecting users.
Isn't Steam Pressure Vessel on Linux, introduced due to fragmentation and compatibility breaking in the GUI stack, somewhat mitigating the worst parts (with containers and a per-game $HOME, with the real $HOME not available inside the container)?
Ah, this brings me back to Halo Online and the community mod "El Dewrito". A Halo game for PC based on the Halo 3 engine (i.e. peak Halo), back when MCC didn't yet exist, so there was no other way to play this on PC. The game was only launched in Russia (for whatever reason) and quickly scrapped, despite being an amazing gem. The community seized the opportunity, got hold of all the files, hacked the client, replicated servers and brought it back online on their own. Overall, they did an amazing job and lots of fun was to be had. However, they did use the Chromium Embedded Framework (CEF) to create new menus and UI elements, and there was an exploit that let people break other people's games through chat messages. Someone composed such a payload that would start a pacman game in full-screen and you had to complete the level to be dropped back to Halo. Needless to say, there was a hotfix immediately after that. Good times.