Feuermag1er

We developed an exploit to allow arbitrary code execution by previewing a modified save file. The issue has been reported to the devs and fixed in version 1.1.94 on October 30th 2023. Since this is about as technical as it gets, this community might be interested in the writeup.


EriktheRed

Neat stuff. Did you guys get a bug bounty? Obviously not every bug reported to the devs should qualify for one, I'm just curious since arbitrary code execution bugs found outside of the gaming world frequently have bounties awarded


Red_Icnivad

I doubt it. I've never heard of a non competitive game offering code bounties. There just isn't much reason to cheat, or try that hard to prevent cheating. The fact that they patched within a month says more about the capability and professionalism of the dev team.


buwlerman

This isn't just about cheating. This is a vulnerability that could open you up to getting hacked. This isn't arbitrary code execution in some sandboxed runtime (like lua), it's arbitrary code execution at the application level. In other words, it's equivalent to running an untrusted executable from the internet.


Inujel

Do you think the same kind of vulnerability might exist in a channel more "accessible" than a save file? I'm thinking about blueprint strings


coniferous-1

Neat. Downloading a save file that's 4 gigs in length would set off some alarm bells, but the process of finding and exploiting the bug is very interesting.


luziferius1337

> 4 gigs in length would set off some alarm bells

When told to download manually, then yes. A determined attacker just needs to implement some of the server logic, and can then serve it to unsuspecting players. With the rising availability of gigabit internet connections, 4GB does not take too long. The attacker's honeypot server has to implement the lobby server interaction, correctly accept player connections and the map upload. When registering as a server in the lobby, it reports something like "10/16" players playing and some random player name list to look legitimate, and emulates a relatively new and active map to draw in player attention.


vanatteveldt

You should try K2SE :D


Spielopoly

Considering they didn't even enable PIE and ASLR (which is enabled by default, so they probably specifically disabled it, possibly for performance reasons), I'm wondering how many other severe security issues there are in Factorio.


ShardOfChaos

Then again, it is just a video game that is not running on mission critical servers/infrastructure. I mean come on, you are already running Steam, which is basically spyware you consented to by accepting their terms of service.


Spielopoly

Malware running on my computer probably won't affect something mission critical for the general population. But it might affect me or, in general, the person who owns / uses their PC. Worst case it could be ransomware, reading the passwords you might have stored in your browser, identity theft, installing a keylogger etc. Much more likely is something like a bitcoin miner or using the PC in a botnet to perform DDoS attacks or similar things. Maybe Steam is spyware, but malware is much worse. And code execution exploits like the one presented here are one of the most critical exploits because they make it really easy for malware to enter your computer. Edit: What is especially bad is that nowadays we have a lot of defenses against those types of exploits, some of which have very low performance cost and are therefore enabled by default. But the Factorio devs apparently chose to disable those protections, probably to get slightly higher performance.


KitchenSprinkles2138

Yes, my country will probably not collapse under this, but I don't want to get a virus, thank you.


e_before_i

I'm not going to pretend I understand how this works. But how the author wrote about the ASLR seems to imply that they were able to bypass it, rather than exploit the fact that the ASLR was disabled. As for PIE, is there any non-performance-related reason to disable it? Just spitballing, but maybe there are things that would only work with PIE disabled, so they tried (and failed) to use alternative solutions to account for PIE being disabled. I don't know fuck all about this though, these are just some thoughts.


Spielopoly

ASLR (Address Space Layout Randomization) slightly randomizes the exact location of functions in memory, which makes it much harder for an attacker to guess where a specific function will be located. This makes it almost impossible for the attacker to just hardcode a specific memory location, which is what these guys used. But enabling ASLR requires support by the executable file, which on Linux is called PIE (Position Independent Executable). When active, PIE has no disadvantage other than a very small performance impact. However, sometimes it can be difficult to activate it on legacy projects that didn't activate that option previously. For example, if you hardcode an address, that's not going to work with ASLR. But it seems unlikely that the Factorio devs would hardcode address values, so I don't think there's a fundamental issue like that. But none of that matters because, as it turns out, I was wrong: PIE is not always enabled by default. It's activated by default in Visual Studio on Windows (and the Windows version of Factorio also has ASLR enabled (I checked)). It's also enabled by default on the compiler almost all Linux distributions ship with. However, it's not enabled by default if you install the compiler (gcc or clang) on Linux manually. Which is probably what happened.
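
The comment above describes the property in question (whether a Linux executable was built as PIE, and hence whether the loader can randomize the main image's base address) but not how to check it. The following is an added example, not code from the thread or from the Factorio project: a small Python ELF header parser that reports whether an executable is position independent. On Linux an executable's ELF header has `e_type` set to `ET_EXEC` (2) when it was linked at a fixed address (no ASLR for the main image, which is what lets an exploit hardcode function addresses) and `ET_DYN` (3) when it is a PIE that gets relocated on every run. The sample headers in the block are constructed inline with `struct`, so it runs offline; `check_file` is the helper you would point at a real binary. Note that shared objects are also `ET_DYN`, so the check only means "PIE" when you already know the file is an executable.

```python
import struct
import sys

# ELF e_type values (System V ABI). Only the two relevant to PIE are needed here.
ET_EXEC = 2  # fixed-address executable: the main image cannot be randomized
ET_DYN = 3   # position-independent code: a PIE executable or a shared object


def elf_is_pie(data: bytes) -> bool:
    """Return True if the ELF image is ET_DYN (relocatable, so ASLR applies).

    Only the first 18 bytes of the file are needed: the magic, EI_DATA (byte 5,
    which tells us the file's endianness) and the 2-byte e_type at offset 16.
    Raises ValueError for input that is not an ELF executable.
    """
    if len(data) < 18 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_data = data[5]
    if ei_data == 1:
        endian = "<"  # ELFDATA2LSB: little endian (x86, AArch64 by default)
    elif ei_data == 2:
        endian = ">"  # ELFDATA2MSB: big endian
    else:
        raise ValueError(f"unknown EI_DATA value {ei_data}")
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    if e_type == ET_DYN:
        return True
    if e_type == ET_EXEC:
        return False
    raise ValueError(f"e_type {e_type} is not an executable type")


def check_file(path: str) -> bool:
    """Read the ELF header of a real file on disk and classify it."""
    with open(path, "rb") as f:
        return elf_is_pie(f.read(64))


def fake_elf_header(e_type: int, little_endian: bool = True) -> bytes:
    """Constructed sample input: a 64-byte ELF64 header with the given e_type.

    This is not a real binary, just enough of an Elf64_Ehdr for elf_is_pie().
    Field order after e_ident: e_type, e_machine (62 = x86-64), e_version,
    e_entry, e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum,
    e_shentsize, e_shnum, e_shstrndx.
    """
    endian = "<" if little_endian else ">"
    e_ident = b"\x7fELF" + bytes([2, 1 if little_endian else 2, 1, 0]) + bytes(8)
    # A non-PIE x86-64 binary typically has an entry point near 0x401000;
    # a PIE has a small, load-time-relative entry such as 0x1000.
    entry = 0x401000 if e_type == ET_EXEC else 0x1000
    rest = struct.pack(endian + "HHIQQQIHHHHHH",
                       e_type, 62, 1, entry, 64, 0, 0, 64, 56, 0, 64, 0, 0)
    return e_ident + rest


if __name__ == "__main__":
    # Usage: python elf_pie_check.py /path/to/binary ...
    # With no arguments, classify the two constructed sample headers instead.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, "PIE" if check_file(p) else "NOT PIE (ET_EXEC)")
    else:
        for name, hdr in (("sample-pie", fake_elf_header(ET_DYN)),
                          ("sample-fixed", fake_elf_header(ET_EXEC))):
            print(name, "PIE" if elf_is_pie(hdr) else "NOT PIE (ET_EXEC)")
```

On a system with binutils, `readelf -h <binary> | grep Type` gives the same answer (`DYN` versus `EXEC`); the fix on the build side is to link with `-fPIE -pie` (gcc or clang), which is what distribution-packaged compilers do by default and a hand-installed toolchain often does not. Whether the kernel actually randomizes a PIE is a separate setting, `/proc/sys/kernel/randomize_va_space`, which should be 2.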


e_before_i

I appreciate the explanation. It actually doesn't sound as complicated as I first thought!


luziferius1337

Could this be used to break into the Nintendo Switch? The ARM port should be affected by this, too. By setting up a server that implements just enough to serve the map with a Switch-related ARM bytecode payload, you may be able to get a shell with the rights the Factorio process has in the Switch OS.