Rumors of GTA online exploits allowing remote code execution on gamer PCs (opens in new tab)

(old.reddit.com)

93 pointshighclass3y ago47 comments

47 comments

Keep in mind that this is the same game whose client-update-handshake-dance largely consisted of an enormous JSON of all the updates that had ever been done to the gamestate, which then got parsed naively. This situation was recognized and patched [0] by an interested third party [1].

Not a slight against the code monkey that implemented it that way, because they surely didn't bother to think about complexity consequences when the gamestate was new and the JSON wasn't 10MB yet, but a slight on Rockstar, because the cash cow that GTA:O turned out to be deserves some fuckin' maintenance, doesn't it? Then again, the eye-popping abilities (and prevalence!) of hax0rs in Rockstar games probably ought to signify priorities to even the most casual observer. As others in these comments observe, with what those hackers can achieve, it's not surprising to learn there's RCEs too.

[0] https://github.com/tostercx/GTAO_Booster_PoC

[1] https://nee.lv/2021/02/28/How-I-cut-GTA-Online-loading-times...

ehnto3y ago

I appreciate that you note the capabilities of hackers in GTAO. Someone who doesn't play might just hear that there are a lot of them, but hackers in GTAO are essentially omnipotent and games are unplayable very regularly. The online world is essentially in sandbox mode for them.

Aimbots, a buzzkill, but I can play around it. Remotely spawning a cage on my player and lighting me on fire every time I spawn is unplayable. Teleporting everyone on the server to one location and blowing them up, over and over again, unplayable. Etc. You just have to quit. There are so many hackers that every server eventually succumbs to one.

5e92cb50239222b3y ago

Don't forget donating loads of generated cash to everyone around. I was banned for receiving a "gift" like this. Several weeks of gameplay and some difficult achievements down the drain. The email that notified me of the ban said that they are final and appeals will not be considered, which was confirmed by them ignoring any of my attempts to resolve the issue. Turned my opinion of Rockstar very sour indeed, definitely won't be playing anything "online" from them anymore.

someperson3y ago

A remote code execution exploit in GTA 5 Online should not a surprise to anybody who has played GTA 5 Online.

Cheaters have been rampant for many years, with people using apparently purchased cheat tools that allow them to choose to do server-side things like drop unlimited money and spawn vehicles anywhere, rapidly cycling through weather changes, and locking people permanently in cages.

But get on the bad side of a cheater and they can crash the games of people in the server they want to kick.

It's very sad, because despite the immense flaws of the game, the game play loop can be very engaging.

formerly_proven3y ago

The fact that there's so many different ways for mod menus to crash other players should have been a pretty obvious signal to infosec-aware people that there's almost certainly RCEs just waiting to be found. And even story mode being potentially impacted shouldn't come as a surprise, because previously there was the "FoG" (finger of god) series of exploits that allowed mod menu users to manipulate story mode sessions of other players, as long as they were connected to the internet.

5e92cb50239222b3y ago

Technically, the online game is a complete joke. I don't know if this still works, but a couple of years ago you could kick everyone from the server by simply pausing the main game process in Process Explorer for a few seconds (8-10 IIRC), and then unpausing it. Very handy when transporting stuff like cars that may be interesting to other players.

bunnybender3y ago

Yes it still works, but that is quite normal and fine, actually. The game's lobbies/sessions are based on peer-to-peer, so obviously when you cut connections to other players you will get to play by yourself (in other words, you are just "kicking" yourself out of the current session). Someone could join your "solo" session at any time, it just isn't very likely, as the game's services usually find more populated sessions for everyone.

Then again, nowadays you can play the game without restrictions in invite-only and friends sessions, too.

tgsovlerkhgsel3y ago

A RCE in any and all video games should not be a surprise to anyone who took a cursory look at software quality, complexity, and the constraints (and rush) that come with game development.

giancarlostoro3y ago

> Cheaters have been rampant for many years, with people using apparently purchased cheat tools that allow them to choose to do server-side things like drop unlimited money and spawn vehicles anywhere, rapidly cycling through weather changes, and locking people permanently in cages.

First I ever played with friends, we were driving down a highway, stopped by spikes that killed our tires, and someone spawned bags of money in front of us. I took a few million, logged out, and did not touch GTA till many years later. I remember I also bought cars and apartments with my friend, I figure we didnt have impossible amounts of money, so Rockstar would never ban us, sure enough, we were fine.

I played a year back with the same friend, but despite there being less hackers, I hate not being able to do gameplay more isolated to just friends, even if you lock out some missions.

someperson3y ago

You can create a private room with just friends by the way. The option is buried deep in the menus, but it is there.

1 more reply

autoexec3y ago

I wouldn't have assumed that a cheater's ability to effect things on a game server would mean they could execute whatever code they wanted on my personal computer unless that server was running on my system.

Spawning money and vehicles sound like pretty harmless cheats you'd expect in a game like grand theft auto.

mopsi3y ago

I would assume it. If attacker can send my game arbitrary commands for execution without client side filtering out things like moving my character around (unless context allows it, eg waiting for a mission to start), there are good odds they can cause a buffer overrun and execute code directly too. Games usually aren't in memory-safe languages.

1 more reply

Lendal3y ago

I knew this was coming. GTA V is the game that finally caused me to quit PC online gaming entirely some years ago, and purchase a game console instead. I had to relearn everything, because I grew up on mouse/keyboard control and had never used a console controller before. (It's not that difficult, really.) The move was worth it. The amount of headaches caused by cheaters and hackers in PC gaming just isn't worth the time, money, aggravation and risk. User-created game mods aren't worth it. Building a faster rig than everyone else is interesting, but in the end wasn't worth it. My life is much easier & simpler now.

Spastche3y ago

this is like burning down your house and deciding to live in a tent because your roof is leaky. multiplayer console gaming is even buggier than it's PC gaming counterpart, or at least has been traditionally.

1 more reply

marcsj3y ago

Really hoping that GTA 6 Online uses dedicated servers. It's not that expensive, and lets you have the option of being more authoritative with clients.

dns_snek3y ago

This is very likely, not to aid player experience but so that they can make even more money through grindy in-game currency and microtransactions.

xcvbjbhvfgx3y ago

not to mention the dozen shaddy EA extra apps you are forced to install just to be able to open the game. none to combat cheats but just abandoned attemps at lame game stores and desktop spammers

DefineOutside3y ago

I've played with and studied netcode and I'm unsure what GTA netcode would even look like. I've seen cheats to the point where everyone is just teleported to the cheater, the cheater spawning millions of dollars, cheaters taking away millions of dollars from people, the cheater unlocking all the online collectables for everyone in the lobby at the same time, people screwing with singleplayer sessions, cheaters crashing games, and much more.

This doesn't surprise me at all. There seems to be zero validation that other people's actions. How was netcode even designed to players allowed to teleport and unlock collectable for one another? How does the client accept actions from other players in a singleplayer game?

This doesn't seem to be just standard peer2peer issues, it seems like Rockstar went out of their way to design the least secure netcode possible.

tinus_hn3y ago

How can the game handle another player pushing you if you don’t ‘accept actions from other players’?

doober3y ago

by letting a dedicated server also simulate the world and all entities?

client send new origin to server -> server checks if everything is in bounds with the simulation/world -> tells other clients ur new position

1 more reply

DefineOutside3y ago

I meant letting other players control your character, why is teleporting someone else to anywhere on the map a valid action?

1 more reply

dns_snek3y ago

Rockstar Games only seem to "guarantee" a $2,500 payment for RCE vulnerabilities, despite making billions off their properties. They claim to provide a bounty of up to $25k, but I couldn't find evidence of them ever paying a bounty close to that amount. It shows how much they value their customers' privacy and security.

https://hackerone.com/rockstargames

fakecarhacker3y ago

The rumors are correct. This is an out-of-bounds array read/write vulnerability in the multiplayer scripting engine. Even if they patch this one, there are about half a dozen others known already. The only reason why this hasn't yet been turned into an exploit that runs arbitrary code outside of GTA on your computer is that no-one has bothered to do the extra work required for that. Not as far as I know anyway.

philistine3y ago

I'd bet good money they will find crypto-mining injections in the wild.

hahalolha3y ago

So now GTA:O hackers have found an irl money glitch /j

bakugo3y ago

Almost every single online game out there that relies on players connecting to each other instead of only a central server is vulnerable to these types of exploits, it's often just a question of finding them.

Every once in a while I feel like playing one of the older Call of Duty games on my steam library again, but then I remember that they all have known unfixed RCE exploits.

armchairhacker3y ago

This is why you rewrite it in Rust \s

But seriously, one of the reasons games should maybe be less C++ and more memory-safe languages, if not Rust then languages like C# or JavaScript. And maybe incorporate formal methods into game-dev. The code which handles server responses should be sufficiently isolated from any of the unsafe code (e.g. rendering), so that you can ideally prove (or non-ideally, at least be very confident) that a server response cannot cause arbitrary code execution.

Maybe it still won't be sufficient against state actors, but it would mean that you can reliably play an old game like you can reliably view a webpage.

I would not be surprised if COD and GTA have remote-code exploits, though.

mopsi3y ago

Microsoft Flight Simulator[1] is a really interesting example, because running code from third parties has been the norm for decades. Custom code for things like airplane instruments was distributed in DLL modules that had full Windows API access (file system, networking, etc) while the game was running. It's obviously a huge security risk.

So for the new version of Flight Simulator, they divided it into core game engine and "content packages" that fill the rest (airplanes, landscape, missions, other assets). Packages get loaded into a virtual file tree[2]. Packages may contain custom code, usually compiled from C++ to WASM, but the code is executed in isolated containers and it does not have access to the underlying file system. It only sees contents of its local package within the virtual file system.

As a result, the shiny airplane you bought from some online marketplace can't read your documents folder and send its contents to remote servers anymore. It remains an issue with many other games where third-party modifications ship as unrestricted DLLs, even on authoritative-looking platforms like Steam Workshop. For example, a pathfinding fix for Command & Conquer on Steam is just a DLL swap[3] - this should make security-concious people very uneasy.

[1] https://docs.flightsimulator.com/html/Programming_Tools/WASM...

[2] https://docs.flightsimulator.com/html/Developer_Mode/Menus/T...

[3] https://steamcommunity.com/sharedfiles/filedetails/?id=21371...

1 more reply

doober3y ago

"Maybe it still won't be sufficient against state actors, but it would mean that you can reliably play an old game like you can reliably view a webpage."

https://www.cvedetails.com/product/15031/Google-Chrome.html?...

oh and muh rust magic safety https://github.com/Qwaz/rust-cve

lopkeny12ko3y ago

Is it just me or is it impossible to find from this source link any _real details_ about the actual RCE?

* This post claims an RCE being exploited and warns people not to play.

* It links to Rockstar forums where people are warning about the game being exploited but provide no details on the attack vector or indicators of compromise.

* It links to a screenshot of a tweet of some random person again warning not to play but doesn't provide any useful detail.

* The _original source_ linked in this post is a tweet with some screenshots of a mod that clearly indicates some game modifications but says nothing about an RCE.

Can anyone point to an authoritative source with real technical details?

CommitSyn3y ago

It's likely one or a small group of people that have the exploit. Chances are they aren't spraying it en mass so it only happens unexpectedly to a few people here and there, none of which are security experts. The only source that can give these details are Rockstar, maybe once they figure it out, or now that it's out someone else may figure it out as well.

I believe it's likely real, and we'll see more details soon enough.

pstrateman3y ago

I treat all video games like they contain remote code execution.

If you look hard enough I'm quite sure most of them do

worthless-trash3y ago

You'd be surprised that in many cases its actually a feature.

Stevvo3y ago

Whilst an issue like this can occur with any network architecture, going with Peer-to-peer looks like a terrible decision. 'Never trust the client' and all that. The in-game money cost real money, but the client is trusted so anyone can edit their balance in memory as the game is running. Ridiculous.

kevincox3y ago

It's always a balance between performance and security.

Yes, it is better to have the server parse, validate and reserialize messages from other players to add another layer of defense in front of the client. But the client shouldn't be trusting the server anyways so going peer-to-peer shouldn't be an issue. The fact is that server pricing isn't going to catch everything anyways.

Probably the biggest problem with P2P these days is that it shares your IP which can be used for tracking or DoS attacks.

mlyle3y ago

> But the client shouldn't be trusting the server anyways so going peer-to-peer shouldn't be an issue.

If there's things like durable money between matches, etc: without someone in the loop to validate what happened you can't really solve this problem peer to peer. (If we define security to encompass "secure game state" and not just "safety from remote code execution")

1 more reply

seba_dos13y ago

Don't worry, there's a lot more where that came from.

darepublic3y ago

Similar bug with dark souls online

kibwen3y ago

For anyone who wants to read about the history of the RCE exploit that affected all three Dark Souls games: https://github.com/tremwil/ds3-nrssr-rce

MrGilbert3y ago

Hopefully this doesn’t affect ScriptHookV and their like for single player. Enjoy playing LSPDFR once in a while. GTA:V is just a treasure trove for modders.

j / k navigate · click thread line to collapse

47 comments

revolvingocelot3y ago

[0] https://github.com/tostercx/GTAO_Booster_PoC

[1] https://nee.lv/2021/02/28/How-I-cut-GTA-Online-loading-times...

ehnto3y ago

5e92cb50239222b3y ago

someperson3y ago

A remote code execution exploit in GTA 5 Online should not a surprise to anybody who has played GTA 5 Online.

But get on the bad side of a cheater and they can crash the games of people in the server they want to kick.

It's very sad, because despite the immense flaws of the game, the game play loop can be very engaging.

formerly_proven3y ago

5e92cb50239222b3y ago

bunnybender3y ago

Then again, nowadays you can play the game without restrictions in invite-only and friends sessions, too.

tgsovlerkhgsel3y ago

A RCE in any and all video games should not be a surprise to anyone who took a cursory look at software quality, complexity, and the constraints (and rush) that come with game development.

giancarlostoro3y ago

I played a year back with the same friend, but despite there being less hackers, I hate not being able to do gameplay more isolated to just friends, even if you lock out some missions.

someperson3y ago

You can create a private room with just friends by the way. The option is buried deep in the menus, but it is there.

1 more reply

autoexec3y ago

Spawning money and vehicles sound like pretty harmless cheats you'd expect in a game like grand theft auto.

mopsi3y ago

1 more reply

Lendal3y ago

Spastche3y ago

1 more reply

marcsj3y ago

Really hoping that GTA 6 Online uses dedicated servers. It's not that expensive, and lets you have the option of being more authoritative with clients.

dns_snek3y ago

This is very likely, not to aid player experience but so that they can make even more money through grindy in-game currency and microtransactions.

xcvbjbhvfgx3y ago

not to mention the dozen shaddy EA extra apps you are forced to install just to be able to open the game. none to combat cheats but just abandoned attemps at lame game stores and desktop spammers

DefineOutside3y ago

This doesn't seem to be just standard peer2peer issues, it seems like Rockstar went out of their way to design the least secure netcode possible.

tinus_hn3y ago

How can the game handle another player pushing you if you don’t ‘accept actions from other players’?

doober3y ago

by letting a dedicated server also simulate the world and all entities?

client send new origin to server -> server checks if everything is in bounds with the simulation/world -> tells other clients ur new position

1 more reply

DefineOutside3y ago

I meant letting other players control your character, why is teleporting someone else to anywhere on the map a valid action?

1 more reply

dns_snek3y ago

https://hackerone.com/rockstargames

fakecarhacker3y ago

philistine3y ago

I'd bet good money they will find crypto-mining injections in the wild.

hahalolha3y ago

So now GTA:O hackers have found an irl money glitch /j

bakugo3y ago

Every once in a while I feel like playing one of the older Call of Duty games on my steam library again, but then I remember that they all have known unfixed RCE exploits.

armchairhacker3y ago

This is why you rewrite it in Rust \s

Maybe it still won't be sufficient against state actors, but it would mean that you can reliably play an old game like you can reliably view a webpage.

I would not be surprised if COD and GTA have remote-code exploits, though.

mopsi3y ago

[1] https://docs.flightsimulator.com/html/Programming_Tools/WASM...

[2] https://docs.flightsimulator.com/html/Developer_Mode/Menus/T...

[3] https://steamcommunity.com/sharedfiles/filedetails/?id=21371...

1 more reply

doober3y ago

"Maybe it still won't be sufficient against state actors, but it would mean that you can reliably play an old game like you can reliably view a webpage."

https://www.cvedetails.com/product/15031/Google-Chrome.html?...

oh and muh rust magic safety https://github.com/Qwaz/rust-cve

lopkeny12ko3y ago

Is it just me or is it impossible to find from this source link any _real details_ about the actual RCE?

* This post claims an RCE being exploited and warns people not to play.

* It links to Rockstar forums where people are warning about the game being exploited but provide no details on the attack vector or indicators of compromise.

* It links to a screenshot of a tweet of some random person again warning not to play but doesn't provide any useful detail.

* The _original source_ linked in this post is a tweet with some screenshots of a mod that clearly indicates some game modifications but says nothing about an RCE.

Can anyone point to an authoritative source with real technical details?

CommitSyn3y ago

I believe it's likely real, and we'll see more details soon enough.

pstrateman3y ago

I treat all video games like they contain remote code execution.

If you look hard enough I'm quite sure most of them do

worthless-trash3y ago

You'd be surprised that in many cases its actually a feature.

Stevvo3y ago

kevincox3y ago

It's always a balance between performance and security.

Probably the biggest problem with P2P these days is that it shares your IP which can be used for tracking or DoS attacks.

mlyle3y ago

> But the client shouldn't be trusting the server anyways so going peer-to-peer shouldn't be an issue.

1 more reply

seba_dos13y ago

Don't worry, there's a lot more where that came from.

darepublic3y ago

Similar bug with dark souls online

kibwen3y ago

For anyone who wants to read about the history of the RCE exploit that affected all three Dark Souls games: https://github.com/tremwil/ds3-nrssr-rce

MrGilbert3y ago

Hopefully this doesn’t affect ScriptHookV and their like for single player. Enjoy playing LSPDFR once in a while. GTA:V is just a treasure trove for modders.

j / k navigate · click thread line to collapse