Remote Code Execution in Marvel Rivals Game
35 comments
February 3, 2025
doctorpangloss
Thaxll
It's not more rotten than your regular backend shop. How many API issues / auth problems / open S3 buckets are there out there exactly?
agoodusername63
Is it particularly surprising though?
These are game developers. Not backend developers. Not web guys. Not remotely trained in infosec. They make games. Not security software. And for the longest time this was acceptable.
I think for a GaaS in 2025 it's unacceptable to not have security minded engineers on staff for the backend stuff. Too much money is involved not to. Especially for studios very familiar with shipping online games.
But I'm also kind of disappointed in how much we're forgetting that these people are not infosec nerds. Last year there was a cute fishing game made by a single dude messing around making things. It got popular and a kid found an RCE bug with the multiplayer. The dude got a TON of shit for the flaw, which feels deeply unfair. I don't expect my mom to configure a router correctly. I don't expect video game developers to understand defensive network programming without training.
Maybe I'm just a little frustrated at the Internet being largely unable to understand that defensive programming is something that isn't in a game dev's trained skills. I would expect better of NetEase, however.
phoronixrly
Hey, I feel there's some predisposition in infosec-minded people that insecure software must not exist regardless of its purpose or threat model. And also that people who can't write secure code must not write code...
gruez
>These are game developers. Not backend developers. Not web guys. Not remotely trained in infosec. They make games. Not security software.
Why do game developers get a pass but not "backend developers" or "web guys"? Don't the latter only "make CRUD apps, not security software"?
sbarre
I think for web or "backend for network" people, you are always deploying into a hostile environment (the Internet) and so you really should be at least aware of basic security measures. If you consider yourself a professional in that field, it's table stakes.
If you're a game dev, you were taught to write optimized code that runs locally on a computer.
Not everything you do will run on the network, and networking/multiplayer might not be relevant every single time you ship a game. So it's less relevant (if still important).
devmor
Why would there be a strong engineering culture behind AAA video games at all? Game developers are underpaid, overworked and constantly told they can be replaced at a moment's notice.
I wouldn't expect anything but code that "ships" out of them, and it's understandable why.
cubefox
> The engineering culture behind AAA video games is rotten to the core with regards to security.
But it is way ahead with regards to efficient hardware utilization!
Xunjin
Great commentary. Today the industry is focused on delivering free games with tons of cosmetics (which make a ton of money) but forgetting about performance and security.
agentultra
I was literally thinking about this the other day. There are a ton of games using kernel modules for anti-cheat and... just load and interpret data payloads. Certainly some of those payloads could manipulate the funny machines inside of a game executable if they're not careful about their parsing and validation.
Nice PoC!
Update: yes, most game client processes don't run in the kernel. My b. I was just thinking that updates and content payloads might be an interesting vector for langsec.
Liquix
Yes. For example, World of Warcraft's anti-cheat (Warden), although it runs in userspace, has been exploited multiple times to gain RCE/server root after receiving malicious payloads from clients.
agentultra
Also, if you see content distribution networks the way we've been looking into package managers as a vector distributing poisoned payloads... seems fruitful.
wyldfire
I'm surprised - isn't this game just a skin on Overwatch? So does Overwatch have an RCE?
Nannooskeeska
No, Marvel Rivals and Overwatch are not related in any way other than they're both the same genre of game.
sanktanglia
Funny enough, this engine is based off the same one they used in Diablo Immortal, which also has this issue.
bangaladore
> the game runs with admin privileges for the sake of anti-cheat
"sake of anti-cheat" should be taken lightly here. There is a reason why all the other sane anti-cheats have at least two applications, the anti cheat service which often runs as admin, and the game, which does not. Running the game as admin is quite frankly inexcusable.
The service often does the network comms and communicates with a kernel-mode driver and/or with the application via IPC or similar. Having defined barriers of separation is a good thing.
In any case, this POC doesn't have huge implications necessarily for most people, but maybe in SEA or China where LAN cafes are more prevalent, it could be a larger concern.
shalzuth
The one implication that I (the author) should highlight for the extra paranoid: this exploit extends to ISPs and cloud vendors that traffic is routed through. Anywhere in the traceroute can MITM. It depends on how much you trust those parties.
sim7c00
Tried in some communities of gamedev to talk about security, but I gave up. I think the main sentiment is not to care at all. So many games have or had trivial exploits, enabling mass cheating, harassment of other players (DoS) and more nefarious stuff. For people who think the MITM won't affect them... that's a silly stance. People hack home routers on massive scales (another domain that doesn't seem to give a shit about security).
good writeup! thanks!
999900000999
There's a really good argument for having a "gaming" OS, Windows, and a serious OS, Linux, on the same computer.
If League of Legends needs super admin mode, it's no longer my computer. I'm sharing it with Tencent. I can't trust them (specifically a disgruntled employee) to not install key loggers and other really nasty things.
S0y
So what part of the game code exactly is able to download a random python script and run it?
sanktanglia
The patching process sends Python bytecode for hot fixes.
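The missing control in the hotfix path sanktanglia describes, and the reason an on-path party in shalzuth's traceroute scenario can swap the payload, is that nothing binds the bytecode to the publisher. The following is an added illustration, not NetEase's or the game's code: a client-side loader that only accepts a hot-patch carrying a valid Ed25519 signature under a key pinned in the client, and that also refuses version rollback. The key pair, payload bytes and manifest layout are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hotfix is a constructed stand-in for a hot-patch delivered by the updater:
// the payload bytes plus a detached signature made with the publisher's key.
type Hotfix struct {
	Version int
	Payload []byte // e.g. Python bytecode; treated as opaque bytes here
	Sig     []byte // Ed25519 signature over "hotfix-v<Version>:" || sha256(Payload)
}

// signedMessage binds the version to the payload so a validly signed old
// hotfix cannot be replayed under a newer version number.
func signedMessage(version int, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return append([]byte(fmt.Sprintf("hotfix-v%d:", version)), sum[:]...)
}

// SignHotfix is the publisher side; the private key never ships with the client.
func SignHotfix(priv ed25519.PrivateKey, version int, payload []byte) Hotfix {
	return Hotfix{Version: version, Payload: payload,
		Sig: ed25519.Sign(priv, signedMessage(version, payload))}
}

// VerifyHotfix is the only path by which the client should accept a patch.
// pinnedPub is compiled into the client; lastApplied blocks rollback/replay.
func VerifyHotfix(pinnedPub ed25519.PublicKey, lastApplied int, h Hotfix) error {
	if h.Version <= lastApplied {
		return errors.New("rollback or replay: version not newer than applied")
	}
	if !ed25519.Verify(pinnedPub, signedMessage(h.Version, h.Payload), h.Sig) {
		return errors.New("signature mismatch: payload or version altered in transit")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo-only key pair
	h := SignHotfix(priv, 2, []byte("CONSTRUCTED PAYLOAD"))
	fmt.Println("genuine:", VerifyHotfix(pub, 1, h))
	h.Payload = []byte("TAMPERED PAYLOAD") // what an on-path attacker would change
	fmt.Println("tampered:", VerifyHotfix(pub, 1, h))
}
```

A real deployment would fetch the manifest over TLS as well; the signature is what still holds when the transport, or the CDN in front of it, does not.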
jauntywundrkind
For a second I thought this was the Marvel game that got briefly banned along with TikTok, but that's Marvel Snap.
It would have been a tiny bit funny if it had been the same company that was just briefly banned that was allowing a remote exploit.
xnx
Exactly my confusion. This would've made the TikTok ban feel a little more legitimate.
empath75
To be honest, I would not be surprised if NetEase got the same kind of attention as ByteDance.
The engineering culture behind AAA video games is rotten to the core with regards to security. Everyone thinks they're making Doom 3 and they're really making Windows 2000 Service Pack 1.