UT3 Client vulnerabilities

    If UT3 offers an admin the ability to scan running services on a client computer then it follows that there is potentially more it could allow. I am curious to know to what extent UT3 servers/admins can change game settings or files on client machines, i.e. ini files or DLLs or EXEs? Could this also be achieved via Steam updates?

    #2
    You can't edit clients' files via server files.

    Steam is done by Steam alone; they aren't there to screw you over. If Steam did, they wouldn't get very far with their business...


      #3
      I would be shocked if they could do anything overly malicious. Epic is not dumb, everyone knows that the haxx0rs are just waiting everywhere so a certain level of security is not only expected but implemented as well. I'm sure that the UT3 client sandboxes downloads from servers and does not allow them to be executed by the operating system itself. This means that a server just can't put files anywhere it would like on a client's machine, they go to a specific mod or map folder and the server can't change that. The client also does not execute the downloaded content in the operating system context, there is no executing the "delete" command. The client at most interprets the downloaded content as instructions in the context of what to do in the game itself and does not allow commands outside of that context to happen. Now, there is always the possibility of an unknown security hole that would allow content from the game context to be used in the operating system context but this risk applies to all software: when you hear about the latest Internet Explorer exploit that Microsoft is issuing a patch for, this is what has happened. Likewise, if this relatively rare event occurs with UT3 I have faith that Epic would release a fix for it as soon as they could just like any other software vendor.

      Edit: Steam is a different thing, the Steam client can do a lot of things but those actions come from Valve not Epic. The same things apply just a different vendor.


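An added example, not part of the thread and not Epic's code: one way a client can enforce the "downloads only land in a mod or map folder" property that post #3 describes. The folder names, extension list and function names are assumptions made for this sketch.

```python
import os
import tempfile

# Assumed layout and extensions for this sketch; not taken from UT3 itself.
ALLOWED_SUBDIRS = ("Maps", "Mods")
ALLOWED_EXTENSIONS = {".ut3", ".u", ".upk"}


class RejectedDownload(Exception):
    """A server-supplied name that must not be written to disk."""


def resolve_download_path(cache_root, subdir, server_name):
    """Return the only path a server-supplied file name may be written to."""
    if subdir not in ALLOWED_SUBDIRS:
        raise RejectedDownload("unknown content folder: %r" % subdir)
    # Bare file name only: no separators of either OS, no drive letter, no NUL.
    if server_name in ("", ".", "..") or any(c in server_name for c in "/\\:\0"):
        raise RejectedDownload("not a bare file name: %r" % server_name)
    if os.path.splitext(server_name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise RejectedDownload("content type not allowed: %r" % server_name)
    base = os.path.realpath(os.path.join(cache_root, subdir))
    # realpath() follows symlinks, so a planted link is caught below.
    target = os.path.realpath(os.path.join(base, server_name))
    if os.path.commonpath([base, target]) != base:
        raise RejectedDownload("resolves outside %s: %r" % (subdir, server_name))
    return target


def check_samples():
    """Run constructed server-supplied names through the check."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Maps"))
        outside = os.path.join(root, "outside.upk")
        os.symlink(outside, os.path.join(root, "Maps", "link.upk"))
        for name in ("DM-Arena.ut3", "..\\..\\UT3.exe", "../evil.upk",
                     "C:\\boot.ini", "patch.dll", "link.upk"):
            try:
                resolve_download_path(root, "Maps", name)
                results[name] = "accepted"
            except RejectedDownload:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print("%-18s %s" % (name, verdict))
```

Only the bare map name is accepted; the traversal, absolute-path, wrong-extension and symlink cases are all refused before anything is written.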
        #4
        Is it possible to read the running process on a client machine and have this information transferred back over the wire?


          #5
          Whether server security has been compromised or hax are now rife idk, but loads of weird stuff is going down. I guess you've got to just rely on quality admins, ones who don't think being an admin gives them the right to abuse their powers, acting like they own the server (unless they do).


          Valve will have its own rules, policies. There is the profile data stored by GameSpy's servers related to config settings (why?). It's strange but even in offline mode it seems UT3 data is constantly being sent?

          Getting back to the point, things do seem to be becoming more intrusive - all this junk data gathering within games. Valve want to monitor/record every mouse click - in the name of game improvement supposedly, by analysing which parts players found tricky and how long certain sections of a game took. Really the limits of this trawling exercise and the reasoning behind it need spelling out beforehand, beyond just a "do you agree?" tickbox during installation.


            #6
            Originally posted by Moloko
            Getting back to the point, things do seem to be becoming more intrusive - all this junk data gathering within games. Valve want to monitor/record every mouse click - in the name of game improvement supposedly, by analysing which parts players found tricky and how long certain sections of a game took. Really the limits of this trawling exercise and the reasoning behind it need spelling out beforehand, beyond just a "do you agree?" tickbox during installation.
            They monitor your activity in-game; it's not like they're stealing your bank details :/

            Mass feedback like that would be amazingly useful in improving gameplay mechanics, GUIs etc. People don't like filling out detailed forms for stuff like that, but if you can analyze the way millions of gamers play your game, you have a HUGE amount of data to help you improve.


              #7
              Originally posted by Cr4zyB4st4rd
              They monitor your activity in-game; it's not like they're stealing your bank details :/

              Mass feedback like that would be amazingly useful in improving gameplay mechanics, GUIs etc. People don't like filling out detailed forms for stuff like that, but if you can analyze the way millions of gamers play your game, you have a HUGE amount of data to help you improve.
              Fair point, but even this has a potential downside; there is a risk that developers come to the wrong conclusion, dumbing down games, thinking hard or difficult amongst gamers equates to bad.

              Some may not like the idea of being constantly monitored either, in game; at least it should always be optional, and the limits, reasoning and scope clear to the user, as user-profile-specific targeted advertising is already happening.

              Getting back to the OP
              If UT3 offers an admin the ability to scan running services on a client computer then it follows that there is potentially more it could allow.
              Is the concern fake admins logging in and accessing admin commands, or just real admins abusing their powers?


                #8
                The concern is that admins can essentially use the UT3.exe process to communicate back and forth over TCP/IP. So, what are the available admin commands and what data is collectable? Can files and folders be scanned? Can other Windows processes be spawned ...


                  #9
                  No...
                  There are no admin commands that will allow you to access another user's PC :/

                  I'm not sure why you think there is such a way.


                    #10
                    Originally posted by Cr4zyB4st4rd
                    No...
                    There are no admin commands that will allow you to access another user's PC :/

                    I'm not sure why you think there is such a way.
                    Maybe he wants to run a cheater program. Just kidding.


                    I guess he's thinking about cheat protection programs like Punkbuster etc. that scan for processes.

                    The answer is that no, UT3 cannot do such a thing. If it did, it would be ridiculous that admins of a random server you happened to join could browse through your files.

                    However, if you install the xray mod (you have to do it yourself, it won't auto load when you join like other safe mods) and play on an xray-enabled server, it will upload screenshots of your game and desktop to see if you're cheating.


                      #11
                      When you're as good as me, cheats slow you down.

                      I had heard, incorrectly maybe, that cheats like aim bots that hook into the game are detected by scanning running processes for them. How else would an admin be able to name a wall hack, radar or aim bot?

                      Anyway it seems this is not the case, so just put it down to paranoia, wild speculation and idle chatter with references to things like xray and PunkBuster.


                        #12
                        To follow up AlienDNA, the UT3 application can read/write anywhere in its own allocated address (memory) space for the running process. Therefore the UT3 process inherently has the ability to examine itself, without being given any other exploitable permissions to the filesystem. This is part of process management, and is built into the operating system itself.

                        With that in mind, anti-cheat mutators (presumably interfacing with UT3 through some API; I've never written any UnrealScript) should be able to examine the address space being used by the current UT3 process to determine if it has been "hooked into"; this means to inject code into another process's address space, and then execute it in the context of that process.


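An added example, not part of the thread and not code from UT3 or any anti-cheat mod: the kind of self-inspection post #12 describes, sketched against Linux's `/proc/<pid>/maps` format as a stand-in for the Windows process UT3 actually runs in. The sample map, paths and trusted-directory list are constructed for illustration.

```python
# Constructed sample in /proc/<pid>/maps format (not captured from a real game).
SAMPLE_MAPS = """\
00400000-00a52000 r-xp 00000000 08:01 131090 /opt/game/bin/game
00c51000-00c9a000 rw-p 00651000 08:01 131090 /opt/game/bin/game
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7f3a2c1d0000-7f3a2c38d000 r-xp 00000000 08:01 262301 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a2c600000-7f3a2c640000 r-xp 00000000 08:01 917533 /tmp/.cache/libhelper.so
7f3a2c800000-7f3a2c802000 r--p 00000000 08:01 262311 /usr/lib/x86_64-linux-gnu/libm.so.6
7ffd5a3e2000-7ffd5a3e4000 r-xp 00000000 00:00 0 [vdso]
"""

# Assumed policy: code may only be mapped from these directories.
TRUSTED_PREFIXES = ("/opt/game/", "/usr/lib/", "/lib/")
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}


def parse_maps(text):
    """Yield (start, end, perms, path) for each mapping line."""
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # not a mapping line
        start, end = (int(x, 16) for x in fields[0].split("-"))
        path = fields[5].strip() if len(fields) > 5 else ""
        yield start, end, fields[1], path


def suspicious_regions(text):
    """Return executable mappings that the policy above cannot account for."""
    findings = []
    for start, _end, perms, path in parse_maps(text):
        if "x" not in perms or path in KERNEL_REGIONS:
            continue  # data-only mappings and kernel-provided pages are ignored
        if not path:
            # Executable memory with no backing file: injected code looks like
            # this, but so does a legitimate JIT, so treat it as a lead only.
            findings.append((hex(start), "anonymous executable memory"))
        elif not path.startswith(TRUSTED_PREFIXES):
            findings.append((hex(start), "module outside trusted dirs: " + path))
    return findings


if __name__ == "__main__":
    for address, reason in suspicious_regions(SAMPLE_MAPS):
        print(address, reason)
```

The check reads only the process's own mappings, which matches the point made in the post: no access to the rest of the filesystem or to other processes is needed.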
                          #13
                          Most of the cheats out there are leveraging the DirectX rendering system rather than ut3.exe. These are very difficult to detect and the only thing the admin can do is go behind view and track a bot. Admin will not have access to client information and ut3 via its net code decides what needs to be pushed to client (maps & mods etc) if needed.


                            #14
                            Originally posted by AlienDNA
                            When you're as good as me, cheats slow you down.

                            I had heard, incorrectly maybe, that cheats like aim bots that hook into the game are detected by scanning running processes for them. How else would an admin be able to name a wall hack, radar or aim bot?

                            Anyway it seems this is not the case, so just put it down to paranoia, wild speculation and idle chatter with references to things like xray and PunkBuster.
                            By spectating the offender. That is how admins spot aim hacking and it's pretty obvious in ut3, especially with the hitscan (link secondary, sniper, turrets, etc). Here's a video of a douche aimbotting.

                            Other games run PunkBuster which does detect processes and such.


                              #15
                              didn't read the whole thread, but the op made me remember a time playing ut2004 on some "build" server.
                              ****** off the admin by killing people as they made things. he logged in as admin ingame and changed all my arrow keys to make me suicide so i couldn't move at all without dying... he did some other stuff too, like i couldn't call the console down and the main menu wasn't working, so i had to alt tab and close ut to leave the server.
                              this happened a long time ago so i don't remember if i had to rebind everything once i left the server, but it was funny nonetheless.
