Rumors of GTA online exploits allowing remote code execution on gamer PCs (reddit.com)
93 points by highclass on Jan 22, 2023 | 47 comments



Keep in mind that this is the same game whose client-update-handshake-dance largely consisted of an enormous JSON of all the updates that had ever been done to the gamestate, which then got parsed naively. This situation was recognized and patched [0] by an interested third party [1].

Not a slight against the code monkey that implemented it that way, because they surely didn't bother to think about complexity consequences when the gamestate was new and the JSON wasn't 10MB yet, but a slight on Rockstar, because the cash cow that GTA:O turned out to be deserves some fuckin' maintenance, doesn't it? Then again, the eye-popping abilities (and prevalence!) of hax0rs in Rockstar games probably ought to signify priorities to even the most casual observer. As others in these comments observe, with what those hackers can achieve, it's not surprising to learn there's RCEs too.

[0] https://github.com/tostercx/GTAO_Booster_PoC

[1] https://nee.lv/2021/02/28/How-I-cut-GTA-Online-loading-times...


I appreciate that you note the capabilities of hackers in GTAO. Someone who doesn't play might just hear that there are a lot of them, but hackers in GTAO are essentially omnipotent and games are unplayable very regularly. The online world is essentially in sandbox mode for them.

Aimbots, a buzzkill, but I can play around it. Remotely spawning a cage on my player and lighting me on fire every time I spawn is unplayable. Teleporting everyone on the server to one location and blowing them up, over and over again, unplayable. Etc. You just have to quit. There are so many hackers that every server eventually succumbs to one.


Don't forget donating loads of generated cash to everyone around. I was banned for receiving a "gift" like this. Several weeks of gameplay and some difficult achievements down the drain. The email that notified me of the ban said that they are final and appeals will not be considered, which was confirmed by them ignoring any of my attempts to resolve the issue. Turned my opinion of Rockstar very sour indeed, definitely won't be playing anything "online" from them anymore.


A remote code execution exploit in GTA 5 Online should not be a surprise to anybody who has played GTA 5 Online.

Cheaters have been rampant for many years, with people using apparently purchased cheat tools that allow them to choose to do server-side things like drop unlimited money and spawn vehicles anywhere, rapidly cycling through weather changes, and locking people permanently in cages.

But get on the bad side of a cheater and they can crash the games of people in the server they want to kick.

It's very sad, because despite the immense flaws of the game, the game play loop can be very engaging.


The fact that there's so many different ways for mod menus to crash other players should have been a pretty obvious signal to infosec-aware people that there's almost certainly RCEs just waiting to be found. And even story mode being potentially impacted shouldn't come as a surprise, because previously there was the "FoG" (finger of god) series of exploits that allowed mod menu users to manipulate story mode sessions of other players, as long as they were connected to the internet.


Technically, the online game is a complete joke. I don't know if this still works, but a couple of years ago you could kick everyone from the server by simply pausing the main game process in Process Explorer for a few seconds (8-10 IIRC), and then unpausing it. Very handy when transporting stuff like cars that may be interesting to other players.


Yes it still works, but that is quite normal and fine, actually. The game's lobbies/sessions are based on peer-to-peer, so obviously when you cut connections to other players you will get to play by yourself (in other words, you are just "kicking" yourself out of the current session). Someone could join your "solo" session at any time, it just isn't very likely, as the game's services usually find more populated sessions for everyone.

Then again, nowadays you can play the game without restrictions in invite-only and friends sessions, too.


An RCE in any and all video games should not be a surprise to anyone who took a cursory look at software quality, complexity, and the constraints (and rush) that come with game development.


> Cheaters have been rampant for many years, with people using apparently purchased cheat tools that allow them to choose to do server-side things like drop unlimited money and spawn vehicles anywhere, rapidly cycling through weather changes, and locking people permanently in cages.

First I ever played with friends, we were driving down a highway, stopped by spikes that killed our tires, and someone spawned bags of money in front of us. I took a few million, logged out, and did not touch GTA till many years later. I remember I also bought cars and apartments with my friend; I figure we didn't have impossible amounts of money, so Rockstar would never ban us. Sure enough, we were fine.

I played a year back with the same friend, but despite there being fewer hackers, I hate not being able to do gameplay more isolated to just friends, even if you lock out some missions.


You can create a private room with just friends by the way. The option is buried deep in the menus, but it is there.


Of course it is... Well, my friends have moved on, not worth the hassle. Thanks for the tip!


I wouldn't have assumed that a cheater's ability to affect things on a game server would mean they could execute whatever code they wanted on my personal computer unless that server was running on my system.

Spawning money and vehicles sounds like pretty harmless cheats you'd expect in a game like Grand Theft Auto.


I would assume it. If an attacker can send my game arbitrary commands for execution without the client side filtering out things like moving my character around (unless context allows it, e.g. waiting for a mission to start), there are good odds they can cause a buffer overrun and execute code directly too. Games usually aren't in memory-safe languages.


Also remember this game is P2P; there is no saving that on PC. On consoles it works because it's a "safe" environment, but on PC, even with rootkit levels of anticheat, you don't have control over the machine running the game and can't prevent it from messing things up.


I knew this was coming. GTA V is the game that finally caused me to quit PC online gaming entirely some years ago, and purchase a game console instead. I had to relearn everything, because I grew up on mouse/keyboard control and had never used a console controller before. (It's not that difficult, really.) The move was worth it. The amount of headaches caused by cheaters and hackers in PC gaming just isn't worth the time, money, aggravation and risk. User-created game mods aren't worth it. Building a faster rig than everyone else is interesting, but in the end wasn't worth it. My life is much easier & simpler now.


This is like burning down your house and deciding to live in a tent because your roof is leaky. Multiplayer console gaming is even buggier than its PC gaming counterpart, or at least has been traditionally.


I like how you left yourself an out with "or at least has been traditionally"... the 8th generation consoles came out a decade ago now and mostly put an end to widespread arbitrary code execution on consoles.

If there's anything that consoles absolutely blow PCs out of the water with, it's multiplayer gaming for that exact reason, and I say that as someone with a pretty serious gaming PC


Really hoping that GTA 6 Online uses dedicated servers. It's not that expensive, and lets you have the option of being more authoritative with clients.


This is very likely, not to aid player experience but so that they can make even more money through grindy in-game currency and microtransactions.


Not to mention the dozen shady EA extra apps you are forced to install just to be able to open the game. None to combat cheats, but just abandoned attempts at lame game stores and desktop spammers.


I've played with and studied netcode and I'm unsure what GTA netcode would even look like. I've seen cheats to the point where everyone is just teleported to the cheater, the cheater spawning millions of dollars, cheaters taking away millions of dollars from people, the cheater unlocking all the online collectables for everyone in the lobby at the same time, people screwing with singleplayer sessions, cheaters crashing games, and much more.

This doesn't surprise me at all. There seems to be zero validation of other people's actions. How was the netcode even designed so that players are allowed to teleport and unlock collectables for one another? How does the client accept actions from other players in a singleplayer game?

This doesn't seem to be just standard peer2peer issues, it seems like Rockstar went out of their way to design the least secure netcode possible.


How can the game handle another player pushing you if you don’t ‘accept actions from other players’?


by letting a dedicated server also simulate the world and all entities?

client sends new origin to server -> server checks if everything is in bounds with the simulation/world -> tells other clients your new position


And now everything is twice as slow and you need enormous server capacity. They chose a different system and not because they couldn’t think of your obvious idea.


I meant letting other players control your character, why is teleporting someone else to anywhere on the map a valid action?


Pushing another player is also teleporting them to somewhere else on the map. And if you think oh I’ll just have some limits they’ll just do the same thing in multiple frames.


Rockstar Games only seem to "guarantee" a $2,500 payment for RCE vulnerabilities, despite making billions off their properties. They claim to provide a bounty of up to $25k, but I couldn't find evidence of them ever paying a bounty close to that amount. It shows how much they value their customers' privacy and security.

https://hackerone.com/rockstargames


The rumors are correct. This is an out-of-bounds array read/write vulnerability in the multiplayer scripting engine. Even if they patch this one, there are about half a dozen others known already. The only reason why this hasn't yet been turned into an exploit that runs arbitrary code outside of GTA on your computer is that no-one has bothered to do the extra work required for that. Not as far as I know anyway.


I'd bet good money they will find crypto-mining injections in the wild.


So now GTA:O hackers have found an irl money glitch /j


Almost every single online game out there that relies on players connecting to each other instead of only a central server is vulnerable to these types of exploits, it's often just a question of finding them.

Every once in a while I feel like playing one of the older Call of Duty games on my steam library again, but then I remember that they all have known unfixed RCE exploits.


This is why you rewrite it in Rust \s

But seriously, one of the reasons games should maybe be less C++ and more memory-safe languages, if not Rust then languages like C# or JavaScript. And maybe incorporate formal methods into game-dev. The code which handles server responses should be sufficiently isolated from any of the unsafe code (e.g. rendering), so that you can ideally prove (or non-ideally, at least be very confident) that a server response cannot cause arbitrary code execution.

Maybe it still won't be sufficient against state actors, but it would mean that you can reliably play an old game like you can reliably view a webpage.

I would not be surprised if COD and GTA have remote-code exploits, though.


Microsoft Flight Simulator[1] is a really interesting example, because running code from third parties has been the norm for decades. Custom code for things like airplane instruments was distributed in DLL modules that had full Windows API access (file system, networking, etc) while the game was running. It's obviously a huge security risk.

So for the new version of Flight Simulator, they divided it into core game engine and "content packages" that fill the rest (airplanes, landscape, missions, other assets). Packages get loaded into a virtual file tree[2]. Packages may contain custom code, usually compiled from C++ to WASM, but the code is executed in isolated containers and it does not have access to the underlying file system. It only sees contents of its local package within the virtual file system.

As a result, the shiny airplane you bought from some online marketplace can't read your documents folder and send its contents to remote servers anymore. It remains an issue with many other games where third-party modifications ship as unrestricted DLLs, even on authoritative-looking platforms like Steam Workshop. For example, a pathfinding fix for Command & Conquer on Steam is just a DLL swap[3] - this should make security-conscious people very uneasy.

[1] https://docs.flightsimulator.com/html/Programming_Tools/WASM...

[2] https://docs.flightsimulator.com/html/Developer_Mode/Menus/T...

[3] https://steamcommunity.com/sharedfiles/filedetails/?id=21371...


This kind of thing was fairly common historically. For example, Quake 2 mods were DLL / .so files, depending on the platform, and modding was more common than not in multiplayer. Or the just-released Mount & Blade 2: Bannerlord, which is written in C# and runs on the full-featured .NET Framework on Windows - its mods are managed assemblies, naturally, and they run under full trust.

(And then you go meta and write a mod that compiles and loads source code at runtime: https://www.nexusmods.com/mountandblade2bannerlord/mods/1651)


"Maybe it still won't be sufficient against state actors, but it would mean that you can reliably play an old game like you can reliably view a webpage."

https://www.cvedetails.com/product/15031/Google-Chrome.html?...

oh and muh rust magic safety https://github.com/Qwaz/rust-cve


Is it just me or is it impossible to find from this source link any _real details_ about the actual RCE?

* This post claims an RCE being exploited and warns people not to play.

* It links to Rockstar forums where people are warning about the game being exploited but provide no details on the attack vector or indicators of compromise.

* It links to a screenshot of a tweet of some random person again warning not to play but doesn't provide any useful detail.

* The _original source_ linked in this post is a tweet with some screenshots of a mod that clearly indicates some game modifications but says nothing about an RCE.

Can anyone point to an authoritative source with real technical details?


It's likely one or a small group of people that have the exploit. Chances are they aren't spraying it en masse, so it only happens unexpectedly to a few people here and there, none of which are security experts. The only source that can give these details is Rockstar, maybe once they figure it out, or now that it's out someone else may figure it out as well.

I believe it's likely real, and we'll see more details soon enough.


I treat all video games like they contain remote code execution.

If you look hard enough I'm quite sure most of them do


You'd be surprised that in many cases it's actually a feature.


Whilst an issue like this can occur with any network architecture, going with peer-to-peer looks like a terrible decision. 'Never trust the client' and all that. The in-game money costs real money, but the client is trusted, so anyone can edit their balance in memory as the game is running. Ridiculous.


It's always a balance between performance and security.

Yes, it is better to have the server parse, validate and reserialize messages from other players to add another layer of defense in front of the client. But the client shouldn't be trusting the server anyways so going peer-to-peer shouldn't be an issue. The fact is that server pricing isn't going to catch everything anyways.

Probably the biggest problem with P2P these days is that it shares your IP which can be used for tracking or DoS attacks.
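The server-authoritative flow proposed earlier in the thread (client sends a new origin, server checks it against the simulation, then tells the other clients) and the parse/validate/reserialize relay mentioned in the comment above, as an added example that is not from the thread or from any real game. The world bounds, speed cap, push range, and the JSON message format are constructed assumptions; the "push" branch shows how a contact action can be server-computed so it never becomes a client-supplied teleport.

```python
import json
import math

# Constructed parameters for a hypothetical authoritative server; none of these
# values or message formats come from GTA Online or any real title.
WORLD_BOUNDS = (-4000.0, -4000.0, 4000.0, 4000.0)  # min_x, min_y, max_x, max_y
MAX_SPEED = 60.0            # max self-movement, world units per second
TICK_SECONDS = 1.0 / 30.0   # one simulation tick
PUSH_RANGE = 2.0            # players must be within this distance to push
PUSH_STEP = 1.5             # displacement the server applies per accepted push

class AuthoritativeServer:
    def __init__(self):
        self.positions = {}  # player_id -> (x, y); the server's copy is canonical

    def _broadcast(self, player_id, x, y):
        min_x, min_y, max_x, max_y = WORLD_BOUNDS
        if not (math.isfinite(x) and math.isfinite(y)
                and min_x <= x <= max_x and min_y <= y <= max_y):
            return None
        self.positions[player_id] = (x, y)
        # Reserialize from validated fields only; raw client bytes are never relayed.
        return json.dumps({"type": "pos", "player": player_id, "x": x, "y": y}).encode()

    def _move(self, sender, x, y):
        sx, sy = self.positions[sender]       # KeyError if sender is not spawned
        # One message may carry a player at most one tick of travel, so a
        # teleport split across many ticks is still capped at MAX_SPEED.
        if math.hypot(x - sx, y - sy) > MAX_SPEED * TICK_SECONDS:
            return None
        return self._broadcast(sender, x, y)

    def _push(self, sender, target):
        sx, sy = self.positions[sender]
        tx, ty = self.positions[target]       # KeyError if target is unknown
        dist = math.hypot(tx - sx, ty - sy)
        if target == sender or dist == 0 or dist > PUSH_RANGE:
            return None
        # The server computes the impulse; the pusher never supplies the target's
        # new position, so a "push" cannot relocate anyone across the map.
        nx, ny = tx + (tx - sx) / dist * PUSH_STEP, ty + (ty - sy) / dist * PUSH_STEP
        return self._broadcast(target, nx, ny)

    def handle(self, sender, raw):
        """Parse one client message; return broadcast bytes, or None if rejected."""
        try:
            msg = json.loads(raw)
            if msg["type"] == "move":
                return self._move(sender, float(msg["x"]), float(msg["y"]))
            if msg["type"] == "push":
                return self._push(sender, msg["target"])
        except (ValueError, KeyError, TypeError):
            pass  # malformed, unknown sender/target, or unrecognised type: drop it
        return None
```

A rejected message produces no broadcast at all, so a peer that lies about its position, sends NaN coordinates, or "pushes" someone across the map simply sees no effect in the shared world.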


> But the client shouldn't be trusting the server anyways so going peer-to-peer shouldn't be an issue.

If there's things like durable money between matches, etc: without someone in the loop to validate what happened you can't really solve this problem peer to peer. (If we define security to encompass "secure game state" and not just "safety from remote code execution")


This is usually done by logging state to the server which does some validation.

Most validation that the server does can be run on clients just as easily. (The main issue is what information is visible to clients. But if you are doing mostly P2P you usually end up making the tradeoff that the client gets most information.)


Don't worry, there's a lot more where that came from.


Similar bug with Dark Souls online.


For anyone who wants to read about the history of the RCE exploit that affected all three Dark Souls games: https://github.com/tremwil/ds3-nrssr-rce


Hopefully this doesn’t affect ScriptHookV and their like for single player. Enjoy playing LSPDFR once in a while. GTA:V is just a treasure trove for modders.

