A critical remote code execution (RCE) vulnerability was found in the online game Marvel Rivals, developed by NetEase Games. The game's chat functionality lacked proper input validation, allowing an attacker to inject JavaScript that other players' game clients would execute. This could have been used to steal sensitive information, manipulate game data, or potentially take control of affected devices. The vulnerability, found by a security researcher while reverse engineering the game, was responsibly disclosed to NetEase. A fix was shipped, but the exploit is a stark reminder of the risk of treating unsanitized user input as code in online games.
This blog post details the discovery and exploitation of a remote code execution (RCE) vulnerability in the online game Marvel Rivals, developed by NetEase Games. The author, a security researcher writing under the pseudonym "shalzuth", walks through reverse engineering the game's client-server protocol to identify and leverage a weakness in how the game handled JSON messages.
Shalzuth began by intercepting the traffic between the game client and the server with a proxy tool, which exposed the structure and content of the JSON messages exchanged during play. By analysing and manipulating these messages, they found that the server did not sanitize certain fields within the JSON payloads. In particular, the game let players send pre-defined messages to each other during matches, and these messages were relayed through the server to the other players' clients. Shalzuth found that JavaScript embedded in a seemingly innocuous chat message passed through the server's checks intact.
The core vulnerability stemmed from the client's use of an embedded JavaScript engine to interpret and execute parts of the received JSON messages. A specially formatted chat message containing JavaScript therefore ran on every client that received it, with the privileges of the game process. That gave an attacker capabilities well beyond the intended game mechanics, including manipulating game data, reading sensitive information from the victim's machine, and disrupting the game for other players.
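The anti-pattern described above, as an added example in JavaScript that is not code from the original post or from the game: a message handler that splices a field from a received JSON message into source for the JavaScript engine, beside a hardened handler that carries only a preset-message identifier over the wire and never treats wire bytes as code. The message table, the field names `text` and `id`, and the `state.pwned` marker are constructed for this demonstration; the attacker payload merely flips that marker where a real one would do something worse.

```javascript
"use strict";

// Constructed sample data standing in for the "pre-defined messages" the
// write-up mentions. The wire format should carry only the key, never the text.
const PRESET_MESSAGES = Object.freeze({
  gg: "Good game, {player}!",
  thanks: "Thanks, {player}!",
  group: "Group up with me, {player}.",
});

// Vulnerable handler (illustrative, not the game's code): the message text is
// spliced into JavaScript source and handed to the engine. The intended use is
// to expand {player} via a template literal, but any "${...}" an attacker puts
// in the text is evaluated with the receiving client's privileges.
function handleChatVulnerable(rawJson, state) {
  const msg = JSON.parse(rawJson);
  const body = msg.text.replace(/\{player\}/g, "${state.player}");
  const render = new Function("state", "return `" + body + "`;");
  return render(state);
}

// Hardened handler: the message carries only an identifier, the text comes from
// the local table, and the placeholder is filled by plain string substitution.
// No byte from the wire is ever parsed as code. The replacer callback sidesteps
// "$&"-style special patterns in String.prototype.replace.
function handleChatHardened(rawJson, state) {
  const msg = JSON.parse(rawJson);
  if (typeof msg.id !== "string" ||
      !Object.prototype.hasOwnProperty.call(PRESET_MESSAGES, msg.id)) {
    throw new Error("rejected unknown preset message id: " + String(msg.id));
  }
  return PRESET_MESSAGES[msg.id].replace(/\{player\}/g, () => state.player);
}

// Constructed payloads. MALICIOUS only flips a marker on the victim's state;
// a real payload would use the same position to do real damage.
const BENIGN = JSON.stringify({ text: "Good game, {player}!" });
const MALICIOUS = JSON.stringify({
  text: "Good game ${(state.pwned = true, state.player)}!",
});

// Runs both handlers against the payloads and returns what happened.
function demo() {
  const victimA = { player: "Alice", pwned: false };
  const vulnBenign = handleChatVulnerable(BENIGN, victimA);
  const vulnMalicious = handleChatVulnerable(MALICIOUS, victimA);

  const victimB = { player: "Alice", pwned: false };
  let hardenedRejected = false;
  try {
    handleChatHardened(MALICIOUS, victimB);
  } catch (err) {
    hardenedRejected = true;
  }
  const hardenedPreset = handleChatHardened(JSON.stringify({ id: "gg" }), victimB);

  return {
    vulnBenign,                 // "Good game, Alice!"
    vulnMalicious,              // "Good game Alice!" and victimA.pwned is now true
    vulnPwned: victimA.pwned,
    hardenedRejected,           // true: the attacker's message has no valid id
    hardenedPreset,             // "Good game, Alice!"
    hardenedPwned: victimB.pwned,
  };
}

console.log(demo());
```

The fix is not escaping: it is changing the wire format so that the receiving client never has a string it might be tempted to evaluate. A chat feature that only offers preset messages needs to transmit only their keys.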
The post goes on to describe the JavaScript functions and techniques used to achieve code execution, including working around character limits and other restrictions imposed by the game client. Shalzuth explains how the payload was constructed and demonstrates it by triggering a simple alert on a receiving client, which is enough to prove the vulnerability. The post does not explore the consequences beyond this proof of concept, but it implicitly highlights the risk of inadequate input validation and of executing user-supplied code in a privileged process. The responsible disclosure process is also covered: NetEase was notified and patched the vulnerability before the post was published, in keeping with responsible disclosure practice.
Summary of Comments (54)
https://news.ycombinator.com/item?id=42920962
Hacker News users discussed the exploit detailed in the blog post, focusing on the surprising simplicity of the vulnerability and the impact it could have had. Several commenters expressed amazement that such a basic oversight could exist in a production game, with one pointing out the irony of a game about superheroes being vulnerable to such a mundane attack. The discussion also touched on the responsible disclosure process, with users questioning why NetEase had not offered a bug bounty and acknowledging the author's ethical handling of the situation. Some users debated the severity of the vulnerability, with opinions ranging from "not a big deal" to a serious security risk given the game's access to user data. The lack of a detailed technical explanation in the blog post was also noted, with some users wanting more information about the specific code involved.
The Hacker News post titled "Remote Code Execution in Marvel Rivals Game" (https://news.ycombinator.com/item?id=42920962) has a moderate number of comments discussing various aspects of the linked blog post. Several commenters focus on the technical details of the exploit, while others discuss the broader implications for game security and the responsible disclosure process.
One compelling comment thread revolves around the surprising simplicity of the vulnerability. Commenters express astonishment that such a basic oversight could exist in a production game, especially given the potential security implications. The discussion touches upon the possibility of this being a common issue in other games and the need for better security practices in game development.
Another interesting thread focuses on the author's decision to withhold certain technical details of the exploit to prevent malicious actors from replicating it. Commenters generally agree with this approach, acknowledging the potential harm that could be caused if the exploit were to become widely known. Some discuss the ethical responsibilities of security researchers in disclosing vulnerabilities and the balance between transparency and protecting users.
Some comments also delve into the specifics of the exploit, questioning the author's description of it as "Remote Code Execution (RCE)." They argue that while the exploit allows for manipulating game data and potentially impacting other players, it doesn't necessarily grant full control over the server or allow for arbitrary code execution in the traditional sense. This leads to a nuanced discussion about the definition of RCE and the different levels of severity associated with various types of exploits.
Several users also share anecdotal experiences about encountering similar vulnerabilities in other games, highlighting the prevalence of such issues. They discuss the challenges of getting game developers to take security concerns seriously and the often slow response times in patching vulnerabilities.
Finally, some comments express appreciation for the author's detailed write-up and the clear explanation of the exploit, even with the omission of sensitive details. They commend the author for responsible disclosure and for bringing attention to an important security issue in the gaming industry. Overall, the comments provide valuable insights into the technical aspects of the exploit, the ethical considerations of vulnerability disclosure, and the broader implications for game security.