
Embedded RSA private key in source code #240

Closed
blitzher opened this issue Mar 4, 2022 · 11 comments

@blitzher

blitzher commented Mar 4, 2022

I was just casually looking through the hex code of the executable of a game on Steam, and found something quite precarious. See the image.

I suspect that this is from the Steam integration, and talking with the developer of said game, who said that he does not have an RSA key himself, I figured the bug likely resides with the Engine, hence the question.

Either way, I'm rather sure that the .exe file is not a place to store a private key, let alone in plain text.

img: https://imgur.com/a/Ek1ssBs

@blitzher
Author

blitzher commented Mar 4, 2022

I also made a post on the Godot forum, and they referred me to this project, hence the Issue here.

Forum post can be found here: https://godotengine.org/qa/129261/private-key-embedded-in-executable

@hhyyrylainen

The person replying on Godot forums seems to be wrong. Opening the official editor binary Godot_v3.4.2-stable_mono_x11.64 in emacs with hexl-mode, I can find the same key:
[Screenshot - 2022-03-04 13-39-56]

so it seems to be present also in Godot official builds (I also checked and it is contained in my custom Godot build). Hopefully it's not any Godot developer's private key, but rather some dependency or something containing a sample key.

@SapphireMH
Collaborator

I believe that the person who referred you to us simply read the word Steam and immediately forwarded this module, without checking if the same thing is present within the official engine builds. Thank you @hhyyrylainen for checking this for us.

If I understand both of you correctly then there is nothing we can do here, and @blitzher will have to take this up with the official devs of Godot, on their Github issue tracker.

Or perhaps I can involve @akien-mga this way. (Apologies if this is not an acceptable way of contacting you.)

@hhyyrylainen

hhyyrylainen commented Mar 4, 2022

Googling the beginning of that key, it seems to be used in a few tutorials (edit: actually it seems to be something like a homework exercise): https://www.chegg.com/homework-help/questions-and-answers/exercise-max-point-2-achieved-0-decrypt-root-17093enc-file-encrypted-using-following-priva-q49554361 and https://knowledge.broadcom.com/external/article/166106/how-do-i-get-ssl-proxy-to-work-with-an-o.html (plus a few others)
so the full key is already on the internet, so let's hope no one uses it for non-sample purposes.

@akien-mga

akien-mga commented Mar 4, 2022

This isn't included in the Godot source code, nor involved in our buildsystem. It's not present in standard builds, only in Mono builds. So it seems to be something that Mono includes. Shortly after there's "PolarSSL Test EC CA" so it might be a dummy private key used for testing purposes in their bundled PolarSSL code.

> Googling the beginning of that key, it seems to be used in a few tutorials (edit: actually it seems to be something like a homework exercise): chegg.com/homework-help/questions-and-answers/exercise-max-point-2-achieved-0-decrypt-root-17093enc-file-encrypted-using-following-priva-q49554361 and knowledge.broadcom.com/external/article/166106/how-do-i-get-ssl-proxy-to-work-with-an-o.html (plus a few others)
> so the full key is already on the internet, so let's hope no one uses it for non-sample purposes.

That's not the same key. The first handful of characters seem to be the same in all private keys using this algorithm, it's likely just the header that lets programs know about the actual algorithm.

@SapphireMH
Collaborator

Not many in our community are using Mono, we don't officially support it, either.
So I take it then this is not something we need to be worried about?

@akien-mga

Yeah it's unrelated to GodotSteam.

@SapphireMH
Collaborator

Closing this then, thank you!

@akien-mga

akien-mga commented Mar 4, 2022

Looked into it some more for context (I'll comment on the Q&A to clarify there too), it's indeed a test RSA key from a TLS library as I suspected, but not Mono's. It actually comes from Godot's mbedTLS library and is indeed present in the engine source code:
https://github.com/godotengine/godot/blob/3078b92dffd59204556037315acebaf2fe46dbff/thirdparty/mbedtls/library/certs.c#L800-L830

In the standard builds it seems to be properly removed from the binary when linking, since nothing uses it in Godot. But the official Mono builds (and possibly custom non-Mono builds with GodotSteam) seem to keep it for some reason. Either because they call an mbedTLS API that requires this test code, or due to different build options that impact linking optimization (LTO, etc.).

The key is found for example in a local debug build (unoptimized).
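Added example, not part of the thread and not Godot or mbedTLS code: a scanner that finds PEM private key blocks in a binary and triages them by the SHA-256 of the whole decoded key, since two different 2048-bit PKCS#1 keys share the same leading base64 characters (the DER length header). The function names, the allowlist and the sample blob are assumptions; the two "keys" are constructed filler behind a real-looking header, not usable keys.

```python
import base64
import hashlib
import os.path
import re

PEM_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC )?PRIVATE KEY)-----(.*?)-----END \1-----", re.DOTALL)
# First 12 DER bytes of a 2048-bit PKCS#1 RSAPrivateKey of this length:
# SEQUENCE + length, version 0, INTEGER tag + length of the modulus. No secrets.
DER_HEAD = bytes.fromhex("308204a40201000282010100")

def fake_pem(seed: bytes) -> bytes:
    """CONSTRUCTED sample: DER-shaped header plus filler; not a usable key."""
    der = DER_HEAD + hashlib.shake_256(seed).digest(1180)
    return (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(der)
            + b"-----END RSA PRIVATE KEY-----\n")

def find_private_keys(blob: bytes):
    """Return (offset, label, base64 body, SHA-256 of DER) per PEM key block."""
    hits = []
    for m in PEM_RE.finditer(blob):
        b64 = re.sub(rb"[^A-Za-z0-9+/=]", b"", m.group(2))  # drop CR/LF
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # PEM armour present but body truncated or mis-padded
        hits.append((m.start(), m.group(1).decode(), b64.decode(),
                     hashlib.sha256(der).hexdigest()))
    return hits

def shared_prefix(hit_a, hit_b) -> str:
    """Leading base64 characters two hits have in common."""
    return os.path.commonprefix([hit_a[2], hit_b[2]])

def triage(blob: bytes, known_test_keys: set):
    """Label each hit by whole-key digest, never by its leading characters."""
    return [(off, "known-test-key" if digest in known_test_keys else "unknown")
            for off, _, _, digest in find_private_keys(blob)]

# Constructed "binary": padding, one key, a string quoted in the thread, another key.
BLOB = (b"MZ" + b"\x00" * 62 + fake_pem(b"a")
        + b"\x00PolarSSL Test EC CA\x00" + fake_pem(b"b"))
KEY_A, KEY_B = find_private_keys(BLOB)
KNOWN = {KEY_A[3]}  # assumption: only the first key is on the test-key allowlist

if __name__ == "__main__":
    print(shared_prefix(KEY_A, KEY_B))  # header-only overlap
    print(triage(BLOB, KNOWN))
```

In practice the allowlist would hold digests computed from the test keys shipped in the vendored TLS library's source, so a hit that is not on it gets a closer look.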

@Gramps
Member

Gramps commented Mar 4, 2022

Man, things move quick while I'm asleep!

@blitzher
Author

blitzher commented Mar 6, 2022

Ah okay, that all makes sense. If it's just some testing keys, I suppose they're not of any danger to anyone.
I just saw the "BEGIN RSA PRIVATE KEY" in plain text and got all sorts of alarms going off in my mind 😄
Thanks for the quick and elaborate response!
