Do note that they asked us to keep any information regarding the issue confidential until it is resolved. We received an initial response from EA saying they are investigating the issue. We also discovered first abuses of the vulnerability in the wild: 18:28 UTC Per EA’s own instructions, we sent a follow up email due to a lack of response. We sent an initial email to EA Security to inform them about the exploit. We purposefully decided not to perform any potentially damaging attacks to avoid any liability. This clip is to simply show that the vulnerability of running arbitrary Squirrel functions server side exists. This map/mode combination was however never released in the retail game as you can see by the map being locked in the map selection screen, after setting the gamemode to Frontier Defense.Īgain loading an unreleased map/mode combination is not really a security issue per se. Note that this clip shows loading Frontier Defense on the map Glitch. We uploaded the clip showcasing it as an unlisted YouTube video. We created a quick proof of concept using an unmodified retail Titanfall2 client which has a keybind bound to run a serverside function that switches map and mode using GameRules_ChangeMap. We’ve been using this person as contact previously for reporting exploits. As such it was clear from the beginning that it was only a matter of time until the exploit would become public knowledge.Īs such, shortly afterwards, Taskinoz reached out to a Respawn employee directly. Note that the message was posted in a semi-private channel with 100+ members. We immediately began archiving the entire conversation via screenshots and deleted all references to the exploit to limit exposure of the vulnerability. Within half an hour we identified the severity of the exploit. In particular this issue was found to affect build number 8740 of the official public Titanfall2 dedicated servers. 10:22 UTCĪs part of a discussion about Northstar in a semi-restricted Discord channel, zxcPandora finds out that the script command allows for running for Squirrel script server side on official public servers. The following is a timeline of events between the discovery of the vulnerability and its fix. Squirrel VM, a virtual machine for scripting that acts as an abstract binding layer between the Source engine and external scripts.Squirrel is the scripting language used by Titanfall2.Stay tuned for more blog posts on other vulnerabilities we found on public Titanfall2 servers and reported to Respawn that then got patched.) (And yes Respawn does still patch Titanfall2 servers for vulnerabilities. This issue was reported through EA’s Coordinated Vulnerability Disclosure process and was triaged and patched within 2 weeks of our initial report. We believe that the vulnerability was introduced in a recent server side patch given that we found a different vulnerability before in early 2022 (we reported it and saw it getting patched) that achieved a similar effect but was harder to exploit. Usually clients should not be able to send the server Squirrel commands to execute. The discovered exploit allows an adversary to run any Squirrel script on the server within the bounds of Titanfall2’s commands by using the script command. Here’s what we found, how we reported it, and how it got resolved. Titanfall2 Security: Unrestricted server command execution via Squirrel ScriptĪ few weeks ago, we accidentally discovered that Squirrel server scripts were made accessible on public Titanfall2 servers.
0 Comments
Leave a Reply. |