Potential Security Loophole via System() in the c++

Dear Friends at Epic,

I do hope I’ve made it clear through all my posts that all I care about is the absolute success of UE4 :slight_smile:

So I am only bringing this to your attention as someone concerned for maximum success of UE4.

I was trying to get an OS file browser to show up from within UE4, and I ran across the System command.

I ran the command (from within my player controller class)

    system("explorer C:\\");

And it worked!

A new windows explorer window popped up open to my c:\

I don’t know much about System() myself, or how you have set up System() to work within the UE4 context, but I read this about System() online in this article:

In this example the author is illustrating how a simple program could be included with the main game install and then run from within UE4 to activate malicious software.

Begin Article

    #include <stdio.h>

    int main()
      {
      printf( "Bwah, hah, hah, hah, hah!\n" );
      return 0;
      }

Compile it and name the executable “notepad.exe” if you are on Windows

The danger is that when you directly execute a program, it gets the same privileges as your program – meaning that if, for example, you are running as system administrator then the malicious program you just inadvertently executed is also running as system administrator. If that doesn’t scare you silly, check your pulse.

It doesn’t matter if you aren’t sysadmin either. Anything you can do it can do.

------------- Anti-Virus Programs Hate It (System()) -------------

The last thing is simply a matter of perception. If your users are running any sort of anti-virus, like ZoneAlarm, Norton, McAfee, etc. then they will get a very unpleasant message about your program trying to do something considered dangerous. Remember, the AV software doesn’t say what you are trying to do, only that it is trying to do something uncouth. Users treat such programs with suspicion.

End Article


# My Main Point

With the upcoming release of UE4 to the public while also allowing c++ access, the potential for someone to download the UDK version of UE4 with the sole purpose of running malicious software through System() could very much hurt the reputation of UE4.

The Scenario:

Someone designs a superficial game, and they package a malicious program with the game install.

Unsuspecting user installs the game, and the game runs System() on the malicious executable.

Because the innocent user chose to run the game install with system administrator privileges, one of two things happens

  1. the malicious program runs and UE4 has been hijacked to abuse someone’s computer
  2. antivirus software deflects the attack, but now the end user is being told that the UE4 game is a virus, and will likely get mad at UE4 rather than the author who wrote the malicious software. This will hurt the UE4UDK.exe’s rating among anti virus programs, causing future downloads of the UDK to perhaps be inhibited for others.

# Removing The Ability to Call System() for UDK Users of UE4

I imagine that for companies who have true c++ access, you have some sort of legal agreement with them that makes them liable if they allow or inadvertently enable their game to support spreading of viruses / malicious software

But for UDK UE4 users, I cannot see any reason to avoid disabling the use of System() to prevent people from hurting UE4 and Epic’s reputation.

Is there any reason to not disable the use of System()?


# Summary

Again I hope it is clear I am writing this out of my concern for Epic and UE4’s success,

and because the UE4 UDK will probably be the first time that non-contracted / legally bound entities will have the chance to write c++ in the Unreal Engine.

Please don’t remove the C++ access!

I am absolutely loving coding directly in C++ for UE4

But I felt it was my duty to bring this potential loophole to your attention if it was not already on your radar

:heart:

Rama

There is no way to prevent people from building and shipping malicious games. And it really isn’t our problem to solve.

well disabling System() could really help reduce the potential, unless you feel it is a really necessary part of the UDK version of UE4.

Always great to hear from you Gil!

Rama

How would we “Disable” access to System? I don’t think it is possible.

well that’s the part I had not figured out either, I was hoping one of you Awesome Epic Devs could :slight_smile:

I would not be opposed to calls to System() even throwing an Exception

it just seems like such a big loophole that could have a fix that would dramatically reduce complications later

even if people hijacking ue4 to spread virus is not your problem to solve, if people did this a lot it could affect the UE4UDK.exe file name’s rating among antivirus software, ultimately causing trouble for nice happy ue4-udk users trying to install the udk.

The public has never had access to unreal engine c++ at a udk level before, this is where my concern comes from.

I have not thought of or encountered any other situation where spreading malicious software via the c++ of UE4 is possible, especially since FileManager does not allow recursive call to path names that are basic drive letters like "c:"

so I thought plugging this one hole would just be a great thing to do, if it is possible.

As always, just trying to help out, and great to hear from you Gil

I am loving UE4 C++ !

My multiplayer in-game editor is well on its way!

Rama

Could you make calls to System() throw a compile error?

Rama

I could make it throw a compile error, perhaps by redefining it. But how does that help prevent a malicious person from doing anything they want? It doesn’t.

We offer the power of native code. With that comes the power to do anything the platform allows, including malicious stuff. It would have been fairly trivial to do malicious things with UDK, UE3, with script code too, one just would need to be a little more clever.
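A build-time check in the spirit of the compile-error idea discussed above, as an added example that is not part of the thread and not Epic's code: it scans C++ source text for calls to `system()` and reports the line of each one. The names `find_banned_calls` and `blank_non_code`, the default ban list and the sample input are assumptions made for this example; as the reply above points out, a check like this only flags the calls it is told to look for.

```cpp
#include <cctype>
#include <set>
#include <string>
#include <vector>

struct Finding { int line; std::string name; };

// Blank comments and string/char literals (newlines kept). Raw strings are not handled.
std::string blank_non_code(std::string s) {
    char in = 0;  // 0 code, '/' line comment, '*' block comment, else the open quote
    for (size_t i = 0; i < s.size(); ++i) {
        char c = s[i], n = i + 1 < s.size() ? s[i + 1] : '\0';
        bool pair = false;                        // also blank and skip s[i + 1]
        if (!in) {
            if (c == '/' && (n == '/' || n == '*')) { in = n; pair = true; }
            else { if (c == '"' || c == '\'') in = c; continue; }  // keep code
        } else if (in == '/') { if (c == '\n') in = 0; }
        else if (in == '*') { if (c == '*' && n == '/') { in = 0; pair = true; } }
        else if (c == '\\' && n && n != '\n') pair = true;         // escaped char
        else if (c == in) in = 0;                                  // closing quote
        if (c != '\n') s[i] = ' ';
        if (pair) s[++i] = ' ';
    }
    return s;
}

// Report each call `name(` with name in `banned` (assumed list); x.name() is skipped.
std::vector<Finding> find_banned_calls(const std::string& source,
        const std::set<std::string>& banned = {"system", "_wsystem"}) {
    const std::string code = blank_non_code(source);
    auto ident = [](char c) { return std::isalnum((unsigned char)c) || c == '_'; };
    std::vector<Finding> out; int line = 1;
    for (size_t i = 0; i < code.size();) {
        if (!ident(code[i])) { line += code[i] == '\n'; ++i; continue; }
        size_t b = i, j;
        while (i < code.size() && ident(code[i])) ++i;     // read one identifier
        for (j = i; j < code.size() && (code[j] == ' ' || code[j] == '\t'); ++j) {}
        std::string name = code.substr(b, i - b);
        bool member = b > 0 && (code[b - 1] == '.' || code[b - 1] == '>');
        if (j < code.size() && code[j] == '(' && !member && banned.count(name))
            out.push_back({line, name});
    }
    return out;
}

// Constructed sample input: line 2 is the call from the first post.
const char* kSample =
    "const char* s = \"system(\"; // system(\"x\") in a comment\n"
    "void Open() { system(\"explorer C:\\\\\"); }\n"
    "void Tick() { widget.system(1); std::system (\"dir\"); }\n";
```

On the sample, `find_banned_calls(kSample)` reports lines 2 and 3 and ignores the string literal, the comment and the member call.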

Well it would stop the less-clever malicious people more readily :slight_smile:

The fact is that methods of abusing System() are widely posted on the internet, so it’s a well-known loophole that less-clever malicious people could find relatively easily.

I personally like the compile error idea just to keep one less avenue open for the less-clever potential trouble-makers

I agree you can’t stop people completely,

but if there’s a super easy inconsequential (to game code utility) way to make the engine more secure I can’t see a reason to not do it :slight_smile:

I leave the remainder of this in your and Epic’s hands, I hope you know how much I am enjoying UE4

Thanks for making UE4!

Rama