That sounds pretty reasonable to assume for any game, even those that are singleplayer, if they access the network.
Game code is particularly known to be "spaghetti", "code cowoy"-style, where the result is more important than the form or correctness. I mean, that's art, after all, so that seems obvious.
And do you think a lot of companies update their games after they are out? Most often, the code is definitive, refactors are out of the question, etc. I've never seen a bug that fixes a security issue (CVE), let alone for old titles.
And that's when RCE is not by design. It is in Garry's mod, but that's for client-side mode scripted with lua, so theoretically sandboxed. Unreal Tournament 99 though, has plenty of servers that put some dlls for "anti-cheat" software on your computer before you join. That one probably sn't sandboxed.
While we talk about anti-cheat software, can we think a moment about everything that could go wrong with a piece of software that has a very deep access to the system, is sometimes in-house, and not necessarily audited, and whose functionality often includes:
* downloading challenges from servers, patch them into RAM and see what happens
* scan the RAM of the whole system, plus the filesystem, for known exploits
* upload parts of that RAM and filesystem to random servers for analysis
* take screenshots, log keypresses, monitor the system and upload all of this.
Takeaway: sandbox your games. There's a reason I run Steam in a flatpak, on Wayland... Convenience is part of it, but that's not the main one.
I agree, and that's unfortunate, but I value it far less than I value the integrity of my computer and the data on it.
Steam itself has an interesting "Linux runtime" option for games, but it is unclear if that isolates things more than the status quo.
I don't know what I could do, short of replacing every executable in the steam directory with something that uses a mount namespace or a similar restrictive mechanism before launching the actual executable. Inject a modified libc to perform this on steam's exec call? I think the ball is in Valve's camp to improve this.
Battle.net has been doing that since day 1, so if you played any game on Battle.net you have downloaded server provided code and executed locally with the privileges of the user running the game.
(when a client connects to a battle.net server, one of the early handshake steps is to download a fixed named MPQ file, which is a Blizzard proprietary archive protocol which contains a DLL that is loaded and a certain fixed named function runs from it, which will checksum your client binary and send the result to the server to compare and allow you to progress further)
I think there's a big difference between the game downloading a DLL straight from the game developers (not all that different from an update) and a game downloading a DLL from a random server you join (that could be run by anyone that you have no reason to trust and that you don't realize you're giving them full read-write access to your computer).
Even if you actually believe this, Riot is not known for their high-quality code. This sounds a bit snarky but is entirely serious: Giving games root rights is bad enough, I absolutely don't want to run anything in kernel space from the same people who wrote the client for League of Legends.
And it's not even about trusting that Riot are not bad actors, tencent conspiracy nonsense aside, it's about leaving that trash running with that level of access in a way that some malicious process could use to elevate its permissions. That is the (ab)use case that worries me.
As someone who plays CSGO, I agree with you. I wish valve did something like this. I'm tired of matches getting ruined by cheaters, which happens very often.
Game code is particularly known to be "spaghetti", "code cowoy"-style, where the result is more important than the form or correctness. I mean, that's art, after all, so that seems obvious.
And do you think a lot of companies update their games after they are out? Most often, the code is definitive, refactors are out of the question, etc. I've never seen a bug that fixes a security issue (CVE), let alone for old titles.
And that's when RCE is not by design. It is in Garry's mod, but that's for client-side mode scripted with lua, so theoretically sandboxed. Unreal Tournament 99 though, has plenty of servers that put some dlls for "anti-cheat" software on your computer before you join. That one probably sn't sandboxed.
While we talk about anti-cheat software, can we think a moment about everything that could go wrong with a piece of software that has a very deep access to the system, is sometimes in-house, and not necessarily audited, and whose functionality often includes:
* downloading challenges from servers, patch them into RAM and see what happens
* scan the RAM of the whole system, plus the filesystem, for known exploits
* upload parts of that RAM and filesystem to random servers for analysis
* take screenshots, log keypresses, monitor the system and upload all of this.
Takeaway: sandbox your games. There's a reason I run Steam in a flatpak, on Wayland... Convenience is part of it, but that's not the main one.