Is HONK nothing sacred HONK? It’s 2019 and an evil save file can pwn much-loved HONK Untitled Goose Game


is-honk-nothing-sacred-honk?-it’s-2019-and-an-evil-save-file-can-pwn-much-loved-honk-untitled-goose-game

Please don’t forget to HONK deserialize your data safely HONK

Screencap from Untitled Goose Game

Fans of Untitled Goose Game should update their copy of the indie smash-hit following the discovery of a bug that can lead to malicious save files hijacking players’ systems.

Pulse Security bug-hunter Denis Andzakovic took credit for finding and responsibly disclosing the vulnerability, which does not appear to have been assigned a CVE number. Publisher House House has emitted a patch for the remote-code-execution hole.

Released last month for Windows PCs, Macs, and the Nintendo Switch to an instant cult following, Untitled Goose Game pits the player as an evil goose intent on raising havoc in an unsuspecting village of humans. As it turns out, taking on the persona of an angry bird tasked with stealing a child’s glasses and forcing a gardener to maim himself makes for surprisingly satisfying gameplay.

Now back to the flaw, which is more amusing that scary. But, you know, patch anyway.

Andzakovic discovered a deserialization error in the way Goose Game reads game save files. A hacker who was aware of the flaw would be able to create a poisoned game save file that, when loaded, executes arbitrary code, leading to the installation of spyware and other software nasties.

head of 50s-style robot

Christmas is coming, the goose is getting fat, look out for must-have toys that are ‘easily hacked’ ♪

READ MORE

“Untitled Goose Game used the .NET BinaryFormatter to read and deserialize save game files. As no SerializationBinder was specified, an attacker who can control the save game file can exploit the deserialization process and execute arbitrary code,” the bug-hunter wrote in his summary.

“This is achieved by writing out a malicious serialized object to a save game file which is later read by Untitled Goose Game.”

In practice, a gamer would have to be tricked into downloading and opening a booby-trapped save game file. For example, a miscreant could by promise a saved game that was near completion, or at a point beyond one of the more difficult challenges in the game.

To demonstrate, Andzakovic crafted a proof-of-concept save file that when opened by the goose game, runs the Windows Calculator. Replace that with something else, and well, now you have code execution on their machine.

This story does have a happy ending, unlike the villagers’ day. House House patched the flaw last week, and anyone who is running a version of the game updated since then will have the bug fixed. If you want to be really careful, don’t open anyone else’s game saves.

In closing, HONK. ®

Sponsored:
Serverless Computing London – 6-8 Nov 2019

Previous WhatsApp slaps app hacker chaps on the rack for booby-trapped chat: NSO Group accused of illegal hacking by Facebook
Next Europe's digital identity system needs patching after can_we_trust_this function call ignored