[Tower Unite] Security Model with Posters

In your most recent development Twitch stream (06/27/2015), you guys showed off posters where you simply type in the URL of an image, and the server will download this and then display it.

Am I correct in assuming you guys will be taking the security threat this may create seriously? As in image URLs that aren’t actually images at all, but malicious code, or even malicious code injected in normal images that might get executed when displayed on the poster?

Sorry this isn’t a gameplay question, but as someone heavily interested in security, and with knowledge of past GMod security vulnerabilities, I don’t want Tower to be plagued by the same issues.

This would be an issue… if the image data were downloaded onto the stack and the attacker were somehow able to overflow its allocated space (possibly through an altered HTTP content header) to perform a “return-to-libc” attack.

Low-level code injection requires that you somehow manage to overflow into an executable address space (somewhere in the execution path of the program) and jump into the malicious code.

Another kind of code injection involves exploiting unsanitized data, but since we’re dealing with raw bytes, this isn’t really applicable.

In our implementation, the HTTP query is executed through libcurl (a reputable library that has been thoroughly tested and vetted) and the results are loaded into Unreal’s memory manager.

The image at this point exists in the memory heap, not the stack. The heap is strictly a non-executable address space. If you overflow that, you’re just gonna end up in more non-executable RAM (and crash Unreal if you overflow past the heap address space the kernel has allotted for the application instance).

Unless you do something stupid like smacking the data into a woefully tiny array on the stack (which we don’t), the image parser isn’t gonna just arbitrarily execute data as code.

Rest assured that if such an exploit were to surface, we would immediately pull the feature in question until we had fixed it and audited it thoroughly.

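As an added illustration of the questioner’s concern (a URL that points at something other than an image) and of the pipeline the reply describes (libcurl download into a heap buffer, then the image parser), here is a gate a client could put between the two steps. This is example code written for this thread, not code from Tower Unite or its developers; the size cap, the `FetchResult` struct and the three allowed formats are assumptions for the example. The point it makes is that neither the URL suffix nor the server-sent `Content-Type` is evidence of what the bytes are, so the buffer itself is sniffed, its length is checked against what the headers claimed, and anything that fails never reaches the decoder.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <utility>
#include <vector>

// Upper bound on what we are willing to hand to the decoder.
// Assumed value for this example, not a Tower Unite setting.
constexpr size_t kMaxImageBytes = 8u * 1024u * 1024u;

enum class ImageKind { Unknown, Png, Jpeg, Gif };

// Identify the container from its leading bytes. The URL suffix and the
// Content-Type header are both chosen by the remote server, so neither one
// is evidence of what the bytes actually are.
ImageKind sniffImageKind(const std::vector<uint8_t>& data) {
    static const uint8_t kPng[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    if (data.size() >= 8 && std::memcmp(data.data(), kPng, 8) == 0) return ImageKind::Png;
    if (data.size() >= 3 && data[0] == 0xFF && data[1] == 0xD8 && data[2] == 0xFF) return ImageKind::Jpeg;
    if (data.size() >= 6 && (std::memcmp(data.data(), "GIF87a", 6) == 0 ||
                             std::memcmp(data.data(), "GIF89a", 6) == 0)) return ImageKind::Gif;
    return ImageKind::Unknown;
}

// Map the media type from Content-Type (parameters dropped, whitespace
// trimmed, lower-cased) to the container we expect the bytes to be.
ImageKind kindFromContentType(const std::string& contentType) {
    std::string mt = contentType.substr(0, contentType.find(';'));
    auto notSpace = [](unsigned char c) { return !std::isspace(c); };
    mt.erase(mt.begin(), std::find_if(mt.begin(), mt.end(), notSpace));
    mt.erase(std::find_if(mt.rbegin(), mt.rend(), notSpace).base(), mt.end());
    std::transform(mt.begin(), mt.end(), mt.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    if (mt == "image/png")  return ImageKind::Png;
    if (mt == "image/jpeg") return ImageKind::Jpeg;
    if (mt == "image/gif")  return ImageKind::Gif;
    return ImageKind::Unknown;
}

// Hypothetical shape of what the HTTP layer hands back (an assumption for
// this example; Unreal's own HTTP/libcurl wrapper is not modelled here).
struct FetchResult {
    std::string contentType;   // Content-Type as reported by the HTTP client
    long long declaredLength;  // Content-Length, or -1 when the server sent none
    std::vector<uint8_t> body; // the downloaded bytes, living on the heap
};

// Gate between "bytes arrived from the network" and "bytes go to the image
// parser". Returns true only when every check passes; 'reason' describes a
// rejection so it can be logged.
bool acceptForDecoding(const FetchResult& r, std::string& reason) {
    if (r.body.empty()) { reason = "empty body"; return false; }
    if (r.body.size() > kMaxImageBytes) { reason = "body exceeds size cap"; return false; }
    if (r.declaredLength >= 0 &&
        static_cast<unsigned long long>(r.declaredLength) != r.body.size()) {
        reason = "Content-Length does not match bytes received"; return false;
    }
    const ImageKind declared = kindFromContentType(r.contentType);
    if (declared == ImageKind::Unknown) { reason = "Content-Type is not an allowed image type"; return false; }
    const ImageKind actual = sniffImageKind(r.body);
    if (actual == ImageKind::Unknown) { reason = "no recognised image signature"; return false; }
    if (actual != declared) { reason = "signature does not match Content-Type"; return false; }
    reason.clear();
    return true;
}

// Convenience wrappers so a caller (or a test) can ask one question at a time.
bool acceptForDecoding(const FetchResult& r) { std::string why; return acceptForDecoding(r, why); }
std::string rejectionReason(const FetchResult& r) { std::string why; acceptForDecoding(r, why); return why; }

// Constructed sample inputs for demonstration; these are not real downloads.
FetchResult makeSample(const std::string& ct, long long len, std::vector<uint8_t> body) {
    return FetchResult{ct, len, std::move(body)};
}
std::vector<uint8_t> samplePngBytes() {               // PNG signature + start of an IHDR chunk
    return {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13, 'I', 'H', 'D', 'R'};
}
std::vector<uint8_t> sampleHtmlBytes() {              // a web page served with an image label
    const std::string html = "<html><body>not an image</body></html>";
    return std::vector<uint8_t>(html.begin(), html.end());
}

int main() {
    const FetchResult good = makeSample("image/png", 16, samplePngBytes());
    const FetchResult fake = makeSample("image/png", 38, sampleHtmlBytes());
    std::printf("png sample: %s\n", acceptForDecoding(good) ? "accepted" : "rejected");
    std::printf("html sample: rejected (%s)\n", rejectionReason(fake).c_str());
    return 0;
}
```

In practice the size cap belongs in the download itself as well as in this gate: libcurl’s `CURLOPT_MAXFILESIZE` option and a write callback that returns fewer bytes than it was given will both abort a transfer early, so an oversized response never occupies a full buffer. The sniffing here deliberately stays at the container level; the real defence for malformed image data is the decoder being correct and running with as little privilege as the rest of the process allows, which this gate does not replace.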

Bam, computer science all up in our faces.

In general it’s gonna be very difficult to spoof those HTTP headers, because libcurl checks them before reporting them to the client application.

Thank you so much for your detailed reply. Great to know we’re in good hands in terms of security.