Page MenuHomeFeedback Tracker
Create Task
Maniphest T114627

A game (including anti-cheat services) requiring administrative privileges is an open security hole
New, WishlistPublic
Actions

Description

Since Steam's launch process and DayZ_BE.exe run the game (DayZ.exe) with Administrator access (in my case), DayZ.exe becomes relevant.

BattleEye client was already installed by version 0.58 as a necessity for nearly all servers. Having the BattleEye client running as a service means that Administrator level access is not only required for installation, but that it is (by design) monitoring users' computers beyond the scope of the game while interacting with a game's process(es) and possibly being affected directly by the game (and anything else that is aware of the service). Meanwhile, only other services and kernel level objects (such as rootkits) have a chance at interfering with any changes the service decides to make or it actions it takes.

Details

Legacy ID
3359526246
Severity
None
Resolution
Open
Reproducibility
Always
Steps To Reproduce

Install DayZ and allow any game-related executable file to run with Administrator privileges.
and/or
Install BattleEye Client and allow the service to run.

Additional Information

Attempting to avoid granting Administrator rights to DayZ.exe led to report 0028325.

I'm not going to describe how to abuse this scenario, but the situation is asking for abuse. Responses of "do not play the game" or similar are not appropriate as other users will play the game, and me not playing the game has no influence on whether or not exploits or errors in programming affect others.

Event Timeline

CP44 edited Steps To Reproduce. (Show Details)Oct 28 2015, 6:04 AM
CP44 edited Additional Information. (Show Details)
CP44 set Category to category:glitchabuse.
CP44 set Reproducibility to Always.
CP44 set Severity to None.
CP44 set Resolution to Open.
CP44 set Legacy ID to 3359526246.May 8 2016, 11:58 PM
© Bohemia Interactive a.s. Bohemia Interactive® is a registered trademark of Bohemia Interactive a.s. All rights reserved. · Privacy Policy · Terms and Conditions