Remote Code Execution in Marvel Rivals Game

Exploit & Technical Design Issues

  • Game client runs with admin privileges “for anti-cheat,” but several commenters call this inexcusable and note sane designs separate a privileged anti-cheat service from the unprivileged game.
  • Core flaw: the game downloads Python bytecode as part of a hotfix/patch system (e.g., to update the in‑game store) and executes it, enabling remote code execution.
  • Traffic to this patch mechanism is reportedly not protected with TLS/DTLS, making MITM trivial for any party on the route: ISPs, cloud providers, compromised routers, LAN cafés, etc.
  • Some compare this to Log4Shell in spirit: an overly powerful, code‑driven mechanism used for simple content updates where a data‑only JSON API would suffice.
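
The following is an added example, not code from the thread, the game or its publisher. It sketches the data-only alternative the commenters contrast with executing downloaded bytecode: the client authenticates the update manifest before parsing it, then accepts only a strict, whitelisted data schema, so there is nothing in the update that could be executed. The key, field names and sample manifest are constructed for the example. HMAC-SHA256 stands in for a signature only because it is in the standard library; a real client would verify a public-key signature (for instance Ed25519) so that it holds no secret at all, and the transport would still be TLS, with signature verification as defence in depth.

```python
"""Data-only, authenticated hotfix applier (added example; constructed names/keys)."""
import hashlib
import hmac
import json

# Constructed for this example. A real client ships a public verification key,
# never a secret; HMAC is used here only to keep the example stdlib-only.
SIGNING_KEY = b"example-signing-key-not-a-real-secret"

# The only fields a store item may carry, with their expected types.
# Anything else (including any kind of code or script field) is rejected.
ITEM_SCHEMA = {"id": str, "name": str, "price_cents": int, "enabled": bool}


class HotfixError(ValueError):
    """Raised when a manifest fails authentication or schema validation."""


def sign_manifest(payload: bytes, key: bytes = SIGNING_KEY) -> str:
    """Server side (constructed): authenticate the raw manifest bytes."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_manifest(payload: bytes, signature: str, key: bytes = SIGNING_KEY) -> None:
    """Client side: constant-time check of the tag before the bytes are parsed."""
    if not hmac.compare_digest(sign_manifest(payload, key), signature):
        raise HotfixError("manifest signature mismatch")


def validate_items(manifest) -> list:
    """Enforce a strict data-only schema; unknown keys are an error, not ignored."""
    if not isinstance(manifest, dict) or set(manifest) != {"version", "items"}:
        raise HotfixError("manifest must have exactly the keys 'version' and 'items'")
    if not isinstance(manifest["version"], int):
        raise HotfixError("version must be an int")
    items = manifest["items"]
    if not isinstance(items, list):
        raise HotfixError("items must be a list")
    for item in items:
        if not isinstance(item, dict) or set(item) != set(ITEM_SCHEMA):
            raise HotfixError("item has unexpected or missing fields: %r" % (item,))
        for field, typ in ITEM_SCHEMA.items():
            value = item[field]
            # bool is a subclass of int in Python; do not let True/False pass as a price.
            if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
                raise HotfixError("field %r has wrong type: %r" % (field, value))
    return items


def apply_hotfix(payload: bytes, signature: str, key: bytes = SIGNING_KEY) -> dict:
    """Authenticate, parse, validate, then build the store table from data only."""
    verify_manifest(payload, signature, key)  # authenticate before touching the bytes
    try:
        manifest = json.loads(payload)
    except json.JSONDecodeError as exc:
        raise HotfixError("manifest is not valid JSON: %s" % exc) from None
    items = validate_items(manifest)
    # Nothing from the manifest is ever evaluated; it only fills a lookup table.
    return {item["id"]: item for item in items if item["enabled"]}


def is_rejected(payload: bytes, signature: str) -> bool:
    """True if the client refuses this manifest (used to check the failure paths)."""
    try:
        apply_hotfix(payload, signature)
    except HotfixError:
        return True
    return False


# Constructed sample manifest: what the update server would serve, pure data.
SAMPLE_MANIFEST = json.dumps({
    "version": 42,
    "items": [
        {"id": "skin_001", "name": "Example Skin", "price_cents": 1999, "enabled": True},
        {"id": "skin_002", "name": "Retired Skin", "price_cents": 999, "enabled": False},
    ],
}).encode()
SAMPLE_SIGNATURE = sign_manifest(SAMPLE_MANIFEST)


if __name__ == "__main__":
    print(apply_hotfix(SAMPLE_MANIFEST, SAMPLE_SIGNATURE))
    # A manifest altered in transit fails the signature check.
    print(is_rejected(SAMPLE_MANIFEST.replace(b"1999", b"1"), SAMPLE_SIGNATURE))
    # Even a correctly signed manifest is refused if it carries fields outside the schema.
    extra = SAMPLE_MANIFEST.replace(b'"version": 42', b'"version": 42, "bytecode": "..."')
    print(is_rejected(extra, sign_manifest(extra)))
```

Two design choices matter here: verification happens on the raw bytes before any parser runs, so a malformed or hostile payload never reaches the JSON decoder, and the schema check rejects unknown keys rather than ignoring them, so a future "just add a script field" change cannot slip in unnoticed.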

Scope & Platforms (PC, LAN cafés, PS5)

  • While many see limited impact for typical home users, others stress risk where networks are less trusted (LAN cafés, some regions, shared machines).
  • On PS5, this yields userland code execution inside the game sandbox. Commenters note it could be a step in a future jailbreak chain but still requires separate kernel/hypervisor exploits to escape the VM.

Anti‑Cheat, Privileges & Effectiveness

  • Strong criticism of kernel‑mode anti‑cheat and always‑on privileged services; they increase attack surface and compromise user control.
  • Several argue anti‑cheat doesn’t even work well: cheating remains rampant, so the tradeoff mainly harms honest players.
  • Others counter that even imperfect anti‑cheat substantially reduces cheating and can rescue games that were overrun.

Security Culture in Game Development

  • Many see this as part of a broader pattern: AAA game engineering often prioritizes shipping, monetization, and performance over security.
  • Debate over whether “game devs” should be held to security standards similar to web/backend engineers:
    • One side: any software shipped to millions of users with deep system access must meet a basic security bar; lack of training is no excuse.
    • Other side: most game devs are not infosec specialists, work under harsh conditions, and responsibility should lie with publishers and dedicated security teams, which in this case seemingly failed.

User Responses & Mitigations

  • Suggestions include: separate gaming PCs or OS partitions, GPU‑passthrough VMs, Steam Deck/SteamOS as semi‑isolated gaming boxes, and treating Windows gaming machines as inherently untrusted.
  • Some share practical Windows workarounds (RunAsInvoker, scheduled tasks) to avoid constant UAC prompts, implicitly acknowledging how normalized elevated‑privilege games have become.