Double KO! Capcom's Street Fighter V installs hidden rootkit on PCs
Fatality – wait, no, what? That's the other game
A fresh update for Capcom's Street Fighter V for PCs includes a knock-out move: a secret rootkit that gives any installed application kernel-level privileges.
This means any malicious software on the system can poke a dodgy driver installed by SFV to completely take over the Windows machine. Capcom claims it uses the driver to stop players from hacking the high-def beat 'em up to cheat. Unfortunately, the code is so badly designed, it opens up a full-blown local backdoor.
Let's drill down to the technical details: the capcom.sys kernel-level driver provides an IOCTL service to applications that disables SMEP on the computer, executes code at a given pointer, and then reenables SMEP. In other words, it switches off a crucial security defense in the operating system, then runs whatever instructions are given to it by the application, and then switches the protection back on.
SMEP [PDF] is a feature in modern Intel and AMD x86 processors that, when enabled, prevents kernel-level software from executing code in user-owned memory pages. It's there to stop hackers from tricking the operating system into running malicious software smuggled into an application's virtual memory space – the OS should only be able to run its own trusted code, not anything provided by any old app.
Capcom.sys completely blows this away on Windows: an application simply has to pass control codes 0xAA012044 and 0xAA013044 to the IOCTL, and a pointer to some instructions, and the driver will then jump to that block of code with full kernel permissions.
oh dear god this capcom.sys has an ioctl that disables smep and calls a provided function pointer, and sets SMEP back what even pic.twitter.com/jBCXO7YtNe— slipstream/RoL (@TheWack0lian) September 23, 2016
Capcom is seemingly using this driver to allow its user-mode game to poke around the machine at the lowest level and spot any attempts by the player to cheat. The tool was bundled within an update, issued earlier this week, to Street Fighter V that brought in a new character, Urien. The title went on sale in February this year.
"As a part of the new content and system update releasing later today, we’re also rolling out an updated anti-crack solution (note: not DRM) that prevents certain users from hacking the executable," a Capcom rep explained on Thursday.
"The solution also prevents memory address hack that are commonly used for cheating and illicitly obtaining in-game currency and other entitlements that haven’t been purchased yet.
"The anti-crack solution does not require online connectivity in order to play the game in offline mode; however, players will be required to click-confirm each time they boot up the game. This step allows ‘handshake’ to take place between the executable and the dependent driver prior to launch."
Gamers realized something was a little off when the upgrade brought in a new driver and demanded operating-system-grade access to the computer before the game starts. A number of players say they couldn't even get the new version to work at all. A full-blown online meltdown ensued.
Just after we published this article, a Capcom rep tweeted:
We are in the process of rolling back the security measures added to the PC version of Street Fighter V. After the rollback process to the PC version, all new content from the September update will still be available to players. We apologize for the inconvenience and will have an update on the time-frame for the PC rollback solution soon.
A lesson quickly learned, it seems. ®