[SOLVED] IMPORTANT: PC version vulnerability

If you plan to use Cyberpunk mods/custom saves on PC, use caution. Blabla

Phew ... Lucky me, I'm not even planning to play the game in the near or distant future.
Who would have known that there are some serious security leaks in this product.
Wait ... Maybe Sony did? :D
 
Ok, I feel like I need to say something, this kind of bad practice has to stop.

Let me introduce myself, I am yamashi the creator of Cyber Engine Tweaks.

I wasn't planning on saying anything but since we, the modders, are getting blamed for this, I can't just stand on the sidelines and take it.

What CDPR posted above is WRONG, it isn't caused by an external DLL, the vulnerability is caused by a buffer overflow in a function they use to load strings, this function is used more than 100 times in the game, it is used to load the save games, the archive assets and other parts that we haven't investigated. This is 100% CDPR's fault, it isn't anybody else's fault. This is caused by a lack of proper unit testing.

What happened to owning up to your mistakes CDPR? Not only did PixelRick communicate this a week ago and you didn't do anything (this should have been hotfixed a few hours after you knew about it), but then you go public lying about the nature of the vulnerability so that modders take the fall for this? What we do, we do for free, we aren't your scapegoat, and this is definitely on you. The fact that we redirect the buffer overflow to xinput because it doesn't have ASLR does not mean that it's xinput's fault, we shouldn't be able to access xinput in the first place.

Just so you know, everyone, this isn't just a PC issue, every platform is affected.

It has been exploited to gain access to Geforce NOW already, maybe you should explain to NVIDIA how it is not your fault CDPR, I am not sure that's going to work once they audit the exe.
Firstly, cool to have you here telling us your side of things. I won't go as far as to say like I'm honored or anything 'cos, you must forgive me, I'm not familiar in the least bit with your work. But from what you say you are and have said in your post, you seem like you're good at what you do :). So let me be honest right off the bat here - I had absolutely NO idea what you were talking about back there, ok! (the technical parts anyway) :LOL:
Nevertheless, what I want to say is that now that you've explained what the reason/s for this problem emanating was, we will need a response from CDPR on the matter ASAP to confirm whether this is the case or not. If what you're saying is indeed true then they must take responsibility and be accountable for what has happened here. If, according to you, CDPR is making you guys out as the cause of the problem despite it being their fault then that's just plain wrong. I mean, you know... You are the guys that are trying to reinvigorate the game here (for the PC community anyway) while trying to fix issues and implement features that should have been or needed to be in the game. That work was supposed to have been done by CDPR in the first place. They should be thanking you guys 'cos y'all are the ones who are gonna be making them money by keeping their game alive, without it even costing them anything in the process. :)
 
How can we know yamasushi is indeed yamasushi? I don't see any hint of a certified user or a coloured banner on his post; for all we know it could be burgermountain using yamas' alias :LOL:
 
I explained the issue with some details in the readme of my save editor project here:
https://github.com/PixelRick/CyberpunkSaveEditor/blob/main/README.md

I have put the proof of concept on github too but it is currently held private for the usual 45+ days of non-disclosure as half of the issue concerns a microsoft library.

I added a mini-comment in the readme to prove that yamasushi is indeed yamashi.
 
Great. Instead of just owning up to it, you practically shift the blame to the modders who are working their asses off to keep the game alive with all the changes they make that YOU should have implemented in the first place. Instead of being grateful for their work you blame them. Shows how much support and care you really give them. It is not their fault that the game & base EXE file was programmed in such a way. It is not them who didn't do proper testing in the first place. It is YOU. Really smooth move CDP, really a good one. You know, I wish the modders would just stop making mods and let the game die.
 
Why did it take CDPR so long to disclose when Mod authors began patching their own programs first?

If I had to toss out a guess, I would say that they held off making any public statement until they had a fix in the works. We will see that fix, probably 1.12, once it completes QA and certification.
 
Been tracking things since before release and I'm amazed at how the studio constantly tries to handle things in a "glass is half full" kind of manner.

Game State?
It's not like the game has the issues, it's just that the last-gens are slightly broken BUT THE PC IS GREAT AND WE'RE PROUD OF IT.
No it's not, it's slightly less broken, please stop pretending there's a "good version" anywhere.

Modding?
Here are some basic format chewers that don't allow for any edits or repackaging, "go wild" (but please don't lewd Keanu chan).

Literal Arbitrary Code Execution exploits?
It's not exactly our fault, it's kinda bordering on mods, you know kinda our thing, kinda not.
No. It's absolutely your thing and don't pretend it's not, stop trying to piss in people's ears and telling them it's raining, it's a core game vulnerability and mods have nothing to do with this.
Even if the exploit is patched, base game discs are entryways into userland space code execution on all consoles and until it's patched GFNow can be exploited by syncing forged saves from the cloud. So I assume you're trying to shift the blame and dodge the questions to pretend in front of Sony, Microsoft and NVIDIA that it isn't your fault.

You literally cannot genuinely own-up to a single mistake you made and it seems that with this game every step of the road turns into a stinker around the corner.

With that said, PixelRick should've gotten not only a direct thank you but also AT THE VERY LEAST some sort of hefty merch package for discovering this and letting you know with a head start (which you did nothing with).
Not even going to mention that usually the industry standard for such heavyweight exploits is bounties measured in thousands of dollars.
Same to a certain extent goes to Yamashi who managed to at least plug the hole before your corporate gears even started turning.

The whole handling of this game prior to and post release just keeps letting me down, with every move on RED's behalf finding a new low that I didn't know they could reach. I never knew I could be this let down and disillusioned by a company I once admired.
 
oh boy
 
Sigh. After reading some of the posts in this thread, I sometimes wonder if the playerbase is actually worth protecting.

And this is coming from u/Romulus_is_here.

What's worse, most of the websites that are picking up on this news are presenting it incorrectly. There's even a website that is supposed to be a veteran when it comes to anything PC, but refers to DLL files as DDL files.

I'd like to make something abundantly clear. Tools like CyberEngineTweaks or PixelRick's Cyberpunk Save Editor have absolutely nothing to do with the vulnerability itself.

Yamashi being the gentleman he is, hasn't let out the fact that even for a band-aid like fix, simply changing some value from 511 to 255 should be enough to patch the buffer overflow.
 
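To make the mechanism described in yamashi's post (a fixed-size string loader reused for saves and archives, whose length check is too loose) and the "511 to 255" band-aid above concrete, here is an added illustration. It is not CDPR's code and not the real save-file format: the record layout (a 16-bit little-endian length followed by that many bytes), the 256-byte destination buffer, the frame model with a `saved_ret` slot sitting right after the buffer, and the helper names are all assumptions made for the example. The vulnerable loader bounds the length against 511 while copying into 256 bytes; the corrected loader derives its bound from the buffer.

```c
/*
 * Added illustration (not CDPR's code, not the real save format): a
 * length-prefixed string loader whose length check does not match the buffer
 * it copies into, beside the corrected check.  Record layout is ASSUMED:
 * u16 little-endian length, then that many bytes of string.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF   256   /* assumed size of the fixed destination buffer */
#define BAD_LIMIT  511   /* what the broken check allows (the "511" in the thread) */
#define GOOD_LIMIT 255   /* NAME_BUF - 1, leaving room for the terminator */
#define SENTINEL   0xDEADBEEFCAFEBABEull

/* Model of the stack frame around the buffer: whatever sits after `name`
 * (here saved_ret, standing in for a saved return address) is what an
 * oversized copy lands on.  `spill` keeps every write inside this object so
 * the demonstration itself stays within defined behaviour. */
struct frame {
    char     name[NAME_BUF];
    uint64_t saved_ret;
    uint8_t  spill[NAME_BUF];
};

/* Build a constructed record: u16le length + `len` bytes of `fill`.
 * Returns the record size, or 0 if it does not fit in `cap`. */
static size_t make_record(uint8_t *out, size_t cap, uint16_t len, uint8_t fill)
{
    if (cap < (size_t)len + 2) return 0;
    out[0] = (uint8_t)(len & 0xff);
    out[1] = (uint8_t)(len >> 8);
    memset(out + 2, fill, len);
    return (size_t)len + 2;
}

/* Parse the length prefix; rejects records shorter than their own length. */
static int read_len(const uint8_t *rec, size_t n, uint16_t *len)
{
    if (n < 2) return -1;
    *len = (uint16_t)(rec[0] | (rec[1] << 8));
    if ((size_t)*len > n - 2) return -1;          /* truncated record */
    return 0;
}

/* Vulnerable loader: bounds the length against BAD_LIMIT (511) while the
 * destination holds NAME_BUF (256) bytes.  Returns bytes copied, -1 if rejected. */
static int load_string_vuln(const uint8_t *rec, size_t n, struct frame *f)
{
    uint16_t len;
    if (read_len(rec, n, &len) != 0 || len > BAD_LIMIT) return -1;
    unsigned char *dst = (unsigned char *)f;      /* f->name is at offset 0 */
    memcpy(dst, rec + 2, len);                    /* len > 256 runs over saved_ret */
    dst[len] = '\0';                              /* len == 256 already clobbers one byte */
    return len;
}

/* Corrected loader: the bound is derived from the buffer, not a separate constant. */
static int load_string_safe(const uint8_t *rec, size_t n, struct frame *f)
{
    uint16_t len;
    if (read_len(rec, n, &len) != 0 || len > GOOD_LIMIT) return -1;
    memcpy(f->name, rec + 2, len);
    f->name[len] = '\0';                          /* len <= 255 stays inside name[] */
    return len;
}

/* Feed the vulnerable loader a `len`-byte string and report whether the value
 * living past the buffer was overwritten. */
bool vuln_clobbers_saved_ret(uint16_t len)
{
    uint8_t rec[2 + BAD_LIMIT + 1];
    struct frame f;
    size_t n = make_record(rec, sizeof rec, len, 'A');
    memset(&f, 0, sizeof f);
    f.saved_ret = SENTINEL;
    if (n == 0 || load_string_vuln(rec, n, &f) < 0) return false;
    return f.saved_ret != SENTINEL;
}

/* Result of the corrected loader for a `len`-byte string: len, or -1 if rejected. */
int safe_load_result(uint16_t len)
{
    uint8_t rec[2 + BAD_LIMIT + 1];
    struct frame f;
    size_t n = make_record(rec, sizeof rec, len, 'A');
    memset(&f, 0, sizeof f);
    return n == 0 ? -1 : load_string_safe(rec, n, &f);
}

int main(void)
{
    uint16_t probes[] = { 200, 255, 256, 300, 511 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("len=%3u  vulnerable loader clobbers saved_ret: %-3s  fixed loader returns: %d\n",
               (unsigned)probes[i], vuln_clobbers_saved_ret(probes[i]) ? "yes" : "no",
               safe_load_result(probes[i]));
    }
    return 0;
}
```

Two things worth noticing when running it: a 256-byte string, which passes the broken check with room to spare, already corrupts the first byte past the buffer through the terminator alone, and nothing about the record is malformed from the parser's point of view, which is why a save or archive that passes every format check can still reach the overflow. The fix is the one the thread alludes to: the limit must be a function of the buffer (`sizeof name - 1`), not an independent constant that can drift away from it.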
It can be used to get behind the security measures and load custom software on PlayStation, literally jailbreaking the PlayStation 4 and 5.
Interesting. For that to happen, a malicious save file or mod archive has to be on the PS4 such that the game will read it. I wasn't aware that this was something a common user could do. 🤷‍♂️
 
Ironic, as mods are probably the only thing that might revive many player's interest in this game right now, and stop it languishing several places below Euro Truck Simulator 2 on Steam's most played.
 
This launch and the events that happened afterwards drive me personally more and more into resignation.
This comes from a quite frustrated and sad long term member of this community.
 