As an on again, off again NBA fan, I do enjoy a bit of virtual basketball from time to time. The undisputed champion of NBA gaming is of course 2K Sports' NBA 2K series, which saw its latest iteration released in the form of 2K19 a little over a month ago.
2K19 is a network heavy game due to its focus on multiplayer modes like the flagship 'MyPlayer' mode, which involves creating your own aspiring NBA star character and playing through a mixture of mostly online game types and side tasks, like 3 v 3 pickup and full court 'Jordan Rec Center', all set inside a virtual 'Neighbourhood' with a few hundred of your closest online randoms running around with you. It's a bit like a MMO, but for basketball. With this in mind, I thought it might be interesting to see what the network activity of 2K19 actually looked like, so I configured the PS4 to use a Linux box with forwarding enabled and Wireshark running as its gateway.
Typically when I check out the network activity of a game these days, I'll see a load of TLS connections for handling tasks like transactions (e.g. syncing point totals between client and server) and the usual assortment of UDP connections for when actual in-game action is occurring, and 2K19 was no different. However there was one needle in the haystack of network activity that stood out - a regularly reoccurring DNS request to a rather strange looking domain, that kept failing to find a record:
This lookup request is asking for the address of a .corp domain, which is a domain currently under proposal for release as an Internet TLD by ICANN although it appears to have been blocked indefinitely due to concerns that it is commonly used by private/internal networks, which I believe is the case here - Take-Two Interactive is the parent company of 2K, and so it seems a safe bet this "t2.corp" domain is in fact an internal domain used by 2K.
It's a good thing for 2K Games and Take-Two that this is not going to be an Internet domain anytime soon, as if it did become available and someone managed to register t2.corp, then they would be privy to the IP addresses of potentially all 2K19 gamers currently online. However, that is not an immediate concern, so what else can we do with this strange request? If I setup a DNS server to respond to the domain being requested with an IP address under my control, the following request is made by the PS4:
It looks like it is sending a HTTP request to port 17117. If I
nc -l 17117 on the box I configured as the destination for the
xxx.2kgames.t2.corp record, it gets this request from the PS4:
POST /vcrp/v2/VCReport/frequent_reports?title_id=0x601E HTTP/1.1 User-Agent: VISUAL_CONCEPTS_PS4/19.0 Host: xxx.2kgames.t2.corp:17117 Connection: Keep-Alive Content-Length: 0
The fact that this is plain text HTTP and not HTTPS is interesting, as it means it is trivial to do just this - stand up a DNS server and take control of the domain and respond to HTTP requests arbitrarily, and as far as my PS4 and copy of 2K19 are concerned they are communicating with the real
xxx.2kgames.t2.corp. If it were HTTPS, then it would be very likely this couldn't be done, as the HTTP client would be expecting a certificate in the TLS handshake that proves ownership of the domain, signed by an authority the client is configured to trust.
Based on the path being requested and the fact the request body is zero length, this appears to be a check-in or beacon of some sort. It's worth pointing out that the letters "VC" in the NBA 2K world can mean two distinct things - it is either referring to the much maligned in-game currency, or the development studio responsible for the game itself as the user agent shows, i.e. Visual Concepts, so it isn't clear what "VC" in the path may be referring to.
From here, there is not much more to report. Perhaps there is a specific response that causes further requests to be made or causes some side effect on the game itself - it seems unlikely that during development of 2K19 a request like this would be added just to act as a glorified ping. There is also always the possibility a response could be crafted that causes a buffer overflow or targets some other vulnerability, perhaps in a superfluous feature found within the (presumably) C++ HTTP client making this request. With that said, there were a few characteristics about this HTTP client worth noting:
2XXresponse stops further requests being made. Responses in the 300's, 400's, 500's etc do not.
- After a
200, if you close and re-open the game, the requests start up again.
- If you respond with, say, a
400 Bad Requestand include a
Set-Cookieheader in the response, future requests include the cookie you set.
- Cookies don't survive closing and re-opening the game, suggesting no persistent cookie storage for the HTTP client.
- The client does not follow
- The client closes the connection after 60 seconds of inactivity.
- Sending large responses (1GB+) with a
application/octet-stream, and playing around with
Content-Disposition, had no noticeable affect (although, I'm not sure what I was expecting here).
I'm not familiar with attacking HTTP clients via responses, and I haven't had much luck finding existing research on this area. If you can offer some advice, please do so.
I reported this issue to 2K Games on October 12th 2018, through their standard support channels, which I was told was escalated to the relevant department but have not heard back since. I was unable to find a direct contact for their security team. As of today 2K19 has seen two patches since then (v1.05 and v1.06), and it remains at large so I'm assuming it is not considered a significant issue.