Dark Souls Exploit That Took Down PvP Servers Explained

The Dark Souls exploit responsible for taking down the PvP servers for multiple From Software titles on PC has been explained by those who originally found the issue. The remote code execution (RCE) vulnerability allowed certain hackers to execute malicious code on other players' machines, including taking remote control of another player’s PC.

How did the Dark Souls exploit work?

The PvP servers for Dark Souls 1, Dark Souls Remastered, Dark Souls 2, and Dark Souls 3 were brought offline in January this year. And while the user who discovered the exploit says that it has been “completely fixed,” according to a statement to VGC, the servers have remained offline since.

The user behind the discovery of the Dark Souls exploit has now publicly disclosed full details of the vulnerability via GitHub. The disclosure contains proof-of-concept code and documentation of the exploit, which could be present in Demon’s Souls and Sekiro as well.

As an example of what the exploit could allow, the user says that in Dark Souls III, “a malicious attacker abusing this would have been able to reliably execute a payload of up to 1.3MiB of shellcode on every online player’s machine within seconds.”

The user explains that the vulnerability does not stem from what most people assume:

“Contrary to popular belief, this is NOT a peer-to-peer networking exploit. It is related to the matchmaking server and thus much more severe, since you do not need to partake in any multiplayer activity to be vulnerable due to another matchmaking server vulnerability.”

As Bandai Namco had ignored his warning of the exploit for 40 days and he was concerned at the time about the release of Elden Ring, the user was compelled to publish a demonstration of the exploit on Twitch. This forced Bandai Namco to take swift action, releasing a statement on the issue and taking the PvP servers offline. While they remain offline for the time being, the entire situation seems to have cleared any similar exploit from Elden Ring before its release.
