
[OPS] [2.0.28] Updater does not verify the SSL certificates

Posted: Sun Dec 29, 2024 5:54 pm
by WRah
What did you do?
I have spoofed the updater.factorio.com DNS record in my LAN to point to a different IP address - with a "fake" update server that serves a modified latest update (2.0.27 to 2.0.28) with completely different content.

What happened?
Factorio connected to my fake update server (with invalid certificate), downloaded the update, installed it and started the modified binary.

What did you expect to happen instead? It might be obvious to you, but do it anyway!
I expected Factorio not to download the update as the certificate did not correspond to the hostname. Or somehow validate that the update is authentic with some form of signature validation...

Does it happen always, once, or sometimes?
Always... I have successfully tested this on Windows (ZIP version), MacOS (this was a bit unexpected, because I did believe that MacOS had some signature checking, but alas...) and Linux versions.

I am quite sure that this is a security issue, as it allows executing a possibly malicious application on the target. There is an older report in the "not a bug" bin with some incorrect assumptions - viewtopic.php?f=23&t=926
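
As an added example (not code from this report or from the game's updater), the following Python sketch shows the two checks the report asks for: the weak TLS client setting that accepts any certificate beside the corrected one that validates the chain and hostname, plus an integrity check on the downloaded bytes before anything is installed. It assumes the expected SHA-256 digest comes from a source the spoofed server cannot alter, such as a value pinned in the client or a signed manifest; the standard library has no asymmetric signature primitive, so a real updater would verify a signature over that manifest in addition.

```python
import hashlib
import hmac
import ssl
import urllib.request


def insecure_context() -> ssl.SSLContext:
    """Weak setting: any certificate for any hostname is accepted.

    This is the behaviour the report describes: a spoofed DNS record and a
    server with an invalid certificate were enough to deliver a modified build.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected setting: chain must validate against the system CA store and
    the certificate must match the requested hostname.  A spoofed DNS record
    then only produces a handshake failure, not a download."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


class UpdateIntegrityError(Exception):
    """Raised when the fetched update must not be installed."""


def verify_digest(payload: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the payload digest with the pinned value."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def download_update(url: str, expected_sha256: str, context=None) -> bytes:
    """Fetch the update over verified TLS and refuse it unless the digest
    matches the value obtained out of band (assumed pinned or signed)."""
    if not url.startswith("https://"):
        raise UpdateIntegrityError("refusing to fetch an update over plaintext HTTP")
    ctx = context or hardened_context()
    chunks = []
    with urllib.request.urlopen(url, context=ctx) as resp:
        for chunk in iter(lambda: resp.read(1 << 16), b""):
            chunks.append(chunk)
    payload = b"".join(chunks)
    if not verify_digest(payload, expected_sha256):
        raise UpdateIntegrityError("update digest mismatch; not installing")
    return payload
```

The download and digest check are separate from the launch step on purpose: nothing that fails verify_digest should ever be written to the install location or executed.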

Re: [OPS] [2.0.28] Updater does not verify the SSL certificates

Posted: Tue Jan 07, 2025 2:32 pm
by Sanqui
This rather embarrassing oversight will be fixed in the next release.