
valve
Researchers have discovered four game modes that can exploit critical unpatched vulnerabilities in popular games. dota 2 Video games for 15 months after a hotfix becomes available.
The vulnerability, tracked as CVE-2021-38003, exists in Google’s open source JavaScript engine known as V8, dota 2Google patched the vulnerability in October 2021, but dota 2 Developer Valve didn’t update its software to use the patched V8 engine, but researchers privately warned the company last month that a critical vulnerability was being targeted. After
unclear intent
Hackers took advantage of the delay by releasing a custom game mode exploiting the vulnerability last March, according to researchers at security firm Avast. That same month, the same hacker unveiled his three additional game modes, which also very likely exploited vulnerabilities. Valve patched the vulnerability last month and removed all four modes.
Custom modes are extensions or completely new games on which to run. Dota 2Anyone with basic programming experience can implement a game idea and submit it to Valve. The game maker then puts the submission through a verification process and, if approved, publishes it.
The first game mode released by Valve appears to be a proof-of-concept project for exploiting the vulnerability. It was titled “test addon plz ignore” (ID 1556548695) and included instructions not to download or install. This mode contained exploit code for CVE-2021-38003. Some of the exploits were taken from proof-of-concept code published on the Chromium bug tracker, but mod developers created much of it from scratch. This mode contains a lot of commented out code and a file titled “evil.lua”, further suggesting that this mode is a test.
Avast researchers found three more custom modes published to Valve by the same developer. These modes (“Overdog Annoying Hero” (id 2776998052), “Custom Hero Brawl” (id 2780728794), and Overthrow RTZ Edition X10 XP (id 2780559339)) took a much more covert approach .
Avast researcher Jan Vojtěšek explains:
The malicious code in these three new game modes is much more sophisticated. There is no file named Evil.lua and no JavaScript exploits appearing directly in the source code. Instead there is a simple backdoor consisting of about 20 lines of code. This backdoor can execute arbitrary JavaScript downloaded over HTTP, allowing an attacker to not only hide exploit code, but also without having to update the entire custom game mode (and through dangerous game modes). ) and can update the code at the attacker’s discretion. verification process).
When Avast researchers discovered the mods, the servers that these three mods connect to were not working. However, given that they were published by the same developer 10 days after his first mode, it’s likely that the downloaded code also exploited his CVE-2021-38003, Avast said. I’m here.
In an email, Vojtěšek explains the backdoor’s operational flow:
The victim joins the game and plays one of the malicious game modes.
The game loads as expected, but in the background malicious JavaScript connects to the Game Mode servers.
The game mode server code accesses a backdoor C&C server, downloads some JavaScript code (presumably exploiting CVE-2021-38003), and returns the downloaded code to the victim.
Victims dynamically execute downloaded JavaScript. If this is her exploit for CVE-2021-38003, it will run shellcode on the victim’s machine.
A representative for Valve did not respond to an email seeking comment on the story.
Researchers have additional Dota 2 There were game modes exploiting vulnerabilities, but their footsteps were cold. Ultimately, that means it’s impossible to determine exactly what the developers’ intentions for the mode were.
“First, the attacker did not report the vulnerability to Valve (which is generally considered a good thing),” Vojtěšek wrote. “Second, the attacker tried to hide the exploit behind a secret backdoor. Anyway, it is also possible that the attacker was not purely malicious. can be misused to have much greater impact.”