Valve waited 15 months to patch high-severity flaw. A hacker pounced | Tech Zen




Researchers have discovered four game modes that successfully exploited a critical vulnerability that remained unpatched in the popular Dota 2 video game for 15 months after a fix became available.

The vulnerability, tracked as CVE-2021-38003, resided in Google's open source JavaScript engine, known as V8, which is built into Dota 2. Although Google patched the vulnerability in October 2021, Dota 2 developer Valve didn't update its software to use the patched V8 engine until last month, after researchers privately alerted the company that the critical vulnerability was being exploited.

Unclear intentions

A hacker took advantage of the delay by publishing a custom game mode last March that exploited the vulnerability, researchers at security firm Avast said. That same month, the same hacker published three additional game modes that most likely also exploited the vulnerability. Along with patching the vulnerability last month, Valve also removed all four modes.

Custom modes are extensions, or even entirely new games, that run on top of Dota 2. They allow people with even basic programming skills to implement their ideas for a game and then submit them to Valve. The game maker then puts the submissions through a verification process and, if they are approved, publishes them.

The first mode published by Valve appears to be a proof-of-concept project for exploiting the vulnerability. It was titled "test addon plz ignore" (ID 1556548695) and included a description urging people not to download or install it. Embedded inside the mode was the exploit code for CVE-2021-38003. While some of the exploit was taken from proof-of-concept code posted on the Chromium bug tracker, the mode's developer wrote much of it from scratch. The mode included plenty of commented code and a file titled "evil.lua", which further suggested that the mode was a test.

Avast researchers found three other custom modes that the same developer had published through Valve. Titled "No Pesky Heroes Overdog" (ID 2776998052), "Custom Hero Brawl" (ID 2780728794), and "Overthrow RTZ Edition X10 XP" (ID 2780559339), these modes took a much more covert approach.

Avast researcher Jan Vojtěšek explained:

The malicious code in these three new game modes is much more subtle. There is no file named evil.lua and no directly visible JavaScript exploit in the source code. Instead, there is just a simple backdoor consisting of only about twenty lines of code. This backdoor can execute arbitrary JavaScript downloaded over HTTP, giving the attacker not only the ability to hide the exploit code, but also the ability to update it at their discretion without having to update the entire custom game mode (and go through the risky game verification process).

The server that these three modes contacted was no longer running when Avast researchers discovered the modes. But since they were published by the same developer 10 days after the first mode, Avast says there is a high probability that the downloaded code also exploited CVE-2021-38003.

In an email, Vojtěšek described the flow of the backdoor operation this way:

  1. The victim enters a game, playing one of the malicious game modes.

  2. The game loads as expected, but in the background, malicious JavaScript contacts the game mode server.

  3. The game mode server code reaches the backdoor C&C server, downloads a piece of JavaScript code (presumably the exploit for CVE-2021-38003) and returns the downloaded code to the victim.

  4. The victim dynamically executes the downloaded JavaScript. If this were the exploit for CVE-2021-38003, this would result in shellcode being executed on the victim machine.

Valve representatives didn't respond to an email seeking comment for this story.

The researchers searched for more Dota 2 game modes that exploited the vulnerability, but the trail went cold. Ultimately, that means it isn't possible to pinpoint what the developer's intentions were for the modes, but Avast's post did say there were two reasons to suspect they weren't purely for benign research.

"First, the attacker didn't report the vulnerability to Valve (which would generally be considered a nice thing to do)," Vojtěšek wrote. "Second, the attacker tried to hide the exploit in a stealthy backdoor. Regardless, it is also possible that the attacker didn't have purely malicious intent either, as such an attacker could arguably be able to abuse this vulnerability with much greater impact."

