September 29, 2023
Valve waited 15 months to patch high-severity flaw. A hacker pounced


Researchers have unearthed 4 recreation modes that would efficiently exploit a essential vulnerability that remained unpatched within the fashionable Dota 2 online game for 15 months after a repair had turn out to be obtainable.

The vulnerability, tracked as CVE-2021-38003, resided within the open supply JavaScript engine from Google often called V8, which is integrated into Dota 2. Though Google patched the vulnerability in October 2021, Dota 2 developer Valve didn’t replace its software program to make use of the patched V8 engine till final month after researchers privately alerted the corporate that the essential vulnerability was being focused.

Unclear intentions

A hacker took benefit of the delay by publishing a customized recreation mode final March that exploited the vulnerability, researchers from safety agency Avast said. That very same month, the identical hacker printed three further recreation modes that very probably additionally exploited the vulnerability. Moreover patching the vulnerability final month, Valve additionally eliminated all 4 modes.

Customized modes are extensions and even utterly new video games that run on high of Dota 2. They permit folks with even primary programming expertise to implement their concepts for a recreation after which submit them to Valve. The sport maker then places the submissions by way of a verification course of and, in the event that they’re accepted, publishes them.

The primary recreation mode printed by Valve seems to be a proof-of-concept mission for exploiting the vulnerability. It was titled “check addon plz ignore” (ID 1556548695) and included an outline that urged folks to not obtain or set up it. Embedded contained in the mode was exploit code for CVE-2021-38003. Whereas a number of the exploit was taken from proof-of-concept code printed within the Chromium bug tracker, the mode developer wrote a lot of it from scratch. The mode included numerous commented-out code and a file titled “evil.lua” additional suggesting the mode was a check.

Avast researchers went on to search out three extra customized modes that the identical developer had printed to Valve. These modes—titled “Overdog no annoying heroes” (id 2776998052), “Customized Hero Brawl” (id 2780728794), and Overthrow RTZ Version X10 XP (id 2780559339)—took a way more covert method.

Avast researcher Jan Vojtěšek defined:

The malicious code in these new three recreation modes is far more delicate. There isn’t any file named evil.lua nor any JavaScript exploit instantly seen within the supply code. As an alternative, there’s only a easy backdoor consisting of solely about twenty strains of code. This backdoor can execute arbitrary JavaScript downloaded through HTTP, giving the attacker not solely the power to cover the exploit code, but in addition the power to replace it at their discretion with out having to replace the whole customized recreation mode (and going by way of the dangerous recreation mode verification course of).

The server these three modes contacted was not working when Avast researchers found the modes. However given they have been printed by the identical developer 10 days after the primary mode, Avast says there’s a excessive probability that downloaded code additionally exploited CVE-2021-38003.

In an e mail, Vojtěšek described the operation movement of the backdoor this manner:

  1. The sufferer enters a recreation, taking part in one of many malicious recreation modes.

  2. The sport masses as anticipated, however within the background, a malicious JavaScript contacts the sport mode’s server.

  3. The sport mode’s server code reaches out to the backdoor’s C&C server, downloads a bit of JavaScript code (presumably, the exploit for CVE-2021-38003), and returns the downloaded code again to the sufferer.

  4. The sufferer dynamically executes the downloaded JavaScript. If this was the exploit for CVE-2021-38003, this is able to end in shellcode execution on the sufferer machine.

Valve representatives did not reply to an e mail searching for remark for this story.

The researchers regarded for extra Dota 2 recreation modes that exploited the vulnerability, however their path went chilly. Finally, meaning it’s not attainable to find out exactly what the developer’s intentions for the modes have been, however the Avast put up stated there have been two causes to suspect they weren’t purely for benign analysis.

“First, the attacker didn’t report the vulnerability to Valve (which might usually be thought of a pleasant factor to do),” Vojtěšek wrote. “Second, the attacker tried to cover the exploit in a stealthy backdoor. Regardless, it’s additionally attainable that the attacker didn’t have purely malicious intentions both, since such an attacker might arguably abuse this vulnerability with a a lot bigger affect.”