When we think about V8 exploits, the first things that come to mind are probably related to sophisticated browser zero-day exploit chains. While the browser may be the most interesting target for V8 exploits, we shouldn’t forget that this open-source JavaScript engine is also embedded into countless projects other than the browser. And where a JavaScript engine is used across a security boundary to execute potentially untrusted code, security issues may arise. One such issue affected the massively popular Dota 2 video game. Dota used an outdated build of v8.dll that was compiled in December 2018. It’s no surprise that this build was vulnerable to a range of CVEs, many of them even being known exploited vulnerabilities with public proof-of-concept (PoC) exploits. We discovered that one of these vulnerabilities, CVE-2021-38003, was exploited in the wild in four custom game modes published within the game. Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players. We disclosed our findings to the developer of Dota 2, Valve. In response, Valve pushed an update for Dota on January 12, upgrading the old and vulnerable version of V8. This update took effect immediately, since Dota has to be up to date for players to participate in online games. Valve also took additional action, by taking down the offending custom game modes, notifying the affected players, and introducing new mitigations to reduce the game’s attack surface.

[Image: Dota changelog for the January 12 update.]

Background

Dota 2 is a MOBA game that was initially released on July 9, 2013. Despite being almost 10 years old (or perhaps 20 if counting the original Dota 1), it is still attracting a large player base of around 15 million active monthly players. Like other popular games, Dota is a complex piece of software under the hood, assembled from multiple separate components. One component that will be of particular interest to us is the Panorama framework. This is a framework designed by Valve itself to enable user interface development using the well-known web triad of HTML, CSS, and JavaScript. The JavaScript part here was problematic because it got executed by the vulnerable version of V8. Thus, malicious JavaScript could exploit a V8 vulnerability and gain control over the victim’s machine. This wouldn’t be such an issue for the unmodified game, because by default, only legitimate Valve-authored scripts should get executed. However, Dota is very open to customization by the player community, which opens the doors for threat actors to attempt to sneak malicious pieces of JavaScript to their unsuspecting victims.

Customization of Dota can take many forms: There are custom wearable in-game items, announcer packs, loading screens, chat emoticons, and more. Crucially, there are also custom community-developed game modes. These are essentially brand-new games that leverage Dota’s powerful game engine to allow anyone with a bit of programming experience to implement their ideas for a game. Custom game modes play an important role in Dota, and Valve is well aware of the benefits of letting players express their creativity by developing custom game modes. After all, Dota itself started out as a game mode for Warcraft III: The Frozen Throne. This might be why game modes can be installed with a single click from within the game. As a result, there are thousands of game modes available, some of which are extremely popular.
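The core problem above is an embedded JavaScript engine that is years behind upstream. An inventory check a defender can run on any shipped v8.dll is to read its link-time timestamp from the PE COFF header and flag builds older than a cutoff. The script below is an added example, not code from the original post or from Valve; the cutoff date and the minimal PE-like blobs it parses are constructed for the demonstration.

```python
import struct
from datetime import datetime, timezone

# Assumed cutoff for this check: builds compiled before this date are treated
# as stale (the post notes Dota's v8.dll was compiled in December 2018).
STALE_BEFORE = datetime(2019, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Return the TimeDateStamp from a PE image's COFF file header."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    if ts == 0:
        # Some toolchains zero the field; treat as unknown rather than "new".
        raise ValueError("PE timestamp is zero (unknown build date)")
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def is_stale_build(data: bytes, cutoff: datetime = STALE_BEFORE) -> bool:
    """True when the image was linked before the cutoff date."""
    return pe_timestamp(data) < cutoff


def make_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal PE-like blob (not a real DLL): only the headers this check reads."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    old = make_fake_pe(int(datetime(2018, 12, 15, tzinfo=timezone.utc).timestamp()))
    new = make_fake_pe(int(datetime(2023, 1, 12, tzinfo=timezone.utc).timestamp()))
    for name, blob in (("v8_2018.dll", old), ("v8_2023.dll", new)):
        print(name, pe_timestamp(blob).date(), "STALE" if is_stale_build(blob) else "ok")
```

Reproducible builds may store a hash rather than a real time in this field, so treat an implausible value as "unknown" and fall back to the file's version resource or the vendor's release notes.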