Valve left JavaScript vulnerability in Dota 2 for 15 months


Valve left a JavaScript vulnerability unpatched for 15 months in the online game Dota 2, which uses the affected JavaScript engine, according to Avast security researchers. In the meantime, the security hole was exploited by an attacker, but only on a small scale.

According to an Ars Technica story, which is based on the Avast research report, the vulnerability is CVE-2021-38003. It has a severity score of 8.8 and can be used to run a chain of exploits, because JavaScript is not sandboxed in this case. The vulnerability is in the V8 JavaScript engine and was patched by Google in October 2021, but Valve did not release an update for Dota 2 that fixed it until January 2023. It did so after Avast notified the company of the situation. The attacker was active until March 2022.

The vulnerability was exploited through custom game modes for the game. A single user had four game modes to their name whose code exploited the vulnerability. It is striking that the first attempt was not very subtle: the mode was named ‘test addon plz ignore’ and contained a file called ‘evil.lua’, which is hardly inconspicuous. The other three game modes exploiting the vulnerability were called Overdog no annoying heroes, Custom Hero Brawl, and Overthrow RTZ Edition X10 XP. In these, the exploit was also much less noticeable in the code.

The researchers told Ars how the exploit eventually worked. Players would launch the rogue game mode, which in the background contacted a command-and-control server that served what is believed to be exploit code for the aforementioned CVE. The target then executed that code, giving the attacker the ability to run shellcode on the victim’s machine. Valve told the researchers that fewer than 200 players were affected by this exploit.

The researchers have some doubts, but still assume that the hacker’s intentions were malicious. Even though they could not find evidence of malicious payloads, and players were initially warned not to download a game mode, the researcher faults the individual for not reporting the vulnerability to Valve. “That’s generally a nice thing to do.” The increasing effort to conceal the malicious code is also telling.

Ars asked Valve for comment on this story, presumably including why the company waited so long to ship this patch. Valve has not responded.

Image: the first game mode (left), which is still not advisable to download, and the more subtle mode (right) that may have claimed victims. Source: Avast
