Researchers have unearthed four game modes that could successfully exploit a critical vulnerability that remained unpatched in the popular Dota 2 video game for 15 months after a fix had become available.
A hacker took advantage of the delay by publishing a custom game mode last March that exploited the vulnerability, researchers from security firm Avast said. That same month, the same hacker published three additional game modes that very likely also exploited the vulnerability. Besides patching the vulnerability last month, Valve also removed all four modes.
Custom modes are extensions or even completely new games that run on top of Dota 2. They allow people with even basic programming experience to implement their ideas for a game and then submit them to Valve. The game maker then puts the submissions through a verification process and, if they’re approved, publishes them.
The first game mode published by Valve appears to be a proof-of-concept project for exploiting the vulnerability. It was titled “test addon plz ignore” (ID 1556548695) and included a description that urged people not to download or install it. Embedded inside the mode was exploit code for CVE-2021-38003. While some of the exploit was taken from proof-of-concept code published in the Chromium bug tracker, the mode developer wrote much of it from scratch. The mode included lots of commented-out code and a file titled “evil.lua”, further suggesting the mode was a test.
Avast researchers went on to find three more custom modes that the same developer had published to Valve. These modes—titled “Overdog no annoying heroes” (ID 2776998052), “Custom Hero Brawl” (ID 2780728794), and “Overthrow RTZ Edition X10 XP” (ID 2780559339)—took a much more covert approach.
Avast researcher Jan Vojtěšek explained:
The server these three modes contacted was no longer working when Avast researchers discovered the modes. But given that they were published by the same developer 10 days after the first mode, Avast says there’s a high likelihood that the code they downloaded also exploited CVE-2021-38003.
In an email, Vojtěšek described the operation flow of the backdoor this way:
The victim enters a game, playing one of the malicious game modes.
Valve representatives didn’t respond to an email seeking comment for this story.
The researchers looked for additional Dota 2 game modes that exploited the vulnerability, but their trail went cold. Ultimately, that means it’s not possible to determine precisely what the developer’s intentions for the modes were, but the Avast post said there were two reasons to suspect they weren’t purely for benign research.
“First, the attacker did not report the vulnerability to Valve (which would generally be considered a nice thing to do),” Vojtěšek wrote. “Second, the attacker tried to hide the exploit in a stealthy backdoor. Regardless, it’s also possible that the attacker didn’t have purely malicious intentions either, since such an attacker could arguably abuse this vulnerability with a much larger impact.”