The gaming community of Dota 2 was attacked by four malicious custom game modes that were uploaded on Steam by the same author, all exploiting an old V8 vulnerability.
As Avast explains in a report published today, its security researchers found that Dota 2, a popular MOBA game, is vulnerable to CVE-2021-38003, a high-severity flaw in the V8 JavaScript engine used in the game.
Unfortunately, Dota 2 was using an outdated version of V8, which had available proof-of-concept exploits on the internet, and the author of the malicious mods knew about it and took advantage of the situation to perform zero-day attacks.
“We discovered that one of these vulnerabilities, CVE-2021-38003, was exploited in the wild in four custom game modes published within the game. Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players.”
-Avast
Avast informed Valve, the publisher of Dota 2, and the company released an update that upgraded V8 to a secure version on January 12, 2023.
Valve also removed the offending game mods from Steam and notified all players affected by the attacks.
Avast reports that the first of the four mods for Dota 2 was a test of the exploit uploaded to Steam to verify that the attack was possible without using a payload. The custom game mode also contained a file named “evil.lua” where the attacker tested various server-side Lua execution capabilities, including logging, dynamic compilation, executing system commands, and
Read more