
Reliable remote code execution (1)

2022-06-24 10:54:00 franket

One of the factors that makes Counter-Strike: Global Offensive (hereinafter "CS:GO") so popular is that anyone can host their own community server. These community servers can be downloaded and installed for free and allow a high degree of customization. Server administrators can create and use custom assets (for example, maps) to build innovative game modes.

However, this design choice opens up a large attack surface. Players can connect to potentially malicious servers and exchange complex binary assets such as game messages and textures with them.

We managed to find and exploit two bugs which, when combined, give reliable remote code execution on a player's machine when it connects to our malicious server. The first bug is an information leak that allows us to defeat ASLR on the client while in-game. The second bug is an out-of-bounds access to a global array in the .data section of a game module, which leads to control of the instruction pointer.

Community server list

Players can join a community server through the built-in, user-friendly server browser.

Once a player joins a server, the game client and the community server start talking to each other. As security researchers, our task was to understand the network protocol CS:GO uses and the types of messages sent, so that we could find vulnerabilities.

It turns out that CS:GO uses its own UDP-based protocol to serialize, compress, fragment and encrypt the data sent between client and server. We won't go into detail about the network code, because it is not relevant to the bugs we present.

More importantly, this custom UDP-based protocol carries Protobuf-serialized payloads. Protobuf is a technology developed by Google that lets you define messages and provides an API for serializing and deserializing them.

Here is an example of a protobuf message defined and used by the CS:GO developers:

message CSVCMsg_VoiceInit {
	optional int32 quality = 1;
	optional string codec = 2;
	optional int32 version = 3 [default = 0];
}

Having found that CS:GO uses Protobuf, we located this message definition through a Google search: we came across the SteamDatabase GitHub repository, which contains a list of the Protobuf message definitions.

As the message name implies, it is used to initialize some kind of voice transmission from a player to the server. The message body carries a few parameters, for example the codec and version used to interpret the voice data.

Developing a CS:GO proxy

With this list of messages and their definitions, we gained insight into the kinds of data sent between client and server. However, we still did not know in what order messages would be sent and which values were expected. For example, we knew there is a message to initialize voice with some codec, but we did not know which codecs CS:GO supports.

For this reason, we developed a proxy for CS:GO that lets us view the communication in real time. The idea was to start a CS:GO game, connect to any server through the proxy, and dump every message received by the client and sent to the server. To do so, we reverse engineered the network code to decrypt and unpack the messages.

We also added the ability to change the values of any message sent or received. Because an attacker ultimately controls any value in the Protobuf-serialized messages exchanged between client and server, this becomes a possible attack surface. Instead of reverse engineering the code that handles each message, we could find bugs by changing interesting fields.

The following GIF shows messages sent by the game being dumped by the proxy in real time, corresponding to events such as shooting, changing weapons or moving:

Equipped with this tool, it was now up to us to flip some bits in the protobuf messages to find bugs.

OOB access in CSVCMsg_SplitScreen

We found that a field in the CSVCMsg_SplitScreen message, which a (malicious) server can send to the client, can lead to an OOB access, which in turn leads to a controlled virtual function call.

The definition of this message is :

message CSVCMsg_SplitScreen {
	optional .ESplitScreenMessageType type = 1 [default = MSG_SPLITSCREEN_ADDUSER];
	optional int32 slot = 2;
	optional int32 player_index = 3;
}

CSVCMsg_SplitScreen looks interesting because a field called player_index is controlled by the server. However, counterintuitively, the player_index field is not used to access an array; the slot field is. It turns out that the slot field is used as an index into an array of split-screen player objects located in the .data section of engine.dll, without any bounds check whatsoever.

From the crash we could already observe some interesting facts:

  1. The array is stored inside the .data section of engine.dll
  2. After the array access, an indirect function call on the accessed object takes place

The following screenshot of the decompiled code shows how player_slot is used as an index without any checks. If the first byte of the object is not 1, a branch is entered:

This bug proved very promising, because a few instructions into the branch a vtable is dereferenced and a function pointer is called. This is shown in the next screenshot:

Given an information leak, we were very excited about this bug, because it seemed easy to exploit. Since the pointer to the object is taken from a global array inside engine.dll, which at the time of writing is a 6MB binary, we were confident we could find a pointer to data we control. Pointing the object above at attacker-controlled data results in arbitrary code execution.

However, we still have to forge a vtable at a known location and then point the function pointer at something useful. Because of this limitation, we decided to look for another bug that could lead to an information leak.
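As an added example that is not part of the original write-up or of Valve's code, the following C block ties the Protobuf section and the CSVCMsg_SplitScreen section together: it decodes the message from its protobuf wire bytes (all three fields are varints) and then applies the bounds check on slot that the text says engine.dll lacks before indexing the global player array. The array size, the struct layout and the sample byte strings are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed model of the global split-screen player array in .data that the
 * write-up describes; MAX_SPLITSCREEN_PLAYERS is assumed, not engine.dll's value. */
#define MAX_SPLITSCREEN_PLAYERS 2
typedef struct { int active; int user_id; } splitscreen_player_t;
static splitscreen_player_t g_splitscreen_players[MAX_SPLITSCREEN_PLAYERS];
typedef struct { int32_t type, slot, player_index; } split_screen_msg_t;

/* Protobuf base-128 varint reader: returns bytes consumed, 0 if truncated. */
static size_t read_varint(const uint8_t *p, size_t len, uint64_t *out) {
    uint64_t v = 0;
    for (size_t i = 0; i < len && i < 10; i++) {
        v |= (uint64_t)(p[i] & 0x7f) << (7 * i);
        if (!(p[i] & 0x80)) { *out = v; return i + 1; }
    }
    return 0;
}
/* Decode CSVCMsg_SplitScreen (fields 1..3, all varints); -1 on malformed input. */
int decode_split_screen(const uint8_t *buf, size_t len, split_screen_msg_t *m) {
    size_t off = 0, n; uint64_t tag, val;
    m->type = 0; m->slot = 0; m->player_index = 0;
    while (off < len) {
        if ((n = read_varint(buf + off, len - off, &tag)) == 0 || (tag & 7) != 0)
            return -1;                     /* truncated tag or non-varint wire type */
        off += n;
        if ((n = read_varint(buf + off, len - off, &val)) == 0) return -1;
        off += n;
        switch (tag >> 3) {                /* int32 fields: keep the low 32 bits */
        case 1: m->type = (int32_t)val; break;
        case 2: m->slot = (int32_t)val; break;
        case 3: m->player_index = (int32_t)val; break;
        default: return -1;
        }
    }
    return 0;
}
/* The check the write-up says is missing: validate the server-chosen slot before
 * it indexes the global array. Returns 0 on success, -1 on malformed/out-of-range. */
int process_split_screen(const uint8_t *buf, size_t len) {
    split_screen_msg_t m;
    if (decode_split_screen(buf, len, &m) != 0) return -1;
    if (m.slot < 0 || m.slot >= MAX_SPLITSCREEN_PLAYERS) return -1;
    g_splitscreen_players[m.slot].active = 1;
    g_splitscreen_players[m.slot].user_id = m.player_index;
    return 0;
}
/* Constructed sample messages (not captured traffic): type=0, player_index=300. */
const uint8_t kValidMsg[]   = { 0x08, 0x00, 0x10, 0x01, 0x18, 0xac, 0x02 }; /* slot 1 */
const uint8_t kHostileMsg[] = { 0x08, 0x00, 0x10, 0x07, 0x18, 0xac, 0x02 }; /* slot 7 */
```

A slot outside the table, or a truncated message, is rejected before any memory access, which is what makes the server-controlled field safe to use as an index.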


Copyright notice
This article was written by [franket]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2021/06/20210616125548469D.html