Squirrel Bug Lets Attackers Execute Code in Games, Cloud Services


Level 85
Thread author
Honorary Member
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
An out-of-bounds read vulnerability in the Squirrel programming language lets attackers break out of sandbox restrictions and execute arbitrary code within a Squirrel virtual machine (VM), thus giving a malicious actor complete access to the underlying machine.

Given where Squirrel lives – in games and embedded in the internet of things (IoT) – the bug potentially endangers the millions of monthly gamers who play video games such as Counter-Strike: Global Offensive and Portal 2, as well as cloud services such as the Twilio Electric Imp IoT platform, with its ready-to-use open-source code library.

Squirrel is an open-source, object-oriented programming language used by video games and cloud services for customization and plugin development. It’s a lightweight scripting language that suits the size, memory bandwidth and real-time requirements of applications like video games and embedded systems.

Both of the games mentioned above use the Squirrel Engine game library to enable anyone to create custom game modes and maps.

Tracked as CVE-2021-41556, the Squirrel out-of-bounds read vulnerability can be exploited when a Squirrel Engine is used to execute untrusted code, as it is with Twilio Electric Imp or certain video games.

The vulnerability was discovered by SonarSource and detailed in a post published on Tuesday. In that writeup, vulnerability researchers Simon Scannell and Niklas Breitfeld suggested a real-world scenario in which an attacker could embed a malicious Squirrel script into a community map and distribute it via the trusted Steam Workshop: a mod repository for Steam Games that lets creators upload their mods for a massive built-in audience while providing regular players with an easy way to obtain mods.

“When a server owner downloads and installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, and takes control of the server machine,” the researchers explained.