A vulnerability in Valve's Source SDK, a library used by game vendors to support custom mods and other features, allows a malicious actor to execute code on a user's computer, and optionally install malware, such as ransomware, cryptocurrency miners, banking trojans, and others.
The issue came to light today when security researcher Justin Taft of One Up Security published a report detailing his findings.
The vulnerability is a simple buffer overflow in the Source SDK, which an attacker can exploit to inject a piece of malicious code and execute it on a targeted machine.
Flaw exploited via custom maps and mods
Games based on the Source engine use the Source SDK to let third-party companies or independent developers create custom mods for their games. In addition, Source engine map files allow developers to pack custom content that is loaded along with a custom map.
Taft says that an attacker could use mod or map files to load the exploit code for the vulnerability he discovered.
For example, a malware developer could create a malicious ragdoll model, a file that defines how players' characters move when they die. Taft says that a malware developer can place exploit code in the ragdoll model file and pack it inside malicious map files and game mods.
When users connect to servers, in most cases their games automatically download and load these resources. All it takes is for one player to get shot and die for the malicious code to execute.
Vulnerability could be exploited to target enterprises
Although the vulnerability affects games, it also poses a security threat to companies, not only to casual gamers.
"As video games are common inside employee break rooms and homes of employees, exploitation of a vulnerability could be used in a targeted attack to jump the air gap to a private network," Taft explains. "As a mitigation, games should not be installed on work devices. Gaming machines should be moved to an untrusted network, and business devices should not connect to the untrusted network."