Brymko, dezk, Simon Scannell May 13, 2021

One of the factors contributing to Counter-Strike Global Offensive's (herein "CS:GO") massive popularity is the ability for anyone to host their own community server. These community servers are free to download and install and allow for a high grade of customization. Server administrators can create and utilize custom assets such as maps, allowing for innovative game modes.

However, this design choice opens up a large attack surface. Players can connect to potentially malicious servers, exchanging complex game messages and binary assets such as textures.

We've managed to find and exploit two bugs that, when combined, lead to reliable remote code execution on a player's machine when connecting to our malicious server. The first bug is an information leak that enabled us to break ASLR in the client's game process. The second bug is an out-of-bounds access of a global array in the .data section of one of the game's loaded modules, leading to control over the instruction pointer.

Players can join community servers using a user-friendly server browser built into the game:

Once the player joins a server, their game client and the community server start talking to each other. As security researchers, it was our task to understand the network protocol used by CS:GO and what kind of messages are sent so that we could look for vulnerabilities.

As it turned out, CS:GO uses its own UDP-based protocol to serialize, compress, fragment, and encrypt data sent between clients and a server. We won't go into detail about the networking code, as it is irrelevant to the bugs we will present.

More importantly, this custom UDP-based protocol carries Protobuf serialized payloads. Protobuf is a technology developed by Google which allows defining messages and provides an API for serializing and deserializing those messages.

Here is an example of a protobuf message defined and used by the CS:GO developers:

We found this message definition by doing a Google search after having discovered CS:GO utilizes Protobuf. We came across the SteamDatabase GitHub repository containing a list of Protobuf message definitions.

As the name of the message suggests, it's used to initialize some kind of voice-message transfer of one player to the server. The message body carries some parameters, such as the codec and version used to interpret the voice data.

Having this list of messages and their definitions enabled us to gain insights into what kind of data is sent between the client and server. However, we still had no idea in which order messages would be sent and what kind of values were expected. For example, we knew that a message exists to initialize a voice message with some codec, but we had no idea which codecs are supported by CS:GO.

For this reason, we developed a proxy for CS:GO that allowed us to view the communication in real-time. The idea was that we could launch the CS:GO game and connect to any server through the proxy and then dump any messages received by the client and sent to the server. For this, we reverse-engineered the networking code to decrypt and unpack the messages. We also added the ability to modify the values of any message that would be sent/received. Since an attacker ultimately controls any value in a Protobuf serialized message sent between clients and the server, it becomes a possible attack surface. We could find bugs in the code responsible for initializing a connection without reverse-engineering it by mutating interesting fields in messages.
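To make the two points above concrete (what a Protobuf-serialized payload looks like on the wire, and why a receiver must treat every field of such a message as untrusted input), here is an added example in plain Python. It is not code from the original post, from the CS:GO client, or from the SteamDatabase repository: it hand-rolls the Protobuf varint and length-delimited wire encoding with no dependencies, builds a constructed voice-init-style message (codec string, version and quality integers), decodes it back, and runs a receiver-side validation that rejects unknown codecs, out-of-range numbers and truncated buffers. The field numbers, the codec allowlist and the limits are assumptions chosen for illustration, not CS:GO's actual values.

```python
"""Minimal Protobuf wire-format encoder/decoder plus receiver-side validation.

Hypothetical example: field numbers, codec names and limits below are
assumptions for illustration, not taken from CS:GO's .proto definitions.
"""

# Wire types from the Protobuf encoding specification (only the two we need)
WT_VARINT = 0   # int32/int64/uint/bool/enum
WT_LEN = 2      # string/bytes/embedded message

# Assumed field layout of a voice-init style message (constructed, not CS:GO's)
F_QUALITY, F_CODEC, F_VERSION = 1, 2, 3
ALLOWED_CODECS = {"codec_a", "codec_b"}   # hypothetical allowlist
MAX_VERSION = 3                            # hypothetical upper bound
MAX_QUALITY = 10                           # hypothetical upper bound


def encode_varint(value: int) -> bytes:
    """Base-128 varint, 7 payload bits per byte, MSB set on all but the last byte."""
    if value < 0:
        raise ValueError("negative values need 64-bit two's-complement encoding; not handled here")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (value, new_pos); refuses truncated or absurdly long varints."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def encode_message(fields: list[tuple[int, object]]) -> bytes:
    """Serialize (field_number, value) pairs; ints become varints, str/bytes become length-delimited."""
    out = bytearray()
    for number, value in fields:
        if isinstance(value, int):
            out += encode_varint((number << 3) | WT_VARINT) + encode_varint(value)
        elif isinstance(value, (str, bytes)):
            data = value.encode() if isinstance(value, str) else value
            out += encode_varint((number << 3) | WT_LEN) + encode_varint(len(data)) + data
        else:
            raise TypeError(f"unsupported value type {type(value).__name__}")
    return bytes(out)


def decode_message(buf: bytes) -> list[tuple[int, int, object]]:
    """Parse a buffer into (field_number, wire_type, raw_value) triples with bounds checks."""
    pos, fields = 0, []
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 7
        if wire_type == WT_VARINT:
            value, pos = decode_varint(buf, pos)
        elif wire_type == WT_LEN:
            length, pos = decode_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of buffer")
            value = buf[pos:pos + length]
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((number, wire_type, value))
    return fields


def validate_voice_init(buf: bytes) -> dict:
    """Receiver-side check: every field arrived over the network and is attacker-controlled."""
    parsed = {}
    for number, wire_type, value in decode_message(buf):
        if number == F_CODEC and wire_type == WT_LEN:
            codec = value.decode("utf-8")          # UnicodeDecodeError is a ValueError
            if codec not in ALLOWED_CODECS:
                raise ValueError(f"unsupported codec {codec!r}")
            parsed["codec"] = codec
        elif number == F_VERSION and wire_type == WT_VARINT:
            if value > MAX_VERSION:
                raise ValueError(f"version {value} out of range")
            parsed["version"] = value
        elif number == F_QUALITY and wire_type == WT_VARINT:
            if value > MAX_QUALITY:
                raise ValueError(f"quality {value} out of range")
            parsed["quality"] = value
        # Unknown fields are skipped, as Protobuf does; they are never used as an index.
    if "codec" not in parsed:
        raise ValueError("codec is required")
    return parsed


def is_rejected(buf: bytes) -> bool:
    """True if the receiver-side validation refuses the buffer."""
    try:
        validate_voice_init(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample message, then a mutated copy with a codec outside the allowlist
    good = encode_message([(F_QUALITY, 5), (F_CODEC, "codec_a"), (F_VERSION, 1)])
    print(good.hex(), decode_message(good), validate_voice_init(good))
    print(is_rejected(encode_message([(F_CODEC, "codec_zzz"), (F_VERSION, 1)])))
```

The decoder mirrors what the proxy in the text had to do after decrypting a packet, and `validate_voice_init` is the shape of check the receiving side needs: a string field is only accepted against an allowlist, an integer is range-checked before it can ever select a codec table entry, and a length prefix is checked against the buffer before it is used.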