Counter-Strike Zero-Day Flaw

Neodyme researchers discovered three distinct RCE vulnerabilities in Counter-Strike: Global Offensive, where each vulnerability is exploited through a malicious Python server upon game client connection.

Despite fixing several critical vulnerabilities with a patch dated 04/28/2021, Counter-Strike: Global Offensive remains popular with 21 million monthly players, largely due to the range of game modes available on community servers.


Multiple Counter-Strike Zero-Day Flaw

The extensive availability of game modes, community servers, and modding support in Counter-Strike: Global Offensive results in a significant attack surface, with various parsers handling potentially malicious data directly from the game’s server.

The source engine’s TCP-like network stack, which is based on UDP, presents inherent complexities and vulnerabilities that have been exploited in previous attacks.

While cheater communities like UnknownCheats are frustrating for gamers, they provide valuable resources for security researchers, such as detailed reverse engineering posts and cheat tools that aid in understanding the network protocols.

Debug symbols, which provide recognizable function names and class structures, are a useful reverse engineering aid that can inadvertently be included in the final binaries of a game when programmers forget to remove them.

The April 2017 version of CS: GO for macOS unintentionally included full debug symbols, which could be automatically identified through tools like SteamDB and old repositories. However, Valve appears to have disabled the ability to download older versions via SteamCMD.

Vulnerabilities that are Discovered

Here below, we have mentioned all the vulnerabilities that the cybersecurity researchers discover:-

  • Bug 1: Execution of privileged commands from the server
  • Bug 2: Arbitrary file download due to extension stripping
  • Bug 3: Arbitrary text file is written in the game directory
  • Bug 4: Fallback to disabled signature checks

All four bugs are used as part of the entire bug chain to perform the following illicit tasks:-

  • Execute privileged commands on the client.
  • Download a malicious DLL to the game directory.
  • Replace the gameinfo.txt so that the malicious DLL is loaded on game startup.
  • Corrupt the client.dll to achieve a fallback to the insecure mode.

Here in the below video, you can see the flaws in action:-

Moreover, security researchers (Felipe and Alain) affirmed that it’s impossible to say the time they have spent on this bug-hunting project.

Meeting on Discord in the evenings to collaborate, program, and analyze findings, Alain, with around 250 hours of CS: GO gameplay but no online matches, joined forces with others to quickly discover bugs.

However, a significant amount of time was dedicated to creating an elaborate RCE demonstration required by Valve’s bug bounty program.

Following considerable pressure and the threat of full disclosure, the identified bugs were eventually patched, but the resulting payout of 7.5k per bug fell below their initial expectations.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.