Dota 2 has a dangerous exploit
Avast antivirus developers found 4 malicious mods in Steam Workshop. They were used to hack players' systems. The security staff of the antivirus shared the work done in its blog.
The company reported that all of these modifications were created by the same author. He used a long-known JavaScript V8 exploit – CVE-2021-38003. It was fixed in 2021, but Valve used an older version of the engine.
At first, the attacker only tested his exploit in the custom game mode "test addon plz ignore." After a successful attack, he created 4 more modes, 3 of which contained the "evil.lua" backdoor. It allowed the author to remotely execute commands on infected devices.
List of malicious mods:
- test addon plz ignore
- Overdog no annoying heroes
- Custom Hero Brawl
- Overdrow RTZ Edition X10 XP
Avast developers immediately reported the problem to Valve. In response, the Dota 2 developer released an update on January 12, replacing the vulnerable V8 version. Also, the company promptly removed the malicious mods and warned all potential victims. According to the company, there were no more than 200 users.