CDPR's Cyberpunk 2077 Mods Warning Just Scratches The Surface Of Deeper Game Code Issues
Yesterday, we reported that CD Projekt Red sent out a warning that was effectively against "downloading mods", but it appears that we did not have the full story from the developers of Cyberpunk 2077. According to users on the CD Projekt Red forums, the Cyberpunk 2077 devs are partially to blame for what seems to be several vulnerabilities used in conjunction, which led to the outcry.
Yesterday, forum user yamamushi replied to the main warning thread, which disclosed a vulnerability in Cyberpunk 2077. He explained that since the announcement, modders were getting blamed for the vulnerability when that line of reasoning was entirely wrong. Specifically, "What CDPR posted [in the thread] is WRONG, it isn't caused by an external DLL, the vulnerability is caused by a buffer overflow in a function they use to load strings, this function is used more than 100 times in the game, it is used to load the save games, the archive assets and other parts that we haven't investigated." In short, any Cyberpunk 2077 data file that passes through that string-loading function, not just a mod DLL, could serve as the entry point for an exploit.
Now knowing this, we spoke to PixelRick, who appears to have initially reported the problem. He explained to us that someone could use the buffer overflow to get at functions inside xinput1_3.dll. This happens because Address Space Layout Randomization (ASLR) is not supported by the library, thanks to Microsoft's implementation of the DLL back in 2010. Effectively, malicious code could jump to a DLL function time and time again with no memory location randomization. The DLL functions can then be "strung together" to bypass Data Execution Prevention (DEP), which would allow the execution of malicious code sent in with the overflow on the victim's system. If you want to read the more in-depth explanation available to the public, it is available on PixelRick's GitHub in a readme.
At the end of the day, it seems that not all mods and modders are to blame as initially interpreted. Moreover, CD Projekt Red could have done a better job disclosing the issue at hand rather than using a simple tweet. Hopefully, all of this will soon stop being a concern once CDPR patches the buffer overflow issue and Microsoft fixes the DLL. It even appears that PixelRick has a Cyberpunk 2077 update branch named after him, so hopefully a patch is just over the horizon. Overall, still be wary of what you download, but well-regarded mods for Cyberpunk 2077 are not going to be a massive danger to players at this time.