Hackers Prove Alarming Remote Code Execution Attack In Malicious CS:GO Game Servers

hackers get remote code execution through malicious counter strike global offensive server
Counter-Strike: Global Offensive (CS:GO) has been going strong since 2012, regularly hitting the “Top Games By Current Player Count” list on Steam. With this thriving community, it could make for a great opportunity to try and hack players through the game, and it seems that is indeed a potential threat. Researchers recently found a way to get reliable remote code execution on players’ computers just by joining a malicious community server.

The Secret Club is a group of like-minded hackers and researchers who believe in open research about security, reverse engineering malware, and game hacking. Concerning the last part about game hacking, it seems they targeted CS:GO due to its recurring popularity, thanks in part to the “ability for anyone to host their own community server.” While these community-hosted servers are free to use and allow for lots of creativity and fun, they also provide a rather large security attack surface, as players could connect to any number of malicious servers unwittingly.

server browser hackers get remote code execution through malicious counter strike global offensive server
CS:GO's Community Server Browser

Therefore, the group went on to test the idea of a malicious community server, and it appears they were successful. On Thursday, the group published a blog stating they had “managed to find and exploit two bugs that, when combined, lead to reliable remote code execution on a player’s machine when connecting to our malicious server.” The first bug is “an information leak that enabled us to break ASLR in the client’s game process,” while the second is an “out-of-bounds access of a global array in the .data section of one of the game’s loaded modules, leading to control over the instruction pointer.”

This works because when a player joins a server, the game client and community server begin communicating information and assets. While there is some more in-depth information about this, it all culminates in popping calculator.exe, as shown in the above video. Thankfully, these bugs have now been fixed, but it appears it was not without trouble as Valve went quiet about the situation initially. According to the blog post, the researchers “did not even receive an acknowledgment by a Valve representative,” in over four months. Seemingly, Valve also ignored other researchers with similar impacts over this timeframe, but it is unknown what they had reported.

In the future, we hope that Valve will correct its security program’s issues and make reporting bugs more worthwhile, rather than giving silent treatment to those trying to help. Either way, perhaps we will see more vulnerabilities of this type pop up in the future as research into CS:GO continues, so keep an eye on HotHardware for updates and let us know what you think of this in the comments below.