An out-of-bounds read vulnerability in the Squirrel programming language lets attackers break out of the sandbox restrictions of a Squirrel virtual machine (VM) & execute arbitrary code outside it, giving a malicious player complete access to the underlying machine.
The out-of-bounds read vulnerability enables an attacker to escape a Squirrel VM in games with millions of monthly players – such as Counter-Strike: Global Offensive & Portal 2 – & in cloud services such as Twilio Electric Imp.
Potentially Endangers
Given where Squirrel lives – in games & embedded in the internet of things (IoT) – the bug potentially endangers the millions of monthly gamers who play video games such as Counter-Strike: Global Offensive & Portal 2, as well as cloud services such as the Twilio Electric Imp IoT platform, with its ready-to-use open-source code library.
Squirrel is an open-source, object-oriented programming language used by video games & cloud services for customisation & plugin development. It is a lightweight scripting language that suits the size, memory bandwidth & real-time requirements of applications like video games & embedded systems.
Both games embed the Squirrel engine so that anyone can script custom game modes & maps.
Squirrel Engine
Tracked as CVE-2021-41556, the Squirrel out-of-bounds read vulnerability can be exploited wherever the Squirrel engine is used to execute untrusted code, as it is with Twilio Electric Imp or certain video games; a deployment that only ever runs scripts written by its own developers is not exposed in the same way.
The vulnerability was discovered by SonarSource & detailed in a post published on Tuesday.
In that writeup, vulnerability researchers Simon Scannell & Niklas Breitfeld described a real-world scenario in which an attacker embeds a malicious Squirrel script into a community map & distributes it via the trusted Steam Workshop, a mod repository for Steam games that lets creators upload their mods for a large built-in audience while giving regular players an easy way to obtain mods.
Class Definition
“When a server owner downloads & installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, & takes control of the server machine,” the researchers explained.
The security flaw concerns an “out-of-bounds access via index confusion” when defining Squirrel classes. Squirrel records each class member's position as an integer index in which the high bits are flags that tell fields & methods apart; the bitflag 0x02000000 marks a field. “The fact that bitflags are set within indexes is problematic as it is entirely possible for an attacker to create a class definition with 0x02000000 methods,” the researchers explained.
They created a “very simple” proof of concept (PoC): a few lines of script that trigger the bug &, developed further, can be used to hijack the program & grant an attacker full control of the Squirrel VM.
Trigger the Vulnerability
“The rawset & rawget functions allow us to handily access members of a given class,” according to the analysis. “In this PoC, the squirrel interpreter will dereference a null pointer & segfault because the _defaultvalues array has not been allocated yet.”
An attacker could trigger the vulnerability by:
- Creating a class definition with 0x02000005 methods & 0x1 fields
- Accessing the method with the corresponding index 0x02000005
- The _isfield() macro returns true for this index because the bitflag 0x02000000 is set within it
- The _defaultvalues array is therefore accessed with index 0x5. It only contains 0x1 entries, so the access is out of bounds.
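To make the index confusion concrete, here is an added C model of the class-member encoding, written for this article; it is not the Squirrel source & not SonarSource's PoC. The field flag 0x02000000 & the _isfield() macro are the ones named above; the method flag 0x01000000, the 24-bit slot mask, the MEMBER_MAX_COUNT cap used by the hardened variant, & the struct layout are assumptions modelled on my recollection of sqclass.h, so check them against your checkout. The model reports what the real interpreter would do without any check: for the PoC's method index 0x02000005 the stored value carries the field bit, so the lookup takes the field path with slot 5 against a one-entry (or not yet allocated) _defaultvalues array.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Member-index encoding modelled on Squirrel's sqclass.h (assumption). A class
 * keeps one hash table mapping member names to an integer whose high byte
 * records the member kind & whose low 24 bits are the slot in either the
 * method array or the _defaultvalues array. */
#define MEMBER_TYPE_METHOD  0x01000000   /* assumed value of the method flag */
#define MEMBER_TYPE_FIELD   0x02000000   /* field flag quoted in the article */
#define MEMBER_IDX_MASK     0x00FFFFFF   /* assumed 24-bit slot mask */
#define MEMBER_MAX_COUNT    0x00FFFFFF   /* cap used by the hardened variant (assumption) */

#define _isfield(o)          ((((o) & MEMBER_TYPE_FIELD) != 0) ? 1 : 0)
#define _make_method_idx(i)  ((int64_t)(MEMBER_TYPE_METHOD | (int64_t)(i)))
#define _member_idx(o)       ((size_t)((o) & MEMBER_IDX_MASK))

/* Minimal model of SQClass: only the counts & the _defaultvalues pointer
 * matter for the bounds question, so no closures are stored. */
typedef struct {
    size_t         nmethods;        /* entries in the method array */
    const int64_t *defaultvalues;   /* _defaultvalues; NULL until allocated */
    size_t         ndefaultvalues;  /* entries in _defaultvalues */
} SqClassModel;

typedef enum { READ_METHOD, READ_FIELD, READ_NULL_DEREF, READ_OOB } ReadOutcome;

/* Vulnerable dispatch: trust the flag byte, as the pre-fix interpreter does.
 * The real code performs no checks; the ones here only report what it would
 * have dereferenced. */
static ReadOutcome vulnerable_get(const SqClassModel *c, int64_t encoded)
{
    size_t slot = _member_idx(encoded);
    if (_isfield(encoded)) {
        if (c->defaultvalues == NULL)  return READ_NULL_DEREF;  /* _defaultvalues[slot] on NULL */
        if (slot >= c->ndefaultvalues) return READ_OOB;         /* read past _defaultvalues */
        return READ_FIELD;
    }
    return slot < c->nmethods ? READ_METHOD : READ_OOB;
}

/* The index NewSlot would store for the i-th method. Once i reaches
 * 0x02000000 the stored value itself carries the field bit. */
static int64_t method_slot_index(size_t i) { return _make_method_idx(i); }

/* Constructed scenario from the PoC description: one field, enough methods
 * that method slot 0x02000005 exists, _defaultvalues allocated or not. */
static ReadOutcome poc_outcome(size_t method_slot, int defaultvalues_allocated)
{
    static const int64_t one_field[1] = { 1 };
    SqClassModel cls;
    cls.nmethods       = 0x02000006;
    cls.defaultvalues  = defaultvalues_allocated ? one_field : NULL;
    cls.ndefaultvalues = defaultvalues_allocated ? 1 : 0;
    return vulnerable_get(&cls, method_slot_index(method_slot));
}

/* Hardened NewSlot: refuse to add a member once the slot counter could spill
 * into the flag byte. The name & constant are assumptions, not the exact
 * upstream patch. */
static int hardened_new_method(SqClassModel *c)
{
    if (c->nmethods >= MEMBER_MAX_COUNT) return 0;   /* would alias a field index */
    c->nmethods++;
    return 1;
}

/* With the cap in place the largest reachable method slot is
 * MEMBER_MAX_COUNT - 1, which never sets the field bit. */
static int hardened_rejects_flag_spill(void)
{
    SqClassModel c = { MEMBER_MAX_COUNT, NULL, 0 };
    return hardened_new_method(&c) == 0 &&
           _isfield(method_slot_index(MEMBER_MAX_COUNT - 1)) == 0;
}

int main(void)
{
    int64_t idx = method_slot_index(0x02000005);
    printf("method 0x02000005 -> stored 0x%llx, _isfield=%d, slot=%zu\n",
           (unsigned long long)idx, _isfield(idx), _member_idx(idx));
    printf("with one default value: outcome %d (READ_OOB=%d)\n",
           poc_outcome(0x02000005, 1), READ_OOB);
    printf("before _defaultvalues is allocated: outcome %d (READ_NULL_DEREF=%d)\n",
           poc_outcome(0x02000005, 0), READ_NULL_DEREF);
    printf("hardened cap blocks the flag spill: %d\n", hardened_rejects_flag_spill());
    return 0;
}
```

The two outcomes match the two descriptions above: when _defaultvalues has not been allocated yet the field path dereferences NULL & the interpreter segfaults, as the researchers' PoC does; once it holds a single entry, the same index reads past its end, which is the primitive the fake-array technique builds on.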
The out-of-bounds access is dangerous because a malicious player can use it to set up a fake array object through which memory outside the VM's intended bounds can be read & written. Doing exactly that, the researchers found they could “hijack the control flow of the program & gain full control of the Squirrel VM,” which they achieved by overwriting function pointers.
Squirrel GitHub Repository Patched
The maintainer of the Squirrel GitHub repository acknowledged the vulnerability in August. A fix was committed on Sept. 16.
As noted by The Hacker News, the change has not been included in a new stable release; the last official version (v3.1) was released on March 27, 2016.
Apply the Available Fix
The researchers who discovered the vulnerability are “highly” recommending that maintainers who use Squirrel in their projects apply the available fix commit in order to protect against attacks. Because no tagged release contains the fix, downloading the v3.1 source is not enough: projects that bundle Squirrel need to build from the patched commit, & anyone who embeds Squirrel to run scripts from untrusted sources should treat the older code as exploitable until they do.