
Squirrel Bug – Lets Attackers Execute Code in Games & Cloud Services!

An out-of-bounds read vulnerability in the Squirrel programming language lets attackers break out of sandbox restrictions & execute arbitrary code within a Squirrel virtual machine (VM), therefore giving a malicious player complete access to the underlying machine.

The out-of-bounds read vulnerability enables an attacker to escape a Squirrel VM in games with millions of monthly players – such as Counter-Strike: Global Offensive and Portal 2 – and in cloud services such as Twilio Electric Imp.

Potentially Endangers

Given where Squirrel lives – in games & embedded in the internet of things (IoT) – the bug potentially endangers the millions of monthly gamers who play video games such as Counter-Strike: Global Offensive & Portal 2, as well as cloud services such as the Twilio Electric Imp IoT platform, with its ready-to-use open-source code library.

Squirrel is an open-source, object-oriented programming language used by video games & cloud services for customisation & plugin development. It is a lightweight scripting language that suits the size, memory bandwidth & real-time requirements of applications like video games & embedded systems.

Both of the games mentioned use the Squirrel Engine game library to enable anyone to create custom game modes & maps.

Squirrel Engine

Tracked as CVE-2021-41556, the Squirrel out-of-bounds read vulnerability can be exploited when a Squirrel Engine is used to execute untrusted code, as it is with Twilio Electric Imp or certain video games.

The vulnerability was discovered by SonarSource & detailed in a post published on Tuesday.

In that writeup, vulnerability researchers Simon Scannell & Niklas Breitfeld suggested a real-world situation in which an attacker could embed a malicious Squirrel script into a community map & distribute it via the trusted Steam Workshop: a mod repository for Steam Games that lets creators upload their mods for a large built-in audience while providing regular players with an easy way to obtain mods.

Class Definition

“When a server owner downloads & installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, & takes control of the server machine,” the researchers explained.

The security flaw concerns an “out-of-bounds access via index confusion” when defining Squirrel classes. “The fact that bitflags are set within indexes is problematic as it is entirely possible for an attacker to create a class definition with 0x02000000 methods,” the researchers explained.

They created a “very simple” proof of concept (PoC): just a small amount of code that could be exploited to hijack a program & grant an attacker full control of the Squirrel VM.

Trigger the Vulnerability

“The rawset & rawget functions allow us to handily access members of a given class,” according to the analysis. “In this PoC, the squirrel interpreter will dereference a null pointer & segfault because the _defaultvalues array has not been allocated yet.”

An attacker could trigger the vulnerability by:

  1. Creating a class definition with 0x02000005 methods & 0x1 fields
  2. Accessing the method with the corresponding index 0x02000005
  3. The _isfield() macro returns true for this index as the bitflag 0x02000000 is set
  4. The _defaultvalues array is accessed with index 0x5. However, it only contains 0x1 entries & so the attacker has accessed out of bounds.
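An added C model of the index confusion the steps above describe, written for this article and not code from Squirrel or from the SonarSource writeup: the flag value 0x02000000 and the method/field counts come from the text, while the struct, the function names and the two hardening checks (a bounds check on access and a cap on member count) are illustrative assumptions, not the upstream fix commit.

```c
#include <stdbool.h>
#include <stdint.h>
/* Assumed encoding, as the page describes it: one flag bit marks a field, low bits carry the index. */
#define FIELD_FLAG 0x02000000u
#define INDEX_MASK (FIELD_FLAG - 1u)

typedef enum { SLOT_FIELD, SLOT_METHOD, SLOT_INVALID } SlotKind;
typedef struct { SlotKind kind; uint32_t idx; } Slot;
/* Toy class: only the member counts matter here, so no storage is allocated. */
typedef struct { uint32_t nfields; uint32_t nmethods; } ToyClass;

/* Vulnerable pattern: classify by the flag bit alone and trust the index. */
Slot resolve_unchecked(uint32_t member) {
    return (Slot){ (member & FIELD_FLAG) ? SLOT_FIELD : SLOT_METHOD, member & INDEX_MASK };
}

/* Hardened access (illustrative, not the upstream patch): bounds-check against the selected array. */
Slot resolve_checked(const ToyClass *c, uint32_t member) {
    Slot s = resolve_unchecked(member);
    uint32_t limit = (s.kind == SLOT_FIELD) ? c->nfields : c->nmethods;
    if (s.idx >= limit) s.kind = SLOT_INVALID;
    return s;
}

/* Hardened creation: refuse any member whose index would reach the flag bit. */
bool add_member(ToyClass *c, bool is_field) {
    uint32_t *count = is_field ? &c->nfields : &c->nmethods;
    if (*count >= FIELD_FLAG) return false;
    (*count)++;
    return true;
}

/* Replays the page's scenario: 0x02000005 methods, 1 field, lookup of raw method index 0x02000005.
 * True when the unchecked path would read _defaultvalues[5] of a 1-entry array and the checked path refuses. */
bool confusion_detected(void) {
    ToyClass c = { 1u, 0x02000005u };
    Slot bad = resolve_unchecked(0x02000005u);
    Slot ok = resolve_checked(&c, 0x02000005u);
    return bad.kind == SLOT_FIELD && bad.idx == 5u && bad.idx >= c.nfields
        && ok.kind == SLOT_INVALID;
}

/* The creation cap in action: the method count can never reach FIELD_FLAG. */
bool cap_enforced(void) {
    ToyClass c = { 0u, FIELD_FLAG - 1u };
    bool first = add_member(&c, false);   /* gets index 0x01FFFFFF: allowed */
    bool second = add_member(&c, false);  /* would get 0x02000000: refused */
    return first && !second && c.nmethods == FIELD_FLAG;
}
```

The access-time bounds check alone would still misclassify a legitimately numbered method as a field, which is why the count cap is the check that removes the confusion rather than merely containing it.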

The vulnerability is dangerous because a malicious player could set up a fake array that could read & write values. Using this primitive, the researchers found they could “hijack the control flow of the program & gain full control of the Squirrel VM,” which they did by overwriting function pointers.

Squirrel GitHub Repository Patched

The maintainer of the Squirrel GitHub repository acknowledged the vulnerability in August. A patch was put out as part of a code commit on Sept. 16.

As noted by The Hacker News, the changes haven’t been included in a new stable release, with the last official version (v3.1) released on March 27, 2016.

Apply the Available Fix

The researchers who discovered the vulnerability are “highly” recommending that maintainers who use Squirrel in their projects apply the available fix commit in order to protect against attacks.
