Valve and/or MS, pls fix (or: How I Learned To Love the WebDAV)
Yup, that's me. You're probably wondering how Garry's Mod got there. Well, it's quite simple actually.
Here's the simplistic explanation: With steam:// URLs, rungameid allows you to pass console arguments. I use one of those to tell Garry's Mod its files are on a remote server. It dutifully loads them, DLLs and all.
But how exactly does this work? Well, it's quite dumb actually. You see, normal Windows file operations contain a secret hidden trapdoor in them called “network shares.” Anyway, you can host them for other people using a protocol called WebDAV. This allows you to load files from across the net using a simple command, which is nice if you're among the small percentage of users who want this in their daily lives.
However, it can lead to a lot of mischief. That little tidbit may, if you have been around the infosec community, remind you of a certain thing called “pass-the-hash.” (For the record, I'm 99% sure you can do pass-the-hash with this. I think it would be fair to question your reasoning, but you can.) Here, we use it to set the working game directory for the Source Engine to a remote share, causing it to load info remotely.
Valve, in their infinite wisdom, made it so that you can't use more than two backslashes in rungameid. Why is this the limit? No clue. However, it's easy to bypass by just...having all your stuff at the root folder, which is a thing you're allowed to do.
So, start a WebDAV server and point -game to it in your GMod instance. It takes a bit, and then immediately complains about gameinfo.txt not existing.
So. Start a WebDAV server, copy gameinfo.txt from your GMod folder into the root of the WebDAV folder, and then sit on your butt and watch Procmon. Garry's Mod immediately starts flipping the fuck out, filling your screen with pure white. That's great. Kill it, and then check your logs. You'll find a ton of DLLs that it loads — picking any of the ones in bin/ named game_shader_dx█.dll will immediately get your DLL loaded, word to the wise.
Any DLL that runs code on DLL_PROCESS_ATTACH or similar will run its payload the moment it is loaded.
Now, here's the fun part: I know for a fact that last I checked, this could be vaguely replicated in CS:GO. But I don't wanna install it, and I don't wanna check. If you figure it out, props to you, and maybe report it to Valve so they'll actually start doing something about this because it sucks man lol
How to mitigate, for the layman:
Don't open any steam:// links that look long, don't open steam from a browser, open your games directly from the Steam interface if you wanna do anything.
How to mitigate, for Valve:
Either make a breaking change to rungameid, push out a critical engine update that doesn't allow -game to load from a network share, or be exceedingly lazy and start stripping two backslashes instead of three. Also, please don't ban me.
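As an added example (my code, not the post's and not Valve's), here is the kind of check either a browser-side handler or the engine itself could run: pull the launch arguments out of a steam:// URL and refuse any -game value that is a network share. It assumes the URL shape steam://rungameid/<appid>//<args> (the "//" separator is an assumption), uses Garry's Mod's app id 4000 and the placeholder host dav.example.invalid in the constructed samples, and only treats -game as a path-taking option, since that is the one the post shows.

```python
"""Flag steam:// launch URLs whose -game argument points at a network share."""
import re
from urllib.parse import unquote

# Assumed URL shape: steam://rungameid/<appid>//<launch args>  (or steam://run/...).
STEAM_RUN_RE = re.compile(r"^steam://(rungameid|run)/(\d+)(?://(.*))?$", re.IGNORECASE)

# Launch options that name a directory the engine reads files (and DLLs) from.
# Only -game is taken from the post; extend this set if you know of others.
PATH_OPTIONS = {"-game"}


def is_network_path(value: str) -> bool:
    """True for UNC-style locations such as \\\\host or //host/share.

    A share root like \\\\host needs only two backslashes, so a limit of
    "no more than two backslashes" does not keep remote directories out.
    """
    v = value.strip("\"'")
    return v.startswith(("\\\\", "//"))


def parse_steam_url(url: str):
    """Return (app_id, [args]) for a run/rungameid URL, else None."""
    m = STEAM_RUN_RE.match(url.strip())
    if not m:
        return None
    # Percent-decode once so %5C%5C becomes \\ and %20 becomes a space.
    raw_args = unquote(m.group(3) or "")
    return m.group(2), raw_args.split()


def find_remote_game_dirs(url: str) -> list:
    """Return (option, path) pairs where the path is a network share."""
    parsed = parse_steam_url(url)
    if parsed is None:
        return []
    _, args = parsed
    hits = []
    for i, tok in enumerate(args):
        if tok.lower() in PATH_OPTIONS and i + 1 < len(args):
            if is_network_path(args[i + 1]):
                hits.append((tok, args[i + 1]))
    return hits


def is_suspicious(url: str) -> bool:
    """Block-or-warn decision: any -game pointing off the local disk."""
    return bool(find_remote_game_dirs(url))


if __name__ == "__main__":
    # Constructed samples: one plain launch, one local -game, one remote share root.
    for sample in ("steam://rungameid/4000",
                   "steam://rungameid/4000//-game%20garrysmod",
                   "steam://rungameid/4000//-game%20%5C%5Cdav.example.invalid"):
        print(sample, "->", "BLOCK" if is_suspicious(sample) else "ok")
```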
Vendor Notification Timeline:
- June 13, 2018: Reported
- June 13, 2018: Report accepted
- July 23, 2018: Asked for updates
- March 8, 2019: Received apology for late reply
- July 19, 2019: Severity was downgraded from 8.0 to 4.3 due to “no actual RCE”, $750 bounty awarded
- October 4, 2019: Asked for update
- March 1, 2021: Posted this blog