Decrypt LOL


VRChat Addresses Security Vulnerability in Latest Update


Quick take - A recently discovered vulnerability in VRChat, which has been addressed in the latest update, raises security concerns due to the platform’s user-generated content and the specific nature of the exploit related to Unity’s texture allocation process.

Fast Facts

  • A vulnerability in VRChat has raised security concerns and has been addressed in the latest update (version 2024.3.1p4).
  • Several Unity versions have also been updated to fix this issue, but the vulnerability does not imply risks for all Unity-based games.
  • The exploit involves manipulating memory addresses due to overflow issues in Unity’s texture allocation process, allowing unauthorized memory access.
  • VRChat’s open nature and user-generated content create a larger attack surface, with the platform using a custom scripting language called Udon.
  • The findings emphasize the need for vigilance in user-generated environments and the collaborative efforts to address such vulnerabilities.

VRChat Vulnerability Raises Security Concerns

A recent discovery of a vulnerability in VRChat, a popular online game known for its user-generated content, has raised significant concerns regarding security within the platform. This vulnerability has been addressed in the latest VRChat update, version 2024.3.1p4.

Unity Versions Updated

Several Unity versions, including 6000.0.20f1, 2022.3.48f1, and 2021.3.44f1, have also been updated to address this issue. Importantly, the presence of this vulnerability does not necessarily imply that other Unity-based games are at risk. Exploiting this particular bug requires a higher level of user control than is typically seen in many other gaming environments.

Attack Surface and Scripting Language

The open nature of VRChat, which allows users to create and upload their own worlds and avatars, creates a substantial attack surface for potential software vulnerabilities. The platform utilizes a scripting language called Udon, which operates on a custom bytecode virtual machine. Udon can be scripted through the Udon Node Graph, a graphical node-based environment, or UdonSharp, which compiles C# scripts into Udon bytecode.

While Udon is designed to sandbox untrusted user scripts, limiting access to potentially dangerous APIs, it exposes its own APIs along with a limited subset of Unity’s APIs and the C# standard library.

Texture Allocation Vulnerability

A significant aspect of the vulnerability lies in Unity’s texture allocation process. The function responsible for calculating texture sizes utilizes signed 32-bit integers, which can lead to overflow issues when managing large textures. This miscalculation can result in out-of-bounds heap read/write operations, creating a noteworthy security vulnerability.

Specifically, the exploit involves manipulating memory addresses, allowing unauthorized access to memory by overwriting the data pointer of a texture object to read or write memory at arbitrary addresses. Notably, VRChat employs IL2CPP, a Unity tool that precompiles C# code, influencing the execution of the exploit.

The game is distributed via Steam, which includes an in-game overlay with a hooking mechanism that creates writable and executable memory regions, providing additional avenues for exploitation. Importantly, the exploit does not depend on the Steam overlay being enabled, as it installs hooks irrespective of the overlay’s status.

An experiment with large texture creation revealed that allocating sizes just over the 32-bit unsigned integer limit could lead to unexpected behavior, including crashes due to memory issues. While a check for texture constructors has been added to prevent overflow, not all formats were addressed. Additionally, the ability to read uninitialized heap memory through intended Unity behavior was noted, although this was not utilized in the final exploit.
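The size calculation described in this section can be modelled in a few lines. The following is an added example, not Unity's or VRChat's code: the function names, the fixed bytes-per-pixel layout without mipmaps, and the TEX_MAX_BYTES limit are assumptions chosen for illustration. It puts a 32-bit size calculation that wraps beside a checked 64-bit version that rejects the same dimensions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed allocator limit for this example; not a value from the article. */
#define TEX_MAX_BYTES ((uint64_t)INT32_MAX)

/* Flawed pattern: the byte size is kept in 32 bits. The multiply is done in
 * uint32_t so the wraparound is well defined in C, then stored as a signed
 * 32-bit value the way the article describes. */
int32_t tex_size_unchecked(int32_t width, int32_t height, int32_t bpp)
{
    uint32_t wrapped = (uint32_t)width * (uint32_t)height * (uint32_t)bpp;
    return (int32_t)wrapped; /* out-of-range values wrap on common compilers */
}

/* Checked pattern: validate inputs, widen to 64 bits, and reject any size
 * above the limit before an allocation would happen. */
bool tex_size_checked(int32_t width, int32_t height, int32_t bpp, size_t *out)
{
    if (width <= 0 || height <= 0 || bpp <= 0)
        return false;
    /* Two positive int32 values multiply to less than 2^62: no overflow. */
    uint64_t pixels = (uint64_t)width * (uint64_t)height;
    if (pixels > TEX_MAX_BYTES / (uint64_t)bpp)
        return false;
    *out = (size_t)(pixels * (uint64_t)bpp);
    return true;
}

int main(void)
{
    /* Constructed sample dimensions: {width, height, bytes per pixel}. */
    const int32_t cases[][3] = {
        {1024, 1024, 4},   /* ordinary texture */
        {32768, 32769, 4}, /* true size is just over 2^32 bytes */
        {32768, 16384, 4}, /* true size is exactly 2^31 bytes */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t ok_size = 0;
        bool ok = tex_size_checked(cases[i][0], cases[i][1], cases[i][2], &ok_size);
        printf("%dx%d bpp=%d unchecked=%d checked=%s\n",
               cases[i][0], cases[i][1], cases[i][2],
               tex_size_unchecked(cases[i][0], cases[i][1], cases[i][2]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

In the second case the wrapped size is far smaller than the pixel data the dimensions imply, which is the mismatch that makes later reads and writes fall outside the allocation.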

The findings highlight the importance of maintaining vigilance in user-generated content environments and underscore the collaborative efforts of individuals and teams involved in addressing such vulnerabilities in VRChat and Unity.
