CS2 Votekick XSS

Posted on Dec 12, 2023

Yesterday, I came across something hilarious that actually turned out to be more malicious than I thought.

A new post appeared on Reddit (NSFW) showing someone observing a pornographic image in their CS2 game, appearing on the Vote Kick screen. This is very unusual, as no graphics should appear on that panel in the game. At first I thought this had to be Photoshop or fake, but it turns out it was in fact real.

After a quick search, I found the method of doing this, which was posted on UnknownCheats.

As it turned out, any HTML set as your Steam profile name gets rendered when the VoteKick panel appears in CS2. There is no sanitization of the name, nor any filtering of where the URI resource is located. I always assumed Valve would be smart enough to restrict this kind of thing to only load content from their CDN servers. It's bad that they let you render any HTML at all, but it's even worse that the origin of the request isn't restricted.

So I gave it a go myself, and it actually worked: :face_with_tears_of_joy:

Simply putting:

<img src="https://some.url/">

as your Steam name allows you to perform this trick. Note that Steam limits your name to a maximum of 32 characters. It seems, however, that people got creative with URL shorteners. Some even patched Steam to bypass this character limit, since CS2's Panorama UI system allows up to 128 characters for names. This let them size the image properly so it doesn't get resized the second time it's rendered on the user's client.
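The two controls the post says are missing, a name that is rendered as literal text rather than markup and an image origin restricted to an expected CDN, written out as an added defensive example. This is not code from the original post or from CS2 itself; the allowlisted host `cdn.example` and the sample names are assumptions.

```python
"""Added defensive example, not the post's or the game's own code.

Models the two missing controls described above: the display name should be
rendered as literal text, not markup, and any image URI the panel loads
should come only from an expected CDN origin. The allowlist host and the
sample names are constructed for illustration.
"""
import re
from html import escape
from urllib.parse import urlparse

# Assumed allowlist of hosts a client may fetch panel images from (placeholder).
ALLOWED_IMAGE_HOSTS = {"cdn.example"}
STEAM_NAME_MAX = 32       # Steam's own limit, per the post
PANORAMA_NAME_MAX = 128   # what the UI layer accepted, per the post

# Matches anything that looks like an HTML/SVG tag, e.g. <img ...> or <svg>.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")


def contains_markup(name: str) -> bool:
    """Detection: does a player name look like it carries HTML/SVG markup?"""
    return TAG_RE.search(name) is not None


def sanitize_display_name(name: str, max_len: int = STEAM_NAME_MAX) -> str:
    """Mitigation: enforce the name length server-side and HTML-escape the
    rest, so the UI shows '<img ...>' literally instead of loading it."""
    return escape(name[:max_len], quote=True)


def is_allowed_image_url(url: str) -> bool:
    """Mitigation: only fetch images over HTTPS from an allowlisted CDN host."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_IMAGE_HOSTS


def flag_names(names):
    """Return (name, reason) pairs for names that should be reviewed/rejected."""
    flagged = []
    for n in names:
        if contains_markup(n):
            flagged.append((n, "markup"))
        elif len(n) > STEAM_NAME_MAX:   # longer than Steam allows: patched client
            flagged.append((n, "too long"))
    return flagged


if __name__ == "__main__":
    # Constructed sample names, including the pattern quoted in the post.
    samples = ["Plain Player", '<img src="https://some.url/">', "x" * 100]
    for name, reason in flag_names(samples):
        print(f"{reason:9} {sanitize_display_name(name)}")
```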

A well-crafted PHP script

While drawing GIFs and eliciting reactions from teammates is fun, there's a more serious issue: since image tag origins aren't filtered, the server hosting the resource can capture every incoming request.

I previously experimented with PHP, crafting a malicious file masquerading as an image. It does so by setting the Content-Type header to an image type, using imagecreatetruecolor to create a 1x1 image, and outputting it to the browser/file with imagejpeg.

Alternatively, we can set Content-Type to an image type and serve our own image with readfile.

Using a PHP script that acts as an image gives us access to server variables such as:

$_SERVER['REMOTE_ADDR']
$_SERVER['HTTP_REFERER']

to retrieve the IP address (and referring page) of the client requesting the image resource. I created a POC demonstrating this yesterday which, funnily enough, got picked up by Sparkles.

Here is a link to my original video.

What more can be achieved?

So you might be thinking this doesn't seem that harmful: so what if my IP gets logged, no big deal? However, it is technically possible to execute JavaScript through elements such as SVG images, which is explained in a bit more detail here.

And it appears some people figured that out already:

Current Day

Valve appears to have patched the exploit this morning, as reported by various people on X (Twitter). They’ve also made changes to the Workshop Tools, disabling custom scripting and UI modifications, following another video showing game client alterations simply by loading a workshop map.

Where have I seen this before... :thinking_face:

A while ago, in CSGO, it was possible to achieve remote code execution by loading workshop maps. I created a POC video showing this back then:

Let's see what else surfaces in the future for this game...