HTML Injection in Game Chat

fra

New member
Hello,
I have discovered a vulnerability in the chat feature that allows users to use HTML tags.

Steps to Reproduce:
In game, send a message containing any HTML tag, in my example, I've used the <img src> one.

The UI will actually render the HTML tag, an attacker can use this to disrupt gameplay by making the UI render content on the whole screen, showing NSFW media, or even log other players' IPs.

As for the attachment, here is how I was able to obtain my friend's IP address just by sending an image in the game chat.
I haven't tried whether this can be used as an RCE, but I suggest fixing it before anyone does.

All the tools that I've used are freely available online, and everything is censored for privacy reasons.

Looking forward to helping,
-fra
Update 1: The game won't render the resources from the page but IP grabbing is still possible.
View attachment ip_grab_poc.mp4
 
That's crazy. Hopefully they fix this asap, that could be really damaging potentially if RCE is found.
I don't have time right now, but if it's not solved by tomorrow I want to toy with it a bit more and see how much I can obtain from this.

But probably it will be nothing because the UI system should be the same as CS2, in fact, that game had the same exploit during its early release. I tried to see if I was able to run some JS code but I need to do more investigation about that.
 
Huge bump on this. We had a player in our game posting GIFs and causing extreme amounts of lag. Please sanitize all chats and/or places where people can put customized text. I wonder if player names are sanitized? 🤔

Example: match 77282 player Bot Keith was posting GIFs and it causes end-client lag.
 
This has been reported many times and sent directly to Yoshi (08.06.2024).
It happens because game messages use HTML code.
10.06.2024: not fixed
 
In CS2, using this vulnerability, they could run JS code and remove the limit on the number of characters in the nickname.
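The requests in the posts above (sanitize every place users can put text, and keep the nickname length limit from being bypassed with markup) come down to two controls: escape user text before an HTML-rendering UI shows it, and validate nicknames on the raw input. The following is an added example written for this thread; it is not code from the game or from anyone in the thread. The nickname limit, the regexes and the sample chat log are constructed for the demonstration.

```javascript
// Added example (not the game's code): output escaping for chat text plus
// flagging of markup for moderation logs, and a nickname check that applies
// the length limit to the raw string. Limits and sample data are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can open a tag or attribute, so the message is
// displayed literally instead of being parsed as HTML by the UI.
function escapeChatMessage(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Heuristics for moderation logging only; escaping is what actually prevents
// rendering. TAG_RE needs a letter right after "<" so "1 < 2" is not a tag.
const TAG_RE = /<\s*\/?\s*[a-z][^>]*>/i;
const RESOURCE_RE = /\b(src|href)\s*=|https?:\/\//i;

function classifyChatMessage(text) {
  const raw = String(text);
  const hasTag = TAG_RE.test(raw);
  const hasResource = RESOURCE_RE.test(raw);
  return {
    hasTag,
    hasResource,
    flagged: hasTag || hasResource,
    rendered: escapeChatMessage(raw), // what the UI should receive
  };
}

// Nickname policy (hypothetical values): length is measured on the raw input,
// and the characters that open markup are rejected outright.
const NICKNAME_MAX = 24;
const NICKNAME_FORBIDDEN = /[<>]/;

function isValidNickname(name) {
  const trimmed = String(name).trim();
  if (trimmed.length === 0 || trimmed.length > NICKNAME_MAX) return false;
  return !NICKNAME_FORBIDDEN.test(trimmed);
}

// Constructed sample chat log; the players and messages are invented.
const SAMPLE_CHAT = [
  { player: 'PlayerA', text: 'gg wp' },
  { player: 'PlayerB', text: '<img src="http://example.invalid/x.gif">' },
  { player: 'PlayerC', text: 'look: https://example.invalid/page' },
  { player: 'PlayerD', text: '1 < 2 but 3 > 2' },
];

// Scan a log and return one classification per message.
function scanChatLog(messages) {
  return messages.map((m) => ({ player: m.player, ...classifyChatMessage(m.text) }));
}

// Names of the players whose messages were flagged.
function flaggedPlayers(messages) {
  return scanChatLog(messages).filter((r) => r.flagged).map((r) => r.player);
}
```

Calling `flaggedPlayers(SAMPLE_CHAT)` returns `['PlayerB', 'PlayerC']`: the `<img>` message and the bare URL are flagged, while `1 < 2 but 3 > 2` is left alone and simply rendered as `1 &lt; 2 but 3 &gt; 2`. The point of measuring nickname length before any escaping is that a name stuffed with tags cannot shrink to fit the limit after the UI strips or hides the markup.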
 
Can confirm as well. Last night, a player sent a slightly inappropriate gif in a match I was in.

PS: Today's small patch didn't fix it either. I could reproduce it in the hero sandbox.
 
Can confirm the issue is still there.
I will attach the console output when I try to load www.google.com with this method:
1718051893883.png
I used www.google.com because it was the only page that gave me a more detailed error log because of the "Unsupported resource type" line, but when I put images / .php pages it goes without a problem.

I tried to make the client download stuff but with no luck, so I really think an RCE isn't possible. I feel like some inputs are sanitized but not everything, and the funny thing is that when I load PHP pages it executes them without any issues (until it's a GET request).

I am starting to think this isn't a big deal but it can still piss other people off, honestly I don't mind having my IP leaked but it can be an issue for others.
 
UI issue seems to be gone (after today's third patch), but I think IP grabbing might still be possible. Could someone verify on their end? I might have tested it wrong.
 
UI doesn't render the image anymore, but the game still tries to load the content, thus IP grabbing is still possible.
 
Update:
Today's update has fixed the issue about the UI rendering from the <img src> tag, but the game will still load the page.
In the attachment below, there is an example of how a PHP page was still able to run.
The PHP page that I ran is a simple logger: when someone visits that page, a file called "log.txt" is created with the info I want to retrieve, like the user agent or even the public IP.

View attachment 2024-06-12 00-22-46.mp4
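The observation in the last few posts is that hiding the rendered `<img>` is not enough: as long as the client still resolves URLs found in user text, it will contact whatever host the text names, and that host learns the client's address. The defensive control is a fetch policy on the client. Below is an added example written for this thread, not code from the game or from anyone posting here; the allowlisted host is a constructed placeholder.

```javascript
// Added example (not the game's code): a client-side fetch policy. Escaping
// stops markup from rendering, but a client that still resolves URLs found in
// user text will contact whatever host the text names. Here only an allowlist
// of hosts over HTTPS may be fetched. The allowlist is a constructed placeholder.

const ALLOWED_RESOURCE_HOSTS = new Set(['cdn.example.invalid']);

// Decide whether a single URL may be fetched. Anything that does not parse,
// is not HTTPS, carries credentials, or names an unlisted host is refused.
function isAllowedResourceUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch (e) {
    return false; // relative or malformed: never guess a base
  }
  if (url.protocol !== 'https:') return false;
  if (url.username !== '' || url.password !== '') return false;
  return ALLOWED_RESOURCE_HOSTS.has(url.hostname.toLowerCase());
}

// Pull every absolute http(s) URL out of a chat message and decide each one.
// Useful both as the gate before any load and as a log line for detection.
function auditResourceReferences(text) {
  const found = String(text).match(/https?:\/\/[^\s"'<>]+/gi) || [];
  return found.map((u) => ({ url: u, allowed: isAllowedResourceUrl(u) }));
}

// True only when every URL in the message is allowed (messages with no URLs pass).
function messageMayLoadResources(text) {
  return auditResourceReferences(text).every((r) => r.allowed);
}
```

With this policy a message such as `<img src="https://other.example.invalid/log.php">` yields one audit entry marked `allowed: false`, so the client never issues the request and the logging page on the other end never sees a visitor. Running the same audit server-side over chat traffic also gives a cheap detection signal for accounts that keep pasting unlisted URLs.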
 
Sorry for the quick new reply, but I was thinking about this:
maybe the game will run that command only for the player executing it; I need to get a friend to test it.
 