CyberManipal.

Tech news from MIST

Squirrel Engine Bug lets attackers hack games and cloud services

Vulnerabilities
@LavanyaRao

Lavanya Rao K

October 20, 2021

Squirrel is an open-source, object-oriented programming language used for scripting video games, in IoT devices, and in distributed transaction processing platforms such as Enduro/X. Researchers have disclosed an out-of-bounds read vulnerability in the Squirrel programming language that attackers can abuse to break out of the sandbox restrictions and execute arbitrary code within a SquirrelVM, giving the attacker complete access to the underlying machine.

The bug is tracked as CVE-2021-41556. The issue occurs when a game library referred to as Squirrel Engine is used to execute untrusted code, and it affects the stable release branches 3.x and 2.x of Squirrel. The issue has been addressed as part of a code commit pushed on September 16.

The bug potentially endangers millions of monthly gamers who play video games. Vulnerability researchers Simon Scannell and Niklas Breitfeld suggested a real-life scenario where an attacker could embed a malicious Squirrel script into a community map and distribute it through the trusted Steam Workshop, a mod repository for Steam games. When a server owner installs this malicious map onto their server, the Squirrel script is executed, escapes its VM, and takes control of the server machine.

The identified security flaw relates to an "out-of-bounds access via index confusion" when defining Squirrel classes. The vulnerability is risky because a malicious actor could set up a fake array to read and write values. This lets the attacker hijack the program's control flow and gain complete control of the Squirrel VM by overwriting function pointers.
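To make "index confusion" concrete for anyone auditing an embedded scripting VM, here is a simplified model added for this write-up; it is not Squirrel's code and not taken from the researchers' report. The 4-bit index, the tag bits and all function names are assumptions chosen to keep the model small: a member handle packs a type tag next to a slot index, and an unchecked member count spills into the tag bit unless the count and the use site are both validated.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy handle layout (assumption for illustration, not Squirrel's constants):
   low 4 bits = slot index, bit 4 = "field" tag, bit 5 = "method" tag. */
#define IDX_MASK   0x0Fu
#define TAG_FIELD  0x10u
#define TAG_METHOD 0x20u
#define MAX_SLOTS  (IDX_MASK + 1u)

typedef struct { uint32_t nfields, nmethods; } toy_class;

/* Unchecked: the running count is OR-ed straight into the handle, so the
   17th method (count 16 = 0x10) sets the bit reserved for the field tag. */
uint32_t add_method_unchecked(toy_class *c) { return TAG_METHOD | c->nmethods++; }

/* Hardened: refuse a count that no longer fits in the index bits. */
int add_method_checked(toy_class *c, uint32_t *handle) {
    if (c->nmethods >= MAX_SLOTS) return -1;
    *handle = TAG_METHOD | c->nmethods++;
    return 0;
}

/* The naive type test a consumer of the handle might use. */
int is_field(uint32_t h) { return (h & TAG_FIELD) != 0; }

/* Defence in depth at the use site: exactly the field tag must be set and
   the index must lie inside the field table. Returns the slot or -1. */
int resolve_field(const toy_class *c, uint32_t h) {
    uint32_t idx = h & IDX_MASK;
    if ((h & (TAG_FIELD | TAG_METHOD)) != TAG_FIELD) return -1;
    if (idx >= c->nfields) return -1;
    return (int)idx;
}

/* Handle handed out for the n-th method (1-based) on the unchecked path. */
uint32_t nth_method_handle(unsigned n) {
    toy_class c = {0, 0};
    uint32_t h = 0;
    for (unsigned i = 0; i < n; i++) h = add_method_unchecked(&c);
    return h;
}

/* How many of `attempts` method definitions the checked path accepts. */
unsigned count_accepted_checked(unsigned attempts) {
    toy_class c = {0, 0};
    uint32_t h;
    unsigned ok = 0;
    for (unsigned i = 0; i < attempts; i++) ok += (add_method_checked(&c, &h) == 0);
    return ok;
}

int main(void) {
    uint32_t h = nth_method_handle(17);
    printf("handle=0x%02x is_field=%d\n", (unsigned)h, is_field(h));
    return 0;
}
```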

Abridged from Threat Post
