CD Projekt Red said Cyberpunk 2077 players should use caution when modding the game or using custom save games. The developer has disclosed that an active Cyberpunk 2077 vulnerability exists within the game’s code that would allow arbitrary code execution.
The vulnerability was disclosed by Cyberpunk 2077 community member PixelRick. The report included details that the exploit targets the way the game’s DLLs handle certain data. DLL stands for Dynamic-link library, a library of code that the game or program loads into its own process and can call throughout that process’s lifetime, not just at startup. This is normally secure, as long as checks are in place to verify data integrity. In the case of remote or arbitrary code execution, the afflicted DLL passes unchecked data to the program, which then executes it. This would allow a malicious programmer to run unverified code from within the program, in this case Cyberpunk 2077.
The vulnerability bypasses ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) in Windows, making it possible to pivot the style of attack into other software beyond a modded video game. The attack itself accesses certain data streams within certain file types and can be used to run arbitrary code. Through some complicated chicanery with vulnerable files, the game will load the malicious code into memory when you do things like save a game. This could even spread the exploit and payload around if you share infected save files.
Here’s how PixelRick, the modder who disclosed the problem, described it:
The vulnerability impacts DATA files. A buffer overflow can be triggered in the game when it loads those files. The reason is that the game uses a buffer of 512 bytes to serialize a maximum of 512 wide-characters for identifier strings, and that is 1024 bytes (a wide-character is 2 bytes). This buffer overflow can be exploited with the help of a second vulnerability that is a third-party library that the game uses: xinput1_3.dll. This dynamic library is not relocatable and thus is a direct bypass for a security feature called ASLR (Address Space Layout Randomization). Also, this library is enough to build a ROP-chain to bypass DEP (Data Execution Prevention) in order to execute code that has been inlined in the overflowed buffer. (This ROP-chain won’t be disclosed any time soon as it represents a risk not only for CP77 but for every piece of software using it.)
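As an added illustration, not code from the game, CDPR or PixelRick, here is the unit confusion the report describes: a bound counted in wide characters checked against a buffer sized in bytes, next to a bound that compares bytes with bytes. The 512-byte buffer and the 512-character limit come from the report; the function names, the absence of a string terminator and the constructed sample input are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Sizes from the report: a 512-byte buffer meant to hold up to 512
 * wide characters, each 2 bytes (UTF-16 code units on Windows). */
#define IDENT_BUF_BYTES  512
#define MAX_IDENT_CHARS  512
#define WCHAR_BYTES      2

/* Bytes a string of n_chars wide characters occupies (no terminator assumed). */
size_t ident_bytes_needed(size_t n_chars) {
    return n_chars * WCHAR_BYTES;
}

/* Flawed bound: compares a character count against a character limit
 * that is twice what the byte-sized buffer can hold. 512 characters
 * pass this check but need 1024 bytes. */
int buggy_check_accepts(size_t n_chars) {
    return n_chars <= MAX_IDENT_CHARS;
}

/* Hardened bound: compare the byte length with the buffer size in bytes. */
int safe_check_accepts(size_t n_chars) {
    return ident_bytes_needed(n_chars) <= IDENT_BUF_BYTES;
}

/* Hardened loader: copy a UTF-16 identifier read from a file (raw bytes
 * plus its code-unit count) into the fixed buffer, rejecting anything
 * that does not fit. Returns bytes copied, or -1 when rejected. */
int load_identifier(unsigned char out[IDENT_BUF_BYTES],
                    const unsigned char *in, size_t n_chars) {
    if (!safe_check_accepts(n_chars)) return -1;
    size_t n = ident_bytes_needed(n_chars);
    memcpy(out, in, n);
    return (int)n;
}

/* Constructed sample: an identifier of n_chars 'A' code units, as a file
 * parser would see it. Returns what load_identifier reports for it. */
int demo_load(size_t n_chars) {
    unsigned char in[MAX_IDENT_CHARS * WCHAR_BYTES];
    unsigned char out[IDENT_BUF_BYTES];
    if (n_chars > MAX_IDENT_CHARS) return -2;  /* outside the constructed sample */
    for (size_t i = 0; i < n_chars; i++) { in[2 * i] = 'A'; in[2 * i + 1] = 0; }
    return load_identifier(out, in, n_chars);
}
```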
CDPR has acknowledged the issue and plans to issue a patch soon. Their advice is to wait for the patch for now. It also can’t hurt to run a malware scan on your systems if you think they might be infected. Stay away from any mods that include executables for now, though this vulnerability is especially dangerous because it can turn any non-executable file into something like one.
When the developers issue the patch, it should stop any malicious code from being run through the game files. Although that’s good, it’s still a very good idea to run a cursory check of any mods you download for viruses or malware afterwards. Frankly, you should be doing that for any mods you download. Some modders, like yamashi, have already patched part of the problem within their own mods.
As we are all no doubt aware by this point, Cyberpunk 2077 has not been the best of launches. Sure, the PC version ran fine, but the same could not be said for the console ports. Despite the massive launch sales of more than 13 million units, the game was hit with a wave of ongoing criticism. That’s without taking into account the massive wave of refunds. Microsoft offered an indefinite refund period for the game. Best Buy even began accepting returns of opened boxed copies. More than 80% of players have already stopped playing. And without major updates, a lot of those players won’t come back.
And a lot of that is due to the buggy state of the game on launch. CDPR has tried to fix things, but people continue to find issues like this. Another recent patch also introduced a major bug that blocked game progress.