[CS:GO] Unchecked texture file name with TEXTUREFLAGS_DEPTHRENDERTARGET can lead to Remote Code Execution
Team Summary
Official summary from Valve
Title: [CS:GO] Unchecked texture file name with TEXTUREFLAGS_DEPTHRENDERTARGET can lead to Remote Code Execution
Scope: csgo.exe
Weakness: Stack Overflow
Severity: High (8.0)
Link: https://hackerone.com/reports/550625
Date: 2019-04-29 17:52:46 +0000
By: @nyancat0131

Details:

## Summary

A texture with a long file name and `TEXTUREFLAGS_DEPTHRENDERTARGET` set can trigger a stack buffer overflow, which leads to arbitrary code execution because the return pointer (EIP) is overwritten.

## Affects

Tested: CS:GO
Potentially affected: all of Valve's Source Engine games

## Steps to reproduce

- Download F478261 and extract it to the `<csgo_install_dir>/csgo` folder
- Start CS:GO and attach WinDbg or any other debugger
- Host a new game on map `aim_pwn`
- Observe the crash in the attached debugger. EIP will be overwritten with `0x61616161`

NOTE: The path to the CS:GO installation directory must not be too long, so that the accompanying texture file can be extracted successfully.

## Attack scenario

This vulnerability can be exploited remotely because anyone can host a CS:GO server with custom maps. When the victim connects to a malicious server, the custom map is downloaded along with its resources.

## Impact

Attackers can execute arbitrary code on the victim's computer. They can compromise the victim's important data, accounts, ... and many things more.
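As an added illustration (not Valve's code, not the reporter's, and not the Source engine's real texture loader), the C below models the bug class the report describes: a texture name copied into a fixed-size stack buffer without a length check, shown next to the bounded version that refuses over-long names. The flag value, the 64-byte buffer and the simulated frame layout are assumptions made for the model; the `0x61616161` it produces for a name of `'a'` bytes is the same value the report observes in EIP.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed flag value for illustration; the report names the flag, not its value. */
#define TEXTUREFLAGS_DEPTHRENDERTARGET 0x00010000u

/* Hypothetical fixed-size name buffer; the real buffer size is not in the report. */
#define NAME_BUF_SIZE 64

/* Constructed model of a 32-bit stack frame. The local name buffer sits just
 * below the saved frame pointer and the return address, so a copy that runs
 * past the buffer clobbers them in that order, which is what EIP = 0x61616161
 * in the report shows. */
struct frame {
    char     name[NAME_BUF_SIZE];
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

static void init_frame(struct frame *f)
{
    memset(f->name, 0, sizeof f->name);
    f->saved_ebp = 0xbffff000u;          /* constructed placeholder values */
    f->ret_addr  = 0xdeadbeefu;
}

/* Vulnerable pattern: the name length is never checked against the buffer.
 * The copy goes through a byte view of the whole frame so that the model is
 * well-defined C; on a real stack nothing clamps the write at the frame end. */
void unchecked_name_copy(struct frame *f, const char *texname, unsigned flags)
{
    if (!(flags & TEXTUREFLAGS_DEPTHRENDERTARGET))
        return;                          /* other texture paths not modelled */
    size_t n = strlen(texname) + 1;      /* what strcpy would write, NUL included */
    if (n > sizeof *f)
        n = sizeof *f;                   /* model-only clamp, see comment above */
    memcpy((unsigned char *)f, texname, n);
}

/* Hardened pattern: measure first, reject anything that does not fit together
 * with its NUL, and only then copy. Returns 0 on success, -1 when rejected. */
int checked_name_copy(struct frame *f, const char *texname, unsigned flags)
{
    if (!(flags & TEXTUREFLAGS_DEPTHRENDERTARGET))
        return 0;
    size_t len = strlen(texname);
    if (len >= NAME_BUF_SIZE)
        return -1;                       /* too long: fail the texture load */
    memcpy(f->name, texname, len + 1);
    return 0;
}

/* Constructed texture name of `len` 'a' bytes (0x61), like the crash input
 * in the report, capped to the scratch buffer and NUL-terminated. */
static void make_name(char *buf, size_t cap, size_t len)
{
    if (len >= cap)
        len = cap - 1;
    memset(buf, 'a', len);
    buf[len] = '\0';
}

/* Return address left in the frame after an unchecked copy of a `len`-byte
 * name: a name long enough to reach the slot yields 0x61616161. */
uint32_t ret_after_unchecked(size_t len)
{
    char name[256];
    struct frame f;
    make_name(name, sizeof name, len);
    init_frame(&f);
    unchecked_name_copy(&f, name, TEXTUREFLAGS_DEPTHRENDERTARGET);
    return f.ret_addr;
}

/* Status of the hardened copy for a `len`-byte name (0 accepted, -1 rejected). */
int checked_rc(size_t len)
{
    char name[256];
    struct frame f;
    make_name(name, sizeof name, len);
    init_frame(&f);
    return checked_name_copy(&f, name, TEXTUREFLAGS_DEPTHRENDERTARGET);
}

/* Return address after the hardened copy: unchanged whatever the length. */
uint32_t ret_after_checked(size_t len)
{
    char name[256];
    struct frame f;
    make_name(name, sizeof name, len);
    init_frame(&f);
    (void)checked_name_copy(&f, name, TEXTUREFLAGS_DEPTHRENDERTARGET);
    return f.ret_addr;
}

int main(void)
{
    printf("unchecked, 72-byte name: ret_addr = 0x%08x\n", (unsigned)ret_after_unchecked(72));
    printf("unchecked, 10-byte name: ret_addr = 0x%08x\n", (unsigned)ret_after_unchecked(10));
    printf("checked,   72-byte name: rc = %d, ret_addr = 0x%08x\n",
           checked_rc(72), (unsigned)ret_after_checked(72));
    return 0;
}
```

The point of the hardened version is the order of operations: the length is compared against the destination before a single byte is written, and a name that does not fit fails the load instead of being truncated silently, which is the behaviour a loader of untrusted map resources needs when the file name is chosen by whoever hosts the server.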
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $2500.00
Submitted
Weakness: Stack Overflow