A code execution security vulnerabilty has been identified in all games built with Unity 2017 and later

Apparently the biggest risk is that another malicious application could modify the intent urls of the runtime to pass extra arguments to the command line and run arbitrary code whenever you start a unity game. Apparently permissions could be escalated on windows but only if you registered the app as a custom URL schema handler

It’s an easy attack vector to drain crypto wallets!

Honestly, I am pretty shocked at how simple and easy it was to apply the patch. Kinda surprising from the Unity team, but a welcome surprise, to be sure.

Some Unity games may be launched with a parameter that causes them to execute arbitrary code. It seems like it only makes sense on Android. Windows and Linux games can normally only be launched by a process with the same or greater privileges than the process being created, but on Android you can elevate privileges by invoking another app. In practical terms, another app can access the save data of your mobile games.

There was also something about games that register to be launchable directly from a webpage, which would allow web sites to escape the browser sandbox, but it didn’t sound likely.

looks

For Linux, my off-the-cuff take is that I’m not that excited about it. It means that if you can launch a Unity game and pass it command-line arguments, then you can cause it to take actions that you want. Okay, but usually the security context of someone who can do that and the game that’s running should probably be the same. If you can launch a game with specified parameters to do something bad, you can probably also just do something bad and cut the game out of the picture.

This is why you have few suid binaries on a Limux system (and should never make something large and complex, like a Unity game, suid) — because then the binary does have a different security context than the launching process.

Now, it’s possible that there are scenarios where you could make this badly exploitable. Say games have chosen to trust command-line arguments from a remote system, and that game has community servers. Like, maybe they have a lobby app that launches a Unity binary with remotely-specified command line arguments. But in that case, I think that the developer is already asking for trouble.

Most games are just not going to be sufficiently hardened to avoid problems if an attacker can pass arbitrary command lines anyway. And as the bug points out, on Linux, you can achieve something similar to this for many binaries via using LD_PRELOAD anyway — you can use that route to make fixes for closed-source Linux games. Windows has similar routes, stuff like DLL injection.

It’s possible that this is more serious on Android. I don’t know if there’s a way to pass command line parameters there, and doubt it, but part of the Android security model is that apps run in isolation, and so if that’s exploitable by any local app, that could cause that model to break down.

But on Linux — GNU/Linux — I’d think that if someone malicious can already launch games with arbitrary command line parameters on your system, you’re probably not really in much worse trouble due to this bug than you already are.

This is a pretty big deal and should be patched, but it’s not the worst case scenario. The worst case scenario would be if an attacker could do this remotely through your game.

Basically, if someone has the ability to change the shortcut on an end machine to specify additional arguments, your game could be used to run malicious code on that machine under the guise of your game, making detection harder.

The benefit is that modifying a shortcut is not an easy thing to do without tricking the user, or using an already established remote control of the endpoint.

However, this is still a vulnerability and one that should have a minimal impact if it were patched. You should install this patch if you make games with Unity.