vulnerabilities Archives - Include Security Research Blog

Hacking Unity Games with Malicious GameObjects, Part 2

September 13, 2022 — Jason Kielpinski

In my last post I talked about a way I found to execute arbitrary code in Unity using no custom scripts, only built-in components. This allowed potential attacks against Unity games that load AssetBundles from untrusted sources since, although AssetBundles can’t include custom scripts, they can include GameObjects containing these built-in components. The attack I outlined in that blog used UnityEvents, which are primarily exposed via Unity’s built-in UI elements, but the attack required user interaction to trigger.

In this post I am going to discuss a zero-click method of triggering UnityEvents, along with some additional things I’ve learned on this topic. I will also introduce a new exploit that does not use UnityEvents and removes one of the limitations of the UnityEvent-based attack (while adding limitations of its own). Finally, I will give some updated remediation thoughts.

Drive-By Compromise: A Tale Of Four Wifi Routers

December 19, 2022September 30, 2021 — IncludeSec

One of the bugs that was reported on fairly extensively had to do with this lovely page, hidden in the device’s webroot:

Customizing Semgrep Rules for Flask/Django and Other Popular Web Frameworks

July 23, 2021July 22, 2021 — by Ayaz Mammadov & Nick Fox - Technical Review by Kai Z and Grayson Hardaway(r2c)

We customize and use Semgrep a lot during our security assessments at IncludeSec because it helps us quickly locate potential areas of concern within large codebases. Static analysis tools (SAST) such as Semgrep are great for aiding our vulnerability hunting efforts and usually can be tied into Continuous Integration (CI) pipelines to help developers catch … Read more

Hacking Unity Games with Malicious GameObjects

June 9, 2021June 9, 2021 — IncludeSec

The Unity game engine provides various means for getting external assets into a game, such as AssetBundles, for adding assets at runtime and the Asset Store, for purchasing third-party assets.

It’s possible for a GameObject to execute arbitrary code using no custom scripts, only components that are available by default in Unity. If the game uses Bolt or another visual scripting system, there are even more paths to code execution. In this blog I will cover how a malicious GameObject might get into a game, two specific methods I’m aware of for the GameObject to execute code, and possible ways to mitigate the risk.

Announcing RTSPhuzz — An RTSP Server Fuzzer

February 17, 2021June 15, 2020 — IncludeSec

There are many ways software is tested for faults, some of those faults end up originating from exploitable memory corruption situations and are labeled vulnerabilities. One popular method used to identify these types of faults in software is runtime fuzzing. When developing servers that implement an RFC defined protocol, dynamically mutating the inputs and messages … Read more