Title: Unity3D AssetBundle Corruption Crash
Advisory ID: GVID-2021-0002
Allocation Date: July 2nd, 2021
Publication Date: December 12th, 2021
Update Date: May 17th, 2022
Publication URL: https://vidyasec.org/2021/12/12/gvid-2021-0002-unity3d-assetbundle-corruption-crash/
Vulnerability Details
Affected Vendor: Unity Technologies
Affected Product: Unity3D (incl. Pro)
Affected Versions: 2018.4.20f1, 2019.4.29f1 LTS, 2020.3.13f1 LTS, probably more.
Platform: Windows
CWE Classification: CWE-20: Improper Input Validation
CVE ID: N/A
Unity Security Case Number: 1747
Product Description
Unity3D is a flexible development platform and engine designed for a wide variety of applications, including gaming, simulation, presentations, and more.
Vulnerability Description
Attackers can make use of a vulnerability in Unity to crash games that allow user-generated content by loading corrupted Unity asset packages, resulting in a denial of service.
Technical Information
Attackers have been uploading malformed Unity3D asset packages to games that permit user-generated content, causing Unity to crash and resulting in denial of service. After much research, we have determined that any kind of structural corruption of the embedded assets can cause an AssetBundle to trigger one of many checks in Unity's asset loading systems, producing an unrecoverable condition. The same conditions can be triggered merely by creating an AssetBundle old enough that the engine cannot load it.
Attempting to load one of these AssetBundles results in Unity triggering an uncatchable error in native Unity code, meaning Unity-based products cannot defend against this attack without reverse-engineering the files themselves to check for this particular issue. This error cannot be intercepted by try/catch statements or any other exception-handling mechanism, and results in a crash to desktop, sometimes with an error message in the player log or a dialog box in the Unity editor.
Remediation Recommendation
Avoiding the use of undocumented, proprietary third-party packaging formats such as Unity AssetBundles is likely the best way to avoid these kinds of attacks, but it would require significant infrastructure changes and conversion of existing UGC. For this reason, most established titles will likely need to wait for Unity to issue a patch.
The best final fix on Unity's side would be to throw a catchable error rather than hard-crashing the process.
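As an added example (not code from the advisory or from Unity), a server-side ingestion gate that applies the reverse-engineering approach mentioned above: it parses the bundle header and rejects legacy, truncated or structurally inconsistent uploads before the engine's native loader ever sees them. The header layout is assumed from community reverse-engineering of the format, and the gate screens for the gross corruption and old-format cases the advisory describes, not for every check inside Unity's loader.

```python
import struct

# "UnityFS" header layout, per community reverse-engineering (assumption: the
# advisory does not document the format): signature (null-terminated ASCII;
# "UnityWeb"/"UnityRaw" mark legacy bundles), version (uint32 BE, 6 or 7 for
# the affected engines), unity_version and generator (null-terminated ASCII),
# size (int64 BE, total bundle length), compressed and uncompressed BlocksInfo
# sizes (uint32 BE each), flags (uint32 BE).
ACCEPTED_SIGNATURES = {b"UnityFS"}
ACCEPTED_FORMAT_VERSIONS = {6, 7}

def _cstring(buf, pos):
    end = buf.find(b"\x00", pos)
    if end < 0 or end - pos > 64:
        raise ValueError("unterminated or oversized string field")
    return buf[pos:end], end + 1

def check_bundle_header(data: bytes):
    """Return (ok, reason); reject the upload before it can reach the engine loader."""
    try:
        sig, pos = _cstring(data, 0)
        if sig not in ACCEPTED_SIGNATURES:
            return False, "unsupported or legacy signature %r" % sig
        version = struct.unpack_from(">I", data, pos)[0]
        if version not in ACCEPTED_FORMAT_VERSIONS:
            return False, "unsupported format version %d" % version
        _, pos = _cstring(data, pos + 4)  # unity_version
        _, pos = _cstring(data, pos)      # generator
        size, comp, _uncomp, _flags = struct.unpack_from(">qIII", data, pos)
        pos += 20
        if size != len(data):
            return False, "declared size %d != actual %d" % (size, len(data))
        if comp == 0 or comp > len(data) - pos:
            return False, "BlocksInfo size inconsistent with file length"
        return True, "header ok"
    except (struct.error, ValueError) as exc:
        return False, "truncated or malformed header: %s" % exc

def _header(sig, ver, uver, gen, size, comp, uncomp, flags):
    return (sig + b"\x00" + struct.pack(">I", ver) + uver + b"\x00" + gen
            + b"\x00" + struct.pack(">qIII", size, comp, uncomp, flags))

def sample_bundles():
    """Constructed inputs, not real bundles: zero padding stands in for the
    BlocksInfo and data blocks, which this gate does not inspect."""
    hdr = len(_header(b"UnityFS", 6, b"5.x.x", b"2019.4.29f1", 0, 40, 64, 0x43))
    valid = _header(b"UnityFS", 6, b"5.x.x", b"2019.4.29f1", hdr + 40, 40, 64, 0x43) + bytes(40)
    legacy = _header(b"UnityWeb", 3, b"3.x.x", b"3.5.7f6", hdr + 40, 40, 64, 0) + bytes(40)
    return {"valid": valid, "legacy": legacy, "truncated": valid[:-12]}
```

A rejected upload is logged and discarded at ingestion, so the game client never calls the engine loader on it; a passing header is still no proof the bundle is safe to load.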
Timeline
- Experienced at various points in the past in VRChat, began research
- 2021.07.01 – Randomly met some gray-hats who were able to verify some exploits and provided additional contacts within the gray- and black-hat communities. This specific vulnerability was independently verified by this group.
- 2021.07.24 – Discovered sample in the wild being used maliciously.
- 2021.07.25 @ 06:34 UTC – Initial notification sent via Unity bug reporting tool.
- 2021.07.25 @ 06:34 UTC – Automated acknowledgement of receipt.
- 2021.07.26 @ 11:51 UTC – Issue dismissed by Unity due to testing on unsupported Unity versions.
- Issues in meatspace take priority
- 2021.09.04 @ 23:15 UTC – Tested on Unity 2019.4.29f1 LTS, Unity 2020.3.13f1 LTS with same results.
- 2021.09.05 @ 00:17 UTC – Initial notification via email.
- 2021.09.05 @ 00:17 UTC – Automatic reply confirming receipt, Unity security case number assigned.
- 2021.09.07 @ 13:26 UTC – Automated reply informing us of BugBounty’s existence.
- 2021.09.07 @ 20:08 UTC – Human escalates issue to a team for review.
- 2021.09.30 @ 19:21 UTC – Human closes issue after claiming the errors can indeed be caught. Our testing concludes this is not the case.
- 2021.12.12 @ 08:35 UTC – Publicly addressed in a MelonLoader plugin.
Source/Credits
Discovered in active exploits in the wild.
Legal
This advisory is (c)2021-2022 VidyaSEC Contributors and is licensed under the Creative Commons Attribution Share-Alike (United States) 4.0 license. https://creativecommons.org/licenses/by-sa/4.0/
Our public disclosure policy is available at https://vidyasec.org/public-vulnerability-disclosure-policy/.
The “VRChat” name is a registered trademark of VRChat INC. VidyaSEC and its contributors are not affiliated with nor condoned by VRChat or VRChat INC in any capacity. The “VRChat” registered trademark is used in this article in a referential capacity, which is fair use under US trademark law.
The “Unity” name is a registered trademark of Unity Technologies. VidyaSEC and its contributors are not affiliated with nor condoned by Unity or Unity Technologies in any capacity. The “Unity” registered trademark is used in this article in a referential capacity, which is fair use under US trademark law.
