A security vulnerability was identified that affects games and applications built on Unity versions 2017.1 and later for Android, Windows, and macOS operating systems. Download the patching tool here and read on for further instructions.
Landed on my radar recently- thought I’d post it here
For Linux, my off-the-cuff take is that I’m not that excited about it. It means that if you can launch a Unity game and pass it command-line arguments, then you can cause it to take actions that you want. Okay, but usually the security context of someone who can do that and the game that’s running should probably be the same. If you can launch a game with specified parameters to do something bad, you can probably also just do something bad and cut the game out of the picture.
This is why you have few suid binaries on a Limux system (and should never make something large and complex, like a Unity game, suid) — because then the binary does have a different security context than the launching process.
Now, it’s possible that there are scenarios where you could make this badly exploitable. Say games have chosen to trust command-line arguments from a remote system, and that game has community servers. Like, maybe they have a lobby app that launches a Unity binary with remotely-specified command line arguments. But in that case, I think that the developer is already asking for trouble.
Most games are just not going to be sufficiently hardened to avoid problems if an attacker can pass arbitrary command lines anyway. And as the bug points out, on Linux, you can achieve something similar to this for many binaries via using LD_PRELOAD anyway — you can use that route to make fixes for closed-source Linux games. Windows has similar routes, stuff like DLL injection.
It’s possible that this is more serious on Android. I don’t know if there’s a way to pass command line parameters there, and doubt it, but part of the Android security model is that apps run in isolation, and so if that’s exploitable by any local app, that could cause that model to break down.
But on Linux — GNU/Linux — I’d think that if someone malicious can already launch games with arbitrary command line parameters on your system, you’re probably not really in much worse trouble due to this bug than you already are.
looks
For Linux, my off-the-cuff take is that I’m not that excited about it. It means that if you can launch a Unity game and pass it command-line arguments, then you can cause it to take actions that you want. Okay, but usually the security context of someone who can do that and the game that’s running should probably be the same. If you can launch a game with specified parameters to do something bad, you can probably also just do something bad and cut the game out of the picture.
This is why you have few suid binaries on a Limux system (and should never make something large and complex, like a Unity game, suid) — because then the binary does have a different security context than the launching process.
Now, it’s possible that there are scenarios where you could make this badly exploitable. Say games have chosen to trust command-line arguments from a remote system, and that game has community servers. Like, maybe they have a lobby app that launches a Unity binary with remotely-specified command line arguments. But in that case, I think that the developer is already asking for trouble.
Most games are just not going to be sufficiently hardened to avoid problems if an attacker can pass arbitrary command lines anyway. And as the bug points out, on Linux, you can achieve something similar to this for many binaries via using
LD_PRELOADanyway — you can use that route to make fixes for closed-source Linux games. Windows has similar routes, stuff like DLL injection.It’s possible that this is more serious on Android. I don’t know if there’s a way to pass command line parameters there, and doubt it, but part of the Android security model is that apps run in isolation, and so if that’s exploitable by any local app, that could cause that model to break down.
But on Linux — GNU/Linux — I’d think that if someone malicious can already launch games with arbitrary command line parameters on your system, you’re probably not really in much worse trouble due to this bug than you already are.