[VulnWatch] Half-Life clients: buffer-overflow

From: Auriemma Luigi (aluigi_at_pivx.com)
Date: 07/29/03

  • Next message: Scott M. Algatt: "Re: [Full-Disclosure] Avoiding being a good admin - was DCOM RPC exploit (dcom.c)"
    Date: Tue, 29 Jul 2003 18:32:44 +0000
    
    

    #######################################################################

    Applications: Half-Life (http://half-life.sierra.com)
    Versions: 1.1.1.0 and previous versions (including all MODs
                  based on the game, such as Counter-Strike and DoD)
    Platforms: Windows
    Bugs: Remote buffer overflow
    Risk: High
    Author: Auriemma Luigi
                  Senior Security Researcher, PivX Solutions, LLC
                  e-mail: aluigi@pivx.com
                  web: http://www.pivx.com/luigi/

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    5) Researcher's Philosophy

    #######################################################################

    ===============
    1) Introduction
    ===============

    Valve's Half-Life was released in 1998 but still remains as the worlds
    most popular FPS game.

    The success of the game is largely due to the overwhelming community
    support, which has spawned a range of MODs for the game - including
    the popular Counter-Strike MOD and Day Of Defeat.

    #######################################################################

    ======
    2) Bug
    ======

    There is a buffer overflow in the connection routine of the Half-Life
    client.

    The only limitation in this buffer-overflow is that some bytes can not
    be used in the shellcode because they are delimiters or otherwise
    reserved for use by the Half-Life protocol. This puts some minor
    constraints on the execution of the remote code, but is far from
    limiting.

    The problem is caused by a long string inserted as parameter or value
    of the data sent by the server to the client when it asks for
    information.

    An example of the parameter and value pair:

    \name\Test
     | |
     | value
     parameter

    To reach the stored return address the data in the parameter must be at
    least 516 bytes long and 268 for the value.

    In the dedicated server 1.1.1.0, the function that doesn't check the
    length of the buffer of the parameter starts at address 0x0041b410, and
    the loop that copies the bytes is:

    :0041B454 84C9 test cl, cl
    :0041B456 0F8488000000 je 0041B4E4
    :0041B45C 880A mov byte ptr [edx], cl
    :0041B45E 8A4E01 mov cl, byte ptr [esi+01]
    :0041B461 42 inc edx
    :0041B462 46 inc esi
    :0041B463 80F95C cmp cl, 5C
    :0041B466 75EC jne 0041B454

    The return address is stored at memory offset 0x0467a634

    The same thing happens for the buffer-overflow in the value field:

    :0041B47E 84D2 test dl, dl
    :0041B480 740C je 0041B48E
    :0041B482 8811 mov byte ptr [ecx], dl
    :0041B484 8A5601 mov dl, byte ptr [esi+01]
    :0041B487 41 inc ecx
    :0041B488 46 inc esi
    :0041B489 80FA5C cmp dl, 5C
    :0041B48C 75F0 jne 0041B47E

    #######################################################################

    ===========
    3) The Code
    ===========

    The proof-of-concept exploit is a fake Half-Life server that sends the
    information back to the client with the oversized string in parameter
    or value (choose which of the 2 buffer-overflow you want to test).
    The exploit doesn't include demonstration code to execute remotely, but
    only a string of 'a' and 4 bytes ("EIP.") that will overwrite the
    stored return address.
    Use a debugger to see the program exception and the overwritten EIP.

    The code can be compiled on both Windows and Unix:

    http://www.pivx.com/luigi/poc/hlbof-client.zip

    #######################################################################

    ======
    4) Fix
    ======

    Valve was notified of this vulnerability on April 14 2003, and replied
    that they were working to patch these bugs.

    Since that last point of contact, Valve and it's representatives have
    been contacted on multiple occasions for a status update on the patch,
    without any replies.

    #######################################################################

    ==========================
    5) Researcher's Philosophy
    ==========================

    Be free.
    The researchers' community needs your reversing, your programs, and
    your research. Never let your passion die and don't stop your work!

    Disclosure:
    Full and responsible disclosure can lead to a quick fix, and prevent a
    problem before it gets into the wrong hands.

    #######################################################################

    ====================
    About PivX Solutions
    ====================

    PivX Solutions, is a premier network security consultancy offering a
    myriad of network security services to our clients.

    For more information go to http://www.PivX.com

    #######################################################################

    ---
    Researcher
    http://www.pivx.com/luigi/


  • Next message: Scott M. Algatt: "Re: [Full-Disclosure] Avoiding being a good admin - was DCOM RPC exploit (dcom.c)"

    Relevant Pages

    • Half-Life clients: buffer-overflow
      ... Bug ... Fix ... Valve's Half-Life was released in 1998 but still remains as the worlds ... of the data sent by the server to the client when it asks for ...
      (Bugtraq)
    • [VulnWatch] Half-Life clients: buffer-overflow
      ... Bug ... Fix ... Valve's Half-Life was released in 1998 but still remains as the worlds ... of the data sent by the server to the client when it asks for ...
      (VulnWatch)
    • Re: All together now...
      ... You have started coding a new feature without a fork hoping that you can finish the new feature in a couple of days. ... Your client calls and tell you that he needs a really urgent bug fix / modification, but the new feature is half-baked. ...
      (borland.public.delphi.non-technical)
    • Half-Life servers: buffer-overflow and freeze
      ... Valve's Half-Life was released in 1998 but still remains as the worlds ... Both the dedicated server and the game server are vulnerable. ... The explanation of the bug is divided into 4 sections used to show the effects of the long string as parameter and value on the graphical game and on the dedicated server: ... I want to explain the buffer overflow that only occurs within the Half-Life dedicated server. ...
      (Bugtraq)
    • [VulnWatch] Half-Life servers: buffer-overflow and freeze
      ... Valve's Half-Life was released in 1998 but still remains as the worlds ... Both the dedicated server and the game server are vulnerable. ... The explanation of the bug is divided into 4 sections used to show the effects of the long string as parameter and value on the graphical game and on the dedicated server: ... I want to explain the buffer overflow that only occurs within the Half-Life dedicated server. ...
      (VulnWatch)