[NEWS] Half-Life Client Connect Buffer Overflow (g_engfuncs.pfnClientCommand)

From: support@securiteam.com
Date: 09/25/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Half-Life Client Connect Buffer Overflow (g_engfuncs.pfnClientCommand)
Message-Id: <20010925052635.1180A138C1@mail.der-keiler.de>
Date: Tue, 25 Sep 2001 07:26:35 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Half-Life Client Connect Buffer Overflow (g_engfuncs.pfnClientCommand)
------------------------------------------------------------------------

SUMMARY

The Half-Life client contains a security vulnerability that allows attackers
running Half-Life servers to cause the client to execute arbitrary code by
overflowing an internal buffer.

DETAILS

Vulnerable systems:
Half-Life version 1.1.0.8 (September 19, 2001) and all previous versions

Immune systems:
Half-Life version 1.1.0.9

There is a buffer overflow in the console command "connect" on Windows
Half-Life clients. The "connect" command is a command available in the
client console that is used to connect to game servers when given a
specific IP address and port. The format of the command is as follows:

/connect IP:port

By running the command with an argument of about 128 characters, it is
possible to overflow the buffer and execute arbitrary code. While this
problem is on the client side, it is still a serious issue, since servers
have a function named "g_engfuncs.pfnClientCommand" which allows the server
to force clients to execute whatever console command it wants. This means
that the overflow can be exploited remotely by means of this function. A
server administrator could easily take advantage of this and exploit
clients automatically as they connect to the server. An example of this
would be Admin-Mod, a popular remote administration plugin for many
Half-Life mods such as Counter-Strike, Team Fortress Classic, Day of Defeat,
and Firearms. Admin-Mod has a command named admin_execclient that allows
administrators to force users to execute commands, including "connect".
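As an added illustration, not part of the advisory and not Valve's code: a hypothetical bounds-checked parser in C for the "connect IP:port" argument, showing the check a client needs so that an over-long argument, whether typed at the local console or forced by a server, is rejected instead of being copied into a fixed buffer. The buffer size, struct and function names are assumptions.

```c
#include <string.h>
#include <stdlib.h>

/* Hypothetical fixed-size buffer for the "connect IP:port" argument, sized
 * to the roughly 128 characters quoted in the advisory. The figure is
 * illustrative; it is not Half-Life's real memory layout. */
#define CONNECT_ARG_MAX 128

struct connect_target {
    char host[CONNECT_ARG_MAX];
    int  port;
};

/* Parse "IP:port" into *out. Returns 0 on success, -1 on rejection. Every
 * copy into the fixed buffer is bounded by that buffer's size, so an
 * over-long argument is refused whether it was typed at the local console
 * or pushed to the client by a server-forced command. */
int parse_connect_arg(const char *arg, struct connect_target *out)
{
    if (arg == NULL || out == NULL)
        return -1;
    /* Bounded length check: never scan past the buffer size for the
     * terminator, so a huge or unterminated input is rejected up front. */
    const char *nul = memchr(arg, '\0', CONNECT_ARG_MAX);
    if (nul == NULL || nul == arg)
        return -1;
    const char *colon = strchr(arg, ':');
    if (colon == NULL || colon == arg || colon[1] == '\0')
        return -1;                 /* both host and port are required */
    size_t host_len = (size_t)(colon - arg);
    /* Port: decimal digits only, fully consumed, within the 16-bit range. */
    char *end;
    long port = strtol(colon + 1, &end, 10);
    if (*end != '\0' || port < 1 || port > 65535)
        return -1;
    memcpy(out->host, arg, host_len);  /* host_len < CONNECT_ARG_MAX */
    out->host[host_len] = '\0';
    out->port = (int)port;
    return 0;
}

/* Convenience wrapper: the parsed port, or -1 if the argument is rejected. */
int connect_arg_port(const char *arg)
{
    struct connect_target t;
    return parse_connect_arg(arg, &t) == 0 ? t.port : -1;
}
```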

Vendor status:
Valve Software was contacted on September 18, 2001, and informed me that it
will be fixed in the next patch (presumably v1.1.0.9). They did not believe
it to be a serious threat.

Solution:
Install the patch when it becomes available.

ADDITIONAL INFORMATION

The information has been provided by <mailto:stan@ccs.neu.edu> Stanley G.
Bubrouski.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
