[NEWS] Half-Life Clients Buffer Overflow Vulnerability (Client Connection Routine)

From: SecuriTeam (support_at_securiteam.com)
Date: 07/31/03

    To: list@securiteam.com
    Date: 31 Jul 2003 14:39:22 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    Half-Life Clients Buffer Overflow Vulnerability (Client Connection Routine)
    ------------------------------------------------------------------------

    SUMMARY

    Valve's Half-Life was released in 1998 but still remains the world's
    most popular FPS game.

    The success of the game is largely due to the overwhelming community
    support, which has spawned a range of MODs for the game - including the
    popular Counter-Strike MOD and Day of Defeat.

    There is a buffer overflow in the connection routine of the Half-Life
    client, allowing remote attackers to cause the product to execute
    arbitrary code.

    DETAILS

    Vulnerable systems:
     * Half-Life version 1.1.1.0 and prior

    The only limitation of this buffer overflow is that some byte values
    cannot appear in the shellcode because they are delimiters or otherwise
    reserved by the Half-Life protocol. This places minor constraints on the
    remote code, but is far from limiting.

    The problem is caused by an overlong string used as the parameter or the
    value in the data the server sends back to the client when the client
    asks it for information.

    An example of the parameter and value pair:

    \name\Test
     | |
     | value
     parameter

    To reach the stored return address the data must be at least 516 bytes
    long for the parameter and 268 bytes for the value.

    In dedicated server 1.1.1.0, the function that fails to check the length
    of the parameter buffer starts at address 0x0041b410, and the loop that
    copies the bytes is:

    :0041B454 84C9         test cl, cl               ; stop only on a NUL byte
    :0041B456 0F8488000000 je 0041B4E4
    :0041B45C 880A         mov byte ptr [edx], cl    ; store into the parameter buffer, edx unbounded
    :0041B45E 8A4E01       mov cl, byte ptr [esi+01] ; fetch next source byte
    :0041B461 42           inc edx
    :0041B462 46           inc esi
    :0041B463 80F95C       cmp cl, 5C                ; 0x5C = '\', the field delimiter
    :0041B466 75EC         jne 0041B454              ; anything else: keep copying, no length test

    The return address is stored at memory offset 0x0467a634.

    The same thing happens for the buffer overflow in the value field:

    :0041B47E 84D2         test dl, dl               ; stop only on a NUL byte
    :0041B480 740C         je 0041B48E
    :0041B482 8811         mov byte ptr [ecx], dl    ; store into the value buffer, ecx unbounded
    :0041B484 8A5601       mov dl, byte ptr [esi+01] ; fetch next source byte
    :0041B487 41           inc ecx
    :0041B488 46           inc esi
    :0041B489 80FA5C       cmp dl, 5C                ; 0x5C = '\', the field delimiter
    :0041B48C 75F0         jne 0041B47E              ; anything else: keep copying, no length test
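    As an added example (not code from the advisory or from Valve), the following C parser reads the same `\parameter\value` pair format with the bounds check the two copy loops above lack. The constants PARAM_MAX and VALUE_MAX are the advisory's 516 and 268 byte thresholds; the function names and the status codes are assumptions for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Thresholds from the advisory: 516 bytes in the parameter or 268 in the
 * value reach the stored return address, so a checked parser stops there. */
#define PARAM_MAX 516
#define VALUE_MAX 268

enum { INFO_OK = 0, INFO_MALFORMED = -1, INFO_OVERSIZED = -2 };

/* Copy one field up to NUL or '\'. The loop at 0041B454 does the same walk
 * with no limit; this one refuses to write past cap-1 bytes. */
static int copy_field(const char **src, char *dst, size_t cap)
{
    size_t n = 0;
    const char *p = *src;
    while (*p != '\0' && *p != '\\') {
        if (n + 1 >= cap)            /* the bounds check the original lacks */
            return INFO_OVERSIZED;
        dst[n++] = *p++;
    }
    dst[n] = '\0';
    *src = p;
    return INFO_OK;
}

/* Parse "\key\value" into caller-supplied buffers (hypothetical API). */
int parse_info_pair(const char *s, char *key, size_t kcap, char *val, size_t vcap)
{
    if (*s++ != '\\') return INFO_MALFORMED;
    if (copy_field(&s, key, kcap) != INFO_OK) return INFO_OVERSIZED;
    if (*s++ != '\\') return INFO_MALFORMED;
    return copy_field(&s, val, vcap);
}

/* Classify a received pair using buffers sized to the advisory's limits;
 * a non-zero result is what a client-side check or IDS rule would flag. */
int info_pair_status(const char *s)
{
    char key[PARAM_MAX], val[VALUE_MAX];
    return parse_info_pair(s, key, sizeof key, val, sizeof val);
}

/* Constructed sample: a parameter of exactly PARAM_MAX 'a' bytes. */
int oversized_param_status(void)
{
    char buf[PARAM_MAX + 8] = "\\";
    memset(buf + 1, 'a', PARAM_MAX);
    memcpy(buf + 1 + PARAM_MAX, "\\x", 3);   /* "\x" plus NUL terminator */
    return info_pair_status(buf);
}
```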

    Exploit code:
    The proof-of-concept exploit is a fake Half-Life server that sends the
    information back to the client with the oversized string in the parameter
    or the value (choose which of the two buffer overflows you want to test).
    The exploit does not include demonstration code to execute remotely, but
    only a string of 'a' and 4 bytes ("EIP.") that will overwrite the stored
    return address. Use a debugger to see the program exception and the
    overwritten EIP.

    The code can be compiled on both Windows and Unix:
    http://www.pivx.com/luigi/poc/hlbof-client.zip

    Fix:
    Valve was notified of this vulnerability on April 14, 2003, and replied
    that they were working to patch these bugs.

    Since that last point of contact, Valve and its representatives have been
    contacted on multiple occasions for a status update on the patch, without
    any reply.

    ADDITIONAL INFORMATION

    The information has been provided by Auriemma Luigi <aluigi@pivx.com>.


