Subject: Half-Life Dedicated Server Vulnerability
From: Vulnerability Help (vulnhelp@SECURITYFOCUS.COM)
Date: Mon Oct 16 2000 - 12:27:57 CDT


                        Vulnerability Report by Mark Cooper

Date Published: 16th October 2000

Advisory ID: N/A

Bugtraq ID: 1799

http://www.securityfocus.com/bid/1799

CVE CAN: N/A

Title: Half-Life Dedicated Server Vulnerability

Class: Buffer Overflow

Remotely Exploitable: Yes

Locally Exploitable: Yes

Release Mode: FORCED RELEASE

This vulnerability is actively being exploited in the wild.

Vulnerable Packages/Systems:

Half-Life Dedicated Server for Linux 3.1.0.3 & Previous

Vulnerability Description:

A buffer overflow vulnerability was discovered in a Half-Life dedicated server
during a routine security audit. A user shell was found running on the
ingreslock port of the server, which led to an investigation into how this had
been achieved. From the logs left on the server, it was ascertained that a
predefined exploit script was used and that the perpetrator failed to further
compromise the server because the Half-Life software was running as a
non-privileged user.

The vulnerability appears to exist in the changelevel rcon command and does not
require a valid rcon password. The overflow appears to occur after the logging
function, as the following was found in the last entries of the daemon's logs:-

     # tail server.log.crash | strings
     L 08/23/2000 - 23:28:59: "[CiC]Foxdie<266>" say "how so?"
     Bad Rcon from x.x.x.x:4818:
     rcon werd changelevel
     bin
     sh!
     Privet ADMcrew\
     rcon werd changelevel

The actual raw exploit code is logged, along with what appears to be the script
authors, ADM ( http://adm.freelsd.net/ADM/ ). Perhaps they could shed some light
on this?
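The log excerpt above is the most useful detection artefact the advisory offers: the server records the rejected rcon line even when the password is wrong, and the non-printable bytes of the overflow payload break that line into several `strings` fragments. The following script is an added example, not part of the original advisory, that scans `strings`-processed HLDS log lines for "Bad Rcon" blocks whose changelevel argument is fragmented or oversized; the sample log, the 192.0.2.x source addresses and the 64-character map-name bound are all constructed assumptions.

```python
import re

# Constructed sample log, modelled on the `strings` output quoted in the
# advisory; source addresses are documentation-range placeholders. Binary
# payload bytes split one rcon line into several fragments: that is the signal.
SAMPLE_LOG = [
    'L 08/23/2000 - 23:28:59: "[CiC]Foxdie<266>" say "how so?"',
    'Bad Rcon from 192.0.2.10:4818:',
    'rcon werd changelevel',
    'bin',
    'sh!',
    'Privet ADMcrew\\',
    'rcon werd changelevel',
    'Bad Rcon from 192.0.2.20:5000:',
    'rcon guess status',  # ordinary wrong-password attempt, not flagged
    'L 08/23/2000 - 23:29:10: "Player<12>" say "gg"',
]

BAD_RCON = re.compile(r'^Bad Rcon from (?P<host>[^:]+):(?P<port>\d+):$')
LOG_LINE = re.compile(r'^L \d\d/\d\d/\d{4} - ')
MAX_MAP_NAME = 64  # assumed upper bound for a legitimate map name


def find_changelevel_overflows(lines, max_map_name=MAX_MAP_NAME):
    """One finding per Bad Rcon block whose changelevel argument is either
    oversized or split into several fragments by non-printable bytes."""
    findings = []
    i = 0
    while i < len(lines):
        m = BAD_RCON.match(lines[i])
        if not m:
            i += 1
            continue
        # Gather payload lines up to the next timestamped entry or Bad Rcon.
        j, frags = i + 1, []
        while j < len(lines) and not (LOG_LINE.match(lines[j])
                                      or BAD_RCON.match(lines[j])):
            frags.append(lines[j])
            j += 1
        payload = ' '.join(frags)
        if 'changelevel' in payload:
            arg = payload.split('changelevel', 1)[1].strip()
            fragmented, oversized = len(frags) > 1, len(arg) > max_map_name
            if fragmented or oversized:
                findings.append({'source': f"{m['host']}:{m['port']}",
                                 'fragments': len(frags), 'arg_len': len(arg),
                                 'reason': 'fragmented' if fragmented else 'oversized'})
        i = j
    return findings
```

Running `find_changelevel_overflows(SAMPLE_LOG)` flags only the first block (five fragments from 192.0.2.10:4818); a plain wrong-password attempt against a non-changelevel command is left alone.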

Solution/Vendor Information/Workaround:

Valve Software promised a patch which has yet to appear. Interim measures would
include:-

A) Consider not running the HalfLife software at all!
B) Remove the world execute bit from inetd to 'break' the exploit code - this
would only stop the script kiddies
C) Ensure sane ipfwadm/ipchains filters are in place

Vendor notified on: 14th September 2000

Credits:

Credit for the vulnerability discovery presumably lies with ADM. :)
The forensic work which discovered this problem was performed by Mark Cooper.

This advisory was drafted with the help of the SecurityFocus.com Vulnerability
Help Team. For more information or assistance drafting advisories please mail
vulnhelp@securityfocus.com.

Exploit/Concept Code:

Try http://adm.freelsd.net/ADM/ ?

Reference:
http://www.valvesoftware.com

DISCLAIMER:
No responsibility whatsoever is taken for any correct/incorrect use of this
information. This is for informational purposes only.
