From: Stanley G. Bubrouski (stanCCS.NEU.EDU)
Date: Fri Mar 09 2001 - 16:38:30 CST


    Author: Stan Bubrouski (stanccs.neu.edu)
    Date: March 9, 2001
    Package: Half-Life dedicated server for Windows and Linux, and the
    Windows client.
    Versions affected: All are believed vulnerable, including the latest builds
    for Windows (Build 1572) and Linux (Build 1573).
    Severity: Remote users with access level high enough to execute the exec
    or map commands can exploit two buffer overflows and a string formatting
    vulnerability to crash the Half-Life server or execute commands to gain
    access to the host the server is running on.

    Problems:

    1) When the 'map' command is given an argument of more than 58 or 59
    characters, a potentially exploitable buffer overflow occurs.

    2) When 235 or more characters are used with the 'exec' command a buffer
    is overflowed and the server crashes.

    3) There is a string formatting vulnerability in the 'map' command. When
    it receives formatting characters such as %s or %d, it interprets them as
    format specifiers; with a suitably crafted argument a user could crash the
    server or execute code as the user the server is running as.

    4) There is a buffer overflow in the parsing of config files which could
    be used to execute code as the user running the server. This is dangerous
    because someone could place code in the config file of a module and
    distribute it to unsuspecting users.
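
    The following is an added illustration, not Valve's code and not part of
    this advisory: a hardened console-argument check of the kind that would
    close problems 1 and 3 above. The length caps (56 for 'map', 200 for
    'exec'), the allowed character set, the function names and the "maps/%s.bsp"
    path layout are all assumptions chosen for the example, picked to stay below
    the 58-59 and 235 character figures reported above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed caps for illustration only: the advisory reports trouble past
 * 58-59 characters for 'map' and 235 for 'exec', so conservative limits
 * below those figures are used here. They are not the engine's constants. */
#define MAP_ARG_MAX  56
#define EXEC_ARG_MAX 200

typedef enum { ARG_OK, ARG_TOO_LONG, ARG_FORMAT_CHARS, ARG_BAD_CHARS } arg_status;

/* Validate a console command argument before anything else touches it.
 * The length scan stops at max_len + 1, so an oversized input is never
 * walked to its end. */
arg_status check_console_arg(const char *arg, size_t max_len)
{
    size_t len = 0;
    while (len <= max_len && arg[len] != '\0')
        len++;
    if (len > max_len)
        return ARG_TOO_LONG;
    /* A map or config name has no business containing '%'. Rejecting it
     * removes the format-string hazard regardless of how the engine logs it. */
    if (strchr(arg, '%') != NULL)
        return ARG_FORMAT_CHARS;
    /* Conservative filename charset: no path separators, no control bytes. */
    for (const char *p = arg; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return ARG_BAD_CHARS;
    }
    return ARG_OK;
}

/* Hardened 'map' handler (hypothetical): bounded copy into the caller's
 * buffer, and the argument is always passed as data via %s, never used as
 * the format string itself. */
arg_status handle_map(const char *arg, char *out, size_t out_size)
{
    arg_status st = check_console_arg(arg, MAP_ARG_MAX);
    if (st != ARG_OK) {
        printf("map: rejected argument (reason %d)\n", (int)st);
        return st;
    }
    snprintf(out, out_size, "maps/%s.bsp", arg); /* bounded, NUL-terminated */
    printf("map: loading %s\n", out);            /* %s, not printf(out) */
    return ARG_OK;
}
```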

    Copyright 2001 Stan Bubrouski

    --
    Stan Bubrouski                                       stanccs.neu.edu
    316 Huntington Ave. Apt #676, Boston, MA 02115       (617) 377-7222