From: Stanley G. Bubrouski (stanccs.neu.edu)
Date: Thu Sep 20 2001 - 19:53:51 CDT


    Author: Stan Bubrouski (stanccs.neu.edu)
    Date: September 20, 2001
    Program: Half-Life
    Versions Affected: 1.1.0.8 (September 19, 2001) and all previous versions
    Severity: A Half-Life server can exploit a buffer overflow in the client
              to execute arbitrary code on clients' machines.
    Vendor: Valve Software (http://www.valvesoftware.com)
    Vendor Contacted: September 18, 2001
    Vendor Status: A fix will be included in the next update

    Details: There is a buffer overflow in the console command "connect" on
    Windows Half-Life clients. The "connect" command is a command available
    in the client console which is used to connect to game servers when given
    a specific IP address and port. The format of the command is as follows:

    /connect IP:port

    By running the command with around 128 characters it is possible to
    overflow the buffer and execute arbitrary code. While this problem is on
    the client side it is still a serious issue, since servers have a function
    named "g_engfuncs.pfnClientCommand" which allows the server to force
    clients to execute whatever console command they want. This means that
    this overflow can be exploited remotely by means of this function. A
    server administrator could easily take advantage of this and
    exploit clients automatically as they connected to the server. An example
    of this would be Admin-Mod, a popular remote administration plugin for many
    Half-Life mods like Counter-Strike, Team Fortress Classic, Day of Defeat,
    and Firearms. Admin-Mod has a command named admin_execclient which allows
    admins to force users to execute commands, including "connect."

    Alfred Reynolds, one of the maintainers of Admin-Mod, was quick to point out
    to me that Admin-Mod's admin_execclient command only holds 100 characters
    and therefore would have to be modified to make use of this. He then also
    mentioned that since Admin-Mod is open source anyone could modify the
    source and increase the buffer size anyway. Only part of one line of
    code in the Admin-Mod source would need to be changed to exploit this.

    Of course this is not an issue with Admin-Mod; I was just using it as an
    example.

    Valve Software was contacted on September 18, 2001 and informed me it will
    be fixed in the next patch (presumably v1.1.0.9). They did not believe it
    to be a serious threat.

    Solution: Install the patch when it becomes available.

    Regards,

    Stan

    --
    Stan Bubrouski                                       stanccs.neu.edu
    23 Westmoreland Road, Hingham, MA 02043        Cell:   (617) 835-3284
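
Added example, not part of the original advisory and not Valve's code: a bounds-checked parser for the "IP:port" argument of a connect-style command, showing the length and format validation that prevents the kind of overflow described above. The function name, HOST_MAX and the sample address are assumptions made for illustration; the advisory does not give the client's real buffer size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 64   /* assumed destination size, not taken from the advisory */

/* Unsafe pattern the advisory implies (comment only):
 *     char addr[HOST_MAX]; strcpy(addr, arg);    // no length check
 */

/* Parse "host:port" into caller-supplied storage.
 * Returns 0 on success, -1 if the argument is too long or malformed. */
int parse_connect_arg(const char *arg, char *host, size_t host_sz, unsigned *port)
{
    if (arg == NULL || host == NULL || port == NULL || host_sz == 0)
        return -1;

    const char *colon = strrchr(arg, ':');
    if (colon == NULL || colon == arg)
        return -1;                        /* need a non-empty host and a ':' */

    size_t host_len = (size_t)(colon - arg);
    if (host_len >= host_sz)
        return -1;                        /* reject rather than truncate or overflow */

    /* Port: 1 to 5 digits, value 1..65535, nothing trailing. */
    const char *p = colon + 1;
    size_t plen = strlen(p);
    if (plen == 0 || plen > 5 || strspn(p, "0123456789") != plen)
        return -1;
    unsigned long v = strtoul(p, NULL, 10);
    if (v == 0 || v > 65535)
        return -1;

    memcpy(host, arg, host_len);          /* host_len < host_sz checked above */
    host[host_len] = '\0';
    *port = (unsigned)v;
    return 0;
}

int main(void)
{
    char host[HOST_MAX], big[140];
    unsigned port = 0;
    memset(big, 'A', 128);                /* constructed over-long host part */
    strcpy(big + 128, ":27015");
    printf("valid: %d\n", parse_connect_arg("192.0.2.10:27015", host, sizeof host, &port));
    printf("long:  %d\n", parse_connect_arg(big, host, sizeof host, &port));
    return 0;
}
```

Because the server can force console commands on the client, the same check has to apply no matter whether the command was typed locally or pushed by the server.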