####################################################################### Luigi Auriemma Applications: Half-Life (http://half-life.sierra.com) Versions: 1.1.1.0 and previous versions (including all MODs based on the game, such as Counter-Strike and DoD) Platforms: Windows Bugs: Remote buffer overflow Date: 29 Jul 2003 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Valve's Half-Life was released in 1998 but still remains as the worlds most popular FPS game. The success of the game is largely due to the overwhelming community support, which has spawned a range of MODs for the game - including the popular Counter-Strike MOD and Day Of Defeat. It is developed by Valve (http://www.valvesoftware.com) and published by Sierra (http://www.sierra.com). ####################################################################### ====== 2) Bug ====== There is a buffer overflow in the connection routine of the Half-Life client. The only limitation in this buffer-overflow is that some bytes can not be used in the shellcode because they are delimiters or otherwise reserved for use by the Half-Life protocol. This puts some minor constraints on the execution of the remote code, but is far from limiting. The problem is caused by a long string inserted as parameter or value of the data sent by the server to the client when it asks for information. An example of the parameter and value pair: \name\Test | | | value parameter To reach the stored return address the data in the parameter must be at least 516 bytes long and 268 for the value. In the dedicated server 1.1.1.0, the function that doesn't check the length of the buffer of the parameter starts at address 0x0041b410, and the loop that copies the bytes is: :0041B454 84C9 test cl, cl :0041B456 0F8488000000 je 0041B4E4 :0041B45C 880A mov byte ptr [edx], cl :0041B45E 8A4E01 mov cl, byte ptr [esi+01] :0041B461 42 inc edx :0041B462 46 inc esi :0041B463 80F95C cmp cl, 5C :0041B466 75EC jne 0041B454 The return address is stored at memory offset 0x0467a634 The same thing happens for the buffer-overflow in the value field: :0041B47E 84D2 test dl, dl :0041B480 740C je 0041B48E :0041B482 8811 mov byte ptr [ecx], dl :0041B484 8A5601 mov dl, byte ptr [esi+01] :0041B487 41 inc ecx :0041B488 46 inc esi :0041B489 80FA5C cmp dl, 5C :0041B48C 75F0 jne 0041B47E ####################################################################### =========== 3) The Code =========== The proof-of-concept exploit is a fake Half-Life server that sends the information back to the client with the oversized string in parameter or value (choose which of the 2 buffer-overflow you want to test). The exploit doesn't include demonstration code to execute remotely, but only a string of 'a' and 4 bytes ("EIP.") that will overwrite the stored return address. Use a debugger to see the program exception and the overwritten EIP. The code can be compiled on both Windows and Unix: http://aluigi.org/poc/hlbof-client.zip ####################################################################### ====== 4) Fix ====== Valve was notified of this vulnerability on April 14 2003, and replied that they were working to patch these bugs. Since that last point of contact, Valve and it's representatives have been contacted on multiple occasions for a status update on the patch, without any replies. #######################################################################