Date: 29 Sep 2003

Hey,

some weeks ago I found a format string bug in the Half-Life client.
The bug happens when an unknown command is used and the game returns a string like the following:

  \x02Unknown command: wrong_command_used\n
  |                    |                  |
  |                    |                  line feed
  |                    command used (exactly what has been written in the console)
  string type of message

The function that shows this string is vulnerable to a format string bug; in fact the following is a simple example:

  ]%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x
  Unknown command: 270b4768.270b47e8.270b4868.270b48e8.27031ae9.0a07f128.00000002.01e11f28.01d1105c

01e11f28 is the pointer to the string to use to format ("\x02Unknown command: %08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n").

01d1105c instead is the return address of the function (however note that Half-Life uses an encoded executable and in my test I have seen that this address "sometimes" changes...):

  ...
  01d11058  57      push esi
  01d11059  56      push esi
  01d1105a  ffd0    call eax      <--- 27031ad0 of client.dll
  01d1105c  83c40c  add esp, 0c
  ...

Naturally the problem is not only local... but remote, because all the commands typed in the client's console are sent to the server that manages them, and if the command is unknown it returns the "Unknown command" message to the client (data type 0x4d). This means that a malicious server can send formatted strings to each client.

Unfortunately, I don't have much experience with the exploitation of format string bugs, so I can't be sure about the "real" exploitation of this problem to execute remote code on the client.

I have released a proof-of-concept to test the vulnerability (for both *nix and Win) that sends the bad string to the connected client when the client or the server sends a message (for example "say hello"):

  http://aluigi.org/poc/hlclientfs.zip

(However, remember that the bug can be tested also locally.)

Does someone think this bug can be used to execute code remotely? Can it really be exploited?

Thanx in advance!
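The following is an added illustration of the bug class described in the post, written here for this page; it is not Half-Life's code and not the author's proof-of-concept. It reconstructs the pattern in C: a server composes the "\x02Unknown command: <cmd>\n" reply (the string type prefix and 0x4d message type are taken from the post), and the client renders it either by handing the received text to a printf-style function as the format (the bug) or by passing it as a "%s" argument (the fix). It also shows a defensive check a server, proxy or IDS could apply to text that should never carry conversion specifiers. Function names, buffer sizes and the packet layout (type byte followed by a NUL-terminated string) are assumptions made for the example, not the game's protocol.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SVC_UNKNOWN_CMD 0x4d   /* message type quoted in the post */
#define PRINT_NOTICE    0x02   /* the "\x02" string-type prefix from the post */

/* Server side (assumed shape): compose the reply for an unknown command.
 * The command text is only ever a %s argument here, so a '%' in it is
 * preserved literally and ends up inside the reply string. */
int build_unknown_command_reply(const char *cmd, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%cUnknown command: %s\n", PRINT_NOTICE, cmd);
}

/* Client side, VULNERABLE pattern (illustrative reconstruction): the text
 * received from the server is used as the format string itself. Any %x
 * walks the caller's stack and %n writes to it; this is the defect the
 * post describes. The pragmas only silence the compiler's own warning so
 * the contrast can be compiled; never do this in real code. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int render_server_text_vulnerable(const char *text, char *out, size_t outsz)
{
    return snprintf(out, outsz, text);   /* BUG: untrusted format string */
}
#pragma GCC diagnostic pop

/* Client side, HARDENED form: the untrusted text is an argument, the
 * format is a literal, so "%08x" is printed as the five characters %08x. */
int render_server_text_safe(const char *text, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%s", text);
}

/* Defensive check (for a validating server, proxy or detection rule):
 * count printf conversion specifiers in a string that should carry none.
 * "%%" is a literal percent sign and is not counted. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Parse one constructed server->client message of the assumed layout
 * [type byte][NUL-terminated text] and render it safely.
 * Returns the number of conversion specifiers found in the text
 * (0 means clean), or -1 if the message is malformed or not type 0x4d. */
int handle_message(const unsigned char *pkt, size_t len, char *out, size_t outsz)
{
    if (len < 2 || pkt[0] != SVC_UNKNOWN_CMD)
        return -1;
    const char *text = (const char *)pkt + 1;
    if (memchr(text, '\0', len - 1) == NULL)
        return -1;   /* no terminator inside the packet: refuse to render */
    render_server_text_safe(text, out, outsz);
    return count_conversions(text);
}

int main(void)
{
    char reply[256], shown[256];
    /* constructed input: the console line from the post, sent by a server */
    build_unknown_command_reply("%08x.%08x.%08x", reply, sizeof reply);
    render_server_text_safe(reply, shown, sizeof shown);
    printf("safe render : %s", shown + 1);               /* skip the \x02 */
    printf("conversions : %d\n", count_conversions(reply));
    return 0;
}
```

Running the block prints the reply with the %08x sequences intact, which is exactly what a fixed client should show; the same input through render_server_text_vulnerable would instead leak stack words, as the post's console output does. A server-side check of count_conversions() on the echoed command (or a proxy rule on type 0x4d messages) gives a cheap way to log or drop attempts against unpatched clients.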