######################################################################

Luigi Auriemma

Applications: Half-Life (http://half-life.sierra.com) MODs.
Versions:     1.1.1.0
Platforms:    Windows
Bugs:         Buffer overflow in liblist.gam and arbitrary code execution
              through customized DLL files
Date:         29 Jul 2003
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

######################################################################

===============
1) Introduction
===============

Valve's Half-Life was released in 1998 but still remains the world's most popular FPS game. The success of the game is largely due to the overwhelming community support, which has spawned a range of MODs for the game, including the popular Counter-Strike MOD and Day Of Defeat.
It is developed by Valve (http://www.valvesoftware.com) and published by Sierra (http://www.sierra.com).

The cause of these problems is MODs. One of these problems is an inherent flaw in the basic structure of Half-Life and cannot be fixed without fundamental changes.

######################################################################

======
2) Bug
======

The 2 bugs are:

---------------------------------
[A] Buffer-overflow in liblist.gam
---------------------------------

Liblist.gam is a text file present in every MOD. The problem is a buffer overflow caused by long values. The following liblist.gam demonstrates the problem:

---liblist.gam---
game "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPxaaaaaaaaaaaa"
gamedll "what you want"
-----------------

The buffer overflow happens when a value is 276 bytes long, and only when the gamedll parameter is specified.

NOTE: The important and "strange" thing to note is that the stored return address is overwritten by the 4 bytes at offset 260 of the value. We need to add another 12 bytes after it to cause the buffer overflow and successfully overwrite the stored EIP.

--------------------------------------
[B] Do you know the DLL files in MODs?
--------------------------------------

A lot of MODs are distributed with custom DLL files that are contained in the folders "dlls" and "cl_dlls". The problem is easily explained: the DLL files used by MODs are real binary libraries that can contain any code the author wants! This means that I can create a malicious DLL, distribute it with a MOD, and everyone that uses it will run my malicious code.
This problem "CANNOT" be fixed by Valve, so be careful when you use an unknown MOD or you download a MOD from a non-trusted site.

######################################################################

===========
3) The Code
===========

---------------------------------
[A] Buffer-overflow in liblist.gam
---------------------------------

---liblist.gam---
game "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPxaaaaaaaaaaaa"
gamedll "what you want"
-----------------

--------------------------------------
[B] Do you know the DLL files in MODs?
--------------------------------------

Create a Half-Life DLL or add any malicious code to an existing DLL.

#######################################################################

======
4) Fix
======

Valve was notified of this vulnerability on April 14 2003, and replied that they were working to patch these bugs. Since that last point of contact, Valve and its representatives have been contacted on multiple occasions for a status update on the patch, without any replies.
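The two checks a server or MOD administrator would want for bugs [A] and [B], as an added example that is not part of this advisory nor Valve's code: a small Python checker that parses a MOD's liblist.gam, flags values long enough to reach the stored return address at offset 260, and lists the native DLLs under dlls/ and cl_dlls/ that the MOD would load. The one `key "value"` pair per line layout, the function names and the sample files are assumptions.

```python
import re
from typing import Dict, List

# From the advisory: a 276-byte value crashes the game, and the 4 bytes at
# offset 260 of the value land on the stored return address.
RETURN_ADDR_OFFSET = 260

# Assumed line shape: one `key "value"` pair per line; other lines are skipped.
LINE_RE = re.compile(r'^\s*(\w+)\s+"([^"]*)"\s*$')

def parse_liblist(text: str) -> Dict[str, str]:
    """Key/value pairs of a liblist.gam, keys lower-cased; // comments skipped."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("//"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries

def overlong_keys(entries: Dict[str, str]) -> List[str]:
    """Keys whose value reaches the stored return address (stricter than the
    276 bytes the advisory's probe needs: any value past offset 260 is flagged)."""
    return [k for k, v in entries.items()
            if len(v.encode("latin-1", "replace")) > RETURN_ADDR_OFFSET]

def custom_dlls(mod_files: List[str]) -> List[str]:
    """Native libraries under dlls/ or cl_dlls/ that the MOD would load (bug [B])."""
    hits = []
    for path in mod_files:
        p = path.replace("\\", "/").lower()
        if p.endswith(".dll") and p.split("/", 1)[0] in ("dlls", "cl_dlls"):
            hits.append(path)
    return hits

def assess(liblist_text: str, mod_files: List[str]) -> dict:
    entries = parse_liblist(liblist_text)
    bad = overlong_keys(entries)
    return {
        "overlong_keys": bad,
        # The advisory says the overflow is only reached when gamedll is set.
        "overflow_reachable": bool(bad) and "gamedll" in entries,
        "custom_dlls": custom_dlls(mod_files),
    }

# Constructed samples, not taken from any real MOD.
BENIGN_LIBLIST = 'game "My Mod"\ngamedll "dlls\\mymod.dll"\n'
PROBE_LIBLIST = 'game "' + "a" * 260 + "EIPx" + "a" * 12 + '"\ngamedll "x"\n'
MOD_FILES = ["liblist.gam", "dlls/mymod.dll", "cl_dlls\\client.dll", "maps/a.bsp"]
```

Run `assess(open("liblist.gam").read(), list_of_mod_files)` on a downloaded MOD before installing it; a non-empty `custom_dlls` result means the MOD ships native code that the game will execute regardless of the liblist.gam check.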
#######################################################################