#######################################################################

                             Luigi Auriemma

Application:  Source Engine
              http://source.valvesoftware.com
Games:        Half-Life 2
              http://www.half-life2.com
              Counter-Strike: Source
              http://store.steampowered.com/app/240/
              possibly other games and mods
Versions:     <= build 3698
              Valve has confirmed this vulnerability also in build 3933,
              used by games like OrangeBox, Team Fortress 2 and Left 4
              Dead, but in my tests my TF2 3933 server didn't seem
              vulnerable
Platforms:    Windows and Linux
Bug:          NULL pointer
Exploitation: remote, versus server (in-game)
Date:         18 Aug 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Source engine is the latest version and rewrite of the original
Half-Life engine (GoldSrc) developed by Valve
(http://www.valvesoftware.com). It's the engine used for games like
Half-Life 2, Counter Strike Source, Team Fortress 2, Left 4 Dead and
various others, which are also the most played Internet multiplayer
games overall, with over 10000 online servers.

#######################################################################

======
2) Bug
======

The Source engine implements an interesting feature called SourceTV
(http://developer.valvesoftware.com/wiki/SourceTV) which allows online
matches to be recorded. When this component is activated ("tv_enable 1"
followed by the start of a new match/map) a global structure is
allocated and used in some operations (the engine handles SourceTV like
an additional client). By default SourceTV is disabled, so the pointer
to this structure is NULL, and there is a particular condition in which
the engine tries to call a function pointer located in that structure;
the access to the NULL structure crashes the server.
This condition is met when a client (the attacker) is recognized as a
SourceTV client through a particular type of packet and is disconnected
from the server with the reason "ProcessClientInfo: SourceTV can not
connect to game directly.". The NULL pointer is accessed immediately
after this message is displayed.

The vulnerability is exploitable in-game, so the attacker must be able
to join the target server (not banned, valid Steam credentials, valid
password and so on), and obviously SourceTV must be disabled (the
default).

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/sourcenotvnull.zip

It's a plugin for sudppipe/proxocket which forges the malformed packet
(compatible with HL2 and CSS) when the real client sends its first
in-game packet.

Quick usage for proxocket (NOTE that some users report that this method
could give problems with VAC):

- download proxocket: http://aluigi.org/mytoolz.htm#proxocket
- copy ws2_32.dll and the myproxocket.dll of the PoC into the same
  folder as the client's game executable
- start the client and join the server to test

Quick usage for sudppipe:

- download sudppipe: http://aluigi.org/mytoolz.htm#sudppipe
- copy myproxocket.dll into the same folder as sudppipe and start it:

    sudppipe -l myproxocket.dll SERVER PORT 1234

- start the client and join the server on 127.0.0.1:1234

To quickly confirm the vulnerability against a LAN server it's enough
to use my other stand-alone proof-of-concept instead of the game client,
following the same steps as above:

  http://aluigi.org/poc/sourcefslan.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
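The bug class described in section 2, as an added C example that is not part of the advisory and not Valve's code: a feature-specific global (the SourceTV "additional client") is allocated only once tv_enable is 1 and a map starts, so in the default configuration the pointer to it is NULL, and the handler that rejects a SourceTV-flagged client then calls a function pointer through it. The hardened variant shows the guard a fix would need: the pointer is checked at the call site before use. Every struct, function and variable name here (g_hltv, hltv_enable, process_client_info_vulnerable, process_client_info_hardened, the return codes) is invented for the illustration; only the disconnect reason string is taken from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the bug class described in the advisory; all names
 * are invented for illustration and are not the Source engine's own code. */

typedef struct client {
    int  id;
    int  is_hltv;       /* the connect packet flagged this client as SourceTV */
    int  connected;
    char reason[96];    /* last disconnect reason, kept for inspection */
} client_t;

/* SourceTV is modelled as an "additional client" with its own callbacks. */
typedef struct hltv_server {
    void (*on_client_dropped)(struct hltv_server *tv, const client_t *c);
    int   drops_seen;
} hltv_server_t;

/* Allocated only when tv_enable is 1 and a new map starts; NULL by default. */
static hltv_server_t *g_hltv = NULL;

static void hltv_on_client_dropped(hltv_server_t *tv, const client_t *c)
{
    (void)c;
    tv->drops_seen++;
}

int hltv_enable(void)
{
    if (g_hltv != NULL)
        return 1;
    g_hltv = calloc(1, sizeof *g_hltv);
    if (g_hltv == NULL)
        return 0;
    g_hltv->on_client_dropped = hltv_on_client_dropped;
    return 1;
}

void hltv_disable(void)
{
    free(g_hltv);
    g_hltv = NULL;
}

/* -1 while SourceTV is disabled, otherwise the number of drops it recorded. */
int hltv_drops_seen(void)
{
    return g_hltv ? g_hltv->drops_seen : -1;
}

/* The only value below taken from the advisory: the reason shown on the
 * server console right before the crash. */
static const char *const kSourceTVReject =
    "ProcessClientInfo: SourceTV can not connect to game directly.";

static void disconnect_client(client_t *c, const char *reason)
{
    c->connected = 0;
    snprintf(c->reason, sizeof c->reason, "%s", reason);
}

enum { CLIENT_OK = 0, CLIENT_REJECTED = 1, CLIENT_REJECTED_NOTIFIED = 2 };

/* VULNERABLE: the client is dropped with the SourceTV message and the engine
 * then calls through the SourceTV object without checking it. With SourceTV
 * disabled (g_hltv == NULL) this dereferences NULL and the server crashes. */
int process_client_info_vulnerable(client_t *c)
{
    if (!c->is_hltv)
        return CLIENT_OK;
    disconnect_client(c, kSourceTVReject);
    g_hltv->on_client_dropped(g_hltv, c);   /* no NULL check */
    return CLIENT_REJECTED_NOTIFIED;
}

/* HARDENED: a global that exists only while its feature is enabled must be
 * checked at every call site before it is used. */
int process_client_info_hardened(client_t *c)
{
    if (!c->is_hltv)
        return CLIENT_OK;
    disconnect_client(c, kSourceTVReject);
    if (g_hltv == NULL || g_hltv->on_client_dropped == NULL)
        return CLIENT_REJECTED;             /* SourceTV off: nothing to notify */
    g_hltv->on_client_dropped(g_hltv, c);
    return CLIENT_REJECTED_NOTIFIED;
}

int main(void)
{
    client_t c = { .id = 7, .is_hltv = 1, .connected = 1 };

    /* SourceTV disabled (default): the hardened handler rejects without
     * crashing; process_client_info_vulnerable(&c) here would dereference NULL. */
    printf("tv disabled: rc=%d reason=\"%s\"\n",
           process_client_info_hardened(&c), c.reason);

    hltv_enable();   /* with SourceTV on, both handlers notify it */
    printf("tv enabled: rc=%d drops=%d\n",
           process_client_info_vulnerable(&c), hltv_drops_seen());
    hltv_disable();
    return 0;
}
```

The point of keeping both handlers side by side is that they are identical until the one line that uses the feature pointer: the defect is not in the disconnect logic but in assuming a global exists whenever the code path that references it is reached. Any other call site that uses g_hltv needs the same guard, or the engine must refuse to classify a client as SourceTV while the feature is off, which is the earlier and safer place to stop this path.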