#######################################################################

                             Luigi Auriemma

Application:  Source Engine
              http://source.valvesoftware.com
Games:        Half-Life 2
                http://www.half-life2.com
              Counter-Strike: Source
                http://store.steampowered.com/app/240/
              OrangeBox / Team Fortress 2
                http://store.steampowered.com/app/440/
              Left 4 Dead
                http://www.l4d.com
              other games and mods
Versions:     <= build 3933
              bug B affects also build 3964
              bug A affects also build 3939 (\folder\file.txt)
Platforms:    Windows and Linux
Bugs:         A] arbitrary file uploading
              B] arbitrary file deletion
              C] disk space consumption with file uploading
Exploitation: remote, versus server (in-game)
Date:         19 Aug 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Source engine is the latest version and rewrite of the original
Half-Life engine (GoldSrc) developed by Valve
(http://www.valvesoftware.com). It is the engine behind Half-Life 2,
Counter-Strike: Source, Team Fortress 2, Left 4 Dead and various
others, which are among the most played internet multiplayer games in
existence, with over 10000 online servers.

#######################################################################

=======
2) Bugs
=======

---------------------------
A] arbitrary file uploading
---------------------------

By default the Source engine allows clients to download and upload
files. The download operation is denied if the requested name contains
a slash, a ".." or an unsupported extension (to avoid directory
traversal, although "\file" is still allowed); the upload operation
has no checks at all.
The result is that an attacker can upload files to arbitrary locations
on the server's disks, such as
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\bad.exe",
"\file.txt", "../file.txt" and so on. Existing files cannot be replaced
(the console shows the message "Download file 'FILENAME' already
exists!"), but it is possible to drop a malicious program into the
Startup folder so that it is executed at the next logon/reboot of the
system.

Note that these "file uploading" vulnerabilities can be exploited even
with uploads and downloads disabled: setting "sv_allowupload 0" does
NOT solve the problem.

--------------------------
B] arbitrary file deletion
--------------------------

As said above, the Source engine refuses to overwrite existing files
for security reasons, but there is an interesting bug that allows
deleting any file on the system and, at the same time, makes it
impossible to recreate or update it. If the name of the file to upload
ends with a slash or backslash (like "c:\file.txt/" or "c:\file.txt\"),
a folder with the same name as the file is created and the original
file no longer exists.

UPDATE 17 Sep 2009:
Although it was obvious to me, I want to explain that this bug exists
because the engine creates the full path specified in the string, so if
the client sends "mydir1\mydir2\mydir3\myfile.txt" all three
subdirectories are created under the main path of the game. What I said
about appending the slash/backslash at the end of the filename was only
a quick example, and I thought it was enough to understand the real
cause of the bug. So if the attacker specifies the file
"c:\autoexec.bat/", the original file "c:\autoexec.bat" is removed and
the folder "c:\autoexec.bat" is created in its place.
This bug can be exploited for two malicious purposes:

- game related: it is possible to delete any file the game needs to
  work or to maintain its configuration and security, which means
  deleting logs, configuration files ("cfg\server.cfg/", "motd.txt/",
  "cfg\banned_ip.cfg/", "../ClientRegistry.blob\" and so on), maps,
  resources, mods and everything else used by the game server

- system related: it is possible to delete any file on any disk
  arbitrarily, like Windows files, program files, files located in the
  user folder ("Documents and Settings") and so on

The fact that folders are created with the same names as the original
files also makes it impossible to update or regenerate the deleted
files automatically, because the operating system does not allow it,
so the admin must manually remove these folders to (partially) restore
the situation.

UPDATE 17 Sep 2009:
The patch that Valve released does NOT really fix this bug: it only
filters names with a slash/backslash at the end (like my quick example)
and so it fixes NOTHING. That's why "cfg\server.cfg\hello.txt" will
delete the file "cfg\server.cfg".

---------------------------------------------
C] disk space consumption with file uploading
---------------------------------------------

Due to the particular "bugged" handling of the uploaded files and of
the packets in which they are transmitted, it is possible to generate
zero-filled files of up to 64 megabytes using only a packet of a few
bytes. This can lead to the complete consumption of the server's disk
space (on any disk, because the locations are arbitrary), useful for
example to fill the current disk and prevent the creation of logs and
other game files (I guess that the server quits if no disk space is
available for its writes); in addition there is always a high lag
effect caused by the creation of the files in real time, which
temporarily freezes the server.
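The following script is an added example written for this page; it is
not code from the Source engine or from the proof-of-concept linked
below. It models the three behaviours described in A], B] and C] in a
small upload handler: the download-style filter that still lets "\file"
through, an unchecked store that joins whatever name the client sends,
creates every directory in the path (a file standing in the way becomes
a folder, as described above) and sizes the file to the length the
client declares, and next to it a hardened variant that refuses
absolute, drive-qualified, traversal and trailing-separator names,
never creates directories, never clobbers, and writes only the bytes it
actually received. The engine's real packet format and function names
are not known from this advisory, so the "declared_size" field, the
extension allow-list and all function names are assumptions made for
the example; the scenario runs inside a temporary directory, so the
Startup-folder case is only shown as a resolved path, never written.

```python
"""Added example (not Source engine or PoC code): an upload handler that
models bugs A, B and C next to a hardened version of the same steps.
Assumptions made for the example: the allow-list, the function names and
the client-declared size field; the advisory does not document them."""
import os
import tempfile
from pathlib import Path

ALLOWED_EXT = {".txt", ".wav", ".dat"}   # assumed allow-list, illustrative only
MAX_UPLOAD = 64 * 1024 * 1024            # the 64 MB ceiling mentioned in bug C


def weak_download_check(name: str) -> bool:
    """The download-side filter as the advisory describes it: a slash, '..'
    or an unsupported extension is refused, but a leading backslash is not."""
    if "/" in name or ".." in name:
        return False
    return os.path.splitext(name)[1].lower() in ALLOWED_EXT


def vulnerable_target(base: Path, name: str) -> str:
    """Bug A: where an unchecked handler would write. os.path.join discards
    `base` for an absolute name and normpath lets '..' climb out of it."""
    return os.path.normpath(os.path.join(str(base), name.replace("\\", "/")))


def vulnerable_store(base: Path, name: str, declared_size: int, data: bytes) -> Path:
    """Bugs B and C as the advisory describes them (modelled, not engine code):
    every directory in the name is created, a file standing in the way is
    replaced by a folder, and the file is sized to the client-declared length
    before any payload is written, so a few bytes yield a zero-filled file."""
    parts = name.replace("\\", "/").split("/")
    cur = base
    for part in parts[:-1]:
        cur = cur / part
        if cur.is_file():
            cur.unlink()               # the original file "will no longer exist"
        cur.mkdir(exist_ok=True)       # ... and a folder takes its place
    target = cur / parts[-1]
    if target.exists():                # the only check the engine is said to have
        raise FileExistsError(f"Download file '{name}' already exists!")
    with open(target, "wb") as f:
        f.truncate(declared_size)      # zero-filled to the declared size (bug C)
        f.write(data)
    return target


def safe_upload_path(base: Path, name: str) -> Path:
    """Hardened check: the name must stay a relative, fully-named path inside
    `base`, may not create directories, and may not land on an existing entry."""
    if not name or "\0" in name:
        raise ValueError("empty or NUL-containing name")
    raw = name.replace("\\", "/").split("/")     # treat both separators alike
    # ':' rejects 'C:\x' and 'C:x'; an empty component rejects '\x', 'a//b', 'x/'
    if ":" in name or any(c in ("", ".", "..") for c in raw):
        raise ValueError("absolute, drive-qualified, traversal or trailing-separator name")
    if os.path.splitext(raw[-1])[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    parent = base
    for part in raw[:-1]:
        parent = parent / part
        if not parent.is_dir():       # refuse to create directories (bug B root cause)
            raise ValueError(f"{part!r} is not an existing directory")
    target = parent / raw[-1]
    if target.exists():               # never clobber, whether file or folder
        raise ValueError("already exists")
    if base.resolve() not in target.resolve().parents:   # symlink defence
        raise ValueError("escapes the upload directory")
    return target


def hardened_store(base: Path, name: str, declared_size: int, data: bytes) -> Path:
    """Validates the name, caps the declared size and writes only the bytes
    actually received; the file is never pre-sized to a client-chosen length."""
    target = safe_upload_path(base, name)
    if not 0 <= len(data) <= declared_size <= MAX_UPLOAD:
        raise ValueError("declared size out of range or inconsistent with payload")
    with open(target, "xb") as f:     # 'x': fail rather than overwrite
        f.write(data)
    return target


def run_scenario() -> dict:
    """Constructed scenario: a game directory with cfg/server.cfg, exercised
    with the names quoted in the advisory. Every value is True when the bug
    or the defence behaves as described."""
    res = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "cfg").mkdir()
        (base / "cfg" / "server.cfg").write_text("hostname test\n")
        # Bug A: the download filter blocks '..' yet lets '\file.txt' through
        res["weak_blocks_dotdot"] = not weak_download_check("../file.txt")
        res["weak_allows_backslash"] = weak_download_check("\\file.txt")
        # ... and an unchecked upload name resolves outside the game directory
        inside = str(base) + os.sep
        res["vuln_escapes_base"] = all(
            not vulnerable_target(base, n).startswith(inside)
            for n in ("../file.txt", "/file.txt"))
        # Hardened check: every name from the advisory is refused ...
        bad = ("\\file.txt", "../file.txt", "C:\\x\\bad.exe", "motd.txt/",
               "cfg/server.cfg/", "cfg\\server.cfg\\hello.txt")
        refused = []
        for n in bad:
            try:
                safe_upload_path(base, n)
                refused.append(False)
            except ValueError:
                refused.append(True)
        res["hardened_rejects_all"] = all(refused)
        # ... while a well-formed name in an existing folder is stored as-is
        ok = hardened_store(base, "cfg/notes.txt", MAX_UPLOAD, b"ok")
        res["hardened_size_is_actual"] = ok.stat().st_size == 2
        # Bug B: the post-patch form turns cfg/server.cfg into a folder
        vulnerable_store(base, "cfg\\server.cfg\\hello.txt", 5, b"hello")
        res["vuln_clobbered_cfg"] = (base / "cfg" / "server.cfg").is_dir()
        # Bug C: a 5-byte payload yields a file of the declared size (1 MB here)
        big = vulnerable_store(base, "download\\big.dat", 1024 * 1024, b"hello")
        res["vuln_zero_filled"] = big.stat().st_size == 1024 * 1024
    return res


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:26} {v}")
```

Run it directly to see every check printed; each line reads True when
the modelled bug or the defence behaves as the text above describes.
The hardened variant deliberately refuses to create any directory: that
single rule removes the root cause of B] regardless of whether the
offending separator sits at the end of the name or in the middle, which
is exactly the case the trailing-slash filter misses. In a real
receiver the partial transfer should also go to a temporary file that
is deleted when the remaining fragments never arrive, so that a
declared size alone can never reserve disk space.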
#######################################################################

===========
3) The Code
===========

The following is the stand-alone proof-of-concept for confirming the
vulnerabilities against a LAN server quickly and easily:

  http://aluigi.org/poc/sourceupfilelan.zip

For testing a server in an internet/Steam environment I have released
the following plugin for proxocket/sudppipe, which MUST be recompiled
or hex edited to substitute the XXXXXXXXXXX...XXX string in it with the
desired filename to test (bug A and B) without modifying the length of
the dll file (so the result will be "c:\myfile.txt.XXXXXXXX...XXXX"
with a 0x00 byte after the name of the file as delimiter):

  http://aluigi.org/poc/sourceupfile.zip

Note that for bug A these proof-of-concepts will NOT upload a real file
to the test server but will only create an empty one at the provided
location.

Quick usage for proxocket (NOTE that some users report that this method
could give problems with VAC):
- download proxocket: http://aluigi.org/mytoolz.htm#proxocket
- copy ws2_32.dll and the myproxocket.dll of the PoC into the same
  folder where the game executable of the client is located
- start the client and join the server to test

Quick usage for sudppipe:
- download sudppipe: http://aluigi.org/mytoolz.htm#sudppipe
- copy myproxocket.dll into the same folder as sudppipe and start it:
    sudppipe -l myproxocket.dll SERVER PORT 1234
- start the client and join the server on 127.0.0.1:1234

UPDATE 17 Sep 2009:
Note that this proof-of-concept can't be used to test the file deletion
bug in versions >= 3939 because it uses a particular work-around to
reach the upload function (the protocol has not been figured out 100%
yet).

#######################################################################

======
4) Fix
======

No fix.

#######################################################################