######################################################################

Applications: Half-Life (http://half-life.sierra.com) MODs
Versions:     1.1.1.0
Platforms:    Windows
Bugs:         Buffer overflow in liblist.gam and arbitrary code execution
              through customized DLL files
Risk:         High
Author:       Auriemma Luigi
              Senior Security Researcher, PivX Solutions, LLC
              e-mail: aluigi@pivx.com
              web:    http://www.pivx.com/luigi/

######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy

######################################################################

===============
1) Introduction
===============

Valve's Half-Life was released in 1998 but still remains the world's most popular FPS game. The success of the game is largely due to the overwhelming community support, which has spawned a range of MODs for the game, including the popular Counter-Strike MOD and Day of Defeat.

The cause of these problems is MODs. One of these problems is an inherent flaw in the basic structure of Half-Life and cannot be fixed without fundamental changes.

######################################################################

======
2) Bug
======

The 2 bugs are:

---------------------------------
[A] Buffer-overflow in liblist.gam
---------------------------------

liblist.gam is a text file present in every MOD. The problem is a buffer overflow caused by long values. The following liblist.gam demonstrates the problem:

---liblist.gam---
game "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPxaaaaaaaaaaaa"
gamedll "what you want"
-----------------

The buffer-overflow happens when there is a value of 276 bytes and only when the gamedll parameter is specified.
NOTE: The important and "strange" thing to see is that the stored return address is overwritten by the 4 bytes at offset 260 of the value. We need to add another 12 bytes after it to cause the buffer-overflow and successfully overwrite the stored EIP.

--------------------------------------
[B] Do you know the DLL files in MODs?
--------------------------------------

A lot of MODs are distributed with custom DLL files that are contained in the folders "dlls" and "cl_dlls". The problem is easily explained: the DLL files used by MODs are real binary libraries that can contain all the code you want! Which means that I can create a malicious DLL that I distribute with a MOD, and everyone who uses it will run my malicious code.

This problem "CANNOT" be fixed by Valve, so be careful when you use an unknown MOD or you download a MOD from a non-trusted site.

######################################################################

===========
3) The Code
===========

---------------------------------
[A] Buffer-overflow in liblist.gam
---------------------------------

---liblist.gam---
game "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPxaaaaaaaaaaaa"
gamedll "what you want"
-----------------

--------------------------------------
[B] Do you know the DLL files in MODs?
--------------------------------------

Create a Half-Life DLL or add any malicious code to an existing DLL.

#######################################################################

======
4) Fix
======

Valve was notified of this vulnerability on April 14 2003, and replied that they were working to patch these bugs. Since that last point of contact, Valve and its representatives have been contacted on multiple occasions for a status update on the patch, without any replies.
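With no patch available, the check a fixed parser needs is a length test on every liblist.gam value before it is copied into a fixed buffer. The bounded reader below is an added example, not Auriemma's code and not Valve's parser; the 255-byte cap and the constructed sample file are assumptions, while the 276-byte trigger length and the "only with gamedll present" condition come from the advisory above.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not Auriemma's or Valve's code: a bounded reader for the key "value"
 * lines of liblist.gam that length-checks every value before copying it. */
#define MAX_VALUE   255  /* assumption: cap chosen for this demo */
#define TRIGGER_LEN 276  /* from the advisory: value length that overflows */
enum { OK = 0, ERR_TOO_LONG = 1, ERR_SYNTAX = 2, ERR_MISSING = 3 };

/* Locate `key "value"` in text and copy value into out (capacity outsz). */
int liblist_get(const char *text, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key);
    for (const char *line = text; line && *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > klen && strncmp(line, key, klen) == 0 && line[klen] == ' ') {
            const char *open = memchr(line + klen, '"', len - klen);
            const char *close = open ? memchr(open + 1, '"', len - (size_t)(open + 1 - line)) : NULL;
            if (!open || !close) return ERR_SYNTAX;
            size_t vlen = (size_t)(close - open - 1);
            if (vlen >= outsz) return ERR_TOO_LONG;  /* reject instead of overflowing the buffer */
            memcpy(out, open + 1, vlen);
            out[vlen] = '\0';
            return OK;
        }
        line = eol ? eol + 1 : NULL;
    }
    return ERR_MISSING;
}
/* Advisory condition: a game value of >= 276 bytes together with a gamedll line. */
int liblist_overflow_risk(const char *text) {
    char v[4096];
    if (liblist_get(text, "gamedll", v, sizeof v) == ERR_MISSING) return 0;
    int rc = liblist_get(text, "game", v, sizeof v);
    return rc == ERR_TOO_LONG || (rc == OK && strlen(v) >= TRIGGER_LEN);
}
/* Constructed sample file: a game value of vlen 'a' bytes, then the advisory's gamedll line. */
static const char *build_constructed(size_t vlen) {
    static char file[2048];
    if (vlen > 1024) vlen = 1024;
    int n = sprintf(file, "game \"");
    memset(file + n, 'a', vlen);
    sprintf(file + n + vlen, "\"\ngamedll \"what you want\"\n");
    return file;
}
int check_constructed(size_t vlen) {   /* bounded parser's verdict for that sample */
    char val[MAX_VALUE + 1];
    return liblist_get(build_constructed(vlen), "game", val, sizeof val);
}
int risk_constructed(size_t vlen) { return liblist_overflow_risk(build_constructed(vlen)); }
```

A MOD whose liblist.gam is rejected with ERR_TOO_LONG, or flagged by liblist_overflow_risk, should be treated as hostile rather than loaded.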
#######################################################################

==========================
5) Researcher's Philosophy
==========================

Be free. The researchers' community needs your reversing, your programs, and your research. Never let your passion die and don't stop your work!

Disclosure: Full and responsible disclosure can lead to a quick fix, and prevent a problem before it gets into the wrong hands.

#######################################################################

====================
About PivX Solutions
====================

PivX Solutions is a premier network security consultancy offering a myriad of network security services to our clients. For more information go to http://www.PivX.com

#######################################################################

---
Researcher
http://www.pivx.com/luigi/