Vulnerability Development mailing list archives

Format string bug in Half-Life client, but is it really exploitable???


From: Luigi Auriemma <aluigi () altervista org>
Date: Mon, 29 Sep 2003 19:01:39 +0000


Hey,

some weeks ago I found a format string bug in the Half-Life client.
The bug happens when an unknown command is used and the game returns a
string like the following:

\x02Unknown command: wrong_command_used\n
|   |                |                 |
|   |                |                 line feed
|   |                command used (exactly what has been written in the
|   |                console)
|   string
type of message


The function that shows this string is vulnerable to a format string bug, in
fact the following is a simple example:


]%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x
Unknown command:
270b4768.270b47e8.270b4868.270b48e8.27031ae9.0a07f128.00000002.01e11f28.01d1105c

01e11f28 is the pointer to the string to use to format ("\x02Unknown
command: %08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n")
01d1105c instead is the return address of the function (however note that
Half-Life uses an encoded executable and in my test I have seen that this
address "sometimes" changes...):

...
01d11058   57         push edi
01d11059   56         push esi
01d1105a   ffd0       call eax    <--- 27031ad0 of client.dll
01d1105c   83c40c     add esp, 0c
..



Naturally the problem is not only local... but remote too, because all the
commands typed in the client's console are sent to the server that manages
them, and if the command is unknown it returns the "Unknown command" message
to the client (data type 0x4d).
This means that a malicious server can send formatted strings to each
client.


Unfortunately, I don't have much experience with the exploitation of format
string bugs, so I can't be sure about the "real" exploitation of this problem
to execute remote code on the client.


I have released a proof-of-concept to test the vulnerability (for both *nix
and Win) that sends the bad string to the connected client when the client
or the server sends a message (for example "say hello"):

http://aluigi.altervista.org/poc/hlclientfs.zip


(However remember that the bug can be tested also locally)


Does someone think this bug can be used to execute code remotely?
Can it really be exploited?

Thanx in advance!


BYEZ




--- 
Luigi Auriemma
http://aluigi.altervista.org
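
Added example, not code from the post or from the game: the safe way to build the "Unknown command" message the post describes (the untrusted command goes in as an argument to a fixed format string, so "%08x" in it is copied literally), plus a small detector a client could run on text received from a server; function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Message type byte 0x02 followed by the text quoted in the post. */
#define MSG_TYPE_PREFIX "\x02" "Unknown command: "

/* Safe form: the command is an ARGUMENT, never the format string itself,
 * so a command such as "%08x.%08x" is echoed back as plain text instead
 * of being interpreted by the printf engine. Returns snprintf's count. */
int safe_unknown_command_msg(char *out, size_t n, const char *cmd)
{
    return snprintf(out, n, MSG_TYPE_PREFIX "%s\n", cmd);
}

/* Detection helper: counts conversion specifiers in received text, i.e.
 * every '%' that is not part of a literal "%%". A non-zero count in a
 * command echo coming from a server is worth logging or dropping, since a
 * legitimate console command has no reason to carry format directives. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" prints a single '%' and is harmless */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample input mimicking the probe string in the post. */
    const char *probe = "%08x.%08x.%08x.%08x";
    char buf[128];

    safe_unknown_command_msg(buf, sizeof buf, probe);
    printf("directives in probe: %d\n", count_format_directives(probe));
    printf("safe output: %s", buf + 1);   /* skip the 0x02 type byte */
    return 0;
}
```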

