Bugtraq mailing list archives
Advisory: Half-life server buffer overflows and formatting vulnerabilities
From: "Stanley G. Bubrouski" <stan () CCS NEU EDU>
Date: Fri, 9 Mar 2001 17:38:30 -0500
Author: Stan Bubrouski (stan () ccs neu edu) Date: March 9, 2001 Package: Half-Life dedicated server for Windows and Linux and the Windows client as well. Versions affected: All are believed vulnerable including latest builds for Windows (Build 1572) and Linux (Build 1573) Severity: Remote users with access level high enough to execute the exec or map commands can exploit two buffer overflows and a string formatting vulnerability to crash the Half-Life server or execute commands to gain access to the host the server is running on. Problems: 1) When the 'map' command is sent more than 58 or 59 characters a potentially exploitable buffer overflow occurs. 2) When 235 or more characters are used with the 'exec' command a buffer is overflowed and the server crashes. 3) There is a string formatting vulnerabilitiy in the 'map' command. When it recieves any formatting characters like %s or %d it interprets them as format characters and if crafted right a user could crash the server or execute code as the user the server is running as. 4) There is a buffer overflow in the parsing of config files which could be used to execute code as the user running the server. This is dangerous because someone could place code in the config file of a module and distribute it to unsuspecting users. Copyright 2001 Stan Bubrouski -- Stan Bubrouski stan () ccs neu edu 316 Huntington Ave. Apt #676, Boston, MA 02115 (617) 377-7222
Current thread:
- Advisory: Half-life server buffer overflows and formatting vulnerabilities Stanley G. Bubrouski (Mar 11)