halflifeclient.txt

Posted Jul 29, 2003
Authored by Luigi Auriemma | Site aluigi.altervista.org

Half-Life client versions 1.1.1.0 and below (including all MODs based on the game, such as Counter-Strike and DoD) on Windows have a remote buffer overflow in the connection routine.

tags | advisory, remote, overflow
systems | windows
SHA-256 | 9540a71644397aa409518bdea6814beebd68bcc6d4a27ae30c029fa370e794df

#######################################################################

Applications: Half-Life (http://half-life.sierra.com)
Versions: 1.1.1.0 and previous versions (including all MODs
based on the game, such as Counter-Strike and DoD)
Platforms: Windows
Bugs: Remote buffer overflow
Risk: High
Author: Auriemma Luigi
Senior Security Researcher, PivX Solutions, LLC
e-mail: aluigi@pivx.com
web: http://www.pivx.com/luigi/


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix
5) Researcher's Philosophy


#######################################################################

===============
1) Introduction
===============


Valve's Half-Life was released in 1998 but still remains the world's
most popular FPS game.

The success of the game is largely due to the overwhelming community
support, which has spawned a range of MODs for the game - including
the popular Counter-Strike MOD and Day Of Defeat.



#######################################################################

======
2) Bug
======


There is a buffer overflow in the connection routine of the Half-Life
client.

The only limitation in this buffer overflow is that some bytes cannot
be used in the shellcode because they are delimiters or otherwise
reserved for use by the Half-Life protocol. This puts some minor
constraints on the execution of the remote code, but is far from
limiting.

The problem is caused by a long string inserted as the parameter or the
value in the data that the server sends to the client when the client
asks for information.


An example of a parameter and value pair:

\name\Test
 ^    ^
 |    value
 parameter


To reach the stored return address the data must be at least 516 bytes
long for the parameter and at least 268 bytes long for the value.

In the dedicated server 1.1.1.0, the function that doesn't check the
length of the parameter buffer starts at address 0x0041b410, and the
loop that copies the bytes is:

:0041B454 84C9 test cl, cl
:0041B456 0F8488000000 je 0041B4E4
:0041B45C 880A mov byte ptr [edx], cl
:0041B45E 8A4E01 mov cl, byte ptr [esi+01]
:0041B461 42 inc edx
:0041B462 46 inc esi
:0041B463 80F95C cmp cl, 5C
:0041B466 75EC jne 0041B454


The return address is stored at memory offset 0x0467a634.


The same thing happens for the buffer overflow in the value field:

:0041B47E 84D2 test dl, dl
:0041B480 740C je 0041B48E
:0041B482 8811 mov byte ptr [ecx], dl
:0041B484 8A5601 mov dl, byte ptr [esi+01]
:0041B487 41 inc ecx
:0041B488 46 inc esi
:0041B489 80FA5C cmp dl, 5C
:0041B48C 75F0 jne 0041B47E

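The two loops above copy bytes until a NUL or a backslash with no length check. As an added example (not code from the advisory or from Valve), here is a bounded parser for the same "\key\value" info-string format: the copy stops at the buffer's capacity, and a message with any oversized field is rejected whole. KEY_MAX and VAL_MAX are illustrative caps, not Half-Life's real buffer sizes.

```c
#include <stddef.h>
#include <string.h>
/* Added example, not from the advisory: a bounded parser for the "\key\value"
   info-string format of section 2. KEY_MAX/VAL_MAX are illustrative caps. */
#define KEY_MAX 64
#define VAL_MAX 64
/* Same job as the disassembled loops (copy until NUL or '\'), but writes at most
   cap-1 bytes and flags longer input. Returns the delimiter that ended the field. */
static const char *copy_field(char *dst, size_t cap, const char *src, int *trunc) {
    size_t n = 0;
    *trunc = 0;
    for (; *src && *src != '\\'; src++) {
        if (n + 1 < cap) dst[n++] = *src;
        else *trunc = 1;   /* the unchecked loop would keep writing past dst here */
    }
    dst[n] = '\0';
    return src;
}
/* Finds `key` in `info`: 1 and `out` filled on success, 0 if absent, -1 if any
   field exceeds its cap. An oversized message is rejected whole, not truncated. */
int info_lookup(const char *info, const char *key, char *out, size_t outcap) {
    char k[KEY_MAX];
    int ktrunc, vtrunc;
    const char *p = info;
    while (*p) {
        if (*p == '\\') p++;                     /* '\' introduces each key */
        p = copy_field(k, sizeof k, p, &ktrunc);
        if (*p == '\\') p++;                     /* '\' separates key and value */
        p = copy_field(out, outcap, p, &vtrunc);
        if (ktrunc || vtrunc) return -1;
        if (strcmp(k, key) == 0) return 1;
    }
    out[0] = '\0';
    return 0;
}
/* 1 if `key` resolves to exactly `expect`, else 0. */
int lookup_equals(const char *info, const char *key, const char *expect) {
    char v[VAL_MAX];
    return info_lookup(info, key, v, sizeof v) == 1 && strcmp(v, expect) == 0;
}
/* Constructed message shaped like the advisory's trigger: a 600-byte value,
   far longer than the receiving buffer. Returns the parser's verdict (-1). */
int demo_oversized_value(void) {
    char info[608] = "\\name\\", v[VAL_MAX];   /* rest of info is zero-filled */
    memset(info + 6, 'a', 600);                 /* info[606] stays NUL */
    return info_lookup(info, "name", v, sizeof v);
}
```

A receiver that returns -1 here should drop the whole packet; truncating silently would let a malformed server response pass as a valid one.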


#######################################################################

===========
3) The Code
===========


The proof-of-concept exploit is a fake Half-Life server that sends the
information back to the client with the oversized string in the parameter
or the value (choose which of the two buffer overflows you want to test).
The exploit doesn't include demonstration code to execute remotely, but
only a string of 'a' characters followed by 4 bytes ("EIP.") that will
overwrite the stored return address.
Use a debugger to see the program exception and the overwritten EIP.

The code can be compiled on both Windows and Unix:


http://www.pivx.com/luigi/poc/hlbof-client.zip




#######################################################################

======
4) Fix
======


Valve was notified of this vulnerability on April 14 2003, and replied
that they were working to patch these bugs.

Since that last point of contact, Valve and its representatives have
been contacted on multiple occasions for a status update on the patch,
without any replies.



#######################################################################

==========================
5) Researcher's Philosophy
==========================


Be free.
The researchers' community needs your reversing, your programs, and
your research. Never let your passion die and don't stop your work!

Disclosure:
Full and responsible disclosure can lead to a quick fix, and prevent a
problem before it gets into the wrong hands.



#######################################################################

====================
About PivX Solutions
====================


PivX Solutions is a premier network security consultancy offering a
myriad of network security services to our clients.

For more information go to http://www.PivX.com


#######################################################################



---
Researcher
http://www.pivx.com/luigi/

