Valve Software's Half-Life Gaming Server Can Be Crashed Remotely By Users and Could Give Users OS-Level Access to the Server's Host
SecurityTracker Alert ID: 1001079
SecurityTracker URL: http://securitytracker.com/id/1001079
Date: Mar 13 2001
Denial of service via network, Execution of arbitrary code via network, User access via network
Version(s): through Windows (Build 1572) and Linux (Build 1573)
It was reported that the Half-Life dedicated server (a gaming server) contains a vulnerability that allows certain authorized users to crash the server or execute arbitrary commands on the server.
It was reported that remote users with an access level high enough to execute the "exec" or "map" commands can exploit several buffer overflows and a formatting vulnerability to crash the Half-Life server or to execute arbitrary commands to gain access to the host running the server software.
When the "map" command is sent with more than approximately 58 or 59 characters, a buffer overflow occurs.
When the "exec" command is sent with 235 or more characters, a buffer overflow occurs and the server crashes.
When the "map" command is used with certain characters such as "%s" or "%d", these characters may be interpreted as format characters. This vulnerability could allow a remote user to crash the server or cause arbitrary commands or code to be executed on the server.
Finally, there is also a buffer overflow that occurs during the parsing of config files, which can reportedly be used to execute code with the privileges of the user running the server.
An authorized user with appropriate privileges could crash the server or could cause arbitrary code to be executed on the server, resulting in OS-level access on the host.
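The two bug classes reported above for the "map" command (an unbounded copy of the argument and the argument being interpreted as a format string), shown as a hardened handler. This is an added example, not Valve's code or code from the advisory; `handle_map_command`, `validate_map_name`, the `MAP_NAME_MAX` limit and the allowed character set are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAP_NAME_MAX 32 /* assumed limit for this example, not a Half-Life value */

/* Check a console argument before it reaches any fixed-size buffer.
 * Returns 0 if acceptable, -1 if empty or too long, -2 if it contains
 * a character outside [A-Za-z0-9_-] (this also rejects '%'). */
static int validate_map_name(const char *arg)
{
    size_t len = 0;
    while (len <= MAP_NAME_MAX && arg[len] != '\0')
        len++;                      /* never scans past MAP_NAME_MAX + 1 bytes */
    if (len == 0 || len > MAP_NAME_MAX)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return -2;
    }
    return 0;
}

/* Hypothetical handler for a "map <name>" console command. Writes a status
 * line into out and returns 0, or the negative validation error. */
int handle_map_command(const char *arg, char *out, size_t outlen)
{
    char name[MAP_NAME_MAX + 1];
    int rc = validate_map_name(arg);
    if (rc != 0) {
        snprintf(out, outlen, "map: rejected argument (%d)", rc);
        return rc;
    }
    snprintf(name, sizeof name, "%s", arg);   /* bounded copy, always terminated */
    /* Unsafe pattern: sprintf(out, name) treats user input as the format.
     * Here the format is a constant and the input is passed only as data. */
    snprintf(out, outlen, "Loading map %s", name);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: a normal name and one with format specifiers. */
    const char *samples[] = { "crossfire", "%s%s%d" };
    char out[64];
    for (size_t i = 0; i < 2; i++)
        printf("%d: %s\n", handle_map_command(samples[i], out, sizeof out), out);
    return 0;
}
```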
No solution was available at the time of this entry.
Vendor URL: www.valvesoftware.com
Boundary error, Input validation error
Underlying OS: Linux (Any), Windows (Any)
Source Message Contents
Subject: Advisory: Half-life server buffer overflows and formatting
From: Stanley G. Bubrouski
Sent: Friday, March 09, 2001 3:39 PM
Subject: Advisory: Half-life server buffer overflows and formatting
Author: Stan Bubrouski (email@example.com)
Date: March 9, 2001
Package: Half-Life dedicated server for Windows and Linux and the
Windows client as well.
Versions affected: All are believed vulnerable including latest builds
for Windows (Build 1572) and Linux (Build 1573)
Severity: Remote users with access level high enough to execute the exec
or map commands can exploit two buffer overflows and a string formatting
vulnerability to crash the Half-Life server or execute commands to gain
access to the host the server is running on.
1) When the 'map' command is sent more than 58 or 59 characters a
potentially exploitable buffer overflow occurs.
2) When 235 or more characters are used with the 'exec' command a buffer
is overflowed and the server crashes.
3) There is a string formatting vulnerability in the 'map' command. When
it receives any formatting characters like %s or %d it interprets them as
characters and if crafted right a user could crash the server or execute
code as the user the server is running as.
4) There is a buffer overflow in the parsing of config files which could
be used to execute code as the user running the server. This is dangerous
because someone could place code in the config file of a module and
distribute it to unsuspecting users.
Copyright 2001 Stan Bubrouski
Stan Bubrouski firstname.lastname@example.org
316 Huntington Ave. Apt #676, Boston, MA 02115 (617) 377-7222