SecurityTracker.com
Category:   Application (Game)  >   Half-Life
Vendors:   Valve Software
Half-Life Game Server and Client Can Be Crashed With Specially Crafted Packet Splitting Data
SecurityTracker Alert ID:  1010678
SecurityTracker URL:  http://securitytracker.com/id/1010678
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 12 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): Prior to 07 July 2004
Description:   Luigi Auriemma reported a vulnerability in Sierra's Half-Life engine. A remote user can cause the game to crash.

A remote user can reportedly send a specially crafted packet to the target system to cause the target game service to crash (affecting both the client and the server).

It is reported that the software does not properly process split data, causing the target application to attempt to write to read-only memory and crash.

A demonstration exploit packet is provided:

"\xFE\xFF\xFF\xFF\x00\x00\x00\x00"

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/hlboom.zip

Terry Henning (aka Soul Beaver) is credited with discovering this flaw.

Impact:   A remote user can cause the target game client or server to crash.
Solution:   The vendor has issued a fix (via Steam).
Cause:   Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Remote crash of Half-Life servers and clients (versions before the



#######################################################################

                              Luigi Auriemma

Application:  Half-Life engine
               http://half-life.sierra.com
               http://www.steampowered.com
Versions:     before the 07 July 2004 (both Steam and not-Steam)
Platforms:    Windows and Linux
Bug:          writing on a read-only memory zone causing crash
Risk:         high
Exploitation: remote, versus server and client
Date:         12 July 2004
Bug found by: Terry Henning (aka Soul Beaver)
Advisory:     Luigi Auriemma
               e-mail: aluigi@altervista.org
               web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Half-Life is the most famous FPS game in existence, no doubt.
It has been developed by Valve (http://www.valvesoftware.com) and was
released back in 1998, but even after all this time it
continues to be the most played game with its MODs like Counter-Strike,
Natural Selection, Sven Co-op and many others.
Every day there are about 37.000 servers online!

As already specified in the header of this advisory, I want to underline
that this bug was found by Terry Henning.


#######################################################################

======
2) Bug
======


The problem is a crash of the game (both servers and clients are
vulnerable) caused by a malformed packet.
Each Half-Life packet starts with 8 bytes used to track
packets and to reassemble split data; it is this second feature that is
the cause of the crash, because the game doesn't correctly manage
empty split packets (that is, those composed of the first 8 bytes only).
The crash is the effect of copying data to a read-only part of
memory (.reloc of swds.dll).

An example of a malicious packet is the following:

   "\xFE\xFF\xFF\xFF\x00\x00\x00\x00"

Naturally, spoofing is possible.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/hlboom.zip


#######################################################################

======
4) Fix
======


If you use Steam, you have already been patched for some days.

Note that Half-Life is now supported ONLY via Steam, Valve's half-hated
or loved content management system.
The latest non-Steam patch stopped at 1.1.1.0 (affected by other,
worse bugs) and is no longer supported.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org
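
Added example (not from the advisory, the PoC archive or Valve's fix): a pre-filter that a UDP proxy in front of an unpatched server could apply, dropping split-marked datagrams that carry nothing beyond the 8-byte header described above. Treating the leading 0xFFFFFFFE of the sample packet as the split marker is an assumption drawn from that sample; the function, enum and sample names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Per the advisory: the first 8 bytes of a packet track it and drive reassembly. */
#define HL_HEADER_LEN   8u
/* Assumption: first 4 bytes of the advisory's sample packet, read little-endian. */
#define HL_SPLIT_MARKER 0xFFFFFFFEu

enum hl_verdict { HL_PASS = 0, HL_DROP_EMPTY_SPLIT = 1 };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Drop split-marked datagrams that carry no bytes beyond the 8-byte header
 * (or only a truncated header); everything else is passed on unchanged. */
enum hl_verdict hl_prefilter(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 4)
        return HL_PASS;                 /* too short to carry the marker */
    if (rd_le32(buf) == HL_SPLIT_MARKER && len <= HL_HEADER_LEN)
        return HL_DROP_EMPTY_SPLIT;     /* header only: nothing to reassemble */
    return HL_PASS;
}

/* Constructed samples; the first is the packet quoted in the advisory. */
const uint8_t hl_sample_empty_split[] = {0xFE,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00};
const uint8_t hl_sample_split_data[]  = {0xFE,0xFF,0xFF,0xFF,0x01,0x00,0x00,0x00,0x41};
const uint8_t hl_sample_truncated[]   = {0xFE,0xFF,0xFF,0xFF,0x00,0x00};
const uint8_t hl_sample_other[]       = {0xFF,0xFF,0xFF,0xFF,0x01,0x02,0x03,0x04};

int main(void)
{
    printf("empty split : %d\n",
           (int)hl_prefilter(hl_sample_empty_split, sizeof hl_sample_empty_split));
    printf("split + data: %d\n",
           (int)hl_prefilter(hl_sample_split_data, sizeof hl_sample_split_data));
    printf("truncated   : %d\n",
           (int)hl_prefilter(hl_sample_truncated, sizeof hl_sample_truncated));
    printf("non-split   : %d\n",
           (int)hl_prefilter(hl_sample_other, sizeof hl_sample_other));
    return 0;
}
```

Because the advisory notes that spoofing is possible, the check keys on packet content only and does not rely on the source address.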



 
 

