#######################################################################

                             Luigi Auriemma

Application:  Half-Life engine
              http://half-life.sierra.com
              http://www.steampowered.com
Versions:     before the 07 July 2004 (both Steam and non-Steam)
Platforms:    Windows and Linux
Bug:          writing on a read-only memory zone causing crash
Risk:         high
Exploitation: remote, versus server and client
Date:         12 July 2004
Bug found by: Terry Henning (aka Soul Beaver)
Advisory:     Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org

#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Half-Life is without doubt the most famous FPS game in existence.
It was developed by Valve (http://www.valvesoftware.com) and released
back in 1998, but after all this time it continues to be the most
played game thanks to its MODs, such as Counter-Strike, Natural
Selection, Sven Co-op and many others.
Every day there are about 37.000 servers online!

As already specified in the header of this advisory, I want to
underline that this bug was found by Terry Henning.


#######################################################################

======
2) Bug
======


The problem is a crash of the game (both servers and clients are
vulnerable) caused by a malformed packet.
Every Half-Life packet starts with an 8-byte header used to track
packets and to reassemble split data; this second feature is the
cause of the crash, because the game doesn't correctly handle empty
split packets (packets consisting of the 8-byte header only).
The crash is the result of data being copied to a read-only region of
memory (the .reloc section of swds.dll).

An example of a malicious packet is the following:

  "\xFE\xFF\xFF\xFF\x00\x00\x00\x00"

Naturally, spoofing is possible.

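As an added illustration, not part of the original advisory or of the PoC it links, the following defender-side check classifies captured UDP payloads and flags the header-only split packets described above. It assumes, from the example packet, that a split packet is introduced by the 4-byte marker \xFE\xFF\xFF\xFF followed by a 4-byte packet id; the sample traffic and addresses are constructed.

```python
import struct

# Assumption drawn from the packet shown in the advisory: a split packet
# starts with the 4-byte marker FE FF FF FF, followed by a 4-byte packet
# id used to reassemble the fragments. Together they form the 8-byte header.
SPLIT_MARKER = b"\xFE\xFF\xFF\xFF"
HEADER_LEN = 8


def classify(payload: bytes) -> str:
    """Label one UDP payload sent to a Half-Life port.

    'short'       - fewer than 8 bytes, not even a complete header
    'empty_split' - split header with no fragment data (the crash case)
    'split'       - split packet that actually carries fragment data
    'normal'      - any other packet
    """
    if len(payload) < HEADER_LEN:
        return "short"
    if payload[:4] != SPLIT_MARKER:
        return "normal"
    if len(payload) == HEADER_LEN:
        return "empty_split"
    return "split"


def packet_id(payload: bytes) -> int:
    """Second header dword (assumed reassembly id), little-endian."""
    return struct.unpack_from("<I", payload, 4)[0]


def flag_malformed(datagrams):
    """Return (source, packet_id) for every header-only split packet seen."""
    hits = []
    for src, payload in datagrams:
        if classify(payload) == "empty_split":
            hits.append((src, packet_id(payload)))
    return hits


# Constructed sample traffic: a normal connectionless query, a split
# fragment carrying data, and the 8-byte packet from the advisory.
SAMPLE = [
    ("10.0.0.5:27005", b"\xFF\xFF\xFF\xFFgetchallenge\n"),
    ("10.0.0.6:27005", SPLIT_MARKER + b"\x01\x00\x00\x00" + b"\x02fragment"),
    ("10.0.0.7:27005", b"\xFE\xFF\xFF\xFF\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for src, pid in flag_malformed(SAMPLE):
        print(f"header-only split packet from {src} (id {pid})")
```

Running it reports only the third datagram; the same check can be dropped into a packet filter in front of a server to drop such packets before they reach the engine.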
#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/hlboom.zip


#######################################################################

======
4) Fix
======


If you use Steam you have already been patched for some days.
Note that Half-Life is now supported ONLY via Steam, Valve's
half-hated, half-loved content management system.
The latest non-Steam patch stopped at 1.1.1.0 (affected by other,
worse bugs) and is no longer supported.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org