Advisory: Half-life server buffer overflows and formatting vulnerabilities

["Stanley G. Bubrouski" <stan () CCS NEU EDU>]

Author:   Stan Bubrouski (stan () ccs neu edu)
Date:   March 9, 2001
Package:   Half-Life dedicated server for Windows and Linux and the
Windows client as well.
Versions affected:  All are believed vulnerable including latest builds
for Windows (Build 1572) and Linux (Build 1573)
Severity:  Remote users with access level high enough to execute the exec
or map commands can exploit two buffer overflows and a string formatting
vulnerability to crash the Half-Life server or execute commands to gain
access to the host the server is running on.

Problems:

1) When the 'map' command is sent more than 58 or 59 characters a
potentially exploitable buffer overflow occurs.

2) When 235 or more characters are used with the 'exec' command a buffer
is overflowed and the server crashes.

3) There is a string formatting vulnerabilitiy in the 'map' command.  When
it recieves any formatting characters like %s or %d it interprets them as format
characters and if crafted right a user could crash the server or execute
code as the user the server is running as.

4) There is a buffer overflow in the parsing of config files which could
be used to execute code as the user running the server.  This is dangerous
because someone could place code in the config file of a module and
distribute it to unsuspecting users.


Copyright 2001 Stan Bubrouski

--
Stan Bubrouski                                       stan () ccs neu edu
316 Huntington Ave. Apt #676, Boston, MA 02115       (617) 377-7222