#######################################################################

                             Luigi Auriemma

Application:  Half-Life engine
              http://half-life.sierra.com
              http://www.steampowered.com
Versions:     earlier than 07 July 2004 (both Steam and non-Steam versions)
Platforms:    Windows and Linux
Bugs:         problems in the handling of split packets
Exploitation: remote, against servers and clients
Date:         12 July 2004
Bug found by: Terry Henning (aka Soul Beaver)
Advisory:     Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Half-Life is without doubt the most famous FPS in existence. It was developed by Valve (http://www.valvesoftware.com) and released back in 1998, but even after all this time it continues to be the most played video game thanks to its MODs such as Counter-Strike, Natural Selection, Sven Co-op and many others. Every day there are almost 37,000 servers online!

As already stated in the header of this advisory, I want to stress that the bug was found by Terry Henning.

#######################################################################

=======
2) Bugs
=======

UPDATE 31 Mar 2007:

A] old hlboom

Half-Life uses a header in the split packets which is 9 bytes big. When a split packet is found (the first 4 bytes are "fe ff ff ff") the game performs a memcpy() on the data after this header. If the packet is composed of a total of 8 bytes (instead of at least 9) the game will try to copy "packet_size - header_size" bytes, so "8 - 9", which means 0xffffffff.

B] new hlboom

There is also another problem which happens during the handling of the data in the split packets. This bug is not 100% clear; anyway it seems related to the position of the splits and the resulting size.
On Windows, for example, it is possible to force the reading of data at an arbitrary offset in memory. No other debugging has been done on this bug.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/hlboom.zip

#######################################################################

======
4) Fix
======

If you use Steam you have already been patched for some days. Note that Half-Life is now supported ONLY via Steam, Valve's half-hated, half-loved content management system. The latest non-Steam patch stopped at 1.1.1.0 (affected by other, worse bugs) and is no longer supported.

UPDATE 31 Mar 2007:
I have released an unofficial patch for both the bugs which can be applied only to versions x.1.1.1e of the dedicated server for both Windows and Linux:

http://aluigi.org/patches/hlboomfix.lpatch

UPDATE 27 Aug 2006:
Unofficial patches for the Windows WON version are available here:

http://www.steamlessproject.nl

#######################################################################
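The following is an added example, not code from the advisory, from hlboom or from the Half-Life engine. It models bug A from section 2: the unsigned subtraction "packet_size - header_size" with no minimum-length check, which turns an 8-byte datagram into a memcpy() length of 0xffffffff, shown beside a hardened split-packet handler that rejects short datagrams before any copy. The 4-byte marker fe ff ff ff and the 9-byte header size are taken from the advisory; the meaning of the remaining header bytes, the function names and the sample datagrams are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout, taken from the advisory: a split packet begins with the
 * 4-byte marker fe ff ff ff and carries a 9-byte header before its payload.
 * The meaning of header bytes 4..8 is not described in the advisory and is
 * not needed here. */
#define SPLIT_MARKER      0xfffffffeu   /* bytes fe ff ff ff read little-endian */
#define SPLIT_HEADER_SIZE 9u

/* Size-only model of the flawed length computation: "packet_size -
 * header_size" in unsigned arithmetic with no minimum-length check.
 * The return value is the length that would be handed to memcpy(). */
uint32_t payload_len_unchecked(uint32_t packet_size)
{
    return packet_size - SPLIT_HEADER_SIZE;
}

/* Hardened handler (assumed design, not the engine's): validates the
 * marker, the minimum length and the destination capacity before copying.
 * Returns 0 on success, -1 if the packet is shorter than the header,
 * -2 if it is not a split packet, -3 if the payload would not fit. */
int parse_split_packet(const uint8_t *pkt, size_t pkt_len,
                       uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (pkt == NULL || out == NULL || out_len == NULL)
        return -1;
    if (pkt_len < SPLIT_HEADER_SIZE)      /* the check the old code lacked */
        return -1;

    uint32_t marker = (uint32_t)pkt[0]
                    | ((uint32_t)pkt[1] << 8)
                    | ((uint32_t)pkt[2] << 16)
                    | ((uint32_t)pkt[3] << 24);
    if (marker != SPLIT_MARKER)
        return -2;

    size_t payload = pkt_len - SPLIT_HEADER_SIZE;   /* cannot underflow now */
    if (payload > out_cap)
        return -3;

    memcpy(out, pkt + SPLIT_HEADER_SIZE, payload);
    *out_len = payload;
    return 0;
}

/* Constructed 8-byte datagram: valid marker, but one byte short of a
 * complete header. This is the input described under bug A. */
int demo_short_packet(void)
{
    const uint8_t pkt[8] = { 0xfe, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 };
    uint8_t out[64];
    size_t n = 0;
    return parse_split_packet(pkt, sizeof pkt, out, sizeof out, &n);
}

/* Constructed 12-byte datagram: full 9-byte header plus 3 payload bytes.
 * Returns the payload length the handler reports, or 0 on rejection. */
size_t demo_valid_packet(void)
{
    const uint8_t pkt[12] = { 0xfe, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
                              0x00, 'a', 'b', 'c' };
    uint8_t out[64];
    size_t n = 0;
    if (parse_split_packet(pkt, sizeof pkt, out, sizeof out, &n) != 0)
        return 0;
    return n;
}

int main(void)
{
    printf("unchecked length for an 8-byte packet: 0x%08x\n",
           payload_len_unchecked(8));
    printf("hardened handler on 8-byte packet: %d\n", demo_short_packet());
    printf("hardened handler on 12-byte packet: %zu payload bytes\n",
           demo_valid_packet());
    return 0;
}
```

The two checks that matter are the ones a network parser needs before any arithmetic on the length: the datagram must be at least as long as the fixed header, and the computed payload must fit the destination buffer. With both in place the subtraction can no longer wrap, so the 8-byte case is dropped instead of reaching memcpy().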