#######################################################################

                             Luigi Auriemma

Application:  Half-Life engine
              http://half-life.sierra.com
              http://www.steampowered.com
Versions:     before the 07 July 2004 (both Steam and non-Steam)
Platforms:    Windows and Linux
Bugs:         problems with split packets
Exploitation: remote, versus server and client
Date:         12 July 2004
Bug found by: Terry Henning (aka Soul Beaver)
Advisory:     Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Half-Life is without doubt the most famous FPS game in existence. It was
developed by Valve (http://www.valvesoftware.com) and released back in
1998, but after all this time it is still the most played game thanks to
its MODs, such as Counter-Strike, Natural Selection, Sven Co-op and many
others. Every day there are about 37,000 servers online!

As already stated in the header of this advisory, I want to underline
that this bug was found by Terry Henning.

#######################################################################

=======
2) Bugs
=======

UPDATE 31 Mar 2007:

A] old hlboom

Half-Life uses a 9-byte header in its split packets. When a split packet
is found (the first 4 bytes are "fe ff ff ff") the game performs a
memcpy() on the data that follows this header. If the packet is composed
of a total of 8 bytes (instead of at least 9), the game will try to copy
"packet_size - header_size" bytes, i.e. "8 - 9", which wraps around to
0xffffffff.

B] new hlboom

There is also another problem that occurs during the handling of the data
in the split packets. This bug is not 100% clear, but it seems related to
the position of the splits and the resulting size. On Windows, for
example, it is possible to force the reading of data at an arbitrary
offset in memory. No further debugging has been done on this bug.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/hlboom.zip

#######################################################################

======
4) Fix
======

If you use Steam you have already been patched for some days. Note that
Half-Life is now supported ONLY via Steam, Valve's half-hated, half-loved
content management system. The latest non-Steam patch stopped at 1.1.1.0
(affected by other, worse bugs) and is no longer supported.

UPDATE 31 Mar 2007:
I have released an unofficial patch for both bugs, which can be applied
only to versions x.1.1.1e of the dedicated server, for both Windows and
Linux:

  http://aluigi.org/patches/hlboomfix.lpatch

UPDATE 27 Aug 2006:
Unofficial patches for the Windows WON version are available here:

  http://www.steamlessproject.nl

#######################################################################
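Appendix (added by the editor, not part of the original advisory nor of
the engine's or the PoC's code): a small C illustration of the length
arithmetic behind bug A] and of the check that prevents it. The magic
"fe ff ff ff" and the 9-byte header size are taken from the advisory;
the meaning of the remaining five header bytes is not described there,
so the code treats them as opaque. unchecked_payload_len() reproduces
the unsigned subtraction that turns an 8-byte packet into a 0xffffffff
copy length; checked_payload_len() and copy_split_payload() show the
defensive version, which rejects any fragment shorter than its header
before anything is copied. The sample packets are constructed for the
example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* From the advisory: split packets start with these 4 bytes and carry
 * a 9-byte header before the payload. */
#define SPLIT_MAGIC      "\xfe\xff\xff\xff"
#define SPLIT_HEADER_LEN 9u

/* Constructed sample packets (not captured traffic).
 * truncated_pkt: magic present but only 8 bytes in total, i.e. the
 * header itself is cut short. good_pkt: full 9-byte header + "abc". */
static const uint8_t truncated_pkt[8]  = { 0xfe, 0xff, 0xff, 0xff,
                                           0x00, 0x00, 0x00, 0x00 };
static const uint8_t good_pkt[12]      = { 0xfe, 0xff, 0xff, 0xff,
                                           0x00, 0x00, 0x00, 0x00, 0x00,
                                           'a', 'b', 'c' };

/* The vulnerable arithmetic: packet_size - header_size with no lower
 * bound. For an 8-byte packet the unsigned result wraps to 0xffffffff,
 * which is then handed to memcpy(). (Reconstruction for illustration,
 * not the engine's actual code.) */
uint32_t unchecked_payload_len(uint32_t packet_len) {
    return packet_len - SPLIT_HEADER_LEN;
}

/* Hardened version: validates the fragment before any size is derived.
 * Returns the payload length, or -1 if the packet is not a well-formed
 * split fragment (wrong magic or header truncated). */
long checked_payload_len(const uint8_t *pkt, size_t packet_len) {
    if (pkt == NULL || packet_len < 4)
        return -1;
    if (memcmp(pkt, SPLIT_MAGIC, 4) != 0)
        return -1;                          /* not a split packet at all */
    if (packet_len < SPLIT_HEADER_LEN)
        return -1;                          /* header cut short: reject  */
    return (long)(packet_len - SPLIT_HEADER_LEN);
}

/* Copies the payload of a validated fragment into a bounded buffer.
 * Returns the number of bytes copied, or -1 if the fragment is malformed
 * or does not fit in out_cap. No memcpy() happens on the error path. */
long copy_split_payload(const uint8_t *pkt, size_t packet_len,
                        uint8_t *out, size_t out_cap) {
    long n = checked_payload_len(pkt, packet_len);
    if (n < 0 || (size_t)n > out_cap)
        return -1;
    memcpy(out, pkt + SPLIT_HEADER_LEN, (size_t)n);
    return n;
}

/* Exercises both sample packets through the hardened path.
 * Returns 1 if the good fragment is copied and the truncated one is
 * refused, 0 otherwise. */
int self_check(void) {
    uint8_t out[16];
    long n = copy_split_payload(good_pkt, sizeof good_pkt, out, sizeof out);
    if (n != 3 || memcmp(out, "abc", 3) != 0)
        return 0;
    if (copy_split_payload(truncated_pkt, sizeof truncated_pkt,
                           out, sizeof out) != -1)
        return 0;
    return 1;
}

int main(void) {
    printf("unchecked length for an 8-byte packet: 0x%08x\n",
           unchecked_payload_len(8));                     /* 0xffffffff */
    printf("checked length, truncated packet: %ld\n",
           checked_payload_len(truncated_pkt, sizeof truncated_pkt)); /* -1 */
    printf("checked length, 12-byte packet:   %ld\n",
           checked_payload_len(good_pkt, sizeof good_pkt));           /* 3 */
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```

The point for anyone writing a packet parser: derive the payload length
only after the minimum header length has been verified against the real
packet size, and treat a size that is smaller than the header as a
malformed packet rather than as data to copy.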