#######################################################################

                             Luigi Auriemma

Application:  Source Engine
              http://source.valvesoftware.com
Games:        Half-Life 2
              http://www.half-life2.com
              Counter-Strike: Source
              http://store.steampowered.com/app/240/
              OrangeBox / Team Fortress 2
              http://store.steampowered.com/app/440/
              Left 4 Dead
              http://www.l4d.com
              other games and mods
Versions:     <= build 3933
Platforms:    Windows and Linux
Bug:          memory corruption through malformed fragments
Exploitation: remote, versus server (in-game)
Date:         20 Aug 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Source engine is the latest version and rewrite of the original
Half-Life engine (GoldSrc) developed by Valve
(http://www.valvesoftware.com).
It's the engine used for games like Half-Life 2, Counter-Strike: Source,
Team Fortress 2, Left 4 Dead and various others, which are also among
the most played Internet multiplayer games in absolute terms, with over
10000 online servers.

#######################################################################

======
2) Bug
======

The Source engine implements a rather complex method for handling
fragmented packets.
Long story short, a small heap buffer is allocated to hold the entire
packet, and the client can arbitrarily choose the offset at which the
new fragment is placed, within a range bigger than the memory
available.
Relative to the memory assigned for the packet, the offset at which
the write can be performed goes from 0 to a maximum of 0x3ffff00, with
a maximum size of 0x700 bytes per fragment.
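As an added illustration, not code from the advisory or from the engine: a simplified, hypothetical reassembly routine in C that contrasts a check against the protocol maxima alone (the kind of check the paragraph above describes) with a check against the buffer that was actually allocated. The 0x3ffff00 and 0x700 limits are the ones quoted above; the 0x800-byte buffer and the fragment offsets in the demo are constructed values.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Limits quoted in the advisory: offset up to 0x3ffff00, payload up to 0x700. */
#define MAX_FRAG_OFFSET 0x3ffff00u
#define MAX_FRAG_SIZE   0x700u

/* Hypothetical, simplified reassembly state; not the engine's own structure. */
typedef struct {
    uint8_t *buf;    /* heap buffer allocated for the whole packet */
    uint32_t total;  /* announced total length = size of buf */
} reasm_t;

/* Check of the kind the advisory describes: offset and length are compared only
   with the protocol-wide maxima, never with the buffer that was actually
   allocated. Returns 1 when the fragment would be accepted. */
int frag_check_protocol_only(uint32_t offset, uint32_t len) {
    return offset <= MAX_FRAG_OFFSET && len <= MAX_FRAG_SIZE;
}

/* Hardened check: the fragment must lie entirely inside the allocated buffer.
   Written as len <= total - offset so that offset + len cannot wrap. */
int frag_check_bounded(uint32_t total, uint32_t offset, uint32_t len) {
    if (!frag_check_protocol_only(offset, len)) return 0;
    if (offset >= total) return 0;
    return len <= total - offset;
}

/* Copies a fragment into the buffer only if the bounded check passes.
   Returns 1 on success, 0 if the fragment was dropped. */
int frag_store(reasm_t *r, uint32_t offset, const uint8_t *payload, uint32_t len) {
    if (!frag_check_bounded(r->total, offset, len)) return 0;
    memcpy(r->buf + offset, payload, len);
    return 1;
}

/* Constructed scenario on a 0x800-byte buffer: a fragment at offset 0x100 fits
   and must be written; one at 0x100000 (legal for the protocol, far outside the
   buffer) must be dropped. Returns 1 when both happen. */
int frag_store_demo(void) {
    uint8_t payload[MAX_FRAG_SIZE];
    reasm_t r = { calloc(0x800, 1), 0x800 };
    if (!r.buf) return 0;
    memset(payload, 0x41, sizeof payload);
    int ok = frag_store(&r, 0x100, payload, MAX_FRAG_SIZE) == 1
          && r.buf[0x7ff] == 0x41
          && frag_store(&r, 0x100000, payload, MAX_FRAG_SIZE) == 0;
    free(r.buf);
    return ok;
}
```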
So memory can be overflowed (corrupted, or written in unallocated
zones) with the content of the attacker's packets, giving him a
possible way to control the code execution flow by overwriting
function pointers and other sensitive memory.

#######################################################################

===========
3) The Code
===========

For quickly confirming the vulnerability and testing a LAN server it's
enough to try the following stand-alone proof-of-concept:

  http://aluigi.org/poc/sourcefraghoflan.zip

For testing the vulnerability in a real environment (Internet with
Steam) it is necessary to use the following proof-of-concept:

  http://aluigi.org/poc/sourcefraghof.zip

It's a plugin for sudppipe/proxocket which forges the malformed packets
(compatible with HL2 and CSS) when the real client sends its first
in-game packet.

Quick usage for proxocket (NOTE that some users report that this method
could give problems with VAC):

- download proxocket: http://aluigi.org/mytoolz.htm#proxocket
- copy ws2_32.dll and the myproxocket.dll of the PoC into the same
  folder as the client's game executable
- start the client and join the server to test

Quick usage for sudppipe:

- download sudppipe: http://aluigi.org/mytoolz.htm#sudppipe
- copy myproxocket.dll into the same folder as sudppipe and start it:

    sudppipe -l myproxocket.dll SERVER PORT 1234

- start the client and join the server on 127.0.0.1:1234

#######################################################################

======
4) Fix
======

No fix.

#######################################################################