Format string bug in Half-Life client, but is it really exploitable???

Sep 30, 2003 (SECURITYVULNS:DOC:5176, archived at vulners.com)

Hey,

some weeks ago I found a format string bug in the Half-Life client.
The bug happens when an unknown command is used and the game returns a
string like the following:

\x02Unknown command: wrong_command_used\n
|   |                |                  |
|   |                |                  line feed
|   |                command used (exactly what has been written in the
|   |                console)
|   string
type of message

The function that shows this string is vulnerable to a format string bug, in
fact the following is a simple example:

]%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x
Unknown command:
270b4768.270b47e8.270b4868.270b48e8.27031ae9.0a07f128.00000002.01e11f28.01d1105c

01e11f28 is the pointer to the string to use to format ("\x02Unknown
command: %08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n")
01d1105c instead is the return address of the function (however note that
Half-Life uses an encoded executable and in my test I have seen that this
address "sometimes" changes…):


01d11058 57 push edi
01d11059 56 push esi
01d1105a ffd0 call eax <-- 27031ad0 of client.dll
01d1105c 83c40c add esp, 0c

Naturally the problem is not only local but also remote, because all the
commands typed in the client's console are sent to the server that manages
them, and if the command is unknown it returns the "Unknown command" message
to the client (data type 0x4d).
This means that a malicious server can send formatted strings to each
client.

Unfortunately, I don't have much experience with the exploitation of format
string bugs, so I can't be sure about the "real" exploitability of this problem
to execute remote code on the client.

I have released a proof-of-concept to test the vulnerability (for both *nix
and Win) that sends the bad string to the connected client when the client
or the server sends a message (for example "say hello"):

http://aluigi.altervista.org/poc/hlclientfs.zip

(However remember that the bug can be tested also locally)

Does someone think this bug can be used to execute code remotely?
Can it really be exploited?

Thanx in advance!

BYEZ


Luigi Auriemma
http://aluigi.altervista.org
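The double-formatting pattern the post describes (a reply string is built with the command inserted via %s, and the finished text is then handed to a printf-style console routine as its format), shown beside the one-token fix at the call site. This is an added example, toy C written for this page; it is not Luigi's proof-of-concept and not Half-Life's code. `con_printf`, `build_unknown_command_reply` and the other names are made up, and the `%08x` payload is constructed to match the shape of the console test in the post. The vulnerable call is deliberately undefined behaviour (missing variadic arguments) and is here only to make visible what the hex output in the post means.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define CON_LINE_MAX 512

/* Hypothetical console print routine in the usual engine style: a printf
 * wrapper that renders into a line buffer.  The routine itself is fine; the
 * bug is in how it gets called below. */
static void con_printf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Step 1 (correct): build the reply text.  The command is data here, inserted
 * through %s, so a command containing %08x is just copied. */
static void build_unknown_command_reply(char *out, size_t n, const char *cmd)
{
    snprintf(out, n, "\x02Unknown command: %s\n", cmd);
}

/* 1 if the %08x directives are still literal text in the rendered line
 * (not interpreted), 0 if they were expanded into stack contents. */
int directives_preserved(const char *rendered)
{
    return strstr(rendered, "%08x") != NULL;
}

/* Render "Unknown command: <cmd>" into out[n] through either path and report
 * whether the attacker's directives survived as text. */
int render_unknown_command(const char *cmd, int hardened, char *out, size_t n)
{
    char reply[CON_LINE_MAX];

    build_unknown_command_reply(reply, sizeof reply, cmd);

    if (hardened) {
        /* Fix: the finished text is an argument, the format is a constant. */
        con_printf(out, n, "%s", reply);
    } else {
        /* Bug: the finished text, which the remote side partly controls, IS
         * the format string.  Each %08x now pulls a 32-bit value from the
         * caller's stack frame, which is exactly the walk of hex words shown
         * in the post; %s would dereference those values and %n would write.
         * Deliberately wrong, undefined behaviour. */
        con_printf(out, n, reply);
    }
    return directives_preserved(out);
}

int main(void)
{
    /* Constructed payload, the same shape as the post's console test. */
    const char *payload = "%08x.%08x.%08x.%08x";
    char line[CON_LINE_MAX];

    render_unknown_command(payload, 0, line, sizeof line);
    printf("vulnerable: %s", line + 1);   /* skip the \x02 type byte */
    render_unknown_command(payload, 1, line, sizeof line);
    printf("hardened:   %s", line + 1);
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`; the vulnerable line prints four 8-digit hex words where the hardened line prints the literal `%08x.%08x.%08x.%08x`. Marking `con_printf` with `__attribute__((format(printf, 3, 4)))` and compiling with `-Wformat -Wformat-security` makes gcc and clang flag the bare `con_printf(out, n, reply)` call ("format not a string literal and no format arguments"), which is the cheapest way to sweep a code base for this pattern.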