New Hlds Exploit
Eternal_Bliss
Join Date: 2002-11-07 Member: 7633 Members, NS1 Playtester, Contributor
<div class="IPBDescription">For win32 and Linux</div> <a href='http://www.securityfocus.com/archive/1/330880/2003-07-26/2003-08-01/0' target='_blank'>http://www.securityfocus.com/archive/1/330...26/2003-08-01/0</a>
I will quote some of the major points:
<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->Versions: 1.1.1.0 and previous versions (including all MODs
based on the game, such as Counter-Strike and DoD)
3.1.1.1c1 and 4.1.1.1a of the free dedicated server
Platforms: Windows and Linux
Bugs: Remote buffer overflow and Denial of Service
Risk: High
<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->The only limitation in this buffer-overflow is that some bytes can not
be used in the shellcode because they are delimiters or otherwise
reserved for use by the Half-Life protocol. This puts some minor
constraints on the execution of the remote code, but is far from
limiting.
Further, there is a Denial of Service vulnerability that completely
freezes the server, entering it into an infinite loop.
<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->The proof-of-concept exploit is very simple, and acts partly as a DoS
and a code execution exploit.
The return address is overwritten with the offset of a function in
SWDLL.DLL that displays a message in the console of the dedicated
server, after which it crashes.
This approach was chosen to demonstrate actual code execution without
endangering the administrator, enabling the admin to easily verify
whether the server is vulnerable.
The POC exploit can be used against both the dedicated and the game
servers, overwriting the stored address with 0x063c27f5.
<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->Valve was notified of this vulnerability on April 14 2003, and replied
that they were working to patch these bugs.
<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
<b><!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->Half-Life 1.1.1.0 dedicated server (retail game):
<a href='http://www.pivx.com/luigi/patches/hlbof-server-1110-fix.zip' target='_blank'>http://www.pivx.com/luigi/patches/hlbof-se...er-1110-fix.zip</a>
Half-Life 4.1.1.1a dedicated server for Windows:
<a href='http://www.pivx.com/luigi/patches/hlbof-server-4111a-fix.zip' target='_blank'>http://www.pivx.com/luigi/patches/hlbof-se...r-4111a-fix.zip</a><!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd--></b>
<b>Note: The above fix is not an official fix!</b>
Protect your servers people.
Comments
BUT, it says "Your executable is out of date" when trying to auth with WON or whatever.
<!--emo&:(--><img src='http://www.unknownworlds.com/forums/html/emoticons/sad.gif' border='0' style='vertical-align:middle' alt='sad.gif'><!--endemo-->
The workaround for the exploit is to set the server's password, but then no Free For All obviously... <!--emo&???--><img src='http://www.unknownworlds.com/forums/html/emoticons/confused.gif' border='0' style='vertical-align:middle' alt='confused.gif'><!--endemo-->
<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->BUT, it says "Your executable is out of date" when trying to auth with WON or whatever.
<!--emo&:(--><img src='http://www.unknownworlds.com/forums/html/emoticons/sad.gif' border='0' style='vertical-align:middle' alt='sad.gif'><!--endemo--> <!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
says the same thing when I tried it out. but at least it protects your server from this particular exploit.
<a href='http://www.pivx.com/luigi/patches/hlbof-server-4111c1-fix.zip' target='_blank'>http://www.pivx.com/luigi/patches/hlbof-se...-4111c1-fix.zip</a>
For the first time since the first week of November, 2002, I have had to kill our NS server until an acceptable resolution can be found. (This is even more unfortunate as I was really looking forward to installing NS 2.0 today... )
thanks,
-f!
Come on Valve..
Wendigo
I am gonna take a wild guess that now the number of attacks that are seen using this is gonna go up.
Seeing from the mailing list, Valve is working on releasing a patch today.
<a href='http://forums.unitedadmins.com/index.php?act=ST&f=55&t=29934' target='_blank'>http://forums.unitedadmins.com/index.php?a...ST&f=55&t=29934</a>
Enjoy