I mean that informing people about the fact that mods could have malicious
code is stupid (I got this message from bugtraq).

Bodek

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Pat Magnan
> Sent: Wednesday, July 30, 2003 12:36 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [hlcoders] FW: Half-Life: fun with MODs
>
>
> OMG you mean a mod could contain malicious code? What an arse.
>
> The overrun in liblist.gam is a bit of an issue, however.
>
> At 12:16 AM 7/30/2003 +0200, you wrote:
> >HI,
> >
> >Look at this, very interesting (liblist.gam) but not dangerous in my
> >opinion, and very silly. Maybe commonly known (DLLs with malicious code hehe
> >who creates mods with trojans or other dangerous things ?!?)
> >
> >Bodek
> >
> >-----Original Message-----
> >From: Auriemma Luigi [mailto:[EMAIL PROTECTED]
> >Sent: Tuesday, July 29, 2003 8:33 PM
> >To: undisclosed-recipients:
> >Subject: Half-Life: fun with MODs
> >
> >
> >######################################################################
> >
> >Applications: Half-Life (http://half-life.sierra.com) MODs.
> >Versions:     1.1.1.0
> >Platforms:    Windows
> >Bugs:         Buffer overflow in liblist.gam and arbitrary code
> >               execution through customized DLL files
> >Risk:         High
> >Author:       Auriemma Luigi
> >               Senior Security Researcher, PivX Solutions, LLC
> >               e-mail: [EMAIL PROTECTED]
> >               web:    http://www.pivx.com/luigi/
> >
> >
> >######################################################################
> >
> >
> >1) Introduction
> >2) Bug
> >3) The Code
> >4) Fix
> >5) Philosophy
> >
> >
> >######################################################################
> >
> >===============
> >1) Introduction
> >===============
> >
> >
> >Valve's Half-Life was released in 1998 but still remains the world's
> >most popular FPS game.
> >
> >The success of the game is largely due to the overwhelming community
> >support, which has spawned a range of MODs for the game - including
> >the popular Counter-Strike MOD and Day Of Defeat.
> >
> >The cause of these problems is MODs.
> >One of these problems is an inherent flaw in the basic structure of
> >Half-Life and cannot be fixed without fundamental changes.
> >
> >
> >
> >######################################################################
> >
> >======
> >2) Bug
> >======
> >
> >
> >The 2 bugs are:
> >
> >
> >---------------------------------
> >[A] Buffer-overflow in liblist.gam
> >---------------------------------
> >
> >Liblist.gam is a text file present in every MOD. The problem is a
> >buffer overflow caused by long values.
> >
> >The following liblist.gam demonstrates the problem:
> >
> >---liblist.gam---
> >
> >game
> >"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
> >aaaaaaaaaa
> >aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
> >aaaaaaaaaa
> >aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
> >aaaaaaaaaa
> >aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPxaaaaaaaaaaaa"
> >gamedll "what you want"
> >
> >-----------------
> >
> >
> >The buffer-overflow happens when there is a value of 276 bytes and
> >only when the gamedll parameter is specified.
> >
> >NOTE: The important and "strange" thing to see is that the stored
> >return address is overwritten by the 4 bytes at offset 260 of the
> >value.
> >We need to add another 12 bytes after it to cause the buffer-overflow
> >and successfully overwrite the stored EIP.
> >
> >
> >
> >--------------------------------------
> >[B] Do you know the DLL files in MODs?
> >--------------------------------------
> >
> >
> >A lot of MODs are distributed with custom DLL files that are contained
> >in the folders "dlls" and "cl_dlls".
> >
> >The problem is easily explained:
> >
> >The DLL files used by MODs are real binary libraries that can contain
> >all the code you want!
> >Which means that I can create a malicious DLL that I distribute with
> >a MOD and everyone that uses it will run my malicious code.
> >
> >
> >[Bodek]Really ??? I can't believe ????!!! :)
> >
> >This problem "CANNOT" be fixed by Valve, so be careful when you use an
> >unknown MOD or you download a MOD from a non-trusted site.
> >
> >
> >
> >######################################################################
> >
> >===========
> >3) The Code
> >===========
> >
> >
> >---------------------------------
> >[A] Buffer-overflow in liblist.gam
> >---------------------------------
> >
> >---liblist.gam---
> >
> >game
> >"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
> >aaaaaaaaaa
> >aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
> >aaaaaaaaaa
> >aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
> >aaaaaaaaaa
> >aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPxaaaaaaaaaaaa"
> >gamedll "what you want"
> >
> >-----------------
> >
> >
> >
> >--------------------------------------
> >[B] Do you know the DLL files in MODs?
> >--------------------------------------
> >
> >
> >Create a Half-Life DLL or add any malicious code in an existing DLL.
> >
> >
> >
> >#######################################################################
> >
> >======
> >4) Fix
> >======
> >
> >
> >Valve was notified of this vulnerability on April 14 2003, and replied
> >that they were working to patch these bugs.
> >
> >Since that last point of contact, Valve and its representatives have
> >been contacted on multiple occasions for a status update on the patch,
> >without any replies.
> >
> >
> >
> >#######################################################################
> >
> >==========================
> >5) Researcher's Philosophy
> >==========================
> >
> >
> >Be free.
> >The researchers' community needs your reversing, your programs, and
> >your research. Never let your passion die and don't stop your work!
> >
> >Disclosure:
> >Full and responsible disclosure can lead to a quick fix, and prevent a
> >problem before it gets into the wrong hands.
> >
> >
> >
> >#######################################################################
> >
> >====================
> >About PivX Solutions
> >====================
> >
> >
> >PivX Solutions is a premier network security consultancy offering a
> >myriad of network security services to our clients.
> >
> >For more information go to http://www.PivX.com
> >
> >
> >#######################################################################
> >
> >---
> >Researcher
> >http://www.pivx.com/luigi/
> >
> >
> >
> >_______________________________________________
> >To unsubscribe, edit your list preferences, or view the list archives,
> >please visit:
> >http://list.valvesoftware.com/mailman/listinfo/hlcoders
>
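
The advisory quoted above attributes bug [A] to long values in liblist.gam (a 276-byte value, with the stored return address at offset 260). The following is an added example, not code from the thread or from Valve: a bounds-checked parser for one `key "value"` line that rejects an oversized value instead of copying it. The 256-byte buffer size, the `//` comment handling, and the names `parse_liblist_line` and `check_value_length` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 256 /* assumed size; the engine's real buffer is not given on the page */

enum { LL_OK = 0, LL_SKIP = 1, LL_MALFORMED = -1, LL_TOO_LONG = -2 };

/* Parse one `key "value"` line into caller buffers of key_sz and val_sz bytes.
 * Lengths are checked before any copy, terminator included. */
int parse_liblist_line(const char *line, char *key, size_t key_sz,
                       char *val, size_t val_sz)
{
    while (isspace((unsigned char)*line)) line++;
    /* blank lines and // lines are skipped (treated as comments here) */
    if (*line == '\0' || (line[0] == '/' && line[1] == '/')) return LL_SKIP;

    size_t klen = strcspn(line, " \t\"");
    if (klen == 0) return LL_MALFORMED;
    if (klen >= key_sz) return LL_TOO_LONG;

    const char *p = line + klen;
    while (*p == ' ' || *p == '\t') p++;
    if (*p != '"') return LL_MALFORMED;
    p++;
    const char *end = strchr(p, '"');
    if (end == NULL) return LL_MALFORMED;
    size_t vlen = (size_t)(end - p);
    if (vlen >= val_sz) return LL_TOO_LONG; /* reject; never truncate silently */

    memcpy(key, line, klen); key[klen] = '\0';
    memcpy(val, p, vlen);    val[vlen] = '\0';
    return LL_OK;
}

/* Constructed input: build `game "<n filler bytes>"` and parse it. */
int check_value_length(size_t n)
{
    char line[600], key[32], val[VALUE_MAX];
    if (n > sizeof line - 16) return LL_MALFORMED;
    size_t off = (size_t)snprintf(line, sizeof line, "game \"");
    memset(line + off, 'a', n);
    line[off + n] = '"';
    line[off + n + 1] = '\0';
    return parse_liblist_line(line, key, sizeof key, val, sizeof val);
}

int main(void)
{
    printf("20-byte value:  %d\n", check_value_length(20));
    printf("276-byte value: %d\n", check_value_length(276));
    return 0;
}
```

A loader built this way would refuse the MOD and log the offending key rather than continue with a partial value.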
