Of course people can do that. It's an issue with all software you download, regardless of whether it's a mod for a game or a text editor or something. Software like that can potentially contain malicious code.
It's just the whole "stating the obvious" thing that gets me. But people (in general) don't always understand that a .DLL file contains executable code; they think that the .EXE file is the only thing that is executed.
There should be a bit clearer warning, but apart from that, there's not much else you can do about it.
DAV wrote:
Nevertheless, the report makes sense and in the DLL part it is correct.
We all know that we can place whatever code we want in the DLL files. A programmer with bad intentions could perfectly create a fake mod (or even a real one) and place the malicious code there...
Davide (DAV)
Email: [EMAIL PROTECTED]
Azure Sheep: http://www.halflifeitalia.com/azuresheep/
Point of View: http://www.halflifeitalia.com/pov/
DAV Levels: http://www.planetquake.com/davlevels/
----- Original Message ----- From: "Bodek" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, July 30, 2003 9:25 AM Subject: RE: [hlcoders] FW: Half-Life: fun with MODs
I mean that informing people about the fact that mods could have malicious code is stupid (I got this message from bugtraq).
Bodek
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Pat Magnan Sent: Wednesday, July 30, 2003 12:36 AM To: [EMAIL PROTECTED] Subject: Re: [hlcoders] FW: Half-Life: fun with MODs
OMG you mean a mod could contain malicious code? What an arse.
The overrun in liblist.gam is a bit of an issue, however.
At 12:16 AM 7/30/2003 +0200, you wrote:
Hi, malicious code hehe
Look at this, very interesting (liblist.gam) but not dangerous in my opinion, and very silly. Maybe commonly known (DLLs with
who creates mods with trojans or other dangerous things ?!?) aaaaaaaaaa
Bodek
-----Original Message----- From: Auriemma Luigi [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2003 8:33 PM To: undisclosed-recipients: Subject: Half-Life: fun with MODs
######################################################################
Applications: Half-Life (http://half-life.sierra.com) MODs.
Versions:     1.1.1.0
Platforms:    Windows
Bugs:         Buffer overflow in liblist.gam and arbitrary code execution through customized DLL files
Risk:         High
Author:       Auriemma Luigi
              Senior Security Researcher, PivX Solutions, LLC
e-mail:       [EMAIL PROTECTED]
web:          http://www.pivx.com/luigi/
######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy
######################################################################
===============
1) Introduction
===============
Valve's Half-Life was released in 1998 but still remains the world's most popular FPS game.
The success of the game is largely due to the overwhelming community support, which has spawned a range of MODs for the game - including the popular Counter-Strike MOD and Day Of Defeat.
The cause of these problems is MODs. One of these problems is an inherent flaw in the basic structure of Half-Life and cannot be fixed without fundamental changes.
######################################################################
======
2) Bug
======
The 2 bugs are:
---------------------------------
[A] Buffer-overflow in liblist.gam
---------------------------------
Liblist.gam is a text file present in every MOD. The problem is a buffer overflow caused by long values.
The following liblist.gam demonstrates the problem:
---liblist.gam---
game "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPxaaaaaaaaaaaa" gamedll "what you want"
-----------------
The buffer-overflow happens when there is a value of 276 bytes and only when the gamedll parameter is specified.
NOTE: The important and "strange" thing to see is that the stored return address is overwritten by the 4 bytes at offset 260 of the value. We need to add another 12 bytes after it to cause the buffer-overflow and successfully overwrite the stored EIP.
--------------------------------------
[B] Do you know the DLL files in MODs?
--------------------------------------
A lot of MODs are distributed with custom DLL files that are contained in the folders "dlls" and "cl_dlls".
The problem is easily explained:
The DLL files used by MODs are real binary libraries that can contain all the code you want! Which means that I can create a malicious DLL that I distribute with a MOD, and everyone that uses it will run my malicious code.
[Bodek] Really??? I can't believe????!!! :)
This problem "CANNOT" be fixed by Valve, so be careful when you use an unknown MOD or you download a MOD from a non-trusted site.
######################################################################
===========
3) The Code
===========
---------------------------------
[A] Buffer-overflow in liblist.gam
---------------------------------
---liblist.gam---
game "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPxaaaaaaaaaaaa" gamedll "what you want"
-----------------
--------------------------------------
[B] Do you know the DLL files in MODs?
--------------------------------------
Create a Half-Life DLL or add any malicious code to an existing DLL.
#######################################################################
======
4) Fix
======
Valve was notified of this vulnerability on April 14 2003, and replied that they were working to patch these bugs.
Since that last point of contact, Valve and its representatives have been contacted on multiple occasions for a status update on the patch, without any replies.
#######################################################################
==========================
5) Researcher's Philosophy
==========================
Be free. The researchers' community needs your reversing, your programs, and your research. Never let your passion die and don't stop your work!
Disclosure: Full and responsible disclosure can lead to a quick fix, and prevent a problem before it gets into the wrong hands.
#######################################################################
====================
About PivX Solutions
====================
PivX Solutions is a premier network security consultancy offering a myriad of network security services to our clients.
For more information go to http://www.PivX.com
#######################################################################
---
Researcher
http://www.pivx.com/luigi/
_______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlcoders
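The advisory quoted in this thread describes a fixed-size field being filled from an untrusted liblist.gam value (the return address lands at offset 260, the crash needs 276 bytes). The example below is added here as a defender's illustration and is not code from the advisory, from Valve, or from any of the posters: a liblist.gam line parser that checks the quoted value against its buffer before copying and rejects the over-long case, plus a scanner that walks a whole file and reports how far past the limit any value goes. The limit LIBLIST_VALUE_MAX, the struct layout, and the sample file contents are assumptions chosen for the demonstration, not values taken from the engine.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed field limit. The advisory places the stored return address at
 * offset 260 of the value, so the engine evidently copies into a fixed buffer
 * of roughly that size; 255 is our own choice for this example, not the
 * engine's real number. */
#define LIBLIST_VALUE_MAX 255
#define LIBLIST_KEY_MAX   31

struct liblist_entry {
    char key[LIBLIST_KEY_MAX + 1];
    char value[LIBLIST_VALUE_MAX + 1];
};

/* Parse one `key "value"` line into a fixed-size entry.
 * Returns true on success. Returns false, writing nothing, when the line is
 * malformed or the quoted value is longer than the destination buffer: the
 * overflow condition is refused before any copy happens. */
bool liblist_parse_line(const char *line, struct liblist_entry *out)
{
    const char *p = line;
    while (*p == ' ' || *p == '\t') p++;

    size_t klen = strcspn(p, " \t\"\r\n");
    if (klen == 0 || klen > LIBLIST_KEY_MAX) return false;
    const char *key = p;
    p += klen;

    while (*p == ' ' || *p == '\t') p++;
    if (*p != '"') return false;                 /* value must be quoted */
    p++;

    const char *end = strchr(p, '"');
    if (end == NULL) return false;               /* unterminated value */
    size_t vlen = (size_t)(end - p);
    if (vlen > LIBLIST_VALUE_MAX) return false;  /* the 276-byte case is rejected here */

    memcpy(out->key, key, klen);
    out->key[klen] = '\0';
    memcpy(out->value, p, vlen);
    out->value[vlen] = '\0';
    return true;
}

/* Walk a whole liblist.gam buffer line by line. Returns the number of lines
 * that failed to parse. *longest receives the longest quoted value seen,
 * including rejected ones, so a reviewer can see how far past the limit a
 * file goes. Blank lines and // comments are skipped. */
int liblist_scan(const char *text, size_t *longest)
{
    int rejected = 0;
    *longest = 0;
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[4096];
        if (len >= sizeof buf) len = sizeof buf - 1;  /* clamp, never overrun */
        memcpy(buf, line, len);
        buf[len] = '\0';

        const char *q = buf;
        while (*q == ' ' || *q == '\t') q++;
        if (*q != '\0' && *q != '\r' && strncmp(q, "//", 2) != 0) {
            /* measure the raw quoted length before the bounded parse */
            const char *open = strchr(q, '"');
            const char *close = open ? strchr(open + 1, '"') : NULL;
            if (open && close) {
                size_t vlen = (size_t)(close - open - 1);
                if (vlen > *longest) *longest = vlen;
            }
            struct liblist_entry e;
            if (!liblist_parse_line(q, &e)) rejected++;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample: two ordinary entries, then a 276-byte value, the
     * length the advisory names. The dll path is made up for the example. */
    char big[300];
    memset(big, 'a', 276);
    big[276] = '\0';
    char text[512];
    snprintf(text, sizeof text,
             "game \"Counter-Strike\"\ngamedll \"dlls/mp.dll\"\ngame \"%s\"\n", big);

    size_t longest;
    int bad = liblist_scan(text, &longest);
    printf("rejected=%d longest=%zu\n", bad, longest);
    return bad ? 1 : 0;
}
```

The design point is that the length check happens against the destination size and before the copy, and that an over-long value is refused outright rather than silently truncated; a truncated "game" name would hide the fact that the file was malformed, while a rejection is something a loader can log or surface to the user.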