The new engine crashes when it parses a connect packet sent by some NOSTEAM 
clients for protocol version 48. The packets look like this one:

\xFF\xFF\xFF\xFFconnect 48 821425444 
"\\prot\\3\\unique\\-1\\raw\\steam\\cdkey\\57f64e351b16ccfa1a08ef655b6abdf0" 
"\\_cl_autowepswitch\\0\\bottomcolor\\6\\cl_dlmax\\128\\cl_lc\\1\\cl_lw\\1\\cl_updaterate\\100\\model\\gordon\\name\\GnG\\topcolor\\30\\rate\\50000"\x0A{\xC6/\xC2\x93\xB6\xFD\xC2\x90\x00\x95\xDC\xE2kq,\x83\x17\x06\xE9\x1F\x0E\x01\x97w\x1C\xD0~\x07\xE1dZ\xE6$5T\xEFj\x871\x1E\xC7\xEC\xCA<\xF5\x0B\xBC\xBF\xA3\x9F`\xEC\x0F\xC3\xFE>\xD7l=\x0B\x0D7\xDEe\x89e\xAA?\x83#\xA9\xD0a\x0F\x95=\xCD\xF9\x8E\xFF\xFF\xFF\xFF:9\xD3A\x0E\xB8\xD8\xCF\xD9\x1B\xA2\xD9\xBE\x9E\xC5\xAD\xCA(Z\x92ps\x06'[EMAIL
 
PROTECTED];U\xB5\xB9\xB6X\x95\xA5\x8C<\xF0\xBD\x0D\xA8#\xF8\x1C~\xDE[z\x0A\x82\xCCG\x80\xCE&[EMAIL
 
PROTECTED]'\xD1>\xE7\x8A}\x06t{\x1F\xF9H0\xAD\x8B">\xF3\xA7F\xA5\x85\xDE\x17\x0D\xF8\xC4\xE8OQ\x97\x107\xBE"<[EMAIL
 
PROTECTED]@\xD6\x97\xB9P\x09\x0FX\x9C\xE1\x8F\x00nS\xC6\xF5\x05m\x1CM0\x96\xE8T\x1B\x16\xE3.h\xD9\xDD\xBE\x81o\xAE\xC7-XpQb\x7F\xEBO[\x04Q~\xE9>,\x90\x0E\x01\x94\x8A\xC8\x1C\xA5k+&0\x0E\xB2{\xB1Q\xD7\x81\x81w\xE10M\xCB\xFE\xD1\xC7\x86\x91\x05\x9B\xF3\xCD\x0A\xA5\xD1\x83:a\xF98\xD4\xA3A{\xFF\x88\x9Fv\x0C\xAC\x92\xC2\xFC\x9D\xBD\x80B\x90\xD5\xA5\xCAS\xBE\x959\x83\xF1\xF4w\xFF!\xB8k\x9C\x1E\x83\x05\x1B\xF91\x82Xi\xAC\xEB\xC3m\x08\xDF\x143\xCC\x93;9\x8D\x17\x96\xB2\xC2\xDBg+\xD3q\x85ns\x94R\xA70j\xEC\xC5H\x06\xA8#\xBF1\xBCh\xAEj;\xAC\xDE+G\xDC\x95n\x82_\xB0p\xC5\xF9\xF2\xB5\x15\xF0\x9CL\xD2n>T2'\xCC\xBF\xEE;\xF4V;^\xAF\xFD\xFC6\x1796\x04x\xEF\xC4\x87\xA9oL\x1E\x9D\xB0q,5\xDDJ\xC0X\x11\x13vF`#\x98)[EMAIL
 
PROTECTED]:K:<5\xFFp\xDF\xBFK\x12\xAB\x84\xB9\xCC\xAA<\xB4\xB2\xB3.\xF8\xE0\x84\xF2F]\x11|\\F\x1BV$(\x03-,\xAD\xE1\x8FV{\xD1\xF3\xD1Y\x8D\xFAG\x93A\xF4X\xA0\x9A\xA6H\x03
 
K\xF4o\xC7\xD8\x0B.\xC0\x84z\xC4\x95\x88(\xCFu#\xE41\xCD\xE2\x9Cq\x18\x1E\xCF_\xF7\xC6D\xF7\x84_\xFD\x88\xE3Hg\x16\x1BC\xD3\xFC$1)\xD5B\x1D\xDB\x9D\x91|\x19\x14\xE0\xB3Dc\xC2\xDA\xA4\x02\xE3\xC0]\xD9\x99/\x9F\xA6\xBBq\x1E\x9E\xB6\x12\xC2W\xDD\xE8\x9F\xE5\x01Q'DB\xBC\x9E\xF6$k\xCF\xEC\xE6w\xFE\xAA\x0F\x14\x1D\xA7I\x16C\xF2r\xB4Y

I think that the bug is in the CGameServer::SendUserConnectAndAuthenticate 
function, when it parses that binary data. The code looks like this (?!):

// Reconstructed from the binary, not from engine source.
CGameServer::SendUserConnectAndAuthenticate(unsigned int,
        void const* arg_buffer, unsigned int arg_buffer_len, CSteamID*) {
    int var_size, var_pos;
    CUtlBuffer* var_utlbuffer;
    CSteamID* var_steamid;

    var_utlbuffer = new CUtlBuffer(arg_buffer, arg_buffer_len, 8);
    var_steamid = new CSteamID();
    var_utlbuffer->Get(&var_size, 4);      // size taken from the first four bytes of the packet
    var_pos = var_utlbuffer->PeekGet(0);

    var_utlbuffer->SeekGet(1, var_size);   // relative seek by var_size, not checked against arg_buffer_len

    if (var_utlbuffer->GetBytesRemaining() > 3) {   // remaining bytes computed from the moved cursor
        ...
    }

    ...
}

It seems that the engine reads a size from the received binary data (the first 
four bytes) and then skips that number of bytes. The SeekGet function allows this 
even if the packet's real size is ~400 bytes and the size read from the buffer is 
a huge value. Because of this, GetBytesRemaining() returns a large value which is 
greater than 3, the engine then tries to read more, and a Segmentation Fault 
error occurs (?!).

Hope that helps.

-------- Original Message --------
> Date: Fri, 14 Nov 2008 10:44:09 -0800
> From: Alfred Reynolds <[EMAIL PROTECTED]>
> To: Half-Life dedicated Linux server mailing list 
> <[email protected]>
> Subject: Re: [hlds_linux] HLDS Underflow vulnerability (Everyone who wants can 
> crash any HLDS server!)

> If anyone has actual details on an exploit or a way to reproduce the
> problem please send them directly to me, I was unable to find any actionable
> details from this post, sorry.
> 
> - Alfred
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:hlds_linux-
> > [EMAIL PROTECTED] On Behalf Of the-
> > [EMAIL PROTECTED]
> > Sent: Thursday, November 06, 2008 12:48 AM
> > To: Half-Life dedicated Linux server mailing list
> > Subject: [hlds_linux] HLDS Underflow vulnerability (Everyone who wants
> > can crash any HLDS server!)
> >
> > Since your weird forum moderators don't listen we'll try it here:
> >
> > There's obviously a vulnerability in the auth process which makes
> > basically everyone able to crash any server.
> >
> > I post no links, since you (VALVE employees) know "RIN", you should give
> > them a visit yourself, because there it's better explained than I can &
> > want here!
> >
> > If you don't care, you don't care about security!
> >
> > Have a nice day!
> >
> > --
> > "Feel free" - 10 GB mailbox, 100 free SMS/month ...
> > Try GMX TopMail now: http://www.gmx.net/de/go/topmail
> >
> > _______________________________________________
> > To unsubscribe, edit your list preferences, or view the list archives,
> > please visit:
> > http://list.valvesoftware.com/mailman/listinfo/hlds_linux
> 

-- 
GMX SmartSurfer helps you save up to 70% of your online costs! 
Ideal for modem and ISDN: http://www.gmx.net/de/go/smartsurfer

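The size-prefix handling that the first message in this thread describes, modelled as an added example; this is not code from the thread or from the engine, and ByteReader, read_u32_le, remaining_after_unchecked_seek, remaining_after_checked_seek and make_blob are hypothetical names. The unchecked function reproduces the reported pattern (a 32-bit length from the packet applied as a relative seek in signed arithmetic, then "bytes remaining" derived from the moved cursor) on a constructed 400-byte buffer, so the remaining count comes out larger than the packet itself; the checked variant compares the length against what is actually left before moving the cursor and rejects the packet otherwise.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Minimal stand-in for a get-cursor over a received buffer
// (hypothetical; not the engine's CUtlBuffer).
struct ByteReader {
    const uint8_t *data;
    size_t len;
    size_t pos;
};

// Read a little-endian uint32 length prefix; false if fewer than 4 bytes remain.
static bool read_u32_le(ByteReader &r, uint32_t &out) {
    if (r.len - r.pos < 4) return false;
    const uint8_t *p = r.data + r.pos;
    out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
          ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    r.pos += 4;
    return true;
}

// Models the reported behaviour: the length field is applied as a relative
// seek in 32-bit signed arithmetic with no bounds check, and "bytes remaining"
// is computed from the resulting cursor. A length near 2^32 becomes a negative
// offset, the cursor lands before the start of the buffer, and the remaining
// count is larger than the whole packet (so a "> 3" test passes).
int32_t remaining_after_unchecked_seek(const uint8_t *buf, size_t len) {
    ByteReader r{buf, len, 0};
    uint32_t skip = 0;
    if (!read_u32_le(r, skip)) return 0;
    int32_t cursor = (int32_t)r.pos;
    cursor += (int32_t)skip;            // the defect: no comparison with len
    return (int32_t)len - cursor;       // e.g. 400 - (-12) = 412
}

// Hardened variant: the untrusted length is compared with what is actually
// left before the cursor moves, in unsigned arithmetic that cannot wrap.
// Returns false (reject the packet) instead of seeking out of range.
bool remaining_after_checked_seek(const uint8_t *buf, size_t len, size_t &remaining) {
    ByteReader r{buf, len, 0};
    uint32_t skip = 0;
    if (!read_u32_le(r, skip)) return false;
    if (skip > r.len - r.pos) return false;   // length field exceeds the packet
    r.pos += skip;
    remaining = r.len - r.pos;
    return true;
}

// Constructed sample blobs (not captured traffic): a zero-filled buffer of
// `total` bytes whose first four bytes carry `skip` little-endian.
std::vector<uint8_t> make_blob(uint32_t skip, size_t total) {
    if (total < 4) total = 4;
    std::vector<uint8_t> b(total, 0);
    b[0] = (uint8_t)(skip & 0xFF);
    b[1] = (uint8_t)((skip >> 8) & 0xFF);
    b[2] = (uint8_t)((skip >> 16) & 0xFF);
    b[3] = (uint8_t)((skip >> 24) & 0xFF);
    return b;
}

int main() {
    std::vector<uint8_t> bad = make_blob(0xFFFFFFF0u, 400);  // bogus prefix in a ~400-byte packet
    std::vector<uint8_t> good = make_blob(8, 20);            // well-formed prefix
    size_t rem = 0;
    std::printf("unchecked, bad prefix:  remaining=%d\n",
                (int)remaining_after_unchecked_seek(bad.data(), bad.size()));
    std::printf("checked,   bad prefix:  accepted=%d\n",
                (int)remaining_after_checked_seek(bad.data(), bad.size(), rem));
    bool ok = remaining_after_checked_seek(good.data(), good.size(), rem);
    std::printf("checked,   good prefix: accepted=%d remaining=%zu\n", (int)ok, rem);
    return 0;
}
```

The check `skip > r.len - r.pos` is the whole fix: it is evaluated on unsigned values before the cursor moves, so a length that does not fit is rejected rather than turned into a negative offset.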
