ID: CVE-2019-15943
Type: cve
Reporter: cve@mitre.org
Modified: 2020-08-24T17:37:00
Description
vphysics.dll in Counter-Strike: Global Offensive before 1.37.1.1 allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a memset call.
Related exploit records
All three records list CVE-2019-15943, have bulletinFamily "exploit", were published and modified on 2019-09-18T00:00:00, and carry CVSS score 6.8 (vector AV:N/AC:M/Au:N/C:P/I:P/A:P).

zdt
ID: 1337DAY-ID-33321
Title: Counter-Strike Global Offensive 1.37.1.1 - (vphysics.dll) Denial of Service Exploit
Description: Exploit for windows platform in category dos / poc
Edition: 1
Last seen: 2019-12-04T04:03:20
Href: https://0day.today/exploit/description/33321
Source href: https://0day.today/exploit/33321

exploitdb
ID: EDB-ID:47454
Title: Counter-Strike Global Offensive 1.37.1.1 - 'vphysics.dll' Denial of Service (PoC)
Last seen: 2019-10-02T11:29:25
Href: https://www.exploit-db.com/exploits/47454
Source href: https://www.exploit-db.com/download/47454

exploitpack
ID: EXPLOITPACK:D0ACF055D6E342F939CDE4400E2F6B42
Title: Counter-Strike Global Offensive 1.37.1.1 - vphysics.dll Denial of Service (PoC)
Description: Counter-Strike Global Offensive 1.37.1.1 - vphysics.dll Denial of Service (PoC)
Edition: 1
Last seen: 2020-04-01T20:39:51

Source data (the same write-up appears in all three records):

# CVE-2019-15943

Counter-Strike Global Offensive (vphysics.dll) before 1.37.1.1 allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map using memory corruption.

### Description:

We need to modify the class name value in our PoC to trigger this vulnerability; the offset to modify in our PoC is `0x115703`. For example, add the char `"="` at this offset. The PoC is "mc.bsp".

To model the attack situation we need the following:
The first step is to copy mc.bsp to `C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo\maps`;

The second step is to start the game with our map (mc.bsp); for this we need to turn on the game console and enter in the console: `map mc`.

After these steps we can see the following:

I used msec.dll (!exploitable), a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. [Download msec.dll](https://archive.codeplex.com/?p=msecdbg)
As you can see, msec.dll checked this crash and decided that it is an EXPLOITABLE crash, because the SEH chain is corrupted.
This means that an attacker can use this vulnerability for remote code execution.

EDB Note: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47454.bsp