A stack buffer overflow occurs when maps with malformed (overlong) names are listed; the overflow can be used to execute arbitrary code.
I made a Proof of Concept that executes gnome-calculator on Linux.
This was tested on Half-Life (build of 2018-08-29) on Linux, Ubuntu 18.04.
- Extract the attached zip file into the /valve/maps directory.
- Open the console and type `maps *`. This lists the installed maps.
- gnome-calculator should now execute.
You may also use the attached Python script to generate a malformed map name carrying the exploit.
Please see the enclosed video for a demonstration.
The callstack when the stack is overwritten is the following:
text=0x41414141 <error: Cannot access memory at address 0x41414141>, src=<optimized out>) at ../engine/cmd.c:1149
basedir=0x804b220 <szBaseDir> "/home/konrad/.local/share/Steam/steamapps/common/Half-Life", cmdline=0x80534d0 "/home/konrad/.local/share/Steam/steamapps/common/Half-Life/hl_linux", postRestartCmdLineArgs=0x804d360 <main::szNewCommandParams> "", launcherFactory= 0x8049350 <CreateInterfaceLocal(char const*, int*)>, filesystemFactory= 0xf76ccad0 <CreateInterface(char const*, int*)>) at ../engine/sys_dll2.cpp:946
If a user installs the crafted map file and runs `maps *` in the console, code that was not written by Valve (e.g. malware) gets executed.
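The bug class described above, as an added example that is not part of the original report and not Valve's engine code: a map listing that copies filesystem-supplied names into a fixed-size stack buffer (the unsafe pattern), next to a bounded variant that rejects names which do not fit or contain characters a map name should never have. The 64-byte buffer size, the allowed character set and the constructed overlong name (0x41 == 'A', matching the 0x41414141 in the crash) are assumptions made for this demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the demonstration (not taken from the engine). */
#define MAPNAME_MAX 64

/* Vulnerable pattern: copies whatever the directory listing returns into
 * a fixed stack buffer. An entry of 64 or more bytes smashes the saved
 * return address, which is what the crafted map name exploits. Only ever
 * called here with a short, trusted name. */
static void list_map_unsafe(const char *name)
{
    char buf[MAPNAME_MAX];
    strcpy(buf, name);               /* no length check: overflow on overlong names */
    printf("%s\n", buf);
}

/* Hardened variant: only accept a name that fits (including the NUL) and
 * consists of [A-Za-z0-9_.-]. Returns 1 and copies into out on success,
 * 0 on rejection (out is left untouched). */
int list_map_safe(const char *name, char *out, size_t outsz)
{
    size_t len = strlen(name);
    if (len == 0 || len >= outsz)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '.' || c == '-';
        if (!ok)
            return 0;                /* path separators, spaces, control bytes */
    }
    memcpy(out, name, len + 1);
    return 1;
}

/* Build an overlong name of 'A's like the PoC file name. Caller frees. */
char *make_overlong_name(size_t len)
{
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Walk a (constructed) directory listing and return how many entries the
 * bounded version rejects. */
int count_rejected(const char *const *names, size_t n)
{
    char buf[MAPNAME_MAX];
    int rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (list_map_safe(names[i], buf, sizeof buf))
            printf("%s\n", buf);
        else
            rejected++;
    }
    return rejected;
}

int main(void)
{
    /* Constructed listing: two ordinary names, one overlong, one with a '/'. */
    char *big = make_overlong_name(300);
    const char *names[] = { "crossfire.bsp", "stalkyard.bsp", big, "../evil.bsp" };

    list_map_unsafe("crossfire.bsp");   /* safe only because the input is short */
    int rejected = count_rejected(names, sizeof names / sizeof names[0]);
    printf("rejected %d of %zu entries\n", rejected, sizeof names / sizeof names[0]);
    free(big);
    return 0;
}
```

The length check alone stops the crash; the character allowlist is the cheap extra that keeps a `maps *` listing from echoing path traversal or control bytes into the console.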