Valve: [Half-Life 1] Malformed map name leads to memory corruption and code execution

2018-08-29T21:36:13
ID H1:402566
Type hackerone
Reporter kbeckmann
Modified 2020-09-22T17:28:14

Description

A stack overflow takes place when maps with malformed names are listed, which can be used to execute arbitrary code.

I made a Proof of Concept that executes gnome-calculator on Linux.

This was tested on Half-Life 2018-08-29 on Linux, Ubuntu 18.04.

To reproduce:
- Extract the attached zip file in the /valve/maps directory.
- Start Half-Life.
- Open the console and type `maps *`. This lists the installed maps.
- gnome-calculator should now execute.

You may also use the Python script to generate a malformed map name with the exploit.

Please see the enclosed video for a demonstration.

Details about the bug

The callstack when the stack is overwritten is the following:

```
4 0xf7c982d8 in sprintf () from /usr/lib32/libc.so.6
5 0xf6454504 in COM_ListMaps (pszSubString=0x0) at ../engine/common.c:2857
6 0xf6466f3a in Host_Maps_f () at ../engine/host_cmd.c:1511
7 Host_Maps_f () at ../engine/host_cmd.c:1493
8 0xf644e20d in Cmd_ExecuteString (text=0x41414141 <error: Cannot access memory at address 0x41414141>, src=<optimized out>) at ../engine/cmd.c:1149
9 Cbuf_Execute () at ../engine/cmd.c:242
10 0xf6464ed3 in _Host_Frame (time=0.0570053197) at ../engine/host.c:1384
11 0xf6465382 in Host_Frame (time=0.0570053197, iState=1, stateInfo=0xffffcb6c) at ../engine/host.c:1522
12 0xf64918c4 in CEngine::Frame (this=0xf66a88c0 <g_Engine>) at ../engine/sys_engine.cpp:245
13 0xf648f3a3 in RunListenServer (instance=0x0, basedir=0x804b220 <szBaseDir> "/home/konrad/.local/share/Steam/steamapps/common/Half-Life", cmdline=0x80534d0 "/home/konrad/.local/share/Steam/steamapps/common/Half-Life/hl_linux", postRestartCmdLineArgs=0x804d360 <main::szNewCommandParams> "", launcherFactory=0x8049350 <CreateInterfaceLocal(char const*, int*)>, filesystemFactory=0xf76ccad0 <CreateInterface(char const*, int*)>) at ../engine/sys_dll2.cpp:946
14 0x08048d67 in main (argc=1, argv=0xffffcda4) at ../launcher/launcher.cpp:439
```

Impact

If a user installs the crafted map file and runs `maps *` in the console, custom code that is not written by Valve, e.g. malware, can get executed.
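The backtrace above shows sprintf() called from COM_ListMaps with a file name taken from the maps directory, and a return address overwritten with 0x41414141 (the byte pattern of a long run of 'A's). The following is an added example, not the engine's code or the reporter's proof of concept: it reconstructs the general pattern (an unbounded sprintf() of an on-disk file name into a fixed-size stack buffer) next to a bounded version that rejects names that do not fit. The buffer size LINE_SIZE, the format string, the 300-byte 'A' name and the sample map names are all assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LINE_SIZE 64        /* assumed stack buffer size, not the engine's */
#define LONG_NAME_LEN 300   /* length of the constructed oversized map name */

/* Vulnerable pattern: sprintf() writes as many bytes as the name needs.
 * With a name longer than the buffer it overwrites whatever follows on the
 * stack (saved registers, the return address). Only ever call this with a
 * trusted, short name; it is here to show the shape of the bug. */
static int format_map_line_vulnerable(char line[LINE_SIZE], const char *name)
{
    return sprintf(line, "%s.bsp\n", name);   /* unbounded write into line[] */
}

/* How many bytes past the end of a LINE_SIZE buffer the vulnerable call
 * would write for this name (0 means it fits, NUL terminator included).
 * snprintf(NULL, 0, ...) measures the output without writing anything. */
static size_t overflow_bytes(const char *name)
{
    int needed = snprintf(NULL, 0, "%s.bsp\n", name);  /* chars without NUL */
    size_t total = (size_t)needed + 1;
    return total > LINE_SIZE ? total - LINE_SIZE : 0;
}

/* Hardened version: bounded write plus an explicit check. Names that do not
 * fit are rejected rather than silently truncated, so a later consumer never
 * sees a half-written name. Returns 0 on success, -1 if rejected; line is
 * always NUL-terminated on return. */
static int format_map_line_safe(char *line, size_t size, const char *name)
{
    int n = snprintf(line, size, "%s.bsp\n", name);
    if (n < 0 || (size_t)n >= size) {
        line[0] = '\0';
        return -1;
    }
    return 0;
}

/* Lists every name containing substr (NULL lists all, like `maps *`),
 * skipping oversized names. Returns the number of names listed. */
static int list_maps(const char *const *names, size_t count, const char *substr)
{
    char line[LINE_SIZE];
    int listed = 0;
    for (size_t i = 0; i < count; i++) {
        if (substr && !strstr(names[i], substr))
            continue;
        if (format_map_line_safe(line, sizeof line, names[i]) != 0) {
            fprintf(stderr, "skipping oversized map name (%zu bytes)\n",
                    strlen(names[i]));
            continue;
        }
        fputs(line, stdout);
        listed++;
    }
    return listed;
}

/* Constructed input: a map name of LONG_NAME_LEN 'A' bytes (0x41), the same
 * pattern that appears as text=0x41414141 in the report's backtrace. */
static const char *constructed_long_name(void)
{
    static char name[LONG_NAME_LEN + 1];
    memset(name, 'A', LONG_NAME_LEN);
    name[LONG_NAME_LEN] = '\0';
    return name;
}

int main(void)
{
    /* constructed sample directory listing: two normal names, one malformed */
    const char *names[] = { "crossfire", constructed_long_name(), "bounce" };
    printf("vulnerable call would overflow by %zu bytes\n",
           overflow_bytes(names[1]));
    int n = list_maps(names, 3, NULL);
    printf("%d maps listed safely\n", n);
    return 0;
}
```

The safe variant checks the return value of snprintf() against the buffer size instead of relying on truncation alone; a truncated name would be "fixed" from a memory-safety standpoint but would still be a confusing entry in the listing, so the oversized entry is skipped and reported. Dropping the file name from the console output entirely would be the stricter option if the names are treated as untrusted.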