Source game remote code execution vulnerability analysis - Vulnerability Warning - myhack58 (黑吧安全网)

ID MYHACK58:62201788106
Type myhack58
Reporter Anonymous (佚名)
Modified 2017-07-24T00:00:00


Valve's Source SDK contained a buffer overflow vulnerability that allows arbitrary code execution on both clients and servers. The bug is triggered when a player is shot, which causes the game to load a specially crafted ragdoll model. Several Source games, including CS:GO, TF2, HL2:DM, Portal 2 and L4D2, were updated in June 2017 to fix it. We thank Valve for handling the report responsibly and quickly: the fix was developed and released within a day.

0x01 Missing bounds check

The function nexttoken tokenizes a string. As long as it finds neither a NUL byte nor the separator sep, it keeps copying bytes from the str buffer into the token buffer. There is no bounds check on token at all:

    const char *nexttoken(char *token, const char *str, char sep)
    {
        ...
        while ((*str != sep) && (*str != '\0'))
        {
            *token++ = *str++;
        }
        ...
    }

Source code link:

0x02 Vulnerability point

When ragdoll model data is processed, for example when a player is shot, the ParseKeyValue method of the class CRagdollCollisionRulesParse is called. It uses nexttoken to split the rules it has to process into tokens. A collisionpair rule of more than 256 characters overflows the szToken buffer (even a 256-character token overruns it by one byte, because nexttoken still appends the terminating NUL). Because szToken lives on the stack, a long enough rule overwrites the return address of ParseKeyValue.

    class CRagdollCollisionRulesParse : public IVPhysicsKeyHandler
    {
        virtual void ParseKeyValue( void *pData, const char *pKey, const char *pValue )
        {
            ...
            else if ( !strcmpi( pKey, "collisionpair" ) )
            {
                ...
                char szToken[256];
                const char *pStr = nexttoken(szToken, pValue, ',');
                ...
            }
        }
    }

Source code link:

0x03 Bypassing mitigations

ASLR (Address Space Layout Randomization) is a strong mitigation against memory corruption vulnerabilities: it randomizes the address at which an executable image is loaded in memory.
This feature is opt-in per module, and every executable image loaded into a process must have it enabled for it to be effective. The dynamic library steamclient.dll does not have ASLR enabled, so its address in memory is predictable. That makes it easy to locate and reuse instructions from that image.

0x04 Collecting ROP gadgets

ROP (Return Oriented Programming) is a technique for building shellcode by reusing instructions that already exist in the program. In short, you find short instruction sequences that end in a retn instruction (gadgets). The address of the first gadget is placed on the stack where the saved return address was; when the function returns, that address is popped into the instruction pointer, the gadget executes, and its own retn pops the address of the next gadget. Because x86 and x64 instructions do not need to be aligned in memory, any address can be used as the start of an instruction, so the instruction pointer can be pointed into the middle of an existing instruction to obtain additional gadgets. The Immunity Debugger plugin Mona provides tooling for finding gadgets, but it does not find every useful gadget, for example rep movs.

0x05 Launching cmd.exe

Because of how the payload is handled, it cannot contain NUL bytes, and uppercase characters are converted to lowercase. This restricts which ROP gadget addresses, and which other bytes in the payload, can be used. To work around it, a gadget chain first locates an unmodified copy of the shellcode in memory, then copies that unmodified payload back onto the stack with a rep movs gadget.

steamclient.dll imports LoadLibraryA and GetProcAddress. This lets us load any DLL into memory and look up its other exported functions. We load shell32.dll to obtain ShellExecuteA, which can launch other programs.

The proof of concept will be released 30 days after the third game update.
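To make the gadget hunt of 0x04 and the payload constraints of 0x05 concrete, here is an added example (written for this page; it is not code from the original article, from Valve or from Mona). It scans a constructed buffer of x86 code bytes for sequences ending in ret, trying every byte offset so that gadgets hidden inside longer instructions are found, and rejects any gadget whose absolute address would contain a NUL byte or an uppercase ASCII letter, since the lowercasing described above would corrupt such an address. The byte buffer and the base address 0x3A6B1234 are constructed assumptions standing in for a non-ASLR module such as steamclient.dll; nothing here is taken from that DLL.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed x86 code bytes standing in for a non-ASLR module's .text.
 * Offsets are given in the comments; this is NOT real steamclient.dll code. */
static const uint8_t g_code[] = {
    0xB8, 0x5F, 0xC3, 0x00, 0x00, /*  0: mov eax, 0x0000C35F  (bytes 1-2 also read as: pop edi ; ret) */
    0x90,                         /*  5: nop */
    0xF3, 0xA4, 0xC3,             /*  6: rep movsb ; ret      (the copy gadget Mona does not list) */
    0x31, 0xC0, 0xC3,             /*  9: xor eax, eax ; ret */
    0x90,                         /* 12: nop */
    0x58, 0xC3,                   /* 13: pop eax ; ret */
};
#define CODE_LEN (sizeof g_code)
#define OP_RET   0xC3

/* Assumed (hypothetical) fixed load address of the module's code. Because the
 * module is not ASLR-enabled, gadget addresses are simply CODE_BASE + offset. */
#define CODE_BASE 0x3A6B1234u

/* Byte patterns for the gadgets we look for (everything before the ret). */
static const uint8_t PAT_POP_EDI[]   = { 0x5F };
static const uint8_t PAT_POP_EAX[]   = { 0x58 };
static const uint8_t PAT_REP_MOVSB[] = { 0xF3, 0xA4 };
static const uint8_t PAT_XOR_EAX[]   = { 0x31, 0xC0 };

/* Payload constraint from 0x05: the buffer is NUL-terminated and lowercased.
 * Addresses are stored little-endian, so every one of the four bytes is checked:
 * a 0x00 byte truncates the payload, and 'A'..'Z' (0x41..0x5A) would be turned
 * into 'a'..'z' (0x61..0x7A), silently pointing the chain somewhere else. */
static int address_usable(uint32_t addr)
{
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(addr >> (8 * i));
        if (b == 0x00) return 0;
        if (b >= 'A' && b <= 'Z') return 0;
    }
    return 1;
}

/* Every ret opcode is the tail of at least one gadget (the bare "ret" itself). */
static size_t count_rets(void)
{
    size_t n = 0;
    for (size_t i = 0; i < CODE_LEN; i++)
        if (g_code[i] == OP_RET) n++;
    return n;
}

/* First offset where `pat` (len bytes) is immediately followed by ret.
 * Every byte offset is tried, so a gadget that starts inside a longer
 * instruction (like the pop edi ; ret inside the mov imm32) is found too.
 * Returns -1 if absent. */
static long find_gadget(const uint8_t *pat, size_t len)
{
    for (size_t i = 0; i + len < CODE_LEN; i++)
        if (memcmp(g_code + i, pat, len) == 0 && g_code[i + len] == OP_RET)
            return (long)i;
    return -1;
}

/* Same search, but skip candidates whose absolute address fails the payload filter. */
static long find_usable_gadget(const uint8_t *pat, size_t len)
{
    for (size_t i = 0; i + len < CODE_LEN; i++)
        if (memcmp(g_code + i, pat, len) == 0 && g_code[i + len] == OP_RET
            && address_usable(CODE_BASE + (uint32_t)i))
            return (long)i;
    return -1;
}

static void report(const char *name, const uint8_t *pat, size_t len)
{
    long any = find_gadget(pat, len), ok = find_usable_gadget(pat, len);
    printf("%-12s first at offset %ld", name, any);
    if (any >= 0) printf(" (0x%08X)", CODE_BASE + (uint32_t)any);
    printf(", first usable: %ld\n", ok);
}

int main(void)
{
    printf("%zu ret opcodes in %zu bytes\n", count_rets(), CODE_LEN);
    report("pop edi",   PAT_POP_EDI,   sizeof PAT_POP_EDI);
    report("pop eax",   PAT_POP_EAX,   sizeof PAT_POP_EAX);
    report("rep movsb", PAT_REP_MOVSB, sizeof PAT_REP_MOVSB);
    report("xor eax",   PAT_XOR_EAX,   sizeof PAT_XOR_EAX);
    return 0;
}
```

The pop eax ; ret gadget is found at offset 13, but its address 0x3A6B1241 ends in 0x41 ('A') and is rejected, which is exactly why the page notes that the usable gadget supply is thin under these payload rules; the rep movsb ; ret at offset 6 passes and is the kind of gadget the chain uses to copy the unmodified payload back onto the stack.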
0x06 Delivering the payload

The Source engine allows custom content to be packed into a map file; normally this is used to ship extra content with a map, such as sounds or text. So we can pack a ragdoll model file into a map file at the same path as the original ragdoll model, and the game will load our version in its place.

0x07 Fix recommendations

To prevent the buffer overflow, never store more data in a buffer than it can hold. The nexttoken function should take the length of the token buffer as a parameter and use it for bounds checking. Source game developers can use the patch below.

To mitigate memory corruption vulnerabilities in general, ASLR must be enabled for all modules. The build process should automatically verify that every module has ASLR enabled; the checkbins.py tool developed by the chromium team can do this. In addition, Source games should run in a sandbox that restricts access to resources and prevents starting new processes. Web browsers are a good example: because the user-mode browser process is restricted, memory corruption exploits against browsers usually also need a kernel exploit. See the chromium sandbox implementation for details.

Download patch:
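The following added example (not Valve's code and not the patch referred to above, which the page does not reproduce) shows the unbounded copy from 0x01 next to the bounded tokenizer recommended in 0x07, plus a parse routine shaped like the collisionpair branch of ParseKeyValue in 0x02. The lines of nexttoken that the page elides, and the way the two bone indices are read after tokenizing, are reconstructed from memory and should be treated as assumptions; the over-long collisionpair value is constructed here. The hardened tokenizer truncates instead of overrunning, so a 300-digit rule leaves a 255-character token in szToken and the parser still reads the second index.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Unbounded form, shaped like the SDK's nexttoken. The prologue and epilogue
 * are reconstructed (assumption); the copy loop is the one quoted on the page.
 * It is only ever called with short input in this file: with a long one it
 * writes past the end of `token`, which is the vulnerability. */
static const char *nexttoken_unbounded(char *token, const char *str, char sep)
{
    if (str == NULL || *str == '\0') { *token = '\0'; return NULL; }
    while (*str != sep && *str != '\0')
        *token++ = *str++;                      /* no idea how large `token` is */
    *token = '\0';
    return (*str == '\0') ? str : str + 1;      /* skip the separator if we stopped on one */
}

/* Hardened form: tokenLen is sizeof(token), including room for the NUL. */
static const char *nexttoken_bounded(char *token, size_t tokenLen,
                                     const char *str, char sep)
{
    size_t n = 0;
    if (tokenLen == 0) return NULL;             /* cannot even store the terminator */
    if (str == NULL || *str == '\0') { *token = '\0'; return NULL; }
    while (*str != sep && *str != '\0') {
        if (n + 1 < tokenLen) token[n++] = *str; /* keep one byte for the NUL */
        str++;                                   /* excess input is consumed, never written */
    }
    token[n] = '\0';
    return (*str == '\0') ? str : str + 1;
}

typedef struct { int index0, index1, ok; } collisionpair_t;

/* Mirrors the collisionpair branch of ParseKeyValue: "a,b" -> two bone indices.
 * strtol is used instead of atoi so a huge first token is saturated, not undefined. */
static collisionpair_t parse_collisionpair(const char *pValue)
{
    collisionpair_t cp = { 0, 0, 0 };
    char szToken[256];
    const char *pStr = nexttoken_bounded(szToken, sizeof szToken, pValue, ',');
    if (pStr == NULL) return cp;
    cp.index0 = (int)strtol(szToken, NULL, 10);
    cp.index1 = (int)strtol(pStr, NULL, 10);
    cp.ok = 1;
    return cp;
}

/* Constructed attacker-style value: 300 digits, a comma, then "7". */
static const char *overlong_value(void)
{
    static char buf[320];
    memset(buf, '1', 300);
    buf[300] = ','; buf[301] = '7'; buf[302] = '\0';
    return buf;
}

/* Token length the bounded tokenizer leaves in a 256-byte szToken. */
static size_t bounded_token_len(const char *value)
{
    char szToken[256];
    nexttoken_bounded(szToken, sizeof szToken, value, ',');
    return strlen(szToken);
}

/* Bytes the unbounded copy would write (token + NUL), computed without doing it. */
static size_t unbounded_bytes_written(const char *value, char sep)
{
    size_t n = 0;
    while (value[n] != sep && value[n] != '\0') n++;
    return n + 1;
}

/* On short input both tokenizers must behave identically. */
static int tokenizers_agree(const char *value)
{
    char a[256], b[256];
    const char *ra = nexttoken_unbounded(a, value, ',');   /* safe only because value is short */
    const char *rb = nexttoken_bounded(b, sizeof b, value, ',');
    if ((ra == NULL) != (rb == NULL)) return 0;
    return strcmp(a, b) == 0 && (ra == NULL || strcmp(ra, rb) == 0);
}

int main(void)
{
    const char *v = overlong_value();
    collisionpair_t cp = parse_collisionpair(v);
    printf("unbounded copy would write %zu bytes into a 256-byte szToken\n",
           unbounded_bytes_written(v, ','));
    printf("bounded: token length %zu, index1 %d, ok %d\n",
           bounded_token_len(v), cp.index1, cp.ok);
    return 0;
}
```

Truncation is one reasonable fix; rejecting the rule outright (returning an error when the token does not fit) is the other, and is the better choice where a silently shortened token could change the meaning of the data.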

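As an added example of the build-time ASLR check recommended in 0x07 (modelled on the DYNAMICBASE test that chromium's checkbins.py performs, but written here in C and not taken from that tool), the function below reads a PE image's DllCharacteristics field and reports whether the DYNAMICBASE flag is set. It also flags the case where the flag is set but the COFF header says relocations were stripped, since such an image cannot actually be relocated and ASLR is ineffective for it. The header-only test images are constructed inside the block and stand in for real modules; steamclient.dll itself is not parsed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PE/COFF constants. */
#define IMAGE_DOS_SIGNATURE  0x5A4D       /* "MZ" */
#define IMAGE_NT_SIGNATURE   0x00004550   /* "PE\0\0" */
#define IMAGE_FILE_RELOCS_STRIPPED             0x0001  /* COFF Characteristics */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE  0x0040  /* linked with /DYNAMICBASE */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT     0x0100  /* linked with /NXCOMPAT */
#define PE32_MAGIC   0x10B
#define PE32P_MAGIC  0x20B

enum aslr_status { ASLR_BAD_IMAGE = -1, ASLR_DISABLED = 0, ASLR_ENABLED = 1, ASLR_NO_RELOCS = 2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Walk DOS header -> PE signature -> COFF header -> optional header and read
 * DllCharacteristics. Every offset is bounds-checked against `len` first. */
static int pe_aslr_status(const uint8_t *img, size_t len)
{
    if (len < 0x40 || rd16(img) != IMAGE_DOS_SIGNATURE) return ASLR_BAD_IMAGE;
    uint32_t pe = rd32(img + 0x3C);                       /* e_lfanew */
    /* need signature (4) + COFF header (20) + the first 72 bytes of the optional header */
    if (pe > len || len - pe < 4 + 20 + 72) return ASLR_BAD_IMAGE;
    if (rd32(img + pe) != IMAGE_NT_SIGNATURE) return ASLR_BAD_IMAGE;
    const uint8_t *coff = img + pe + 4;
    const uint8_t *opt  = coff + 20;
    if (rd16(coff + 16) < 72) return ASLR_BAD_IMAGE;      /* SizeOfOptionalHeader too small */
    uint16_t magic = rd16(opt);
    if (magic != PE32_MAGIC && magic != PE32P_MAGIC) return ASLR_BAD_IMAGE;
    uint16_t dllchar  = rd16(opt + 70);   /* DllCharacteristics: offset 70 in both PE32 and PE32+ */
    uint16_t filechar = rd16(coff + 18);  /* COFF Characteristics */
    if (!(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)) return ASLR_DISABLED;
    if (filechar & IMAGE_FILE_RELOCS_STRIPPED) return ASLR_NO_RELOCS;  /* flag set, but cannot relocate */
    return ASLR_ENABLED;
}

#define TEST_IMAGE_LEN 0x100

/* Constructed header-only image (no sections, no code): just enough for the check. */
static size_t build_test_image(uint8_t *out, uint16_t magic, uint16_t dllchar, uint16_t filechar)
{
    const uint32_t pe = 0x40;
    memset(out, 0, TEST_IMAGE_LEN);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = (uint8_t)pe;              /* e_lfanew, little-endian; upper bytes stay 0 */
    out[pe] = 'P'; out[pe + 1] = 'E';     /* "PE\0\0" */
    uint8_t *coff = out + pe + 4;
    wr16(coff + 16, 0xE0);                /* SizeOfOptionalHeader (the PE32 size) */
    wr16(coff + 18, filechar);
    wr16(coff + 20, magic);               /* optional header begins here */
    wr16(coff + 20 + 70, dllchar);
    return TEST_IMAGE_LEN;
}

/* Status of a constructed image with the given header flags. */
static int status_of(uint16_t magic, uint16_t dllchar, uint16_t filechar)
{
    uint8_t img[TEST_IMAGE_LEN];
    size_t n = build_test_image(img, magic, dllchar, filechar);
    return pe_aslr_status(img, n);
}

/* A truncated buffer must be rejected rather than read out of bounds. */
static int status_of_truncated(void)
{
    uint8_t junk[0x40] = { 'M', 'Z' };
    return pe_aslr_status(junk, 16);
}

int main(void)
{
    static const char *names[] = { "bad image", "ASLR disabled", "ASLR enabled", "DYNAMICBASE but relocs stripped" };
    int s;
    s = status_of(PE32_MAGIC, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, 0);
    printf("NX only (steamclient.dll-like): %s\n", names[s + 1]);
    s = status_of(PE32_MAGIC, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, 0);
    printf("DYNAMICBASE + NX:               %s\n", names[s + 1]);
    s = status_of(PE32_MAGIC, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_FILE_RELOCS_STRIPPED);
    printf("DYNAMICBASE, relocs stripped:   %s\n", names[s + 1]);
    return 0;
}
```

A build gate would run this over every module shipped with the game (the page's point is that one non-ASLR module such as steamclient.dll undoes the protection for the whole process) and fail the build on anything other than ASLR_ENABLED.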
0x08 Summary

Video games are attractive targets for exploitation, both technically and logically. Because they are usually played on employees' home or work machines, an exploit can pivot through that environment into a corporate or private network. A remote code execution vulnerability in a popular game could also be used to build a botnet or to spread ransomware.

As for mitigations, games should not be installed on devices used for work. Gaming should be moved to an untrusted network, and work devices should not be connected to that untrusted network. Source players should disable third-party content downloads to reduce the attack surface, using the console commands cl_allowdownload 0 and cl_downloadfilter none (note that cl_downloadfilter all permits every download rather than blocking them). Finally, since a vulnerability was found in the Source SDK itself, other third-party modules may well contain vulnerabilities too. If ASLR is enabled for all modules, however, exploitation additionally requires an information leak (a memory disclosure vulnerability) to locate gadgets, which raises the difficulty of exploitation.