half-life.txt

2000-10-19T00:00:00
ID PACKETSTORM:23376
Type packetstorm
Reporter Mark Cooper
Modified 2000-10-19T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----
  
Vulnerability Report by Mark Cooper  
  
  
Date Published: 16th October 2000  
  
Advisory ID: N/A  
  
Bugtraq ID: 1799  
  
http://www.securityfocus.com/bid/1799  
  
CVE CAN: N/A  
  
Title: Half-Life Dedicated Server Vulnerability  
  
Class: Buffer Overflow  
  
Remotely Exploitable: Yes  
  
Locally Exploitable: Yes  
  
Release Mode: FORCED RELEASE  
  
This vulnerability is actively being exploited in the wild.  
  
Vulnerable Packages/Systems:  
  
Half-Life Dedicated Server for Linux 3.1.0.3 & Previous  
  
Vulnerability Description:  
  
A buffer overflow vulnerability was discovered in a Half-Life dedicated server during a routine security audit. A user shell was found running on the ingreslock port of the server, which led to an investigation into how this had been achieved. From the logs left on the server, it was ascertained that a predefined exploit script was used and that the perpetrator failed to further compromise the server because the Half-Life software was running as a non-privileged user.
  
The vulnerability appears to exist in the changelevel rcon command and does not require a valid rcon password. The overflow appears to occur after the logging function, as the following was found in the last entries of the daemon's logs:
  
# tail server.log.crash | strings  
L 08/23/2000 - 23:28:59: "[CiC]Foxdie<266>" say "how so?"  
Bad Rcon from x.x.x.x:4818:  
rcon werd changelevel  
bin@  
sh!@  
Privet ADMcrew\  
rcon werd changelevel  
  
The actual raw exploit code is logged, along with what appears to be the script authors, ADM ( http://adm.freelsd.net/ADM/ ). Perhaps they could shed some light on this?
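To spot this pattern in a dedicated server's own log, the following is an added detection example (not part of the advisory and not Valve's code): it walks the log for "Bad Rcon" entries in the layout shown above and flags any rejected changelevel command whose argument is overlong or contains non-printable bytes. The sample log, the 192.0.2.x addresses and the 32-character map-name bound are constructed assumptions.

```python
import re

# Constructed sample in the layout of the advisory's log excerpt: a normal
# chat line, a rejected rcon whose continuation line carries a changelevel
# argument full of non-printable bytes (strings(1) in the advisory shows only
# the printable fragments of such data), and a harmless rejected rcon.
SAMPLE_LOG = (
    'L 08/23/2000 - 23:28:59: "[CiC]Foxdie<266>" say "how so?"\n'
    'Bad Rcon from 192.0.2.10:4818:\n'
    'rcon werd changelevel ' + ('\xff' * 40) + 'bin@\x00sh!@\n'
    'L 08/23/2000 - 23:29:01: "Player<3>" say "lag"\n'
    'Bad Rcon from 192.0.2.11:5000:\n'
    'rcon guess status\n'
)

ENTRY_RE = re.compile(r'^L \d\d/\d\d/\d{4} - \d\d:\d\d:\d\d: ')
BAD_RCON_RE = re.compile(r'^Bad Rcon from (\S+):(\d+):')
MAX_MAP_NAME = 32  # assumption: legitimate map names are far shorter


def find_suspicious_changelevel(log_text, max_len=MAX_MAP_NAME):
    """Return (source_ip, source_port, reason) for each rejected rcon whose
    payload is a changelevel with an overlong or non-printable argument."""
    findings = []
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        m = BAD_RCON_RE.match(lines[i])
        if not m:
            i += 1
            continue
        ip, port = m.group(1), int(m.group(2))
        # The rejected command follows on the next lines, up to the next
        # timestamped entry or the next "Bad Rcon" header.
        payload = []
        i += 1
        while (i < len(lines) and not ENTRY_RE.match(lines[i])
               and not BAD_RCON_RE.match(lines[i])):
            payload.append(lines[i])
            i += 1
        text = '\n'.join(payload)
        if 'changelevel' not in text:
            continue
        arg = text.split('changelevel', 1)[1]
        nonprint = sum(1 for c in arg if not 32 <= ord(c) < 127)
        if nonprint:
            findings.append((ip, port, 'non-printable bytes in changelevel argument'))
        elif len(arg.strip()) > max_len:
            findings.append((ip, port, 'overlong changelevel argument'))
    return findings
```

Run it over `tail` output of the live server log (decoded as latin-1 so stray bytes survive) to get a list of sources worth blocking at the ipchains filter.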
  
Solution/Vendor Information/Workaround:  
  
Valve Software promised a patch which has yet to appear. Interim measures include:

A) Consider not running the Half-Life software at all!
B) Remove the world execute bit from inetd to 'break' the exploit code - this would only stop the script kiddies.
C) Ensure sane ipfwadm/ipchains filters are in place.
  
  
Vendor notified on: 14th September 2000  
  
Credits:  
  
  
Credit for the vulnerability discovery presumably lies with ADM. :) The forensic work which discovered this problem was performed by Mark Cooper.
  
This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp@securityfocus.com.
  
Exploit/Concept Code:  
  
Try http://adm.freelsd.net/ADM/ ?  
  
Reference:
http://www.valvesoftware.com  
  
DISCLAIMER:  
No responsibility whatsoever is taken for any correct/incorrect use of this information. This is for informational purposes only.
  
-----BEGIN PGP SIGNATURE-----  
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>  
  
-----END PGP SIGNATURE-----  