Reporter Mark Cooper
-----BEGIN PGP SIGNED MESSAGE-----
Vulnerability Report by Mark Cooper
Date Published: 16th October 2000
Advisory ID: N/A
Bugtraq ID: 1799
CVE CAN: N/A
Title: Half-Life Dedicated Server Vulnerability
Class: Buffer Overflow
Remotely Exploitable: Yes
Locally Exploitable: Yes
Release Mode: FORCED RELEASE
This vulnerability is actively being exploited in the wild.
Half-Life Dedicated Server for Linux 188.8.131.52 & Previous
A buffer overflow vulnerability was discovered in a Half-Life
during a routine security audit. A user shell was found running on
port of the server which led to an investigation into how this had
From the logs left on the server, it was ascertained that a
script was used and that the perpetrator failed to further compromise
due to the Half-Life software running as a non-privileged user.
The vulnerability appears to exist in the changelevel rcon command and does not
require a valid rcon password. The overflow appears to exist after
function as the following was found in the last entries of the
# tail server.log.crash | strings
L 08/23/2000 - 23:28:59: "[CiC]Foxdie<266>" say "how so?"
Bad Rcon from x.x.x.x:4818:
rcon werd changelevel
rcon werd changelevel
The actual raw exploit code is logged, along with what appears to be
authors, ADM (http://adm.freelsd.net/ADM/). If they could shed some
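As an added illustration (not part of the advisory), the following Python scans a Half-Life server log for the pattern shown above: rejected rcon attempts whose changelevel argument is oversized or non-printable, plus a per-source count of "Bad Rcon" events. The layout of the lines following a "Bad Rcon from" header, the addresses and the length threshold are assumptions; the sample log is constructed.

```python
import re
# Constructed sample log modelled on the advisory's fragment (not real traffic).
# Assumed layout: a "Bad Rcon from <ip>:<port>:" header, then the rejected command
# text on the following line(s) until the next timestamped "L ..." entry or header.
SAMPLE_LOG = "\n".join([
    'L 08/23/2000 - 23:28:59: "[CiC]Foxdie<266>" say "how so?"',
    "Bad Rcon from 192.0.2.10:4818:",
    "rcon werd changelevel de_dust",
    "Bad Rcon from 192.0.2.10:4818:",
    "rcon werd changelevel " + "A" * 300,   # oversized map name
    "rcon werd changelevel",
    'L 08/23/2000 - 23:29:10: World triggered "Round_Start"',
    "Bad Rcon from 198.51.100.7:27005:",
    "rcon guess status",                    # bad password, harmless command
])

BAD_RCON = re.compile(r"^Bad Rcon from (\d{1,3}(?:\.\d{1,3}){3}):(\d+):\s*$")
MAX_MAP_NAME = 32   # longest plausible map name; the threshold is an assumption

def find_suspicious_changelevel(log_text, max_len=MAX_MAP_NAME):
    """Return (source_ip, line) for rejected rcon changelevel attempts whose
    argument is overlong or non-printable. The advisory's crash log was read
    through `strings`, so binary bytes may be gone; length is the safer signal."""
    hits = []
    source = None
    for line in log_text.splitlines():
        m = BAD_RCON.match(line)
        if m:
            source = m.group(1)
            continue
        if line.startswith("L "):       # normal timestamped entry ends the block
            source = None
            continue
        if source is None:
            continue
        parts = line.split(None, 3)     # rcon <password> <command> [argument]
        if len(parts) >= 3 and parts[0] == "rcon" and parts[2] == "changelevel":
            arg = parts[3] if len(parts) == 4 else ""
            if len(arg) > max_len or not arg.isprintable():
                hits.append((source, line))
    return hits

def count_bad_rcon_by_source(log_text):
    """Count rejected rcon attempts per source address (brute-force/scan signal)."""
    counts = {}
    for line in log_text.splitlines():
        m = BAD_RCON.match(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts
```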
Valve Software promised a patch which has yet to appear. Interim
A) Consider not running the Half-Life software at all!
B) Remove the world execute bit from inetd to 'break' the exploit code - this
would only stop the script kiddies
C) Ensure sane ipfwadm/ipchains filters are in place
Vendor notified on: 14th September 2000
Credit for the vulnerability discovery presumably lies with ADM. :)
work which discovered this problem was performed by Mark Cooper.
This advisory was drafted with the help of the SecurityFocus.com Help Team.
For more information or assistance drafting advisories
Try http://adm.freelsd.net/ADM/ ?
No responsibility whatsoever is taken for any correct/incorrect use
information. This is for informational purposes only.