Valve: [GoldSrc] RCE via 'spk' Console Command
Details: Description RCE can be achieved on clients via the 'spk' console command due to missing length checks before copying into a stack-based buffer. POC 1. Place the attached cfg file in the root directory of the game: F676967 2. Launch the game and bring up the console with 3. Type in exec...
Valve: [GoldSrc] RCE via malformed BSP file
Description RCE can be achieved via a malformed BSP file due to the lack of length validation when copying data from the BSP file into a stack-based buffer. POC 1. Place the attached BSP F666628 in the maps directory of the chosen GoldSrc game (czero/maps, cstrike/maps, tfc/maps, etc.). 2. Launch t...
Valve: [GoldSrc] Remote Code Execution using malicious WAD list in BSP file
Summary The TEXInitFromWad function calls COMFileBase to get the file name from a path into a buffer on the stack. Since COMFileBase does not have boundary checks and the buffer is small, a long WAD file name can trigger a stack buffer overflow, leading to arbitrary code execution. Steps to reproduce...
Valve: [CS 1.6] Map cycle abuse allows arbitrary file read/write
The CS 1.6 server has a map cycle feature, i.e. automatic map change after a specified period of time. This feature relies on the data of the file specified in the mapcyclefile cvar. Any user with RCON access to the server can set this variable to an arbitrary value - no input sanitization applies. In ord...
Valve: Malformed map detailed texture files in GoldSrc games lead to Remote Code Execution
A crafted map detailed texture file (maps/detail.txt) can be used to exploit a stack overflow vulnerability in hw.dll that can lead to remote code execution. Reproduction I used Counter-Strike for PoCs. Using a listen server - Place the attached csassaultdetail.txt in the cstrike/maps folder - Start the ga...
Valve: Malformed playlist.txt in GoldSrc games leads to Access Violation & arbitrary code execution
A crafted playlist.txt can be used to exploit a stack overflow vulnerability in GameUI.dll that can lead to arbitrary code execution. Reproduction Place the attached playlist.txt in the game directory (valve, cstrike, etc.). The game will crash when it tries to play the Splash track. Exploitability The file ca...
Valve: Malformed .MDL triggers an Access Violation on GoldSRC (hl.exe)
A malformed player .MDL triggers an exploitable Access Violation on GoldSRC engine games Half-Life upon invocation, which could lead to remote code execution on a client. Crash Information FAILUREIDHASHSTRING: um:invalidpointerwriteexploitablec0000005hw.dll!createinterface Event Type: Exception...
Valve: Malformed .WAV triggers an Access Violation on GoldSRC (hl.exe)
A malformed .WAV triggers an Access Violation on GoldSRC engine games (Half-Life) upon invocation, which could lead to remote code execution on a client. Crash Information Event Type: Exception Exception Faulting Address: 0x2469a000 First Chance Exception Type:...
Valve: Malformed BSP in GoldSrc Engine may cause shellcode injection
Introduction Hello. There's a vulnerability in the GoldSrc Engine that allows running arbitrary assembly code via incorrect BSP format processing. Description The vulnerability is found in the UTILStringToIntArray function. This function belongs to the game mod library (mp.dll/cs.so) and has the...
Valve: Malformed save files (.sav) allow writing files with arbitrary extensions and content in GoldSrc-based games.
The structure of the save file implies unpacking of temporary files with the extensions .HL1, .HL2 and .HL3. In the code of the 'load' command, there is a check for invalid substrings, such as .., so unpacking the files into the top directories will not work. Also, it seems, there is code for checking...
Valve: Malformed Skybox .TGA in Half-Life (GoldSRC) leads to Access Violation
A malformed .TGA when loaded as a Skybox on a map in a GoldSRC engine game Half-Life can lead to arbitrary code execution on a remote client. Reproduction Steps Load the attached map + resources on a local Half-Life listen server. The game will crash with an Access Violation as soon as the map wi...