2 matches found
Valve: [GoldSrc] RCE via malformed BSP file
Description: RCE can be achieved via a malformed BSP file due to the lack of length validation when copying data from the BSP file into a stack-based buffer. POC: 1. Place the attached BSP F666628 in the maps directory of the chosen GoldSrc game (czero/maps, cstrike/maps, tfc/maps, etc.). 2. Launch t...
Valve: Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution
A malformed .BSP can trigger an Access Violation on CS:GO that can lead to arbitrary code execution on a remote computer. I have attached a copy of the malformed .BSP which reliably triggers an Access Violation on CS:GO. Impact: An attacker hosting a malicious server could compromise a remote clie...