Half-Life Dedicated Server Vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2000-10-17T00:00:00



Vulnerability Report by Mark Cooper

Date Published: 16th October 2000

Advisory ID: N/A

Bugtraq ID: 1799



Title: Half-Life Dedicated Server Vulnerability

Class: Buffer Overflow

Remotely Exploitable: Yes

Locally Exploitable: Yes


This vulnerability is actively being exploited in the wild.

Vulnerable Packages/Systems:

Half-Life Dedicated Server for Linux & Previous

Vulnerability Description:

A buffer overflow vulnerability was discovered in a Half-Life dedicated server during a routine security audit. A user shell was found running on the ingreslock port of the server, which led to an investigation into how this had been achieved. From the logs left on the server, it was ascertained that a predefined exploit script was used and that the perpetrator failed to further compromise the server because the Half-Life software was running as a non-privileged user.

The vulnerability appears to exist in the changelevel rcon command and does not require a valid rcon password. The overflow appears to occur after the logging function, as the following was found in the last entries of the daemon's logs:

 # tail server.log.crash | strings
 L 08/23/2000 - 23:28:59: "[CiC]Foxdie<266>" say "how so?"
 Bad Rcon from x.x.x.x:4818:
 rcon werd changelevel
 Privet ADMcrew\
 rcon werd changelevel

The actual raw exploit code is logged, along with what appears to be the script authors, ADM ( http://adm.freelsd.net/ADM/ ). If they could shed some light on this?
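Since the server logs the failed rcon attempt and the raw changelevel argument before the overflow happens, an administrator can sweep existing logs for the same pattern. The following is an added example, not part of this advisory: it assumes the log layout shown above (a "Bad Rcon from IP:port:" line followed by the "rcon <password> changelevel <arg>" lines), and the sample log and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `strings` output in the advisory.
# A real overflow payload is binary; a long run of 'A' and a run of
# non-printable bytes stand in for it here.  Addresses are made up.
SAMPLE_LOG = (
    'L 08/23/2000 - 23:28:59: "[CiC]Foxdie<266>" say "how so?"\n'
    "Bad Rcon from 192.0.2.10:4818:\n"
    "rcon werd changelevel " + "A" * 300 + "\n"
    "rcon werd changelevel crossfire\n"           # a legitimate map name
    "Bad Rcon from 192.0.2.10:4818:\n"
    "rcon werd changelevel " + "\x90" * 40 + "\n"
    "Bad Rcon from 192.0.2.77:1234:\n"
    "rcon letmein status\n"                       # wrong password, no overflow
)

GAME_LINE_RE = re.compile(r"^L \d\d/\d\d/\d{4} - \d\d:\d\d:\d\d: ")
BAD_RCON_RE = re.compile(r"^Bad Rcon from (\d{1,3}(?:\.\d{1,3}){3}):(\d+):")
RCON_RE = re.compile(r"^rcon (\S*) changelevel ?(.*)$")
MAX_MAP_LEN = 64  # map names are short; anything longer is suspect


def suspicious_changelevel(arg):
    """True if a changelevel argument is overlong or contains bytes that
    are not printable ASCII, i.e. it looks like a payload, not a map."""
    if len(arg) > MAX_MAP_LEN:
        return True
    return any(not (0x20 <= ord(c) < 0x7F) for c in arg)


def scan_log(text):
    """Return {source_ip: count} of failed-rcon changelevel attempts whose
    argument looks like an overflow payload.  Lines that are neither a
    timestamped game event nor an rcon line are treated as payload
    residue and keep the current 'Bad Rcon' context."""
    hits = defaultdict(int)
    last_bad_rcon = None
    for line in text.splitlines():
        if GAME_LINE_RE.match(line):
            last_bad_rcon = None  # ordinary game event ends the rcon context
            continue
        m = BAD_RCON_RE.match(line)
        if m:
            last_bad_rcon = m.group(1)
            continue
        m = RCON_RE.match(line)
        if m and last_bad_rcon and suspicious_changelevel(m.group(2)):
            hits[last_bad_rcon] += 1
    return dict(hits)


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))  # {'192.0.2.10': 2}
```

Run it over `server.log*` files with `scan_log(open(path, errors="replace").read())`; a non-empty result means the source address attempted a changelevel overflow and the box should be treated as compromised, as in the incident above.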

Solution/Vendor Information/Workaround:

Valve Software promised a patch which has yet to appear. Interim measures would include:

A) Consider not running the Half-Life software at all!
B) Remove the world execute bit from inetd to 'break' the exploit code - this would only stop the script kiddies
C) Ensure sane ipfwadm/ipchains filters are in place

Vendor notified on: 14th September 2000


Credit for the vulnerability discovery presumably lies with ADM. :) The forensic work which discovered this problem was performed by Mark Cooper.

This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp@securityfocus.com.

Exploit/Concept Code:

Try http://adm.freelsd.net/ADM/ ?

Reference: http://www.valvesoftware.com

DISCLAIMER: No responsibility whatsoever is taken for any correct/incorrect use of this information. This is for informational purposes only.
