Nevertheless, the report makes sense and in the DLL part it is correct.

We all know that we can place whatever code we want in the DLL files. A
programmer with bad intentions could perfectly create a fake mod (or even a
real one) and place the malicious code there...

Davide (DAV)
Email: [EMAIL PROTECTED]
Azure Sheep: http://www.halflifeitalia.com/azuresheep/
Point of View: http://www.halflifeitalia.com/pov/
DAV Levels: http://www.planetquake.com/davlevels/



----- Original Message -----
From: "Bodek" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 30, 2003 9:25 AM
Subject: RE: [hlcoders] FW: Half-Life: fun with MODs


> I mean that informing people about the fact that mods could have malicious
> code is stupid (I got this message from bugtraq).
>
> Bodek
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Pat Magnan
> > Sent: Wednesday, July 30, 2003 12:36 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [hlcoders] FW: Half-Life: fun with MODs
> >
> >
> > OMG you mean a mod could contain malicious code? What an arse.
> >
> > The overrun in liblist.gam is a bit of an issue, however.
> >
> > At 12:16 AM 7/30/2003 +0200, you wrote:
> > >HI,
> > >
> > >Look at this, very interesting (liblist.gam) but not dangerous in my
> > >opinion, and very silly. Maybe commonly known (DLLs with malicious code hehe
> > >who creates mods with trojans or other dangerous things ?!?)
> > >
> > >Bodek
> > >
> > >-----Original Message-----
> > >From: Auriemma Luigi [mailto:[EMAIL PROTECTED]
> > >Sent: Tuesday, July 29, 2003 8:33 PM
> > >To: undisclosed-recipients:
> > >Subject: Half-Life: fun with MODs
> > >
> > >
> > >######################################################################
> > >
> > >Applications: Half-Life (http://half-life.sierra.com) MODs.
> > >Versions:     1.1.1.0
> > >Platforms:    Windows
> > >Bugs:         Buffer overflow in liblist.gam and arbitrary code
> > >               execution through customized DLL files
> > >Risk:         High
> > >Author:       Auriemma Luigi
> > >               Senior Security Researcher, PivX Solutions, LLC
> > >               e-mail: [EMAIL PROTECTED]
> > >               web:    http://www.pivx.com/luigi/
> > >
> > >
> > >######################################################################
> > >
> > >
> > >1) Introduction
> > >2) Bug
> > >3) The Code
> > >4) Fix
> > >5) Philosophy
> > >
> > >
> > >######################################################################
> > >
> > >===============
> > >1) Introduction
> > >===============
> > >
> > >
> > >Valve's Half-Life was released in 1998 but still remains the world's
> > >most popular FPS game.
> > >
> > >The success of the game is largely due to the overwhelming community
> > >support, which has spawned a range of MODs for the game - including
> > >the popular Counter-Strike MOD and Day Of Defeat.
> > >
> > >The cause of these problems is MODs.
> > >One of these problems is an inherent flaw in the basic structure of
> > >Half-Life and cannot be fixed without fundamental changes.
> > >
> > >
> > >
> > >######################################################################
> > >
> > >======
> > >2) Bug
> > >======
> > >
> > >
> > >The 2 bugs are:
> > >
> > >
> > >---------------------------------
> > >[A] Buffer-overflow in liblist.gam
> > >---------------------------------
> > >
> > >Liblist.gam is a text file present in every MOD. The problem is a
> > >buffer overflow caused by long values.
> > >
> > >The following liblist.gam demonstrates the problem:
> > >
> > >---liblist.gam---
> > >
> > >game
> > >"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPxaaaaaaaaaaaa"
> > >gamedll "what you want"
> > >
> > >-----------------
> > >
> > >
> > >The buffer-overflow happens when there is a value of 276 bytes and
> > >only when the gamedll parameter is specified.
> > >
> > >NOTE: The important and "strange" thing to see is that the stored
> > >return address is overwritten by the 4 bytes at offset 260 of the
> > >value.
> > >We need to add another 12 bytes after it to cause the buffer-overflow
> > >and successfully overwrite the stored EIP.
> > >
> > >
> > >
> > >--------------------------------------
> > >[B] Do you know the DLL files in MODs?
> > >--------------------------------------
> > >
> > >
> > >A lot of MODs are distributed with custom DLL files that are contained
> > >in the folders "dlls" and "cl_dlls".
> > >
> > >The problem is easily explained:
> > >
> > >The DLL files used by MODs are real binary libraries that can contain
> > >all the code you want!
> > >Which means that I can create a malicious DLL that I distribute with
> > >a MOD and everyone who uses it will run my malicious code.
> > >
> > >
> > >[Bodek]Really ??? I can't believe ????!!! :)
> > >
> > >This problem "CANNOT" be fixed by Valve, so be careful when you use an
> > >unknown MOD or you download a MOD from a non-trusted site.
> > >
> > >
> > >
> > >######################################################################
> > >
> > >===========
> > >3) The Code
> > >===========
> > >
> > >
> > >---------------------------------
> > >[A] Buffer-overflow in liblist.gam
> > >---------------------------------
> > >
> > >---liblist.gam---
> > >
> > >game
> > >"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPxaaaaaaaaaaaa"
> > >gamedll "what you want"
> > >
> > >-----------------
> > >
> > >
> > >
> > >--------------------------------------
> > >[B] Do you know the DLL files in MODs?
> > >--------------------------------------
> > >
> > >
> > >Create a Half-Life DLL or add any malicious code to an existing DLL.
> > >
> > >
> > >
> > >#######################################################################
> > >
> > >======
> > >4) Fix
> > >======
> > >
> > >
> > >Valve was notified of this vulnerability on April 14 2003, and replied
> > >that they were working to patch these bugs.
> > >
> > >Since that last point of contact, Valve and its representatives have
> > >been contacted on multiple occasions for a status update on the patch,
> > >without any replies.
> > >
> > >
> > >
> > >#######################################################################
> > >
> > >==========================
> > >5) Researcher's Philosophy
> > >==========================
> > >
> > >
> > >Be free.
> > >The researchers' community needs your reversing, your programs, and
> > >your research. Never let your passion die and don't stop your work!
> > >
> > >Disclosure:
> > >Full and responsible disclosure can lead to a quick fix, and prevent a
> > >problem before it gets into the wrong hands.
> > >
> > >
> > >
> > >#######################################################################
> > >
> > >====================
> > >About PivX Solutions
> > >====================
> > >
> > >
> > >PivX Solutions, is a premier network security consultancy offering a
> > >myriad of network security services to our clients.
> > >
> > >For more information go to http://www.PivX.com
> > >
> > >
> > >#######################################################################
> > >
> > >---
> > >Researcher
> > >http://www.pivx.com/luigi/
> > >
> > >
> > >
> >
> >
> >
>
>

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlcoders
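An added defender-side check, not code from the advisory, from Valve or from any MOD, that parses a liblist.gam body and flags the two conditions the advisory describes: a value long enough to reach the saved return address at offset 260 (276 bytes, only with gamedll set) and the presence of gamedll, i.e. native code shipped with the MOD. The simplified `key "value"` grammar, the severity levels and the sample entries are assumptions.

```python
import re
from typing import Dict, List, Tuple

# liblist.gam entries are assumed to take the form   key "value"   ("game" and
# "gamedll" are the only two keys the advisory shows).
ENTRY_RE = re.compile(r'^\s*(\w+)\s+"([^"]*)"\s*$')

# Figures from the advisory: the saved return address is overwritten by the
# 4 bytes at offset 260 of the value; the overflow fires at 276 bytes and only
# when gamedll is also present.
RET_ADDR_OFFSET = 260
OVERFLOW_LEN = 276


def parse_liblist(text: str) -> Dict[str, str]:
    """Return the key -> value map of a liblist.gam body (later duplicates win)."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def audit_liblist(text: str) -> List[Tuple[str, str]]:
    """Return (severity, detail) findings for a MOD's liblist.gam."""
    entries = parse_liblist(text)
    findings: List[Tuple[str, str]] = []
    has_gamedll = "gamedll" in entries
    for key, value in entries.items():
        n = len(value.encode("latin-1", errors="replace"))
        if n >= OVERFLOW_LEN and has_gamedll:
            eip = value[RET_ADDR_OFFSET:RET_ADDR_OFFSET + 4]
            findings.append(("HIGH", f"{key}: {n}-byte value with gamedll set; "
                                     f"saved EIP = bytes {RET_ADDR_OFFSET}.."
                                     f"{RET_ADDR_OFFSET + 3} ({eip!r})"))
        elif n >= RET_ADDR_OFFSET:
            findings.append(("MEDIUM", f"{key}: {n}-byte value reaches the "
                                       "return-address offset"))
    if has_gamedll:
        findings.append(("INFO", f"gamedll {entries['gamedll']!r}: MOD ships native "
                                 "code; inspect dlls/ and cl_dlls/ before installing"))
    return findings


# Constructed samples: one mirroring the advisory's 276-byte value, one benign.
POC_LIBLIST = 'game "' + "a" * 260 + "EIPx" + "a" * 12 + '"\ngamedll "what you want"\n'
BENIGN_LIBLIST = 'game "Azure Sheep"\ngamedll "dlls\\mymod.dll"\n'

if __name__ == "__main__":
    for severity, detail in audit_liblist(POC_LIBLIST):
        print(severity, detail)
```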
