Author: Stan Bubrouski (firstname.lastname@example.org)
Date: March 9, 2001
Package: Half-Life dedicated server for Windows and Linux and the Windows client as well.
Versions affected: All are believed vulnerable including latest builds for Windows (Build 1572) and Linux (Build 1573)
Severity: Remote users with access level high enough to execute the exec or map commands can exploit two buffer overflows and a string formatting vulnerability to crash the Half-Life server or execute commands to gain access to the host the server is running on.
1) When the 'map' command is sent more than 58 or 59 characters a potentially exploitable buffer overflow occurs.
2) When 235 or more characters are used with the 'exec' command a buffer is overflowed and the server crashes.
3) There is a string formatting vulnerabilitiy in the 'map' command. When it recieves any formatting characters like %s or %d it interprets them as format characters and if crafted right a user could crash the server or execute code as the user the server is running as.
4) There is a buffer overflow in the parsing of config files which could be used to execute code as the user running the server. This is dangerous because someone could place code in the config file of a module and distribute it to unsuspecting users.
Copyright 2001 Stan Bubrouski
Stan Bubrouski email@example.com
316 Huntington Ave. Apt #676, Boston, MA 02115 (617) 377-7222