COMMAND
Half-Life
SYSTEMS AFFECTED
Half-Life Dedicated Server for Linux 3.1.0.3 & Previous
PROBLEM
The following is based on a Vulnerability Report by Mark Cooper. A
buffer overflow vulnerability was discovered in a Half-Life
dedicated server during a routine security audit. A user shell
was found running on the ingreslock port of the server, which led
to an investigation into how this had been achieved.
From the logs left on the server, it was ascertained that a
predefined exploit script was used and that the perpetrator failed
to further compromise the server because the Half-Life software
was running as a non-privileged user.
The vulnerability appears to exist in the changelevel rcon command
and does not require a valid rcon password. The overflow appears
to occur after the logging function, since the following was found
in the last entries of the daemon's logs:
# tail server.log.crash | strings
L 08/23/2000 - 23:28:59: "[CiC]Foxdie<266>" say "how so?"
Bad Rcon from x.x.x.x:4818:
rcon werd changelevel
bin@
sh!@
Privet ADMcrew\
rcon werd changelevel
The actual raw exploit code is logged, along with what appears to
be the script's authors (ADM). Perhaps they could shed some light
on this?
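The log fragment above is the only detection signal the advisory gives: a "Bad Rcon from" entry whose command carries binary data instead of a map name. The following scanner is an added example (not part of the advisory, and not Valve or FreeBSD code) that walks a raw server log and flags such entries. It assumes the raw log places the rcon command on the line after the "Bad Rcon from host:port:" header (as the strings output suggests), uses the advisory's own x.x.x.x placeholder, and the sample log bytes, the 0xff filler and the second benign entry are constructed; the 64-byte argument limit is an assumed threshold to tune for your server.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the advisory's log fragment. The
# "x.x.x.x" host is the advisory's placeholder; the 0xff filler bytes
# and the second, benign entry are invented for the demonstration.
SAMPLE_LOG = (
    b'L 08/23/2000 - 23:28:59: "[CiC]Foxdie<266>" say "how so?"\n'
    b'Bad Rcon from x.x.x.x:4818:\n'
    b'rcon werd changelevel ' + b'\xff' * 80 + b'bin@\x00\x01sh!@\n'
    b'Privet ADMcrew\\\n'
    b'Bad Rcon from 10.0.0.5:27015:\n'
    b'rcon wrongpass status\n'
)

# Header written by the server for a rejected rcon request.
BAD_RCON_RE = re.compile(rb'^Bad Rcon from ([^:]+):(\d+):')

# Assumed threshold: a legitimate map name is short, so a longer
# changelevel argument is treated as suspicious.
MAX_ARG_LEN = 64


def is_printable(data: bytes) -> bool:
    """True if every byte is printable ASCII (0x20..0x7e) or a tab."""
    return all(0x20 <= b <= 0x7e or b == 0x09 for b in data)


def scan_log(raw: bytes, max_arg_len: int = MAX_ARG_LEN) -> List[Dict[str, object]]:
    """Report 'Bad Rcon' entries whose command contains non-printable
    bytes or an oversized changelevel argument."""
    findings: List[Dict[str, object]] = []
    lines = raw.split(b'\n')
    for i, line in enumerate(lines):
        m = BAD_RCON_RE.match(line)
        if not m or i + 1 >= len(lines):
            continue
        cmd = lines[i + 1]           # assumed: command follows the header
        if not cmd.startswith(b'rcon '):
            continue
        reasons: List[str] = []
        if not is_printable(cmd):
            reasons.append('non-printable bytes in rcon command')
        # rcon <password> <command> [argument]; keep the argument whole
        parts = cmd.split(b' ', 3)
        if (len(parts) == 4 and parts[2] == b'changelevel'
                and len(parts[3]) > max_arg_len):
            reasons.append('changelevel argument of %d bytes' % len(parts[3]))
        if reasons:
            findings.append({
                'source': m.group(1).decode('ascii', 'replace'),
                'port': int(m.group(2)),
                'command': parts[2].decode('ascii', 'replace') if len(parts) > 2 else '',
                'reasons': reasons,
            })
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it against a copy of server.log (read in binary mode, since the entries of interest are not text); a hit identifies the source address and port to block at the firewall while the patched server is being installed.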
Credit for the vulnerability discovery presumably lies with ADM.
The forensic work which discovered this problem was performed by
Mark Cooper.
SOLUTION
There's an announcement of a new Half-Life patch which should be
released in week 44 of 2000 and should fix the vulnerability
described above.
For FreeBSD:
1) Upgrade your entire ports collection and rebuild the
halflifeserver port.
2) Download a new port skeleton for the halflifeserver port
from:
http://www.freebsd.org/ports/
and use it to rebuild the port. Due to license restrictions,
no binary package is provided for the halflifeserver port.