CVE-2023-35855 patch for build 8684 Win #1

Closed
anzz1 opened this issue Jan 1, 2024 · 2 comments
Comments

anzz1 commented Jan 1, 2024

Patch for CVE-2023-35855, Windows build 8684 (pre-HL25 Anniversary, aka "steam_legacy" branch) for all mods.
By the way, this exploit is not only for Counter-Strike but works for other Half-Life mods too.

Original 8684 hw.dll

  File: hw.dll
CRC-32: f7dcffd9
   MD4: 3db85c7df94b2e5bddbbbeb0d741999b
   MD5: a74c64de593e2533c04200c5417bd9e9
 SHA-1: f0f7372692f285154c76be35fc50b89ed0ea2d18

Patched 8684 hw.dll

  File: hw.dll
CRC-32: eca35f3d
   MD4: 1be4615a18dd7051f68ce2d98ba46e50
   MD5: a121c926bc1dd90d0a8632766d228c4d
 SHA-1: 51c2ecb1ab8241b6afeae535a6a66dbd73a00a65

Prepatched
hw_dll_8684_patched.zip

Manual patch
https://gist.github.com/anzz1/71689275ed722492da7ec7c02a41b867

Info

Instead of patching the underlying overflow, which is the use of unbounded sprintf instead of snprintf in the mod dlls (mp.dll/hl.dll/opfor.dll/etc.), and having to do it for each mod separately, the better way is to block the server from sending lservercfgfile to a client at all. It's clearly an oversight, since it's not a cvar that a server should be able to set on a client.

After patching:

Server tried to send invalid command:"lservercfgfile "MikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikAAAA";map de_nuke
"

No more crash 😃

MikeIsAStar (Owner) commented

I can confirm that your proposed patch mitigates the vulnerability. I would much rather allow a server to execute the kill console command on my client instead of the lservercfgfile console command. ;)

I will pin this issue for others to see.

Excellent work!

@MikeIsAStar MikeIsAStar pinned this issue Jan 4, 2024
anzz1 commented Jan 4, 2024

Yeah exactly. To clarify, the patch replaces the kill command in the list of disallowed commands with lservercfgfile.

My reasoning for replacing it this way instead of adding the new command to the list:
a) Makes the patch simpler, as no code cave is needed
b) The kill command simply suicides the player (if enabled; some mods disable it, in which case it does nothing), and as the server already has full power to kill any player at any point, there is little sense in having this command in the disallowed list anyway.
