Patch for CVE-2023-35855, Windows build 8684 (pre-HL25 Anniversary, aka "steam_legacy" branch) for all mods.
By the way, this exploit is not only for Counter-Strike but works for other Half-Life mods too.

Original 8684 hw.dll
Patched 8684 hw.dll

Prepatched
hw_dll_8684_patched.zip

Manual patch
https://gist.github.com/anzz1/71689275ed722492da7ec7c02a41b867

Info
Instead of patching the underlying overflow, which is the use of unbounded `sprintf` instead of `snprintf` in the mod dlls (mp.dll/hl.dll/opfor.dll/etc.), and having to do it for each mod separately, the better way is to block the server from sending `lservercfgfile` to a client at all. It's clearly an oversight, since it's not a cvar that the server should be able to set on a client.

After patching:
```
Server tried to send invalid command:"lservercfgfile "MikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikAAAA";map de_nuke
"
```
No more crash 😃
I can confirm that your proposed patch mitigates the vulnerability. I would much rather allow a server to execute the kill console command on my client instead of the lservercfgfile console command. ;)
Yeah, exactly. To clarify, the patch replaces the `kill` command in the list of disallowed commands with `lservercfgfile`.
My reasoning for replacing it this way instead of adding the new command to the list:
a) It makes the patch simpler, as no code cave is needed.
b) The `kill` command simply suicides the player (if enabled; some mods disable it, in which case it does nothing), and as the server already has full power to kill any player at any point, there is little sense in having this command in the disallowed list anyway.
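Both halves of the argument in this thread, the mod-side overflow from the issue body and the client-side disallow list from the comment above, as an added example in C that is not the patch, the engine or any mod's code. It models a mod DLL building a path from the server-supplied `lservercfgfile` value with an unbounded `sprintf` (computed rather than performed, so nothing is overwritten) next to the bounded `snprintf` form with a truncation check, and the client's filter on server-stuffed commands with the disallow list before the patch (`kill`) and after it (`lservercfgfile`), logging the same message the issue shows. The 64-byte buffer, the `%s.cfg` format, every function name, the one-entry lists and the shortened sample string are assumptions made for the illustration; the page gives only the two command names and the console message.

```c
/* Added example, not code from the issue, the engine or any mod DLL. It models
 * both sides of the thread: the mod-side bug (unbounded sprintf() of a
 * server-controlled cvar value into a fixed buffer, beside the snprintf() form)
 * and the engine-side fix (the client refusing a stuffed command that is on its
 * disallow list, with "kill" swapped for "lservercfgfile"). Buffer size, the
 * "%s.cfg" format, function names and the one-entry lists are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define CFG_PATH_MAX 64                   /* assumed mod-side buffer size */
#define COUNT(a) (sizeof (a) / sizeof *(a))

/* Bytes (NUL included) an unbounded sprintf("%s.cfg", value) would write.
 * Computed rather than performed, so the example never corrupts memory. */
static size_t unbounded_cfg_path_len(const char *cvar_value)
{
    return (size_t)snprintf(NULL, 0, "%s.cfg", cvar_value) + 1;
}

static bool unbounded_would_overflow(const char *cvar_value)
{
    return unbounded_cfg_path_len(cvar_value) > CFG_PATH_MAX;
}

/* Hardened form: bounded write plus an explicit truncation check, so an
 * over-long value is rejected instead of silently cut to a mangled path. */
static bool bounded_cfg_path(char *dst, size_t cap, const char *cvar_value)
{
    int n = snprintf(dst, cap, "%s.cfg", cvar_value);
    if (n < 0 || (size_t)n >= cap) {
        dst[0] = '\0';
        return false;
    }
    return true;
}

static bool bounded_path_ok(const char *cvar_value, const char *expect)
{
    char buf[CFG_PATH_MAX];
    return bounded_cfg_path(buf, sizeof buf, cvar_value) && strcmp(buf, expect) == 0;
}

/* Commands the client refuses when a server stuffs them into its console. The
 * patch replaces the "kill" entry with "lservercfgfile"; the real list's other
 * entries are not on the page and are left out here. */
static const char *const disallowed_before_patch[] = { "kill" };
static const char *const disallowed_after_patch[]  = { "lservercfgfile" };

/* Command name = first token: skip blanks, stop at blank, quote or ';'. */
static void first_token(const char *text, char *out, size_t outcap)
{
    size_t i = 0, n = 0;
    while (text[i] == ' ' || text[i] == '\t')
        i++;
    while (text[i] && text[i] != ' ' && text[i] != '\t' && text[i] != '"' &&
           text[i] != ';' && n + 1 < outcap)
        out[n++] = text[i++];
    out[n] = '\0';
}

/* True if the client would execute the stuffed text; false if it refuses it,
 * in which case the console message from the issue is written to log. */
static bool client_exec_stuffcmd(const char *const *disallowed, size_t count,
                                 const char *stuffed, char *log, size_t logcap)
{
    char name[64];
    first_token(stuffed, name, sizeof name);
    for (size_t i = 0; i < count; i++) {
        if (strcmp(name, disallowed[i]) == 0) {
            snprintf(log, logcap, "Server tried to send invalid command:\"%s\"", stuffed);
            return false;
        }
    }
    log[0] = '\0';
    return true;
}

/* True only if the filter refused the command and logged it as the page shows. */
static bool filter_refuses(const char *const *disallowed, size_t count, const char *stuffed)
{
    char log[512];
    return !client_exec_stuffcmd(disallowed, count, stuffed, log, sizeof log) &&
           strncmp(log, "Server tried to send invalid command:\"", 38) == 0;
}

/* Constructed sample, shaped like the string in the issue but shortened. */
static const char sample_value[] = "MikeStarMikeStarMikeStarMikeStarMikeStarMikeStar"
                                   "MikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikAAAA";
static const char sample_stuffcmd[] = "lservercfgfile \"MikeStarMikeStarMikeStarMikeStar"
    "MikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikeStarMikAAAA\";map de_nuke";

int main(void)
{
    printf("%zu bytes needed, %d available: %s; bounded form %s\n",
           unbounded_cfg_path_len(sample_value), CFG_PATH_MAX,
           unbounded_would_overflow(sample_value) ? "overflow" : "fits",
           bounded_path_ok(sample_value, "") ? "wrote path" : "rejected over-long value");
    printf("lservercfgfile before patch: %s, after patch: %s\n",
           filter_refuses(disallowed_before_patch, COUNT(disallowed_before_patch), sample_stuffcmd) ? "refused" : "executed",
           filter_refuses(disallowed_after_patch, COUNT(disallowed_after_patch), sample_stuffcmd) ? "refused" : "executed");
    return 0;
}
```

Running it shows the over-long value needing far more than the assumed buffer, and the same stuffed string being executed with the pre-patch list and refused with the patched one. That is the whole effect of the one-string swap: the client's list lookup already exists, so no extra code has to be added to reject the command.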