Advisory CVE-2023-30382 – Half-Life Local Privilege Escalation

by | May 23, 2023 | Jumpsec, Vulnerability

Software: Half-Life

Affected versions: Latest (<= build 5433873), at the time of writing

Vendor page: www.valvesoftware.com

CVE Reference: CVE-2023-30382

Published: 23/05/2023

CVSS 3.1 Score: 8.2 AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector: Local

Credit: Ryan Saridar

Summary

An attacker can leverage a stack-based buffer overflow via Half-Life’s command line arguments to compromise the account of any local user who launches the game.

Technical details

hl.exe does not adequately perform bounds checking on the command line used to launch it, allowing an attacker with control of the launch parameters to gain code execution as the user running it. By default, all users can access the C:\Program Files (x86)\Steam\userdata\<steamID3>\config\localconfig.vdf file, which can be modified to enforce a Steam application to launch with any provided command line parameters. Combining these, a low-privileged attacker can set specially crafted launch parameters using this file, and therefore gain privilege escalation when a higher privileged user runs the application.

The cause of the buffer overflow is found in the CCommandLine::CreateCmdLine and CCommandLine::LoadParametersFromFile functions. CreateCmdLine allocates a 4096 byte buffer which LoadParametersFromFile copies the command line to. Given that the command line is not restricted to 4096 bytes, this can lead to an overflow. This appears to have been fixed in games such as HL2 and TF2, however the fix was not applied to the original HL.

Mitigation

Valve has not responded to previous submissions of this issue, meaning the game is not patched. The simplest and most effective method of mitigation at this time is the uninstallation of Half-Life.

That said, there is another way of mitigating this route of attack if this isn’t an option, though it does not address the underlying buffer overflow vulnerability and thus will not cover possible alternate routes of exploitation. Your Steam installation contains globally writable configuration files that store each Steam user’s saved command line arguments (C:\Program Files (x86)\Steam\userdata\<steamID3>\config\localconfig.vdf). If a Steam user account is predominantly used by a specific local user, you can restrict writability of this file to that user account, preventing another user from being able to overwrite your command line arguments. You could also check the command line parameters via the Steam GUI before launching the game to ensure it is as expected.

Timeline

09/01/2021: Buffer overflow submitted for bug bounty, though rejected due to social engineering requirement

11/01/2021: Attempt to disclose via Valve’s public security email, with no response received

09/02/2021: Subsequent attempt to disclose, again with no response

28/08/2022: Revisited the vulnerability and discovered the local privilege escalation route via the configuration file

29/08/2022: Subsequent bug bounty submission, which was rejected due to claims that a remote code execution exploit of this vulnerability had been discovered and disclosed since

04/04/2023: CVE requested and plan to publish due to lack of remediation, despite awareness of the issue

26/04/2023: CVE assigned by MITRE

23/05/2023: Publication by JUMPSEC

 

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.

GitHub Activity

@JumpsecLabs JumpsecLabs made JumpsecLabs/TokenSmith public · December 20, 2024 02:22

TokenSmith generates Entra ID access & refresh tokens on offensive engagements. It is suitable for both covert adversary simulations and penetratio…

Go Updated Dec 20

 

Follow JUMPSECLabs

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.

You may also like…

Share This