Affected versions: Latest (<= build 5433873), at the time of writing
Vendor page: www.valvesoftware.com
CVE Reference: CVE-2023-30382
CVSS 3.1 Score: 8.2 AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Local
Credit: Ryan Saridar
An attacker can leverage a stack-based buffer overflow via Half-Life’s command line arguments to compromise the account of any local user who launches the game.
hl.exe does not adequately perform bounds checking on the command line used to launch it, allowing an attacker with control of the launch parameters to gain code execution as the user running it. By default, all users can access the C:\Program Files (x86)\Steam\userdata\<steamID3>\config\localconfig.vdf file, which can be modified to force a Steam application to launch with arbitrary command line parameters. Combining these, a low-privileged attacker can set specially crafted launch parameters using this file and escalate privileges when a higher-privileged user runs the application.
The cause of the buffer overflow is found in the CCommandLine::CreateCmdLine and CCommandLine::LoadParametersFromFile functions. CreateCmdLine allocates a 4096-byte buffer into which LoadParametersFromFile copies the command line. Because the length of the command line is not restricted to 4096 bytes, a longer command line overflows the buffer. This appears to have been fixed in games such as HL2 and TF2, but the fix was not applied to the original HL.
Valve has not responded to previous submissions of this issue, and the game remains unpatched. The simplest and most effective method of mitigation at this time is the uninstallation of Half-Life.
That said, if uninstalling isn't an option, there is another way of mitigating this route of attack, though it does not address the underlying buffer overflow vulnerability and thus will not cover possible alternate routes of exploitation. Your Steam installation contains globally writable configuration files that store each Steam user's saved command line arguments (C:\Program Files (x86)\Steam\userdata\<steamID3>\config\localconfig.vdf). If a Steam user account is predominantly used by a specific local user, you can restrict write access on this file to that user account, preventing another user from overwriting your command line arguments. You could also check the command line parameters via the Steam GUI before launching the game to ensure they are as expected.
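The following PowerShell script is an added example, not code from Valve or from this advisory's authors, and covers both points above: it audits every localconfig.vdf under Steam\userdata for saved launch options whose length reaches the 4096-byte CreateCmdLine buffer described earlier, and it restricts write access on a chosen user's localconfig.vdf to that Windows account plus Administrators and SYSTEM. The file path and the 4096 limit come from this advisory; the VDF key name LaunchOptions, the regex-based extraction, the $SteamRoot default and the account names in the usage lines are assumptions.

```powershell
# Added example (not Valve's or JUMPSEC's code). Assumptions are marked in comments.
# 1) Audit: find saved launch options at or above the 4096-byte buffer size.
# 2) Mitigate: stop other local users from writing a given localconfig.vdf.

$SteamRoot   = 'C:\Program Files (x86)\Steam'   # install path as given in the advisory
$BufferLimit = 4096                             # CreateCmdLine buffer size from the advisory

function Get-SteamLaunchOptions {
    param([Parameter(Mandatory)][string]$ConfigPath)
    # VDF stores each key/value pair as two quoted strings. Extracting the
    # "LaunchOptions" entries with a regex is an assumption that avoids a full
    # VDF parser; escaped quotes (\") inside the value are tolerated.
    $text    = Get-Content -LiteralPath $ConfigPath -Raw
    $pattern = '"LaunchOptions"\s+"((?:[^"\\]|\\.)*)"'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        [pscustomobject]@{
            File    = $ConfigPath
            Length  = $m.Groups[1].Value.Length   # characters; equals bytes for ASCII options
            Options = $m.Groups[1].Value
        }
    }
}

function Find-OversizedLaunchOptions {
    param([string]$Root = $SteamRoot, [int]$Limit = $BufferLimit)
    # One localconfig.vdf per <steamID3> directory, as described in the advisory.
    Get-ChildItem -LiteralPath (Join-Path $Root 'userdata') -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'config\localconfig.vdf' } |
        Where-Object  { Test-Path -LiteralPath $_ } |
        ForEach-Object { Get-SteamLaunchOptions -ConfigPath $_ } |
        Where-Object  { $_.Length -ge $Limit }
}

function Protect-SteamLocalConfig {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string]$Owner      # Windows account that uses this Steam login
    )
    $acl = Get-Acl -LiteralPath $ConfigPath
    # Stop inheriting the directory's permissive entries, then grant access only
    # to the owning account, Administrators and SYSTEM. Steam runs as the launching
    # user, so that user keeps full control and can still save launch options.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($principal in @($Owner, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $ConfigPath -AclObject $acl
}

# Usage (run from an elevated prompt; account name is a placeholder):
# Find-OversizedLaunchOptions | Format-Table File, Length
# Protect-SteamLocalConfig -ConfigPath "$SteamRoot\userdata\<steamID3>\config\localconfig.vdf" `
#                          -Owner "$env:COMPUTERNAME\alice"
```

Run the audit first: any entry it reports is, at minimum, worth inspecting through the Steam GUI before the game is launched. The ACL change applies only to the file named, so repeat it for each Steam login on a shared machine; it does not replace uninstalling the game, which remains the only mitigation that removes the overflow itself.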
09/01/2021: Buffer overflow submitted for bug bounty, though rejected due to a social engineering requirement
11/01/2021: Attempt to disclose via Valve’s public security email, with no response received
09/02/2021: Subsequent attempt to disclose, again with no response
28/08/2022: Revisited the vulnerability and discovered the local privilege escalation route via the configuration file
29/08/2022: Subsequent bug bounty submission, which was rejected due to claims that a remote code execution exploit of this vulnerability had been discovered and disclosed since
04/04/2023: CVE requested, with a plan to publish due to the lack of remediation despite awareness of the issue
26/04/2023: CVE assigned by MITRE
23/05/2023: Publication by JUMPSEC