#######################################################################

                             Luigi Auriemma

Application:  Source Engine
              http://source.valvesoftware.com
Games:        Half-Life 2
                http://www.half-life2.com
              Counter-Strike: Source
                http://store.steampowered.com/app/240/
              OrangeBox / Team Fortress 2
                http://store.steampowered.com/app/440/
              Left 4 Dead
                http://www.l4d.com
              other games and mods
Versions:     <= build 3933, bug B affects also build 3964
              bug A affects also build 3939 (\folder\file.txt)
Platforms:    Windows and Linux
Bugs:         A] arbitray file uploading
              B] arbitray file deletion
              C] disk space consumption with file uploading
Exploitation: remote, versus server (in-game)
Date:         19 Aug 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Source engine is the latest version and rewrite of the original
Half-Life engine (GoldSrc) developed by Valve
(http://www.valvesoftware.com).
It's the engine used for games like Half-Life 2, Counter Strike Source,
Team Fortress 2, Left 4 Dead and various others which are also the most
played internet multiplayer games in absolute with over 10000 online
servers.


#######################################################################

=======
2) Bugs
=======


--------------------------
A] arbitray file uploading
--------------------------

By default the Source engine allows to download and upload files.
While the download operation is denied if there is a slash or a ".."
or an unsupported extension in the requested file (to avoid directory
traversal bugs although \file is allowed) in the upload operation there
are just no checks.

The result is that an attacker can upload files in arbitrary locations
in the hard disks of the server like
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\bad.exe"
or "\file.txt" or "../file.txt" and so on.

The existent files cannot be replaced (will be showed the console
message "Download file 'FILENAME' already exists!") but is possible to
put place malicious programs in the Startup folder for being executed
at the next logon/reboot of the system.

Note that these "file uploading" vulnerabilities can be exploited even
with uploads and downloads disabled, indeed using "sv_allowupload 0"
does NOT solve the situation.


-------------------------
B] arbitray file deletion
-------------------------

As said previously, the Source engine doesn't allow to overwrite the
existent files for security reasons but exists an interesting bug which
allows to delete any file on the system and at the same time make it
impossible to recreate/update it.

If the name of the file to upload contains a slash or backslash at its
end (like "c:\file.txt/" or  "c:\file.txt\") will be created a folder
with the same name of the file and the original file will no longer
exist.

UPDATE 17 Sep 2009:
Although it was obvious for me I want to explain that this bug exists
because the engine creates all the full path specified in the string
so if the client sends "mydir1\mydir2\mydir3\myfile.txt" will be
created all the 3 subdirectories in the main path of the game.
What I said about appending the slash/backslash at the end of the
filename was only a quick example and I thought it was enough to
understand the real cause of the bug.

So if the attacker specifies the file "c:\autoexec.bat/" the original
file "c:\autoexec.bat" will be removed and will be created the folder
"c:\autoexec.bat" at its place.

This bug can be exploited for two malicious purposes:
- game related: is possible to delete any file which allows the game to
  work or to maintain its configuration and security, that means
  deleting logs, configuration files ("cfg\server.cfg/", "motd.txt/",
  "cfg\banned_ip.cfg/", "../ClientRegistry.blob\" and so on), maps,
  resources, mods and everything else used by the game server
- system related: is possible to delete any file in any disk
  arbitrariarly like Windows files, programs files, files located in
  the user folder ("Documents and Settings") and so on

The fact that are created folders with the same name of the original
files make also impossible to update or regenerate the deleted files
automatically because the operating system doesn't allow it so the
admin must manually remove these folders to restore (partially) the
situation.

UPDATE 17 Sep 2009:
The patch that Valve released does NOT really fix this bug.
indeed it only filters the files with a slash/backslash at the end
(like my quick example) and so it fixes NOTHING.
that's why "cfg\server.cfg\hello.txt" will delete the file
"cfg\server.cfg".


---------------------------------------------
C] disk space consumption with file uploading
---------------------------------------------

Due to the particular "bugged" handling of the uploaded files and the
packets in which they are transmitted is possible to generate zeroed
files with a size of max 64 megabytes using only a packet of some
bytes.
This can lead to the complete consuming of the disk space (of any disk
because the locations are arbitrary) of the server, useful for example
to fill the current disk avoiding the creation of the logs and other
game files (I guess that the server quits if no disk space is
available for its writes) and then there is ever a high lag effect
caused by the creation of the files in real-time which temporary
freezes the server.


#######################################################################

===========
3) The Code
===========


The following is the stand alone proof-of-concept for confirming the
vulnerabilities with the LAN server quickly and easily:

  http://aluigi.org/poc/sourceupfilelan.zip

For the testing of the server in an internet/Steam environment I have
released the following plugin for proxocket/sudppipe which MUST be
recompiled or hex edited for substituiting the XXXXXXXXXXX...XXX string
in it with the desired filename to test (bug A and B) without modifying
the length of the dll file (so the result will be
"c:\myfile.txt.XXXXXXXX...XXXX" with a 0x00 byte after the name of the
file as delimiter):

  http://aluigi.org/poc/sourceupfile.zip

note that for bug A these proof-of-concepts will NOT upload a real file
on the test server but will only created an empty one at the provided
location.

quick usage for proxocket (NOTE that some users report that this method
could give problems with VAC):
- download proxocket: http://aluigi.org/mytoolz.htm#proxocket
- copy ws2_32.dll and the myproxocket.dll of the PoC in the same folder
  where is located the game executable of the client
- start the client and join the server to test

quick usage for sudppipe:
- download sudppipe: http://aluigi.org/mytoolz.htm#sudppipe
- copy myproxocket.dll in the same folder of sudppipe and start it:
  sudppipe -l myproxocket.dll SERVER PORT 1234
- start the client and join the server on 127.0.0.1:1234


UPDATE 17 Sep 2009:
note that this proof-of-concept can't be used to test the file deletion
bug in versions >= 3939 because it uses a particular work-around to
reach the upload function (the protocol has been not figured at 100%
yet).


#######################################################################

======
4) Fix
======


No fix.


#######################################################################