Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CS:GO: From Zero to 0-day - 1169

Neodyme, posted 2 years ago
  • CS:GO is a popular online game from 2012 with many public servers. Mods, textures, 3D models and more all create a large attack surface. The Source engine has its own TCP-like network stack layered over UDP.
  • Reversing this game is interesting. Debug symbols were accidentally put into the MacOS version in 2017, making it easier to learn about. Additionally, there are many public exploits, cheating communities and more which offer good resources. They found a custom CS:GO server written in Python, which was useful for attacking.
  • The server takes in commands. Some commands only work locally and/or when a single user is playing. Whether this is the case is controlled by the user-controllable value m_nMaxClients. Using this, an attacker can execute privileged commands on the server, such as quit.
  • Source engine servers (what this game was built on) can send additional game files to the client via HTTP. When a file is requested, the end of the file name (its extension) is validated. However, the name is then copied into a fixed-size buffer with snprintf, which silently truncates the string, so the validated suffix need not survive the copy. So, we can bypass the filter!
  • One of the privileged commands con_logfile writes to an arbitrary *.log file. This suffered from the same snprintf truncation issue, but on a write. This gave them an arbitrary file write vulnerability.
  • The service validates DLLs. However, it falls back to an insecure mode so that it can still boot if there is an issue. The same behaviour can be replicated with the -insecure flag. With this flag, DLLs from outside the bin/ directory are loaded too.
  • There are several logic vulnerabilities here. How can we take this to code execution?
    1. Use the arbitrary file download to download a malicious DLL to be used later.
    2. Corrupt one of the DLLs. This will trigger the fallback mode to search for DLLs in a different location.
    3. Replace the gameinfo.txt so that the malicious DLL is loaded on startup. All Source Engine games are just add-ons to Half-Life, so this is common.
    4. Use the privileged command bypass to reboot the server.
    5. On startup, the malicious DLL will be loaded because of the fallback mechanism.
  • Valve requires a real PoC in order to prove impact for RCE. Although they found these bugs individually and quite quickly, it took them a while to chain everything together. Each bug gave them 7.5K, which is quite a bit. Overall, good report on interesting logic bugs.
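The validate-then-truncate defect behind both the file-request filter bypass and the con_logfile write is worth seeing in code. The following is an added example, not Source engine code or Neodyme's: a hypothetical path copy in the defective shape next to a hardened version that treats truncation as an error and re-validates what actually landed in the buffer. Buffer size, suffix and sample paths are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical fixed buffer size, chosen so the constructed sample path below
 * loses exactly its validated suffix when truncated. */
#define PATH_BUF_LEN 14

/* The filter: only accept names ending in the allowed extension (constructed). */
static bool has_allowed_suffix(const char *s) {
    size_t n = strlen(s);
    return n >= 4 && strcmp(s + n - 4, ".bsp") == 0;
}

/* Defective pattern: the check runs on the request string, then snprintf copies
 * it into out[] and silently cuts the tail. Returns 0 on "success" even when
 * the suffix that passed the check did not survive the copy. */
int copy_path_truncating(const char *req, char *out, size_t outsz) {
    if (!has_allowed_suffix(req)) return -1;
    snprintf(out, outsz, "%s", req);
    return 0;
}

/* Hardened pattern: snprintf reports how many bytes it wanted to write, so a
 * return value >= outsz means truncation and is rejected outright. The suffix
 * is then checked on the stored bytes, i.e. on what will actually be used. */
int copy_path_checked(const char *req, char *out, size_t outsz) {
    int n = snprintf(out, outsz, "%s", req);
    if (n < 0 || (size_t)n >= outsz) { out[0] = '\0'; return -1; }
    return has_allowed_suffix(out) ? 0 : -1;
}

/* Self-checks so the two behaviours can be exercised without a harness. */
int truncating_copy_keeps_bad_path(void) {
    char buf[PATH_BUF_LEN];
    /* 17-char constructed name: passes the check, stored as "maps/evil.dll" */
    return copy_path_truncating("maps/evil.dll.bsp", buf, sizeof buf) == 0
        && !has_allowed_suffix(buf);
}
int checked_copy_rejects_bad_path(void) {
    char buf[PATH_BUF_LEN];
    return copy_path_checked("maps/evil.dll.bsp", buf, sizeof buf) == -1
        && buf[0] == '\0';
}
int checked_copy_accepts_good_path(void) {
    char buf[PATH_BUF_LEN];
    return copy_path_checked("maps/de.bsp", buf, sizeof buf) == 0
        && strcmp(buf, "maps/de.bsp") == 0;
}
```

The same return-value check applies to the log-file name in the con_logfile case: any copy that can shorten a validated name must fail closed rather than proceed with the shortened result.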