Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Wormable Remote Code Execution in Alien Swarm - 302

mev, Posted 5 Years Ago
  • The term wormable is overused in the age of the modern internet. This vulnerability is TRULY wormable.
  • The bug exists in a video game called Alien Swarm that is open source and was built in 2010.
  • The vulnerability exists on BOTH the client side and the server side: a malicious file upload. There are multiple protections in place that had to be bypassed for this to work.
  • First, the file upload attempts to ensure that NO files with specific file extensions are used. The SENDFILE API accepts a 260-byte filename that is later copied into a 256-byte buffer, after the validation has already run. So, the last 4 bytes can hold a valid extension that then WON'T be used!
  • What else can we bypass? There are two validations for the paths of the file. First, there is a validation that no directory traversal is taking place and that specific directories are not being used.
  • The directory traversal check can be bypassed by writing to the '/' directory. This works because the validation happens first, and only THEN is FixSlashes called. So, by using a directory starting with '/\\', the fix slashes will give us the root directory.
  • The second validation can be bypassed by using all capital letters. In Windows, paths are case insensitive. So, using ADDONS instead of addons allows for this validation to be bypassed.
  • On the server side, the API can be used in order to add a malicious plugin. Then, the server can use the SAME vulnerability to affect other players. To me, this is the definition of wormable!
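The three bypasses in these notes share one root cause: the path is checked before it is normalised and truncated, so the string that is validated is not the string that is used. The added example below is my own constructed C validator, not code from Alien Swarm or the Source engine, and the blocked extensions and directories in it are made-up placeholders. It normalises first (slashes fixed, lowercased), rejects rather than truncates an over-long name, and only then applies the extension, traversal and directory checks, so the path that passes validation is exactly the path that gets written.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 256 /* destination buffer size for this constructed example */

/* Normalise in place: '\\' -> '/', collapse repeated slashes, lowercase.
 * Done BEFORE any check, so checks see the path the filesystem will see. */
static void normalize_path(char *p) {
    char *out = p;
    for (const char *in = p; *in; in++) {
        char c = (*in == '\\') ? '/' : (char)tolower((unsigned char)*in);
        if (c == '/' && out > p && out[-1] == '/') continue; /* "//" -> "/" */
        *out++ = c;
    }
    *out = '\0';
}

/* Placeholder deny-list of extensions (constructed for the example). */
static bool has_blocked_extension(const char *p) {
    static const char *const blocked[] = {".dll", ".exe", ".so", ".vdf", NULL};
    const char *dot = strrchr(p, '.');
    if (!dot) return false;
    for (size_t i = 0; blocked[i]; i++)
        if (strcmp(dot, blocked[i]) == 0) return true;
    return false;
}

/* Absolute paths, drive letters, or any ".." path component are rejected. */
static bool has_traversal_or_absolute(const char *p) {
    if (p[0] == '/') return true;
    if (strlen(p) > 1 && p[1] == ':') return true;
    for (const char *s = p; (s = strstr(s, "..")) != NULL; s += 2) {
        bool at_start = (s == p) || s[-1] == '/';
        bool at_end = s[2] == '\0' || s[2] == '/';
        if (at_start && at_end) return true;
    }
    return false;
}

/* Placeholder deny-list of directories; compared after lowercasing,
 * so "ADDONS/" and "addons/" are treated the same. */
static bool in_blocked_dir(const char *p) {
    static const char *const blocked[] = {"addons/", "cfg/", NULL};
    for (size_t i = 0; blocked[i]; i++)
        if (strncmp(p, blocked[i], strlen(blocked[i])) == 0) return true;
    return false;
}

/* Returns true and fills dst with the normalised path if the upload is
 * allowed. Over-long names are rejected outright, never truncated. */
bool validate_upload_path(const char *requested, char *dst, size_t dst_len) {
    size_t n = strlen(requested);
    if (n == 0 || n >= dst_len || n >= MAX_PATH_LEN) return false;
    char buf[MAX_PATH_LEN];
    memcpy(buf, requested, n + 1);
    normalize_path(buf);
    if (has_traversal_or_absolute(buf)) return false;
    if (in_blocked_dir(buf)) return false;
    if (has_blocked_extension(buf)) return false;
    memcpy(dst, buf, strlen(buf) + 1);
    return true;
}

/* Convenience wrapper: validate against a MAX_PATH_LEN destination. */
bool path_is_accepted(const char *requested) {
    char out[MAX_PATH_LEN];
    return validate_upload_path(requested, out, sizeof out);
}

/* Builds "aaa...a.bsp" of total length n and reports whether it is accepted;
 * shows that names longer than the destination are rejected, not cut short. */
bool probe_name_length(size_t n) {
    char name[512];
    if (n < 5 || n >= sizeof name) return false;
    memset(name, 'a', n - 4);
    memcpy(name + n - 4, ".bsp", 5);
    return path_is_accepted(name);
}

int main(void) {
    const char *samples[] = {"maps/custom.bsp", "/\\windows/x.dll",
                             "ADDONS/plugin.vdf", "maps/../../x.bsp"};
    for (size_t i = 0; i < 4; i++)
        printf("%-20s -> %s\n", samples[i], path_is_accepted(samples[i]) ? "accept" : "reject");
    printf("259-byte name -> %s\n", probe_name_length(259) ? "accept" : "reject");
    return 0;
}
```

The order matters more than the individual checks: any rule evaluated before FixSlashes, lowercasing, or the copy into the smaller buffer is evaluated against a string the code will never actually use.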