Half-Life 1.1.0.8 Security Leak [Sep 23, 2001, 09:30 am ET] – Share – Viewing Comments
A post on Planet Half-Life
points the way to a security alert
on SecurityFocus with word on a hole in
the new Half-Life release that, in a reverse of the norm, could allow a server
to exploit the client. The report says: "Valve Software was contacted on
September 18, 2001 and informed me it will be fixed in the next patch
(presumably v1.1.0.9). They did not believe it to be a serious threat."
Here is a bit on the nature of the problem:
By running the command with around 128 characters it is possible to overflow the buffer and execute arbitrary code. While this problem is on the client side it is still a serious issue, since servers have a function named "g_engfuncs.pfnClientCommand" which allows the server to force clients to execute whatever console command they want. This means that this overflow can be exploited remotely by means of this function. A server administrator could easily easily take advantage of this and exploit clients automatically as they connected to the server.
"Valve Software ... did not believe it to be a serious threat."
Of course they're going to say that. They have the biggest multiplayer game in history, they wouldn't say anything that might jeopardize that status, no matter how the exploit can be used.
Of course they're going to say that. They have the biggest multiplayer game in history, they wouldn't say anything that might jeopardize that status, no matter how the exploit can be used.
Date
Subject
Author
Copyright © 1996-2021 Stephen Heaslip. All rights reserved.
All trademarks are properties of their respective owners.
Privacy Policy. Manage Cookie Settings.
News CGI copyright © 1999-2021 James "furn" Furness & Blue's News. All rights reserved.
Chatbear v1.5.0/blue++: Page generated 25 February 2021, 05:40.