Poor remote code execution in Alien Swarm
2022-06-24 15:36:00 【franket】
Alien Swarm was released as a free game around July 2010. Unlike most Source Engine games it is a top-down shooter, although its gameplay elements are otherwise not much different from Left 4 Dead. Later on, a small and dedicated community extended the game as Alien Swarm: Reactive Drop. The game averages roughly 800 users per day at peak and is still actively updated.
More than 10 years ago, Source and GoldSrc titles had several logic bugs that allowed arbitrary code execution from the client to the server, and vice versa, so that plugins could be stolen or arbitrary data could be written from client to server and back. Here we explore a modern example in Alien Swarm: Reactive Drop.
Client <-> server file upload
Any Alien Swarm client can upload files to the game server (and vice versa) through the CNetChan->SendFile API, although there are some questionable constraints: the client-side checks block some extensions in the game, for example uploading .dll or .cfg files to the server:
if ( (!(*(unsigned __int8 (__thiscall **)(int, char *, _DWORD))(*(_DWORD *)(dword_104153C8 + 4) + 40))(
          dword_104153C8 + 4,
          filename,
          0)
      || should_redownload_file((int)filename))
    && !strstr(filename, "//")
    && !strstr(filename, "\\\\")
    && !strstr(filename, ":")
    && !strstr(filename, "lua/")
    && !strstr(filename, "gamemodes/")
    && !strstr(filename, "addons/")
    && !strstr(filename, "..")
    && CNetChan::IsValidFileForTransfer(filename) ) // fails if filename ends with ".dll" and more
{ /* accept file */ }

bool CNetChan::IsValidFileForTransfer( const char *input_path )
{
    char fixed_slashes[260];
    if (!input_path || !input_path[0])
        return false;
    int l = strlen(input_path);
    if (l >= sizeof(fixed_slashes))
        return false;
    strncpy(fixed_slashes, input_path, sizeof(fixed_slashes));
    FixSlashes(fixed_slashes, '/');
    if (fixed_slashes[l-1] == '/')
        return false;
    if (
        stristr(input_path, "lua/")
        || stristr(input_path, "gamemodes/")
        || stristr(input_path, "scripts/")
        || stristr(input_path, "addons/")
        || stristr(input_path, "cfg/")
        || stristr(input_path, "~/")
        || stristr(input_path, "gamemodes.txt")
    )
        return false;
    const char *ext = strrchr(input_path, '.');
    if (!ext)
        return false;
    int ext_len = strlen(ext);
    if (ext_len > 4 || ext_len < 3)
        return false;
    const char *check = ext;
    while (*check)
    {
        if (isspace(*check))
            return false;
        ++check;
    }
    if (!stricmp(ext, ".cfg") ||
        !stricmp(ext, ".lst") ||
        !stricmp(ext, ".lmp") ||
        !stricmp(ext, ".exe") ||
        !stricmp(ext, ".vbs") ||
        !stricmp(ext, ".com") ||
        !stricmp(ext, ".bat") ||
        !stricmp(ext, ".dll") ||
        !stricmp(ext, ".ini") ||
        !stricmp(ext, ".log") ||
        !stricmp(ext, ".lua") ||
        !stricmp(ext, ".nut") ||
        !stricmp(ext, ".vdf") ||
        !stricmp(ext, ".smx") ||
        !stricmp(ext, ".gcf") ||
        !stricmp(ext, ".sys"))
        return false;
    return true;
}
}
The "//" and ".." checks can be bypassed with "/\\", because the FixSlashes call only normalizes the slashes after the integrity checks have run; ".." combined with "/\\" then resolves to the root of the drive, so we can write anywhere on the system if we know the path. The "lua/", "gamemodes/" and "addons/" checks can be bypassed with capital letters, for example "ADDONS/", because file paths on Windows are case insensitive.
Bypassing the file extension check is more cumbersome, so let's look at the structure that SendFile sends, known as dataFragments_t:
typedef struct dataFragments_s
{
    FileHandle_t file;             // open file handle
    char filename[260];            // filename
    char* buffer;                  // if NULL it's a file
    unsigned int bytes;            // size in bytes
    unsigned int bits;             // size in bits
    unsigned int transferID;       // only for files
    bool isCompressed;             // true if data is bzip compressed
    unsigned int nUncompressedSize; // full size in bytes
    bool isReplayDemo;             // if it's a file, is it a replay .dem file?
    int numFragments;              // number of total fragments
    int ackedFragments;            // number of fragments send & acknowledged
    int pendingFragments;          // number of fragments send, but not acknowledged yet
} dataFragments_t;
The 260-byte filename buffer in dataFragments_t is what the filename checks and filters run on, but the name is copied afterwards, once all checks are done, and truncated to 256 bytes. That truncation strips our fake extension and activates the malicious one:
Q_strncpy( rc->gamePath, gamePath, BufferSize /* BufferSize = 256 */ );
After the file extension has been checked as valid, a filename on the receiving end such as ./././(...)/file.dll.txt (padded to the maximum length with ./) is truncated to ./././(...)/file.dll. There is a further side effect: we can check whether a file exists before the extension is truncated, in order to overwrite it.
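Both ordering mistakes described above (slashes normalised only after the substring checks, and the checked 260-byte name being copied into a 256-byte buffer after validation) disappear when the validator runs on the exact bytes that will be stored. The following is an added example of such a hardened check, written for this page; it is not Source Engine or Alien Swarm code, and the function names (is_valid_transfer_name, validate_padded_name), the helpers and the two size constants are this example's own choices, sized after the 260-byte filename field and the 256-byte Q_strncpy shown on the page.

```c
/* Added example, not engine code: a file-transfer name validator that
 * normalises BEFORE checking, matches directory prefixes case-insensitively,
 * and refuses any name the later 256-byte copy would silently shorten. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XFER_NAME_MAX  260   /* size of the filename field on the page (assumed) */
#define STORE_NAME_MAX 256   /* BufferSize of the later copy on the page (assumed) */

/* Turn every '\\' into '/' in place, the job FixSlashes does on the page. */
static void normalize_slashes(char *p)
{
    for (; *p; ++p)
        if (*p == '\\')
            *p = '/';
}

/* Case-insensitive substring test, so "ADDONS/" matches "addons/". */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; ++hay) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            ++i;
        if (i == n)
            return 1;
    }
    return 0;
}

static int ends_with_nocase(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lf = strlen(suffix);
    if (lf > ls)
        return 0;
    for (s += ls - lf; *s; ++s, ++suffix)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*suffix))
            return 0;
    return 1;
}

/* True only for names that are safe to store under the transfer root. */
bool is_valid_transfer_name(const char *input)
{
    static const char *const denied_dirs[] = {
        "lua/", "gamemodes/", "scripts/", "addons/", "cfg/", "~/", "gamemodes.txt" };
    static const char *const denied_exts[] = {
        ".cfg", ".lst", ".lmp", ".exe", ".vbs", ".com", ".bat", ".dll",
        ".ini", ".log", ".lua", ".nut", ".vdf", ".smx", ".gcf", ".sys" };
    char path[XFER_NAME_MAX];
    size_t len;

    if (!input || !input[0])
        return false;
    len = strlen(input);
    /* The name we validate must be byte-for-byte the name that gets stored,
     * so anything the 256-byte copy would cut is rejected outright. */
    if (len >= STORE_NAME_MAX)
        return false;
    memcpy(path, input, len + 1);

    /* Normalise first, then check: "/\\" can no longer hide ".." or "//". */
    normalize_slashes(path);
    if (path[0] == '/' || path[len - 1] == '/')
        return false;                       /* absolute path or directory */
    if (strstr(path, "//") || strchr(path, ':') || strstr(path, ".."))
        return false;
    for (size_t i = 0; i < sizeof denied_dirs / sizeof denied_dirs[0]; ++i)
        if (contains_nocase(path, denied_dirs[i]))
            return false;

    /* Extension check on the final name, not on a longer pre-truncation one. */
    const char *ext = strrchr(path, '.');
    if (!ext || strchr(ext, '/'))
        return false;                       /* no extension, or dot only in a directory */
    size_t ext_len = strlen(ext);
    if (ext_len < 3 || ext_len > 4)
        return false;
    for (const char *c = ext; *c; ++c)
        if (isspace((unsigned char)*c))
            return false;
    for (size_t i = 0; i < sizeof denied_exts / sizeof denied_exts[0]; ++i)
        if (ends_with_nocase(path, denied_exts[i]))
            return false;
    return true;
}

/* Constructed input in the shape the write-up describes: "./" repeated
 * pad_pairs times, then "file.dll.txt". Returns the validator's verdict. */
bool validate_padded_name(size_t pad_pairs)
{
    char name[2 * XFER_NAME_MAX];
    if (2 * pad_pairs + sizeof "file.dll.txt" > sizeof name)
        return false;
    for (size_t i = 0; i < pad_pairs; ++i) {
        name[2 * i] = '.';
        name[2 * i + 1] = '/';
    }
    strcpy(name + 2 * pad_pairs, "file.dll.txt");
    return is_valid_transfer_name(name);
}

int main(void)
{
    const char *samples[] = { "maps/custom.bsp", "ADDONS/evil.txt", "maps/\\..\\evil.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("%-22s -> %s\n", samples[i], is_valid_transfer_name(samples[i]) ? "accept" : "reject");
    printf("padded (5 pairs)       -> %s\n", validate_padded_name(5) ? "accept" : "reject");
    printf("padded (122 pairs)     -> %s\n", validate_padded_name(122) ? "accept" : "reject");
    return 0;
}
```

A short "./././././file.dll.txt" is accepted, since a .txt file that survives the copy unchanged is exactly what was validated; the same name padded to 256 bytes is rejected instead of being silently truncated to file.dll. The length check against the destination buffer, rather than against the 260-byte scratch buffer, is what closes the gap.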
Remote code execution
Using the remote file inclusion described above, we can upload Source Engine configuration files that may execute arbitrary code. Using Procmon, I found that the game engine reads both platform/cfg and swarm/cfg:
We can simply upload malicious plugins and configuration files to the server's platform/cfg and hijack it. This is because Source Engine server configurations have the following plugin_load command for loading plugins:
plugin_load addons/alien_swarm_exploit.dll
This loads our dynamic library into the game server process, which gives arbitrary code execution. The only limitation is that the newmapsettings.cfg config file is reloaded only on a map change, so you have to wait until the game ends.
Bad demonstration
Because both exploits work against the server and the client alike, we can infect a server, which can in turn infect every player on it, and those players may keep spreading the infection when they play on other servers. This makes the exploit chain fully wormable; only a complete shutdown of the game servers can stop the exploitation chain.