Poster's Name: Kagato
Poster's Email: firstname.lastname@example.org
Subject: Half-Life 22.214.171.124 Security Leak
A post on Planet Half-Life has been started concerning a new security alert on SecurityFocus in regards to a hole in the new Half-Life release that could allow a server to exploit the client (reverse of what you normally see). The report says: "Valve Software was contacted on September 18, 2001 and informed me it will be fixed in the next patch (presumably v126.96.36.199). They did not believe it to be a serious threat." Here's a snip of the issue:
By running the command with around 128 characters it is possible to overflow the buffer and execute arbitrary code. While this problem is on the client side it is still a serious issue, since servers have a function named "g_engfuncs.pfnClientCommand" which allows the server to force clients to execute whatever console command they want. This means that this overflow can be exploited remotely by means of this function. A server administrator could easily take advantage of this and exploit clients automatically as they connected to the server. Do you trust your server admin?