ValveSoftware / halflife

Half-Life 1 engine based games

[GoldSource] SV_BeginFileDownload_f + IsSafeFileToDownload vulnerable to exploit #2136

Open SkillartzHD opened 5 years ago

SkillartzHD commented 5 years ago

This method could be used through 2 techniques

1: https://github.com/ValveSoftware/halflife/issues/2135

2: https://github.com/ValveSoftware/halflife/issues/2129 (without kill, only cmd dlfile & "dlfile")

There is a "blacklist"-type list in IsSafeFileToDownload for the files; this is not enough. Larger files exist (wad/bsp), and if you do not exceed 1MB, you can amplify with a large number of commands sent, e.g. de_airstrip.wad: 4.20 MB, cs_havana.wad: 7.83 MB. You can find them yourself.

I made a fix in the amxx file here: https://github.com/SkillartzHD/HLDS-Shield-1.0.7-/blob/master/HLDS-Shield%20Proffesional/addons/sourcecode/HLDS-Shield%20beta.sma#L1379 to block this spam for SV_BeginFileDownload_f, plus some files added to the blacklist.

Yes, it is not a solution to put a restriction on the size of some files, so you will block developers of maps to fall within a certain limit.

2010kohtep commented 5 years ago

It also works for customizations: a player can upload his spray to the server, then get its hash and organize a flood attack with 'dlfile !MD5[hash]' commands, which will give the same effect. Probably need to add a check for already requested files.
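
One way to implement the "check for already requested files" suggested in the comment above, as an added example that is not part of the thread or of the engine's code: a per-client tracker that drops repeat requests for the same name and caps how many requests are accepted per time window. The struct, the function names and the three limits are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <string.h>

#define DL_SLOTS      16    /* remembered requests per client (assumed) */
#define DL_WINDOW     10.0  /* seconds a request is remembered (assumed) */
#define DL_MAX_WINDOW 8     /* accepted requests per window (assumed) */

typedef struct {            /* hypothetical per-client state, zero-initialised */
    uint32_t hash[DL_SLOTS];  /* FNV-1a hash of the requested name */
    double   when[DL_SLOTS];  /* time the request was accepted */
    int      used[DL_SLOTS];
} dl_tracker_t;

static uint32_t dl_hash(const char *s)
{
    uint32_t h = 2166136261u;
    while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
    return h;
}

/* Returns 1 if a dlfile request may proceed, 0 if it must be dropped.
 * A hash collision between two names fails closed (request dropped). */
int dl_allow(dl_tracker_t *t, const char *name, double now)
{
    uint32_t h = dl_hash(name);
    int i, live = 0, free_slot = -1;

    for (i = 0; i < DL_SLOTS; i++) {
        if (t->used[i] && now - t->when[i] >= DL_WINDOW)
            t->used[i] = 0;                  /* entry expired */
        if (!t->used[i]) {
            if (free_slot < 0) free_slot = i;
            continue;
        }
        if (t->hash[i] == h)
            return 0;                        /* same file already requested */
        live++;
    }
    if (live >= DL_MAX_WINDOW || free_slot < 0)
        return 0;                            /* too many requests in window */

    t->hash[free_slot] = h;
    t->when[free_slot] = now;
    t->used[free_slot] = 1;
    return 1;
}
```

The same call covers both the map/wad names and the `!MD5` customization names, since it keys only on the requested string.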

afwn90cj93201nixr2e1re commented 5 years ago

@mikela-valve What about this one?