CVE-2020-6019
Information
File: steamnetworkingsockets\clientlib\steamnetworkingsockets_udp.cpp
Function: CConnectionTransportUDPBase::Received_Data()
The connection protocol supports the transmission of statistics as part of the header of the incoming message.
When preparing to parse the protobuf-encoded statistics blob, there is a 32-bit overflow in the bounds check:
    pIn = DeserializeVarInt( pIn, pPktEnd, cbStatsMsgIn );
    if ( pIn == NULL )
    {
        ReportBadUDPPacketFromConnectionPeer( "DataPacket", "Failed to varint decode size of stats blob" );
        return;
    }
    // EI-DBG: Classic 32-bit overflow, and it turns out that CS:GO is 32bits (client & server).
    // EI-DBG: Will lead to an error and raised exception in the ParseFromArray() method
    if ( pIn + cbStatsMsgIn > pPktEnd )
    {
        ReportBadUDPPacketFromConnectionPeer( "DataPacket", "stats message size doesn't make sense. Stats message size %d, packet size %d", cbStatsMsgIn, cbPkt );
        return;
    }
    if ( !msgStats.ParseFromArray( pIn, cbStatsMsgIn ) )
    {
        ReportBadUDPPacketFromConnectionPeer( "DataPacket", "protobuf failed to parse inline stats message" );
        return;
    }
Because the addition pIn + cbStatsMsgIn wraps on a 32-bit build, a crafted stats length passes the bounds check and reaches ParseFromArray() as a negative size. This out-of-bounds read lets an attacker raise an exception inside protobuf while it handles the length-delimited wire format with that negative size.
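An added example, not code from this page or from GameNetworkingSockets: it models the bounds check above with 32-bit pointer arithmetic (uint32_t standing in for a 32-bit pointer) so the wrap can be reproduced on any host, and places a remaining-bytes comparison beside it as an assumed hardening, not as a description of the upstream commit. decode_varint32, run_checks and the two sample packet tails are constructed names and data.

```c
#include <stdint.h>
#include <stddef.h>

/* Protobuf base-128 varint decoder, the encoding DeserializeVarInt() consumes.
 * Returns bytes used, or 0 on a truncated or overlong varint. */
static size_t decode_varint32(const uint8_t *p, const uint8_t *end, uint32_t *out)
{
    uint32_t v = 0;
    for (unsigned i = 0; i < 5 && p + i < end; i++) {
        v |= (uint32_t)(p[i] & 0x7f) << (7 * i);
        if (!(p[i] & 0x80)) { *out = v; return i + 1; }
    }
    return 0;
}

/* The page's check, pIn + cbStatsMsgIn > pPktEnd, in 32-bit pointer
 * arithmetic (uint32_t stands in for a 32-bit pointer). 1 = accepted. */
static int vulnerable_check_accepts(uint32_t in_addr, uint32_t end_addr, uint32_t cb)
{
    uint32_t sum = in_addr + cb;  /* wraps modulo 2^32 on a 32-bit build */
    return !(sum > end_addr);
}

/* Hardened form (an assumption here, not a claim about the upstream commit):
 * compare the length against the bytes remaining, which cannot wrap. */
static int hardened_check_accepts(uint32_t in_addr, uint32_t end_addr, uint32_t cb)
{
    return in_addr <= end_addr && cb <= end_addr - in_addr;
}

/* Runs both checks on a constructed packet tail (varint length, then stats
 * bytes) laid out at 32-bit address base_addr; returns the length as
 * ParseFromArray()'s int parameter would receive it. */
int run_checks(const uint8_t *tail, size_t tail_len, uint32_t base_addr,
               int *vuln_accepts, int *hard_accepts)
{
    uint32_t cb = 0;
    size_t n = decode_varint32(tail, tail + tail_len, &cb);
    if (n == 0) { *vuln_accepts = *hard_accepts = 0; return 0; }
    uint32_t in_addr = base_addr + (uint32_t)n;
    uint32_t end_addr = base_addr + (uint32_t)tail_len;
    *vuln_accepts = vulnerable_check_accepts(in_addr, end_addr, cb);
    *hard_accepts = hardened_check_accepts(in_addr, end_addr, cb);
    return (int)cb;  /* 0xFFFFFFF0 reads as -16 on two's-complement targets */
}

/* Constructed inputs: a sane 4-byte blob, and a length varint of 0xFFFFFFF0. */
const uint8_t kSaneTail[] = { 0x04, 0xAA, 0xBB, 0xCC, 0xDD };
const uint8_t kWrapTail[] = { 0xF0, 0xFF, 0xFF, 0xFF, 0x0F, 0xAA, 0xBB, 0xCC, 0xDD };
```

With kWrapTail the page's check accepts the blob while the remaining-bytes check rejects it; with kSaneTail both accept.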
Crash Trace:
terminate called after throwing an instance of 'std::length_error'
what(): basic_string::append
Attachments:
CVE_2020_6019_PoC_32_bits.py
steamnetworkingsockets_messages_certs_pb2.py
steamnetworkingsockets_messages_pb2.py
steamnetworkingsockets_messages_udp_pb2.py
steam_networking_sockets.py
References:
https://research.checkpoint.com/2020/game-on-finding-vulnerabilities-in-valves-steam-sockets
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6019
https://github.com/ValveSoftware/GameNetworkingSockets/commit/d944a10808891d202bb1d5e1998de6e0423af678