Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Valve Source SDK Ragdoll Model Parsing Stack-Based Buffer Overflow Vulnerability Allowing Remote Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in Valve's Source SDK 2013. The issue arises in the ragdoll model parsing logic, specifically within the `ParseKeyValue` method of the `CRagdollCollisionRulesParse` class. The vulnerability is triggered by the `nexttoken` function, which copies characters from an input string into a fixed-size stack buffer without proper bounds checking. This flaw allows a remote attacker to supply a specially crafted ragdoll model that includes an oversized `collisionpair` rule, exceeding the buffer limit of 256 bytes. As a result, the stack buffer `szToken` overflows, overwriting the function's return address and enabling remote code execution on affected clients or servers.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected system.

Reproduction

The vulnerability can be reproduced by creating a ragdoll model that includes a `collisionpair` rule longer than 256 bytes. This model must then be loaded into a game using the Source SDK 2013, such as Half-Life 2 or Team Fortress 2. When the model is processed, the `ParseKeyValue` method will be called, leading to the buffer overflow and allowing for remote code execution.

Remediation

Valve has released patches for this vulnerability in several of their Source games, including CS:GO, TF2, Half-Life 2: Deathmatch, Portal 2, and Left 4 Dead 2. However, independently-developed games using the Source SDK 2013 must manually apply the patch. Instructions for applying the patch can be found in the One Up Security advisory.
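The unbounded token copy described under Vulnerability, next to a length-checked form, as an added example: this is not Valve's SDK code and not the patch from the One Up Security advisory. The function names and the comma-separated `a,b` rule format are assumptions made for illustration; only the 256-byte buffer size comes from the text above.

```c
#include <stdio.h>
#include <string.h>
#define TOKEN_BUF_SIZE 256 /* buffer size stated in the advisory text */

/* Pattern described above: copies until the separator with no length limit.
   Only safe when the caller guarantees the token fits in dst. */
const char *next_token_unbounded(char *dst, const char *src, char sep)
{
    if (src == NULL || *src == '\0') { *dst = '\0'; return NULL; }
    while (*src != sep && *src != '\0')
        *dst++ = *src++;
    *dst = '\0';
    return (*src == sep) ? src + 1 : src;
}

/* Hardened form: writes at most dst_size bytes (terminator included) and
   reports truncation so the caller can reject the rule. */
const char *next_token_bounded(char *dst, size_t dst_size, const char *src,
                               char sep, int *truncated)
{
    size_t n = 0;
    *truncated = 0;
    if (dst_size == 0) return NULL;
    if (src == NULL || *src == '\0') { dst[0] = '\0'; return NULL; }
    for (; *src != sep && *src != '\0'; src++) {
        if (n + 1 < dst_size) dst[n++] = *src;
        else *truncated = 1; /* consume the excess, never store it */
    }
    dst[n] = '\0';
    return (*src == sep) ? src + 1 : src;
}

/* Splits an "a,b" rule value (assumed format). Returns 0 if both tokens fit,
   -1 if the value is empty or either token was truncated. */
int parse_collision_pair(const char *value, char *a, char *b, size_t size)
{
    int t1 = 0, t2 = 0;
    const char *rest = next_token_bounded(a, size, value, ',', &t1);
    if (rest == NULL) return -1;
    next_token_bounded(b, size, rest, ',', &t2);
    return (t1 || t2) ? -1 : 0;
}

int main(void)
{
    char a[TOKEN_BUF_SIZE], b[TOKEN_BUF_SIZE];
    printf("%d\n", parse_collision_pair("3,7", a, b, sizeof a)); /* constructed input */
    return 0;
}
```

Rejecting a truncated rule outright, rather than parsing the shortened token, keeps a malformed model from being half-accepted.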

Added: Oct 15, 2025, 2:24 AM
Updated: Oct 15, 2025, 2:24 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 7.9
remediation: 0.0
relevance: 0.7
threat: 8.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.