[Half-Life 1] Malformed map name leads to memory corruption and code execution
Team Summary
Official summary from Valve
A stack overflow takes place when malformed map names are listed, which can be used to execute arbitrary code. I made a Proof of Concept that executes gnome-calculator on Linux. This was tested on `Half Life` 2018-08-29 on Linux, Ubuntu 18.04.

To reproduce:

- Extract the attached zip-file in the /valve/maps directory.
- Start `Half-Life`.
- Open the console and type `maps *`. This lists the installed maps.
- `gnome-calculator` should now execute.

You may also use the python script to generate a malformed mapname with the exploit. Please see the enclosed video for a demonstration.

# Details about the bug

The callstack when the stack is overwritten is the following:

```
#4  0xf7c982d8 in sprintf () from /usr/lib32/libc.so.6
#5  0xf6454504 in COM_ListMaps (pszSubString=0x0) at ../engine/common.c:2857
#6  0xf6466f3a in Host_Maps_f () at ../engine/host_cmd.c:1511
#7  Host_Maps_f () at ../engine/host_cmd.c:1493
#8  0xf644e20d in Cmd_ExecuteString (text=0x41414141 <error: Cannot access memory at address 0x41414141>, src=<optimized out>) at ../engine/cmd.c:1149
#9  Cbuf_Execute () at ../engine/cmd.c:242
#10 0xf6464ed3 in _Host_Frame (time=0.0570053197) at ../engine/host.c:1384
#11 0xf6465382 in Host_Frame (time=0.0570053197, iState=1, stateInfo=0xffffcb6c) at ../engine/host.c:1522
#12 0xf64918c4 in CEngine::Frame (this=0xf66a88c0 <g_Engine>) at ../engine/sys_engine.cpp:245
#13 0xf648f3a3 in RunListenServer (instance=0x0, basedir=0x804b220 <szBaseDir> "/home/konrad/.local/share/Steam/steamapps/common/Half-Life", cmdline=0x80534d0 "/home/konrad/.local/share/Steam/steamapps/common/Half-Life/hl_linux", postRestartCmdLineArgs=0x804d360 <main::szNewCommandParams> "", launcherFactory=0x8049350 <CreateInterfaceLocal(char const*, int*)>, filesystemFactory=0xf76ccad0 <CreateInterface(char const*, int*)>) at ../engine/sys_dll2.cpp:946
#14 0x08048d67 in main (argc=1, argv=0xffffcda4) at ../launcher/launcher.cpp:439
```

## Impact

If a user installs the crafted map file and runs `maps *` in the console, then custom code can get executed that is not written by Valve, e.g. malware.
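The trace above ends in `sprintf()` called from `COM_ListMaps`, i.e. a file name taken from disk is formatted into a fixed-size stack buffer with no length bound. The following is an added example (not Valve's engine code; the buffer size, the `maps/` prefix and the character whitelist are assumptions) showing that pattern next to a bounded replacement that rejects over-long or suspicious names instead of overrunning the stack.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed buffer size for this example; the engine's real size is not known. */
#define MAP_LINE_MAX 64

/* The pattern the crash trace points at: a file name read from the maps
 * directory is formatted into a fixed-size stack buffer with sprintf(),
 * which never checks how much it writes. Shown only for contrast. */
void print_map_unsafe(const char *name)
{
    char line[MAP_LINE_MAX];
    sprintf(line, "maps/%s", name);   /* runs past line[] when name is too long */
    puts(line);
}

/* Hardened replacement: bound the scan of the input, whitelist the characters
 * a map file name may contain, then format with snprintf() and treat its
 * return value >= outlen (truncation) as an error. Returns 0 on success and
 * -1 if the name is rejected; on failure `out` is left as an empty string. */
int format_map_line(const char *name, char *out, size_t outlen)
{
    size_t n = 0;

    if (outlen == 0) return -1;
    out[0] = '\0';

    /* Length scan that cannot itself run away on an unterminated input. */
    while (n < MAP_LINE_MAX && name[n] != '\0') {
        unsigned char c = (unsigned char)name[n];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return -1;  /* no '/', no control bytes */
        n++;
    }
    if (n == 0 || n == MAP_LINE_MAX) return -1;   /* empty, or longer than we accept */

    if ((size_t)snprintf(out, outlen, "maps/%s", name) >= outlen) {
        out[0] = '\0';   /* would have been truncated: reject rather than print garbage */
        return -1;
    }
    return 0;
}

int main(void)
{
    char line[MAP_LINE_MAX];
    const char *samples[] = { "crossfire", "../evil", "" };   /* constructed inputs */
    for (size_t i = 0; i < 3; i++)
        printf("%-10s -> %s\n", samples[i], format_map_line(samples[i], line, sizeof line) == 0 ? line : "rejected");
    return 0;
}
```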
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$1500.00
Submitted
Weakness
Classic Buffer Overflow