[Source Engine] Material path truncation leads to Remote Code Execution

High

Valve

Team Summary

Official summary from Valve

Title: [Source Engine] Material path truncation leads to Remote Code Execution
Scope: *.exe
Weakness: Improper Input Validation
Severity: High (7.1)
Link: https://hackerone.com/reports/544096
Date: 2019-04-20 12:18:09 +0000
By: @nyancat0131

Details:

## Summary

The handler of the `mat_crosshair_edit` command supplies a buffer of size `256` for the material path. That function then calls `vgui2::system()->ShellExecute("open", path);` to open the `.vmt` file in the associated editor, if one is available. But on Windows, `MAX_PATH` is `260`, so path truncation can be abused to trick the command into executing a file with a different extension. I chose the `.js` extension since it is associated with Windows Script Host by default and is not blocked by the Source Engine download filter.

## Affects

CS:Source, CS:GO, and possibly all of Valve's Source Engine games.

## Environment for reproduction

- Windows 10 x64 10.0.17763.437
- CS:Source installed at the default location: `C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Source\`

NOTE: CS:Source must be installed at that path for this PoC to work.

## Steps to reproduce

- Download F472693 and extract it to `C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Source\cstrike\download\`
- Start CS:Source
- Type `map aim_path` in the console and wait for the map to load
- Type `sv_cheats 1` in the console
- Type `mat_crosshair_edit` in the console; `calc.exe` will be executed

## Impact

Since the engine filters the `ClientCommand` function on the server, attacking without user interaction is almost impossible. The only way to pass the filter is to brute-force the cmd marker random number, a 1 in 2^19 chance. Once the victim has triggered the bug, the attacker can run arbitrary commands on the victim's computer.
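The defect class the report describes, as an added illustration that is not Source Engine code: a fixed 256-byte buffer built with a silently truncating `snprintf`, beside a hardened version that treats truncation as an error and re-checks the extension of the bytes actually in the buffer. The directory `DEMO_DIR` and the helper `build_overlong_material` are constructed for this demo and are not from the report.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the report's bug, not Source Engine code: the path
 * is built in a fixed 256-byte buffer (the size the report names) although
 * a Windows path may be MAX_PATH (260) bytes long. */
#define PATH_BUF   256
#define DEMO_DIR   "C:\\Demo\\materials\\"   /* constructed, not a real install path */

bool has_suffix(const char *s, const char *suffix) {
    size_t n = strlen(s), m = strlen(suffix);
    return n >= m && strcmp(s + n - m, suffix) == 0;
}

/* Defective pattern: snprintf truncates silently, so the appended ".vmt"
 * can fall off the end and the tail of the material name becomes the
 * effective extension of the path that is later opened. */
void naive_material_path(const char *dir, const char *material, char out[PATH_BUF]) {
    snprintf(out, PATH_BUF, "%s%s.vmt", dir, material);
}

/* Hardened pattern: treat truncation as an error and re-check the extension
 * of what is actually in the buffer before it reaches anything like
 * ShellExecute. Returns true only when out is safe to use. */
bool safe_material_path(const char *dir, const char *material, char out[PATH_BUF]) {
    int needed = snprintf(out, PATH_BUF, "%s%s.vmt", dir, material);
    if (needed < 0 || needed >= PATH_BUF || !has_suffix(out, ".vmt")) {
        out[0] = '\0';          /* truncated or wrong extension: refuse */
        return false;
    }
    return true;
}

/* Constructed test input: a material name padded so that dir + name fills
 * exactly the 255 usable bytes and ends in ".js". Returns false if dir
 * leaves no room or name_len is too small to hold the name. */
bool build_overlong_material(const char *dir, char *name, size_t name_len) {
    size_t dlen = strlen(dir);
    if (dlen + 3 >= PATH_BUF - 1 || PATH_BUF - dlen > name_len) return false;
    size_t want = (PATH_BUF - 1) - dlen;        /* name length needed */
    memset(name, 'a', want - 3);
    memcpy(name + want - 3, ".js", 4);           /* copies the NUL too */
    return true;
}
```

With the constructed input, `naive_material_path` yields a 255-byte path ending in `.js` while `safe_material_path` rejects it; a short name such as `crosshair` passes the hardened check with its `.vmt` suffix intact.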

Reported by nyancat0131

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$2500.00

Weakness

Improper Input Validation