[Portal 2] Remote Code Execution via voice packets
Team Summary
Official summary from Valve
# Description

RCE can be achieved on other players via voice packets due to the lack of length validation when reading into a stack-based buffer.

# POC

1. As the victim, invite the attacker into a game.
2. Wait until both players have loaded into the game.
3. Inject the following DLL into the attacker's Portal 2 process: {F630586} (source code: {F630587})
4. View that calc has been opened on the victim's computer.

If these steps are followed correctly the outcome should look like so: {F630585}

# Vulnerable Code

```cpp
bool CGameClient::ProcessVoiceData( CLC_VoiceData *msg )
{
    char voiceDataBuffer[4096];

    // m_nLength comes straight from the network message and is never compared
    // against sizeof(voiceDataBuffer), so the read can run past the stack buffer.
    msg->m_DataIn.ReadBits( voiceDataBuffer, msg->m_nLength );

    SV_BroadcastVoiceData( this, Bits2Bytes(msg->m_nLength), voiceDataBuffer, msg->m_xuid ); // length is in bits

    return true;
}
```

## Impact

RCE allows arbitrary code execution on the attacker's victim.
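To make the missing check concrete, the following is an added C example, not Valve's code and not its actual fix: a constructed stand-in for the engine's bit reader and the CLC_VoiceData message, plus a hardened counterpart of ProcessVoiceData that rejects any length (in bits) that would not fit the 4096-byte stack buffer or that exceeds what the message really carries. All type and function names here, and the demo driver, are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BITS2BYTES(b) (((b) + 7) / 8)

/* Constructed stand-in for the engine's bit reader: a byte array plus a
 * cursor in bits. Only whole-byte reads are modelled. */
typedef struct {
    const uint8_t *data;
    size_t n_bits;   /* total bits present in the message */
    size_t cursor;   /* bits consumed so far */
} bitbuf_t;

/* Constructed stand-in for CLC_VoiceData; n_length arrives over the
 * network and must be treated as untrusted. */
typedef struct {
    bitbuf_t data_in;
    int32_t n_length;   /* length in BITS, chosen by the sender */
} clc_voicedata_t;

/* Copies n_bits (rounded up to whole bytes) into dst. Like the original
 * ReadBits it trusts the caller to have sized dst; it only refuses to
 * read past the end of the message itself. */
static bool read_bits(bitbuf_t *in, void *dst, size_t n_bits) {
    if (n_bits > in->n_bits - in->cursor) return false;  /* truncated message */
    memcpy(dst, in->data + in->cursor / 8, BITS2BYTES(n_bits));
    in->cursor += n_bits;
    return true;
}

/* Hardened counterpart of CGameClient::ProcessVoiceData: the claimed
 * length is bounded by the stack buffer BEFORE any bytes are copied. */
bool process_voice_data_checked(clc_voicedata_t *msg, size_t *out_bytes) {
    char voice_data_buffer[4096];
    if (msg->n_length < 0 || (size_t)msg->n_length > sizeof(voice_data_buffer) * 8)
        return false;  /* would overrun voice_data_buffer: drop the packet */
    if (!read_bits(&msg->data_in, voice_data_buffer, (size_t)msg->n_length))
        return false;  /* header claims more data than the message holds */
    *out_bytes = BITS2BYTES((size_t)msg->n_length);
    /* SV_BroadcastVoiceData(...) would be called here with *out_bytes bytes. */
    return true;
}

/* Demo driver (assumption): builds a packet with payload_bytes of filler whose
 * header claims claimed_bits, and reports whether the hardened path accepts it. */
bool voice_packet_accepted(size_t payload_bytes, int32_t claimed_bits) {
    static uint8_t payload[16384];  /* deliberately larger than the 4096-byte buffer */
    if (payload_bytes > sizeof(payload)) return false;
    memset(payload, 0xAA, payload_bytes);
    clc_voicedata_t msg = { { payload, payload_bytes * 8, 0 }, claimed_bits };
    size_t n = 0;
    return process_voice_data_checked(&msg, &n) && n == BITS2BYTES((size_t)claimed_bits);
}
```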
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $5000.00
Submitted:
Weakness: Classic Buffer Overflow