Exploring Counter-Strike: Global Offensive Attack Surface

We discussed this vulnerability during Episode 236 on 15 January 2024

The key vulnerability discovered is a relative heap out-of-bounds write in the parsing of MDL files within CS:GO.

The bug is in datacache/mdlcache.cpp: studiohdr_t->studiohdr2index is read directly from the MDL file and used as a write offset without any bounds check. In the SetVirtualModel function, this unchecked studiohdr2index from the file determines where data is written, so an out-of-range value can reach unmapped memory. For exploitation, an attacker can set studiohdr2index to a large offset, causing a crash during the SetVirtualModel call.
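The defensive fix for this class of bug is to validate a file-supplied offset against the size of the buffer actually loaded before dereferencing it. The following C example is added here and is not code from CS:GO or the Source engine; the two struct layouts are simplified stand-ins for studiohdr_t and studiohdr2_t (only the fields the check needs, real layouts differ), and the treatment of a zero index as "no secondary header" is an assumption. The accessor returns NULL instead of a pointer whenever the offset would land outside the loaded file, which is the check the text describes as missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified header layouts. NOT the real studiohdr_t /
 * studiohdr2_t: only the fields needed to demonstrate the bounds check. */
typedef struct {
    uint32_t id;              /* file magic (assumed field) */
    uint32_t length;          /* length claimed by the file, untrusted */
    int32_t  studiohdr2index; /* byte offset of the secondary header, file-controlled */
} mdl_hdr_t;                  /* 12 bytes */

typedef struct {
    int32_t numsrcbonetransform;
    int32_t srcbonetransformindex;
    int32_t illumpositionattachmentindex;
    float   flMaxEyeDeflection;
    int32_t linearboneindex;
} mdl_hdr2_t;                 /* 20 bytes */

/* Returns a pointer to the secondary header inside buf, or NULL when the
 * file-supplied offset is negative, absent (0, assumed convention), or would
 * place any byte of the secondary header outside the loaded buffer.
 * The trusted quantity is len (bytes actually loaded), never hdr.length. */
const mdl_hdr2_t *mdl_get_hdr2(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < sizeof(mdl_hdr_t) || len < sizeof(mdl_hdr2_t))
        return NULL;

    mdl_hdr_t hdr;
    memcpy(&hdr, buf, sizeof hdr);          /* avoid unaligned access */

    if (hdr.studiohdr2index <= 0)           /* negative: invalid; 0: no hdr2 */
        return NULL;

    size_t off = (size_t)hdr.studiohdr2index;
    /* Overflow-safe form of: off + sizeof(mdl_hdr2_t) <= len.
     * Also reject offsets that would overlap the primary header. */
    if (off < sizeof(mdl_hdr_t) || off > len - sizeof(mdl_hdr2_t))
        return NULL;

    return (const mdl_hdr2_t *)(buf + off);
}

/* Demonstration helper: builds a constructed file image of file_len bytes
 * whose header carries the given studiohdr2index, and reports whether the
 * accessor accepts it (1), rejects it (0), or the request is too large for
 * the scratch buffer (-1). */
int mdl_offset_accepted(int32_t studiohdr2index, size_t file_len)
{
    static uint8_t scratch[4096];
    if (file_len > sizeof scratch)
        return -1;
    memset(scratch, 0, sizeof scratch);

    mdl_hdr_t hdr = { 0x54534449u /* "IDST", constructed */, (uint32_t)file_len,
                      studiohdr2index };
    if (file_len >= sizeof hdr)
        memcpy(scratch, &hdr, sizeof hdr);

    return mdl_get_hdr2(scratch, file_len) != NULL;
}

int main(void)
{
    /* Constructed inputs: a 64-byte file image with several candidate offsets. */
    int32_t probes[] = { 12, 44, 45, 0, -1, INT32_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("studiohdr2index=%11d -> %s\n", probes[i],
               mdl_offset_accepted(probes[i], 64) ? "accepted" : "rejected");
    return 0;
}
```

The check compares the offset against the number of bytes actually read, not against the length field in the header, because both values come from the same untrusted file; the subtraction form avoids the integer overflow that `off + sizeof(mdl_hdr2_t)` could hit with a very large offset.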

To exploit the vulnerability remotely, an attacker-controlled server can enforce bounds checks for a custom MDL through the sv_consistency configuration. On connecting, the client downloads and loads the custom MDL in order to perform the server-enforced size checks, which triggers the vulnerability and corrupts the client's memory. This does depend on the user having the sv_allowupload configuration option turned on, which is not the default, but community servers frequently require it, so it is not an uncommon situation.