Exploring Counter-Strike: Global Offensive Attack Surface
The key vulnerability discovered is a relative heap out-of-bounds write in the parsing of MDL files within CS:GO. It lives in datacache/mdlcache.cpp, where studiohdr_t->studiohdr2index is read directly from the MDL file and used as a write offset without any bounds checking. The defect is in the SetVirtualModel function: the unchecked studiohdr2index taken from the file is added to the header pointer and a value is written there, so an index larger than the file reaches memory outside the allocation, potentially including unmapped pages. For exploitation, an attacker can set studiohdr2index to a large offset, which crashes the client during the SetVirtualModel call.
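The unchecked offset write described above, beside the bounds check that would have prevented it, as an added illustration that is not code from the page or from the engine: the studiohdr_t and studiohdr2_t stand-ins are hypothetical, reduced to the one field each that the description needs, and the 64-byte "MDL" buffer is constructed in memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, minimal stand-ins for the engine's studiohdr_t/studiohdr2_t:
 * only the fields the page's description needs (not the real layouts). */
typedef struct { uint32_t studiohdr2index; } studiohdr_t;   /* offset read from the file */
typedef struct { void *virtualModel; } studiohdr2_t;        /* target of the write */

/* Vulnerable pattern the page describes: the file-supplied offset becomes a
 * pointer displacement with no check, so a large index writes far outside the buffer. */
void set_virtual_model_unchecked(uint8_t *file, void *vmodel) {
    studiohdr_t hdr;
    memcpy(&hdr, file, sizeof hdr);
    if (hdr.studiohdr2index)
        memcpy(file + hdr.studiohdr2index, &vmodel, sizeof vmodel);  /* OOB for a bad index */
}

/* Hardened form: the whole studiohdr2_t must lie inside the loaded file and must
 * not overlap the primary header; the subtraction form avoids size_t overflow. */
bool set_virtual_model_checked(uint8_t *file, size_t file_len, void *vmodel) {
    studiohdr_t hdr;
    if (file_len < sizeof hdr) return false;
    memcpy(&hdr, file, sizeof hdr);
    uint32_t off = hdr.studiohdr2index;
    if (off == 0) return true;                               /* no secondary header */
    if (off < sizeof hdr) return false;                      /* would overlap studiohdr_t */
    if (off > file_len || file_len - off < sizeof(studiohdr2_t)) return false;
    memcpy(file + off, &vmodel, sizeof vmodel);
    return true;
}

/* Constructed 64-byte "MDL" carrying the given index: returns 1 if the checked
 * loader accepted it and the pointer landed where expected, 0 if it rejected it. */
int load_sample(uint32_t studiohdr2index) {
    uint8_t file[64] = {0};
    int marker;                                   /* any address serves as the model pointer */
    void *vmodel = &marker, *seen = NULL;
    memcpy(file, &studiohdr2index, sizeof studiohdr2index);
    if (!set_virtual_model_checked(file, sizeof file, vmodel)) return 0;
    if (studiohdr2index) memcpy(&seen, file + studiohdr2index, sizeof seen);
    return studiohdr2index == 0 || seen == vmodel;
}
```

Note that the check compares against the real file length, not a value taken from the header; an attacker controls every field in the file, so only the loader's own knowledge of how many bytes it mapped can bound the offset.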
To exploit the vulnerability remotely, an attacker-controlled server can require consistency checks for a custom MDL through the sv_consistency setting. On connecting, the client downloads and loads the custom MDL in order to perform the server-enforced size checks, which triggers the vulnerability and corrupts the client's memory. This does depend on the sv_allowupload option being turned on, which is not the default, but community servers frequently require it, so it is not an uncommon situation.