@iNilo

You're welcome. Far as vALVE, security knows about this. I contacted Eric,
Alfred, Gabe, and security a little over 3 weeks ago now. They are aware of
the issue. Probably forwarded it to the csgo developers. But a fix will
probably take some time to create. As this affects every custom map,
skin/model, sound file, etc.

This was just a heads up to server owners/admins in the meanwhile.

Thanks for the reply.

@others

Far as replicating, and videos. They aren't needed. Those who know what I
am speaking about know how to replicate this themselves. No PoC is needed.
How to replicate was mentioned. If you're not able to do this on your own I
will not hold your hand providing information that is wasted on people who
don't comprehend what potential this exploit has.

To be honest there are many ways to exploit OS vulnerabilities, network
vulnerabilities, electronics vulnerabilities, even game vulnerabilities.
Some of which I've touched on here (packet injection, SQL injection, binary
injections below jtag/hardware protection layer, etc.). But for this
specific exploit I posted to the list so owners/admins who know what I am
referring to can secure their servers until vALVE can add a fix to a future
update.

Please refrain from replying further. The message was heard. There is no
need for further replies.

-StealthMode

On Oct 10, 2017 13:02, "iNilo" <inilo.in...@gmail.com> wrote:

> I frankly don't care what / where / how you work, or what you have studied.
>
> The only thing I know is that this is clearly the wrong channel to
> argue/disclose/chat about.
>
> http://www.valvesoftware.com/security/
>
> Hopefully you get thanked in a patch note, if not I'm sure the entire
> community will be grateful that you disclosed a major security issue to the
> people that *actually* get paid to take care of this.
>
> Thanks.
>
>
>
> 2017-10-10 18:54 GMT+02:00 Saint K. <sai...@specialattack.net>:
>
>> Christopher,
>>
>>
>>
>> I work in “the field” as you like to call it. It’s customary to explain
>> the exploit in detail and provide proof of the concept (hence the request for
>> a PoC) in any form or way.
>>
>>
>>
>> Please demonstrate the issue, be it by posting the offending code, you
>> recording a video showing a working exploit, or anything along these lines.
>>
>>
>>
>> You should know this, if you work in “the field”.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Saint K.
>>
>>
>>
>> *From:* Csgo_servers [mailto:csgo_servers-boun...@list.valvesoftware.com]
>> *On Behalf Of *Stealth Mode
>> *Sent:* 10 October 2017 18:34
>> *To:* csgo_servers@list.valvesoftware.com
>> *Subject:* Re: [Csgo_servers] Custom files exploit
>>
>>
>>
>> @Ryan, etc.
>>
>>
>>
>> I studied radio electronics before IT was a thing. NetSec and ITSec go
>> hand in hand. My credentials aren't CS, because CS was radio electronics.
>> The industry hasn't changed, just a little more vulnerable. Not like I am
>> specifically stating how to inject code, or what code to inject on a public
>> mailing list. Don't need to. Professionals here know what I am referring
>> to. I guess the rest do not have the knowledge to understand what the
>> exploit can actually do. You are aware. That is all that matters. Don't
>> secure your servers, that is on you. When they get exploited, that is on
>> you.
>>
>>
>>
>> Have a nice day! End of discussion. No further communications.
>>
>>
>>
>> Sincerely,
>>
>> Christopher "StealthMode" Stephen Larkins
>>
>> Independent IT Field Engineer
>>
>> fieldnation.com
>>
>> workmarket.com
>>
>> onforce.com
>>
>> clearancejobs.com
>>
>>
>>
>>
>>
>> On Tue, Oct 10, 2017 at 12:09 PM, Ryan Bentley <rdp...@gmail.com> wrote:
>>
>> My sides at this thread. At first I just rolled my eyes but now I
>> actually believe that Stealth Mode is either a troll or delusional. Please
>> stop saying "ITSec". Any first year CS student knows what PoC is but you
>> don't? Please.
>>
>> You are embarrassing yourself. Which institution did you get your degree?
>> It must be a very old BSc indeed. You talk complete nonsense and have a
>> fundamental misunderstanding of basic computer science tenets.
>>
>>
>>
>> On Tue, Oct 10, 2017 at 4:34 PM, Nomaan Ahmad <n0man....@gmail.com>
>> wrote:
>>
>> Nice hat there. Stealth might get this one though:
>> https://i.imgur.com/329jfXt.gif
>>
>>
>>
>> On 10 Oct 2017 4:29 pm, "PistonMiner" <pistonmi...@gmail.com> wrote:
>>
>> The person in question should never have written a message about an open
>> vulnerability into a public mailing list in the first place. Just because
>> they did doesn't mean that you should ask for PoCs in public mailing lists,
>> there's a multitude of issues with that.
>> To make it perfectly clear, I'm not defending this person, I seriously
>> doubt the seriousness of their statements and a lot of what they're saying
>> makes no sense at all and looks like trying to maintain an image of
>> competence while knowing little, but responsible disclosure still applies.
>> If this person has a vulnerability to report, they should do so with the
>> information listed at http://www.valvesoftware.com/security/.
>> And I think I know what I'm talking about seeing as I have two Finder's
>> Fees. See https://wiki.teamfortress.com/wiki/Finder%27s_Fee and
>> https://wiki.teamfortress.com/wiki/List_of_Finder%27s_Fee_owners
>>
>> On 10.10.2017 17:08, Vaya wrote:
>>
>> I think someone needs to ‘stealth mode’ out of this email chain. This is
>> just noise without a repeatable Test
>>
>> Sent from my iPhone
>>
>>
>> On 10 Oct 2017, at 16:01, PistonMiner <pistonmi...@gmail.com> wrote:
>>
>> If you have a vulnerability to report, don't do it in a public mailing
>> list. Report it directly to Valve, and no place else. This conversation has
>> so many problems, but asking for a PoC in a *public* mailing list is one
>> of them. Look up responsible disclosure. (I should note though, at this
>> point I am not convinced a vulnerability even exists.)
>>
>> --
>>
>> PistonMiner (Linus S.)
>>
>> _______________________________________________
>> Csgo_servers mailing list
>> Csgo_servers@list.valvesoftware.com
>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
>>
>>
>>
>>
>>
>>
>> --
>>
>> PistonMiner (Linus S.)
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>