Re: [hlds_linux] [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Kyle Sanderson
No, just TF has these Remote Code Execution patches. CS:S and friends are
still completely vulnerable for the public issues. Don't kid yourself,
there's definitely other vulnerable code paths. Personally, I'm disgusted
as this has been public knowledge for a year now, the exploits being back
from Quake... Sync the games that are still being sold for money.

Valve doesn't care about your workstation, your server, anything that runs
their completely vulnerable code. Don't play on servers that aren't yours;
use SourceMod to secure your servers.

Kyle.
On 3 Sep 2015 2:39 pm, "Refeek Yeglek" wrote:

> Yeah. The big games have it fixed, sourcemods are at risk here.
>
> On Thu, Sep 3, 2015 at 1:34 PM, E. Olsen wrote:
>
>> So, to confirm - Team Fortress 2 has already had this exploit fixed,
>> correct?
>>
>> On Thu, Sep 3, 2015 at 4:32 PM, Nathaniel Theis wrote:
>>
>>> Actually, it looks like that only affects very old versions, (pre-2009 /
>>> aluigi) which have much worse exploits anyways. Sorry for the confusion.
>>>
>>> On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek wrote:
>>>
>>>> I'll let the guys on my sourcemod's team who are looking into it know,
>>>> thanks.
>>>>
>>>> On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis wrote:
>>>>
>>>>> Note that, depending on the engine version you're on (and even SDK
>>>>> 2013 may not do this, I haven't checked), setting sv_allowupload 0 may do
>>>>> literally nothing; on older versions, sv_allowupload just tells the client
>>>>> not to upload anything to the server. The client can ignore it and do it
>>>>> anyways.
>>>>>
>>>>> On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose wrote:
>>>>>
>>>>>> You'd know if that'd been done as there would be announcements on the
>>>>>> various hlds lists about updates for Counter-Strike: Source, Day of
>>>>>> Defeat: Source, and Half-Life 2: Deathmatch.
>>>>>>
>>>>>> However, what he's actually asking is that Valve update the Source
>>>>>> SDK 2013 with these fixes so that game developers can pull the changes
>>>>>> from Github and merge them into their own games' code.
>>>>>>
>>>>>> On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek
>>>>>> <proph...@sticed.org> wrote:
>>>>>>
>>>>>>> He is basically saying that the exploits Nathaniel found and
>>>>>>> reported have only been fixed in Valve's main titles. He hasn't found or
>>>>>>> reported a new exploit.
>>>>>>> I think it has been mentioned by KyleS on one or multiple of these
>>>>>>> mailing lists that these exploit fixes should be ported onto other
>>>>>>> branches. Apparently that has not been done?
>>>>>>>
>>>>>>> On 03.09.2015 22:06, N-Gon wrote:
>>>>>>>
>>>>>>> Someone give this man an unusual Finder's Fee
>>>>>>>
>>>>>>> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek <iamgoofb...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi, I'm one of the developers for Team Fortress 2 Classic, a source
>>>>>>>> mod project. Recently, someone abused a bug present in Source SDK 2013 MP
>>>>>>>> to distribute viruses to quite a few of our players and developers. The way
>>>>>>>> they did it was by abusing a spray exploit present in the SDK 2013 MP
>>>>>>>> edition to upload a file pretending to be a spray to all players and
>>>>>>>> executing it. The technical info on how it works from one of our other
>>>>>>>> coders will be posted at the end of this email, but here's what you need to
>>>>>>>> know as a server owner:
>>>>>>>>
>>>>>>>> We don't know how many source games are vulnerable. The big name
>>>>>>>> VALVe ones aren't, but any sourcemod probably is. This includes ones on
>>>>>>>> steam like Fortress Forever, or Fistful of Frags.
>>>>>>>>
>>>>>>>> If you're running a server for a non-VALVe or bigname (Titanfall,
>>>>>>>> GMOD, etc.) Source Engine game, then here's what you need to do:
>>>>>>>>
>>>>>>>> 1. Set sv_upload to 0 on your server.
>>>>>>>>
>>>>>>>> 2. If you are a TF2C server host, shut your server down and start
>>>>>>>> scanning your server for viruses.
>>>>>>>>
>>>>>>>> 3. Pester valve to fix this ASAP.
>>>>>>>>
>>>>>>>> TL;DR:
>>>>>>>> Sprays can be exploited to run code on people's systems and break
>>>>>>>> into accounts, we've had quite a few CS:GO and TF2 items lifted from
>>>>>>>> accounts and moved to trade alts and disappearing after that. Disable
>>>>>>>> sprays ASAP if you host a sourcemod multiplayer server.
>>>>>>>>
>>>>>>>> Here's the technical info for how stuff works:
>>>>>>>>
>>>>>>>> "The vulnerability is triggered by a missing check to see if a
>>>>>>>> memory allocation succeeded in the loading of VTFs. When the material is
>>>>>>>> loaded, there is space allocated for the material. The crucial option in
>>>>>>>> the using of this exploit is the option to skip Mipmaps from the material.
>>>>>>>> If, for instance, the first mipmap is skipped, the game will copy the
>>>>>>>> mipmap data to buffer + size of first mipmap. When the memory allocation
>>>>>>>> f
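The loader defect quoted at the end of this message, modelled as an added example in C (constructed here, not the Source SDK's code or the real VTF format): a two-mip texture with a skip-mipmaps option, written in the unchecked shape the thread describes beside a hardened loader that verifies the allocation and bounds the copy. The struct layout, function names and mip sizes are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a two-mip texture with a "skip mipmaps" option, after
 * the thread's description; not the real VTF format or the SDK's loader. */
typedef struct {
    uint32_t mip_size[2];  /* bytes occupied by mip 0 and mip 1 */
    uint32_t skip_mips;    /* how many leading mips the file omits (0 or 1) */
} tex_hdr_t;

/* Shape of the bug as described: allocate, never test the result, then copy
 * the supplied mips to buffer + size of the skipped mip. Not safe to call. */
unsigned char *load_texture_unchecked(const tex_hdr_t *h, const unsigned char *data,
                                      size_t data_len, void *(*alloc)(size_t))
{
    unsigned char *buf = alloc((size_t)h->mip_size[0] + h->mip_size[1]);
    size_t offset = h->skip_mips ? h->mip_size[0] : 0;
    memcpy(buf + offset, data, data_len);  /* NULL + offset on failure; no length check */
    return buf;
}

/* Hardened form: validate the header, verify the allocation, bound the copy. */
unsigned char *load_texture_checked(const tex_hdr_t *h, const unsigned char *data,
                                    size_t data_len, void *(*alloc)(size_t))
{
    if (h->skip_mips > 1) return NULL;                      /* cannot skip the last mip */
    size_t total = (size_t)h->mip_size[0] + h->mip_size[1];
    if (total < h->mip_size[0]) return NULL;                /* size_t overflow (32-bit) */
    size_t offset = h->skip_mips ? h->mip_size[0] : 0;
    if (data_len != total - offset) return NULL;            /* payload must fill the rest */
    unsigned char *buf = alloc(total);
    if (buf == NULL) return NULL;                           /* the check the thread says was missing */
    memset(buf, 0, offset);                                 /* skipped mip stays defined */
    memcpy(buf + offset, data, data_len);                   /* offset + data_len == total */
    return buf;
}

static void *failing_alloc(size_t n) { (void)n; return NULL; }
/* Runs the hardened loader on constructed inputs; returns 1 when all behave. */
int check_loader(void)
{
    tex_hdr_t h = { {8, 4}, 1 };                 /* mip 0 (8 bytes) skipped, mip 1 supplied */
    unsigned char mip1[4] = { 1, 2, 3, 4 };
    unsigned char *buf = load_texture_checked(&h, mip1, sizeof mip1, malloc);
    int ok = buf != NULL && buf[0] == 0 && buf[8] == 1 && buf[11] == 4;
    free(buf);
    ok = ok && load_texture_checked(&h, mip1, 2, malloc) == NULL;             /* short file */
    ok = ok && load_texture_checked(&h, mip1, sizeof mip1, failing_alloc) == NULL;
    return ok;
}
```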

Re: [hlds_linux] [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Weasels Lair
I wonder how long it is until some script-kiddie figures out how to
exploit the built-in Streaming (ala
https://github.com/ValveSoftware/steam-for-linux/issues/3990). Valve's
response when I mentioned it was, effectively, "expected behavior".

On Thu, Sep 3, 2015 at 1:45 PM, Refeek Yeglek  wrote:

> Our guys who decompiled the copy when they got infected figured out it was
> a very very bad script kiddie thing designed for doing exactly what is
> going on right now. Lemme go find the name of it, someone posted the name
> and feature list in the FP thread when we were trying to figure out what
> the hell happened, as they're doing hijacks by remote desktopping your
> computers.
>
> On Thu, Sep 3, 2015 at 1:40 PM, Nathaniel Theis  wrote:
>
>> If, and that's a big if... hold on
>>
>> IF it's the VTF exploit I reported, yes. I'm skeptical that it is, just
>> because of how difficult it is to exploit in practice. It would require
>> very advanced Windows exploitation skills, and suggest a well-motivated,
>> targeted attacker. My hunch is that it's another exploit, one that only
>> works from malicious servers or custom maps. This one is incredibly
>> practical and easy to exploit.
>>
>> - Nate
>>