If, and that's a big if... hold on

IF it's the VTF exploit I reported, yes. I'm skeptical that it is, just
because of how difficult it is to exploit in practice. It would require
very advanced Windows exploitation skills, and suggest a well-motivated,
targeted attacker. My hunch is that it's another exploit, one that only
works from malicious servers or custom maps. This one is incredibly
practical and easy to exploit.

- Nate

On Thu, Sep 3, 2015 at 1:34 PM, E. Olsen <[email protected]> wrote:

> So, to confirm - Team Fortress 2 has already had this exploit fixed,
> correct?
>
> On Thu, Sep 3, 2015 at 4:32 PM, Nathaniel Theis <[email protected]> wrote:
>
>> Actually, it looks like that only affects very old versions (pre-2009 /
>> aluigi), which have much worse exploits anyways. Sorry for the confusion.
>>
>> On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek <[email protected]>
>> wrote:
>>
>>> I'll let the guys on my sourcemod's team who are looking into it know,
>>> thanks.
>>>
>>> On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis <[email protected]>
>>> wrote:
>>>
>>>> Note that, depending on the engine version you're on (and even SDK 2013
>>>> may not do this, I haven't checked), setting sv_allowupload 0 may do
>>>> literally nothing; on older versions, sv_allowupload just tells the client
>>>> not to upload anything to the server. The client can ignore it and do it
>>>> anyways.
>>>>
>>>> On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose <[email protected]>
>>>> wrote:
>>>>
>>>>> You'd know if that'd been done as there would be announcements on the
>>>>> various hlds lists about updates for Counter-Strike: Source, Day of
>>>>> Defeat: Source, and Half-Life 2: Deathmatch.
>>>>>
>>>>> However, what he's actually asking is that Valve update the Source SDK
>>>>> 2013 with these fixes so that game developers can pull the changes from
>>>>> Github and merge them into their own games' code.
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek
>>>>> <[email protected]> wrote:
>>>>>
>>>>>> He is basically saying that the exploits Nathaniel found and reported
>>>>>> have only been fixed in Valve's main titles. He hasn't found or reported
>>>>>> a new exploit.
>>>>>> I think it has been mentioned by KyleS on one or multiple of these
>>>>>> mailing lists that these exploit fixes should be ported onto other
>>>>>> branches. Apparently that has not been done?
>>>>>>
>>>>>>
>>>>>> On 03.09.2015 22:06, N-Gon wrote:
>>>>>>
>>>>>> Someone give this man an unusual Finder's Fee
>>>>>>
>>>>>> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi, I'm one of the developers for Team Fortress 2 Classic, a source
>>>>>>> mod project. Recently, someone abused a bug present in Source SDK 2013
>>>>>>> MP to distribute viruses to quite a few of our players and developers.
>>>>>>> The way they did it was by abusing a spray exploit present in the SDK
>>>>>>> 2013 MP edition to upload a file pretending to be a spray to all players
>>>>>>> and executing it. The technical info on how it works from one of our
>>>>>>> other coders will be posted at the end of this email, but here's what
>>>>>>> you need to know as a server owner:
>>>>>>>
>>>>>>> We don't know how many source games are vulnerable. The big name
>>>>>>> VALVe ones aren't, but any sourcemod probably is. This includes ones on
>>>>>>> steam like Fortress Forever, or Fistful of Frags.
>>>>>>>
>>>>>>> If you're running a server for a non-VALVe or big-name (Titanfall,
>>>>>>> GMOD, etc.) Source Engine game, then here's what you need to do:
>>>>>>>
>>>>>>> 1. Set sv_upload to 0 on your server.
>>>>>>>
>>>>>>> 2. If you are a TF2C server host, shut your server down and start
>>>>>>> scanning your server for viruses.
>>>>>>>
>>>>>>> 3. Pester valve to fix this ASAP.
>>>>>>>
>>>>>>> TL;DR:
>>>>>>> Sprays can be exploited to run code on people's systems and break
>>>>>>> into accounts; we've had quite a few CS:GO and TF2 items lifted from
>>>>>>> accounts, moved to trade alts, and disappearing after that. Disable
>>>>>>> sprays ASAP if you host a sourcemod multiplayer server.
>>>>>>>
>>>>>>> Here's the technical info for how stuff works:
>>>>>>>
>>>>>>> "The vulnerability is triggered by a missing check to see if a
>>>>>>> memory allocation succeeded in the loading of VTFs. When the material is
>>>>>>> loaded, there is space allocated for the material. The crucial option in
>>>>>>> the use of this exploit is the option to skip mipmaps from the material.
>>>>>>> If, for instance, the first mipmap is skipped, the game will copy the
>>>>>>> mipmap data to buffer + size of first mipmap. When the memory allocation
>>>>>>> fails, the buffer will be 0, because that's what malloc returns on out of
>>>>>>> memory. This means that the only factor determining where the block is
>>>>>>> put is the size of the first mipmap. This way you can put the data in
>>>>>>> the second mipmap wherever you want, meaning you can write to a
>>>>>>> predictable location in memory. This is additionally encouraged due to
>>>>>>> the fact that ASLR is disabled for the module in question. From that
>>>>>>> point on ROP is used to mark a controlled memory location executable and
>>>>>>> transfer control to it, bypassing DEP. The distribution of the malicious
>>>>>>> material file can be easily done through the use of the spray system,
>>>>>>> which uploads a custom material to the server and distributes it. This is
>>>>>>> of course not the only way to distribute it, but the one used in this
>>>>>>> case. This is not absolutely accurate and technical details have been
>>>>>>> left out due to them not influencing this exploit."
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> To unsubscribe, edit your list preferences, or view the list
>>>>>>> archives, please visit:
>>>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
>>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Ross Bemrose
>>>>>
>>>>
>>>
>>
>
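An added C example, not code from this thread or from the Source SDK, of the two checks a material loader needs against the bug the quoted write-up describes: the missing test of the malloc result, and a bounds check on the offset produced by skipping the first mipmap. The header layout, the `load_mips` and `failing_alloc` names and the sample data are all constructed for the example and are not the real VTF format.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified stand-in for a VTF-style texture header; not the
 * real VTF on-disk layout. Every field comes from the file, so none is trusted. */
typedef struct {
    uint32_t alloc_size; /* bytes the loader reserves for the material */
    uint32_t mip0_size;  /* bytes of the first (largest) mip level */
    uint32_t mip1_size;  /* bytes of the second mip level */
    int      skip_mip0;  /* the "skip mipmaps" option the write-up mentions */
} mip_header;

typedef void *(*alloc_fn)(size_t); /* injectable so a test can force OOM */

/* Hardened loader. Returns the material buffer, or NULL with *err set:
 *   1 = empty allocation request, 2 = allocation failed,
 *   3 = mip data would land outside the reserved buffer. */
unsigned char *load_mips(const mip_header *h, const unsigned char *mip1_data,
                         alloc_fn alloc, int *err)
{
    if (h->alloc_size == 0) { *err = 1; return NULL; }
    /* Skipping mip 0 places mip 1 at buf + mip0_size. Validate offset plus
     * length against the reserved size before touching memory (64-bit sum). */
    uint64_t off = h->skip_mip0 ? h->mip0_size : 0;
    if (off + h->mip1_size > h->alloc_size) { *err = 3; return NULL; }
    /* The check the write-up says was missing: without it, a failed malloc
     * turns the copy below into a write at address 0 + mip0_size. */
    unsigned char *buf = alloc(h->alloc_size);
    if (buf == NULL) { *err = 2; return NULL; }
    memset(buf, 0, h->alloc_size);
    memcpy(buf + off, mip1_data, h->mip1_size);
    *err = 0;
    return buf;
}

/* Allocator that always fails, to exercise the out-of-memory path. */
void *failing_alloc(size_t n) { (void)n; return NULL; }

int main(void)
{
    unsigned char mip1[4] = {1, 2, 3, 4};   /* constructed sample data */
    mip_header h = {16, 8, 4, 1};           /* 16-byte buffer, skip mip 0 */
    int err;
    unsigned char *buf = load_mips(&h, mip1, malloc, &err);
    free(buf);
    return load_mips(&h, mip1, failing_alloc, &err) == NULL && err == 2 ? 0 : 1;
}
```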
