1. we have permission from valve to use it
2. this isn't a problem with our code, this is a problem with the Source SDK Base 2013 Multiplayer that is being distributed on Steam itself. If this was TF2C specific I wouldn't be letting server hosts know to take steps to prevent it happening in shit like Fistful of Frags or Fortress Forever.

On Thu, Sep 3, 2015 at 1:53 PM, AnAkkk <[email protected]> wrote:

> What did you expect, this leaked and illegal version of the Source Engine you're talking of has years of unfixed exploits, obviously such a thing was going to happen one day.
> I'm sure there are a lot more exploits that Valve has already fixed.
>
> On 3 Sept. 2015 22:47, "Refeek Yeglek" <[email protected]> wrote:
>
>> Our guys who decompiled the copy when they got infected figured out it was a very very bad script kiddie thing designed for doing exactly what is going on right now. Lemme go find the name of it, someone posted the name and feature list in the FP thread when we were trying to figure out what the hell happened, as they're doing hijacks by remote desktopping your computers.
>>
>> On Thu, Sep 3, 2015 at 1:40 PM, Nathaniel Theis <[email protected]> wrote:
>>
>>> If, and that's a big if... hold on
>>>
>>> IF it's the VTF exploit I reported, yes. I'm skeptical that it is, just because of how difficult it is to exploit in practice. It would require very advanced Windows exploitation skills, and suggest a well-motivated, targeted attacker. My hunch is that it's another exploit, one that only works from malicious servers or custom maps. This one is incredibly practical and easy to exploit.
>>>
>>> - Nate
>>>
>>> On Thu, Sep 3, 2015 at 1:34 PM, E. Olsen <[email protected]> wrote:
>>>
>>>> So, to confirm - Team Fortress 2 has already had this exploit fixed, correct?
>>>>
>>>> On Thu, Sep 3, 2015 at 4:32 PM, Nathaniel Theis <[email protected]> wrote:
>>>>
>>>>> Actually, it looks like that only affects very old versions, (pre-2009 / aluigi) which have much worse exploits anyways. Sorry for the confusion.
>>>>>
>>>>> On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek <[email protected]> wrote:
>>>>>
>>>>>> I'll let the guys on my sourcemod's team who are looking into it know, thanks.
>>>>>>
>>>>>> On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis <[email protected]> wrote:
>>>>>>
>>>>>>> Note that, depending on the engine version you're on (and even SDK 2013 may not do this, I haven't checked), setting sv_allowupload 0 may do literally nothing; on older versions, sv_allowupload just tells the client not to upload anything to the server. The client can ignore it and do it anyways.
>>>>>>>
>>>>>>> On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose <[email protected]> wrote:
>>>>>>>
>>>>>>>> You'd know if that'd been done as there would be announcements on the various hlds lists about updates for Counter-Strike: Source, Day of Defeat: Source, and Half-Life 2: Deathmatch.
>>>>>>>>
>>>>>>>> However, what he's actually asking is that Valve update the Source SDK 2013 with these fixes so that game developers can pull the changes from Github and merge them into their own games' code.
>>>>>>>>
>>>>>>>> On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> He is basically saying that the exploits Nathaniel found and reported have only been fixed in Valve's main titles. He hasn't found or reported a new exploit.
>>>>>>>>> I think it has been mentioned by KyleS on one or multiple of these mailing lists that these exploit fixes should be ported onto other branches. Apparently that has not been done?
>>>>>>>>>
>>>>>>>>> On 03.09.2015 22:06, N-Gon wrote:
>>>>>>>>>
>>>>>>>>> Someone give this man an unusual Finder's Fee
>>>>>>>>>
>>>>>>>>> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi, I'm one of the developers for Team Fortress 2 Classic, a source mod project. Recently, someone abused a bug present in Source SDK 2013 MP to distribute viruses to quite a few of our players and developers. The way they did it was by abusing a spray exploit present in the SDK 2013 MP edition to upload a file pretending to be a spray to all players and executing it. The technical info on how it works from one of our other coders will be posted at the end of this email, but here's what you need to know as a server owner:
>>>>>>>>>>
>>>>>>>>>> We don't know how many source games are vulnerable. The big name VALVe ones aren't, but any sourcemod probably is. This includes ones on steam like Fortress Forever, or Fistful of Frags.
>>>>>>>>>>
>>>>>>>>>> If you're running a server for a non-VALVe or bigname (Titanfall, GMOD, etc.) Source Engine game, then here's what you need to do:
>>>>>>>>>>
>>>>>>>>>> 1. Set sv_upload to 0 on your server.
>>>>>>>>>>
>>>>>>>>>> 2. If you are a TF2C server host, shut your server down and start scanning your server for viruses.
>>>>>>>>>>
>>>>>>>>>> 3. Pester Valve to fix this ASAP.
>>>>>>>>>>
>>>>>>>>>> TL;DR:
>>>>>>>>>> Sprays can be exploited to run code on people's systems and break into accounts, we've had quite a few CS:GO and TF2 items lifted from accounts and moved to trade alts and disappearing after that. Disable sprays ASAP if you host a sourcemod multiplayer server.
>>>>>>>>>>
>>>>>>>>>> Here's the technical info for how stuff works:
>>>>>>>>>>
>>>>>>>>>> "The vulnerability is triggered by a missing check to see if a memory allocation succeeded in the loading of VTFs. When the material is loaded, there is space allocated for the material. The crucial option in the using of this exploit is the option to skip Mipmaps from the material. If, for instance, the first mipmap is skipped, the game will copy the mipmap data to buffer + size of first mipmap. When the memory allocation fails, the buffer will be 0, because that's what malloc returns on out of memory. This means, that the only factor determining where the block is put is determined by the size of the first mipmap. This way you can put the data in the second mipmap wherever you want, meaning you can write to a predictable location in memory. This is additionally encouraged due to the fact that ASLR is disabled for the module in question. From that point on ROP is used to mark a controlled memory location executable and transfer control to it, bypassing DEP. The distribution of the malicious material file can be easily done through the use of the spray system, which uploads a custom material to the server and distributes it. This is of course not the only way to distribute it, but one used in this case. This is not absolutely accurate and technical details have been left out due to them not influencing this exploit."

_______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
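
The missing allocation check described in the quoted technical note, shown in its corrected form as an added example; it is not part of the original thread and is not Source SDK code. The struct, function names and the size cap are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* All names here are hypothetical; this is not the engine's loader. */
#define MAX_TEXTURE_BYTES ((size_t)64 * 1024 * 1024)  /* assumed sanity cap */
enum mip_status { MIP_OK = 0, MIP_BAD_HEADER = -1, MIP_NO_MEMORY = -2 };
typedef void *(*alloc_fn)(size_t);
struct mip_header { size_t level_size[2]; };  /* [0] is the skipped mip */

/* Simulates out-of-memory so the failure path can be exercised. */
void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Copies mip 1 to buffer + size of mip 0, the layout the thread describes.
 * The unchecked pattern derives that address from an unverified allocation
 * result; here every input to the address is validated before it is used. */
enum mip_status load_skipping_first_mip(const struct mip_header *hdr,
        const uint8_t *src, size_t src_len, alloc_fn alloc,
        uint8_t **out, size_t *out_len)
{
    size_t off = hdr->level_size[0];
    size_t len = hdr->level_size[1];
    *out = NULL; *out_len = 0;

    /* Header sizes are untrusted: reject short data, wraparound, oversize. */
    if (len == 0 || len > src_len || off > SIZE_MAX - len ||
        off + len > MAX_TEXTURE_BYTES)
        return MIP_BAD_HEADER;

    uint8_t *buf = alloc(off + len);
    if (buf == NULL)              /* the check reported missing in the thread */
        return MIP_NO_MEMORY;     /* fail the load; never form buf + off */

    memset(buf, 0, off);          /* skipped level stays zeroed */
    memcpy(buf + off, src, len);
    *out = buf; *out_len = off + len;
    return MIP_OK;
}

int main(void)
{
    struct mip_header h = { { 16, 4 } };
    const uint8_t px[4] = { 1, 2, 3, 4 };  /* constructed sample data */
    uint8_t *out; size_t n;
    return load_skipping_first_mip(&h, px, 4, failing_alloc, &out, &n) != MIP_NO_MEMORY;
}
```

The caller owns the returned buffer and frees it; a load that returns anything other than `MIP_OK` should cause the texture to be rejected rather than retried with the same header.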

