That exploit was fixed a long time ago. Someone even made a tempfix: https://forums.alliedmods.net/showthread.php?t=100958

On 3 September 2015 at 21:57, Refeek Yeglek <[email protected]> wrote:

1. we have permission from valve to use it

2. this isn't a problem with our code, this is a problem with the Source SDK Base 2013 Multiplayer that is being distributed on Steam itself. If this was TF2C specific I wouldn't be letting server hosts know to take steps to prevent it happening in shit like Fistful of Frags or Fortress Forever.

On Thu, Sep 3, 2015 at 1:53 PM, AnAkkk <[email protected]> wrote:

What did you expect, this leaked and illegal version of the Source Engine you're talking of has years of unfixed exploits, obviously such a thing was going to happen one day. I'm sure there are a lot more exploits that Valve has already fixed.

On 3 Sep 2015 22:47, "Refeek Yeglek" <[email protected]> wrote:

Our guys who decompiled the copy when they got infected figured out it was a very very bad script kiddie thing designed for doing exactly what is going on right now. Lemme go find the name of it, someone posted the name and feature list in the FP thread when we were trying to figure out what the hell happened, as they're doing hijacks by remote desktopping your computers.

On Thu, Sep 3, 2015 at 1:40 PM, Nathaniel Theis <[email protected]> wrote:

If, and that's a big if... hold on

IF it's the VTF exploit I reported, yes. I'm skeptical that it is, just because of how difficult it is to exploit in practice. It would require very advanced Windows exploitation skills, and suggest a well-motivated, targeted attacker. My hunch is that it's another exploit, one that only works from malicious servers or custom maps. This one is incredibly practical and easy to exploit.

- Nate

On Thu, Sep 3, 2015 at 1:34 PM, E. Olsen <[email protected]> wrote:

So, to confirm - Team Fortress 2 has already had this exploit fixed, correct?

On Thu, Sep 3, 2015 at 4:32 PM, Nathaniel Theis <[email protected]> wrote:

Actually, it looks like that only affects very old versions (pre-2009 / aluigi), which have much worse exploits anyways. Sorry for the confusion.

On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek <[email protected]> wrote:

I'll let the guys on my sourcemod's team who are looking into it know, thanks.

On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis <[email protected]> wrote:

Note that, depending on the engine version you're on (and even SDK 2013 may not do this, I haven't checked), setting sv_allowupload 0 may do literally nothing; on older versions, sv_allowupload just tells the client not to upload anything to the server. The client can ignore it and do it anyways.

On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose <[email protected]> wrote:

You'd know if that'd been done as there would be announcements on the various hlds lists about updates for Counter-Strike: Source, Day of Defeat: Source, and Half-Life 2: Deathmatch.

However, what he's actually asking is that Valve update the Source SDK 2013 with these fixes so that game developers can pull the changes from Github and merge them into their own games' code.

--
Ross Bemrose

On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <[email protected]> wrote:

He is basically saying that the exploits Nathaniel found and reported have only been fixed in Valve's main titles. He hasn't found or reported a new exploit.

I think it has been mentioned by KyleS on one or multiple of these mailing lists that these exploit fixes should be ported onto other branches. Apparently that has not been done?

On 03.09.2015 22:06, N-Gon wrote:

Someone give this man an unusual Finder's Fee

On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek <[email protected]> wrote:

Hi, I'm one of the developers for Team Fortress 2 Classic, a source mod project. Recently, someone abused a bug present in Source SDK 2013 MP to distribute viruses to quite a few of our players and developers. The way they did it was by abusing a spray exploit present in the SDK 2013 MP edition to upload a file pretending to be a spray to all players and executing it. The technical info on how it works from one of our other coders will be posted at the end of this email, but here's what you need to know as a server owner:

We don't know how many source games are vulnerable. The big name VALVe ones aren't, but any sourcemod probably is. This includes ones on steam like Fortress Forever, or Fistful of Frags.

If you're running a server for a non-VALVe or big-name (Titanfall, GMOD, etc.) Source Engine game, then here's what you need to do:

1. Set sv_upload to 0 on your server.

2. If you are a TF2C server host, shut your server down and start scanning your server for viruses.

3. Pester valve to fix this ASAP.

TL;DR:
Sprays can be exploited to run code on people's systems and break into accounts, we've had quite a few CS:GO and TF2 items lifted from accounts and moved to trade alts and disappearing after that. Disable sprays ASAP if you host a sourcemod multiplayer server.

Here's the technical info for how stuff works:

"The vulnerability is triggered by a missing check to see if a memory allocation succeeded in the loading of VTFs. When the material is loaded, there is space allocated for the material. The crucial option in the use of this exploit is the option to skip Mipmaps from the material. If, for instance, the first mipmap is skipped, the game will copy the mipmap data to buffer + size of first mipmap. When the memory allocation fails, the buffer will be 0, because that's what malloc returns on out of memory. This means that the only factor determining where the block is put is the size of the first mipmap. This way you can put the data in the second mipmap wherever you want, meaning you can write to a predictable location in memory. This is additionally encouraged due to the fact that ASLR is disabled for the module in question. From that point on ROP is used to mark a controlled memory location executable and transfer control to it, bypassing DEP. The distribution of the malicious material file can be easily done through the use of the spray system, which uploads a custom material to the server and distributes it. This is of course not the only way to distribute it, but one used in this case. This is not absolutely accurate and technical details have been left out due to them not influencing this exploit."

_______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
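The allocation-failure pattern described in the quoted technical note, as an added example that is not part of the thread, the Source SDK, or Valve's fix. Everything in it is a constructed model: a flat byte array stands in for the non-ASLR process address space (index 0 playing the role of NULL), the `vtf_hdr` layout, `TARGET_ADDR`, the two allocators and the payload bytes are hypothetical, and `load_checked` shows the checks a fix would add (allocation result verified, sizes validated before any address arithmetic), not the engine's actual patch. The arena-bounds guard inside `load_unchecked` exists only so the demo never writes outside the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a 32-bit process with no ASLR: a flat byte array
 * where index 0 acts as NULL, so "NULL + offset" is simply an index. */
#define SPACE_SIZE 4096u
static uint8_t space[SPACE_SIZE];

/* A fixed-address slot inside the "non-ASLR module" (hypothetical address),
 * e.g. a function pointer the attacker wants to overwrite. */
#define TARGET_ADDR 0x800u
#define TARGET_LEN  8u

/* Minimal stand-in for the VTF fields that matter (hypothetical layout):
 * size of the full-resolution mip, size of the next mip, and the
 * "skip first mipmap" option, which means mip0 is absent from the file. */
typedef struct {
    uint32_t mip0_size;
    uint32_t mip1_size;
    bool     skip_mip0;
} vtf_hdr;

/* Allocators return an address in `space`, or 0 (NULL) on failure. */
typedef uint32_t (*alloc_fn)(uint32_t n);
static uint32_t heap_top;
static void arena_reset(void) { heap_top = 0x100u; }   /* heap sits above low addresses */
static uint32_t arena_alloc(uint32_t n) {
    if (n > SPACE_SIZE - heap_top) return 0;
    uint32_t p = heap_top;
    heap_top += n;
    return p;
}
static uint32_t failing_alloc(uint32_t n) { (void)n; return 0; }  /* simulated out-of-memory */

/* Vulnerable pattern from the thread: allocation result never checked, and with
 * mip0 skipped the copy destination is buf + mip0_size. When buf is NULL (0),
 * the destination is exactly the attacker-supplied mip0_size. */
static int load_unchecked(const vtf_hdr *h, const uint8_t *mip1, uint32_t len, alloc_fn alloc) {
    uint32_t buf = alloc(h->mip0_size + h->mip1_size);
    uint32_t dst = h->skip_mip0 ? buf + h->mip0_size : buf;
    if (len < h->mip1_size) return -1;
    /* Model-only guard so the demo never writes outside `space`; the real
     * pattern has no such check and writes into the live address space. */
    if ((uint64_t)dst + h->mip1_size > SPACE_SIZE) return -1;
    memcpy(space + dst, mip1, h->mip1_size);
    return 0;
}

/* Hardened version: reject size overflow, truncated input and allocation
 * failure before any address arithmetic, and write only inside the buffer. */
static int load_checked(const vtf_hdr *h, const uint8_t *mip1, uint32_t len, alloc_fn alloc) {
    uint64_t total = (uint64_t)h->mip0_size + h->mip1_size;
    if (total == 0 || total > UINT32_MAX) return -1;       /* bogus or overflowing sizes */
    if (len < h->mip1_size) return -1;                     /* truncated file */
    uint32_t buf = alloc((uint32_t)total);
    if (buf == 0) return -2;                               /* allocation failed: stop here */
    uint32_t off = h->skip_mip0 ? h->mip0_size : 0;
    if ((uint64_t)off + h->mip1_size > total) return -3;   /* mip would not fit the buffer */
    memcpy(space + buf + off, mip1, h->mip1_size);
    return 0;
}

/* Attacker-chosen mip1 bytes, e.g. a pointer into a ROP chain (constructed). */
static const uint8_t payload[TARGET_LEN] = {0xEF, 0xBE, 0xAD, 0xDE, 0x0D, 0xF0, 0xAD, 0x0B};

/* Run one loader on a crafted file: mip0_size equals the distance from NULL to
 * the target slot, so if allocation fails the mip1 copy lands on the slot. */
static int demo(alloc_fn alloc, int (*loader)(const vtf_hdr *, const uint8_t *, uint32_t, alloc_fn)) {
    arena_reset();
    memset(space, 0, SPACE_SIZE);
    vtf_hdr h = { .mip0_size = TARGET_ADDR, .mip1_size = TARGET_LEN, .skip_mip0 = true };
    return loader(&h, payload, sizeof payload, alloc);
}

/* True if the fixed slot now holds the attacker's bytes. */
static bool target_overwritten(void) {
    return memcmp(space + TARGET_ADDR, payload, TARGET_LEN) == 0;
}

int main(void) {
    int rc = demo(arena_alloc, load_unchecked);
    printf("unchecked, alloc ok:   rc=%d overwritten=%d\n", rc, (int)target_overwritten());
    rc = demo(failing_alloc, load_unchecked);
    printf("unchecked, alloc fail: rc=%d overwritten=%d\n", rc, (int)target_overwritten());
    rc = demo(failing_alloc, load_checked);
    printf("checked,   alloc fail: rc=%d overwritten=%d\n", rc, (int)target_overwritten());
    return 0;
}
```

With a working allocator both loaders behave identically; the difference only appears when the allocation returns NULL, which is exactly the condition an attacker can provoke by declaring an enormous texture. The point of the model is that the skipped-mip offset turns a NULL write into a write at an address the file author picks, which is why the missing check matters far more than a plain NULL dereference would.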

