> Which games still have this exploit? All of them, including Team Fortress. The emphasis from Valve being to try to fix TF first and leave the others playing catch-up. This is why in the past I was very adamant about getting at-least the OrangeBox games (240 especially) sync'd, if not for the crash fixes (which can be exploited themselves) but for the RCE footprint. For instance, when CS:GO shipped, a bunch of previous OrangeBox exploits worked out of the box. This is the code that's given to a licensee, code that's used internally. If the Portal 2 Cabal at Valve can't figure it out, a game such as Titan Fall wouldn't stand a chance. Left 4 Dead (2) still to this day has almost every single exploit from TF in it. Source is a collection of templates, it's not an engine.
While no one has done it yet, the Garrysmod worm that made players cough can easily apply here. This specific issue related to using the Netchannel to move files to clients impacts not only Team Fortress, but Dota 2 (I believe they pulled the function about a year ago?) and other games where Valve has MM. I've given up security in this regard, but leaving it completely open is not wise. > Well you don't have to run valves code. http://www.valvesoftware.com/SOURCE_InfoSheet.pdf You do realize this is actually sold as a product, right? For a time when you became a partner you were given access to mainline TF; obviously this is no longer a thing. Kyle. On Thu, Sep 3, 2015 at 7:54 PM, Weasels Lair <wea...@weaselslair.com> wrote: > So, ok wait. Now I am more confused than when the thread started. > Which games still have this exploit? > - TF2? = No/fixed? > - DoS:S = ? > - CS:S = ? > - HL2MP: = ? > - Mods like FoF, etc. = ? > > Is that old "exploit fix" SourceMod plug-in a fix or not? (it seems old from > 2009). > > > On Thu, Sep 3, 2015 at 6:55 PM, Nicholas Hastings > <psycho...@gameconnect.net> wrote: >> >> It's not just Valve games. >> >> They've also not disclosed any of these issues nor fixes to at least some >> developers of third-party Source games, leaving those completely vulnerable >> as well. >> >> -- >> Nicholas Hastings >> Developer >> >> GameConnect >> http://www.gameconnect.net/ >> >> Refeek Yeglek >> Thursday, September 3, 2015 9:43 PM >> I shouldn't have to install 3rd party software to secure my servers from >> problems with valve's code. >> >> >> _______________________________________________ >> To unsubscribe, edit your list preferences, or view the list archives, >> please visit: >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds >> Kyle Sanderson >> Thursday, September 3, 2015 7:32 PM >> No, just TF has these Remote Code Execution patches. CS:S and friends are >> still completely vulnerable for the public issues. Don't kid yourself, >> there's definitely other vulnerable code paths. Personally, I'm disgusted >> as this has been public knowledge for a year now, the exploits being back >> from Quake... Sync the games that are still being sold for money. >> >> Valve doesn't care about your workstation, your server, anything that runs >> their completely vulnerable code. Don't play on servers that aren't yours; >> use SourceMod to secure your servers. >> >> Kyle. >> _______________________________________________ >> To unsubscribe, edit your list preferences, or view the list archives, >> please visit: >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux >> Refeek Yeglek >> Thursday, September 3, 2015 4:37 PM >> Yeah. The big games have it fixed, sourcemods are at risk here. >> >> >> _______________________________________________ >> To unsubscribe, edit your list preferences, or view the list archives, >> please visit: >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds >> E. Olsen >> Thursday, September 3, 2015 4:34 PM >> So, to confirm - Team Fortress 2 has already had this exploit fixed, >> correct? >> >> >> _______________________________________________ >> To unsubscribe, edit your list preferences, or view the list archives, >> please visit: >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds >> Nathaniel Theis >> Thursday, September 3, 2015 4:32 PM >> Actually, it looks like that only affects very old versions, (pre-2009 / >> aluigi) which have much worse exploits anyways. Sorry for the confusion. >> >> >> _______________________________________________ >> To unsubscribe, edit your list preferences, or view the list archives, >> please visit: >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds >> >> >> >> _______________________________________________ >> To unsubscribe, edit your list preferences, or view the list archives, >> please visit: >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds >> > > > _______________________________________________ > To unsubscribe, edit your list preferences, or view the list archives, > please visit: > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds > _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
