IMO Valve sucks - hence my lack of involvement

-----Original Message-----
From: Kyle Sanderson
Sent: Friday, September 04, 2015 7:43 PM
To: Half-Life dedicated Win32 server mailing list
Cc: Half-Life dedicated Linux server mailing list
Subject: Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

Which games still have this exploit?

All of them, including Team Fortress. The emphasis from Valve being to
try to fix TF first and leave the others playing catch-up. This is why
in the past I was very adamant about getting at least the OrangeBox
games (240 especially) sync'd, if not for the crash fixes (which can
be exploited themselves) but for the RCE footprint. For instance, when
CS:GO shipped, a bunch of previous OrangeBox exploits worked out of
the box. This is the code that's given to a licensee, code that's used
internally. If the Portal 2 Cabal at Valve can't figure it out, a game
such as Titan Fall wouldn't stand a chance. Left 4 Dead (2) still to
this day has almost every single exploit from TF in it. Source is a
collection of templates, it's not an engine.

While no one has done it yet, the Garrysmod worm that made players
cough can easily apply here. This specific issue related to using the
Netchannel to move files to clients impacts not only Team Fortress,
but Dota 2 (I believe they pulled the function about a year ago?) and
other games where Valve has MM. I've given up security in this regard,
but leaving it completely open is not wise.

Well you don't have to run Valve's code.
http://www.valvesoftware.com/SOURCE_InfoSheet.pdf You do realize this
is actually sold as a product, right? For a time when you became a
partner you were given access to mainline TF; obviously this is no
longer a thing.

Kyle.

On Thu, Sep 3, 2015 at 7:54 PM, Weasels Lair <[email protected]> wrote:
So, ok wait. Now I am more confused than when the thread started.
Which games still have this exploit?
- TF2? = No/fixed?
- DoS:S = ?
- CS:S = ?
- HL2MP: = ?
- Mods like FoF, etc. = ?

Is that old "exploit fix" SourceMod plug-in a fix or not? (it seems old from
2009).


On Thu, Sep 3, 2015 at 6:55 PM, Nicholas Hastings
<[email protected]> wrote:

It's not just Valve games.

They've also not disclosed any of these issues nor fixes to at least some
developers of third-party Source games, leaving those completely vulnerable
as well.

--
Nicholas Hastings
Developer

GameConnect
http://www.gameconnect.net/

Refeek Yeglek
Thursday, September 3, 2015 9:43 PM
I shouldn't have to install 3rd party software to secure my servers from
problems with Valve's code.


_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
Kyle Sanderson
Thursday, September 3, 2015 7:32 PM
No, just TF has these Remote Code Execution patches. CS:S and friends are
still completely vulnerable for the public issues. Don't kid yourself,
there's definitely other vulnerable code paths. Personally, I'm disgusted
as this has been public knowledge for a year now, the exploits being back
from Quake... Sync the games that are still being sold for money.

Valve doesn't care about your workstation, your server, anything that runs their completely vulnerable code. Don't play on servers that aren't yours;
use SourceMod to secure your servers.

Kyle.
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
Refeek Yeglek
Thursday, September 3, 2015 4:37 PM
Yeah. The big games have it fixed, sourcemods are at risk here.


E. Olsen
Thursday, September 3, 2015 4:34 PM
So, to confirm - Team Fortress 2 has already had this exploit fixed,
correct?


Nathaniel Theis
Thursday, September 3, 2015 4:32 PM
Actually, it looks like that only affects very old versions (pre-2009 /
aluigi) which have much worse exploits anyways. Sorry for the confusion.

