Re: [Csgo_servers] SteamCMD Security Flaw

2014-12-02 Thread Andrew Irvine
I’m surprised no one has mentioned this, but you should be using login 
anonymous for steamCMD for CSGO servers which avoids this issue.

But, if you do have another type of game server you can create a separate steam 
acct solely for the dedicated servers.

https://developer.valvesoftware.com/wiki/SteamCMD#Anonymous



From: csgo_servers-boun...@list.valvesoftware.com 
[mailto:csgo_servers-boun...@list.valvesoftware.com] On Behalf Of evourr
Sent: December 2, 2014 1:33 AM
To: csgo_servers@list.valvesoftware.com
Subject: Re: [Csgo_servers] SteamCMD Security Flaw

Those are not given to the client, the characters you see blocking them in the 
output are actually there when the client updates.

They do not have any access to the script directory that tcadmin runs steamcmd 
from, so yes this is my biggest concern.
- Original Message -
From: Alexander Corn <mc...@doctormckay.com>
To: csgo_servers@list.valvesoftware.com
Sent: Tuesday, December 02, 2014 12:36 AM
Subject: Re: [Csgo_servers] SteamCMD Security Flaw

Who doesn’t have access to the script directory? The GSP? They absolutely have 
access to everything that goes on in their servers.

Alexander Corn
“Dr. McKay”
http://www.doctormckay.com

From: csgo_servers-boun...@list.valvesoftware.com 
[mailto:csgo_servers-boun...@list.valvesoftware.com] On Behalf Of evourr
Sent: Monday, December 1, 2014 10:57 PM
To: csgo_servers@list.valvesoftware.com
Subject: Re: [Csgo_servers] SteamCMD Security Flaw

Those are not given to the client, the characters you see blocking them in the 
output are actually there when the client updates.

They do not have any access to the script directory that tcadmin runs steamcmd 
from, so yes this is my biggest concern.

- Original Message -
From: Alexander Corn <mc...@doctormckay.com>
To: csgo_servers@list.valvesoftware.com
Sent: Monday, December 01, 2014 10:43 PM
Subject: Re: [Csgo_servers] SteamCMD Security Flaw

So wait, your biggest concern about SteamCMD is the fact that it echoes chat 
messages and not that you have to specify your Steam account username/password 
in plaintext either in your command line or a script file? And that it contains 
a Steam Guard authentication too?

Alexander Corn
“Dr. McKay”
http://www.doctormckay.com

From: csgo_servers-boun...@list.valvesoftware.com 
[mailto:csgo_servers-boun...@list.valvesoftware.com] On Behalf Of Bruno Garcia
Sent: Monday, December 1, 2014 10:22 PM
To: csgo_servers@list.valvesoftware.com
Subject: Re: [Csgo_servers] SteamCMD Security Flaw

Valve hardly cares for third party software, but there's a special email for 
security flaws where this will be noticed much sooner.
security (at) valvesoftware.com
Also, haven't you noticed how csgo srcds is very difficult to understand?
I remember css srcds being so simple...

On Mon, Dec 1, 2014 at 11:48 PM, evourr <evo...@gmail.com> wrote:
Hello,

I didn't really know where to put this post, the csgo servers mailing list 
appears to be more active so perhaps this will get noticed.

Steamcmd when using user-authentication broadcasts steam messages from the user 
account, for example on games like Arma3 where you need a valid user and pass 
with the game on the account to retrieve the server files.

http://pastebin.com/EVepJPT5

Providers using TCAdmin can notice this behavior when a client updates a game 
if you view the task, the log will contain any steam messages sent during the 
update/installation. (For larger games or repositories hosted in low tier 
locations an install can take some time, this allows clients to view any 
messages you send.)

From the pastebin above here's an example of what I'm talking about:
Update state (0x61) downloading, progress: 0.79 (18599896 / 2361548982)
[U:1:6842983] says: it starts anyway

This is a rather stupid way of updating/installing servers via a user/pass 
combo if everything you send is being logged to the client doing the updating.

___
Csgo_servers mailing list
Csgo_servers@list.valvesoftware.com
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers

Re: [Csgo_servers] SteamCMD Security Flaw

2014-12-02 Thread evourr
In my original post I state that user authentication is for specific games like 
Arma 3, you cannot obtain updates or server files without logging into a user 
which owns the game.

SteamCMD works alongside a user being logged in, there's no logical reason 
(other than this security flaw) I should be purchasing the same games I already 
have on my account just to be a dedicated steamcmd account.

I posted this to the csgo_servers mailing list hoping for a quicker response 
since this is by far the larger of the mailing lists. (However I have since 
reported it to the security email, so this thread is pretty much over assuming 
that email has someone monitoring it.)

Steamcmd shouldn't broadcast the messages from your account while updating.

- Original Message -
From: Andrew Irvine
To: csgo_servers@list.valvesoftware.com
Sent: Tuesday, December 02, 2014 9:38 AM
Subject: Re: [Csgo_servers] SteamCMD Security Flaw

I’m surprised no one has mentioned this, but you should be using login 
anonymous for steamCMD for CSGO servers which avoids this issue.

But, if you do have another type of game server you can create a separate 
steam acct solely for the dedicated servers.

https://developer.valvesoftware.com/wiki/SteamCMD#Anonymous

Re: [Csgo_servers] SteamCMD Security Flaw

2014-12-02 Thread Marco Padovan
just pass the output to grep and hide the say lines... we already do
that for the password

On Tue, Dec 2, 2014 at 3:48 PM, evourr evo...@gmail.com wrote:

  In my original post I state that user authentication is for specific
 games like Arma 3, you cannot obtain updates or server files without
 logging into a user which owns the game.

 SteamCMD works alongside a user being logged in, there's no logical reason
 (other than this security flaw) I should be purchasing the same games I
 already have on my account just to be a dedicated steamcmd account.

 I posted this to the csgo_servers mailing list hoping for a quicker
 response since this is by far the larger of the mailing lists. (However I
 have since reported it to the security email, so this thread is pretty
 much over assuming that email has someone monitoring it.)

 Steamcmd shouldn't broadcast the messages from your account while updating.

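Marco's "pass the output to grep" suggestion above, combined with the plaintext-password point Alexander raised earlier in the thread, is easy to turn into a small filter that a hosting wrapper places between steamcmd and the customer-visible task log. The script below is an added example written for this page; it is not code from the thread, from Valve or from TCAdmin. The account name "gspuser", the password "hunter2", the wrapper's echoed command line and the APPID placeholder are constructed for the demo; the chat line format ("[U:1:NNN] says: ...") is the one shown in the pastebin excerpt of the original post. The secret is matched literally with awk's index(), so it needs no regex escaping and the replacement text is never rescanned.

```shell
#!/bin/sh
# Added example (not from the thread, Valve or TCAdmin): redact SteamCMD
# output before it is written to a log that the customer of a game server
# provider can read. Names and sample lines below are constructed.

# scrub_steamcmd_output SECRET
#   Reads SteamCMD output on stdin and writes a redacted copy to stdout:
#   - lines of the form "[U:1:NNN] says: ..." (Steam chat relayed through
#     the logged-in account, as in the original post) are dropped;
#   - every literal occurrence of SECRET is replaced with "********", so a
#     wrapper that echoes its own command line (set -x), or a chat message
#     that happens to contain the password, no longer leaks it.
#   index()/substr() are used instead of a regex, so SECRET needs no
#   escaping and the replacement text is never scanned again.
scrub_steamcmd_output() {
    awk -v secret="$1" '
        /^\[U:[0-9]+:[0-9]+] says: / { next }
        {
            line = $0; out = ""
            if (secret != "") {
                while ((i = index(line, secret)) > 0) {
                    out = out substr(line, 1, i - 1) "********"
                    line = substr(line, i + length(secret))
                }
            }
            print out line
        }'
}

# Constructed sample of what a task log captured from steamcmd could hold:
# a wrapper echoing its command line, progress lines, and two relayed chat
# messages in the format shown in the thread. APPID is a placeholder.
SAMPLE_OUTPUT='+ steamcmd +login gspuser hunter2 +app_update APPID validate +quit
Logging in user '\''gspuser'\'' to Steam Public...Logged in OK
Update state (0x61) downloading, progress: 0.79 (18599896 / 2361548982)
[U:1:6842983] says: it starts anyway
[U:1:6842983] says: reminder, the steam password is hunter2
Update state (0x81) committing, progress: 100.00 (2361548982 / 2361548982)
Success! App '\''APPID'\'' fully installed.'

# scrubbed_sample: what would reach the customer-visible log after filtering
# (5 lines: both chat lines dropped, the password masked on the first line).
scrubbed_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | scrub_steamcmd_output 'hunter2'
}

# In a real wrapper only the source of the stream differs, e.g.
#   steamcmd +login "$STEAM_USER" "$STEAM_PASS" +app_update APPID +quit 2>&1 \
#       | scrub_steamcmd_output "$STEAM_PASS" >> "$TASK_LOG"
scrubbed_sample
```

This filter only removes the symptom from the log the customer sees: it assumes the customer has no other way to read the raw steamcmd stream, which matches evourr's description of the TCAdmin setup. Where the game allows it, Andrew's suggestion of `login anonymous`, or a dedicated account that nobody chats with, removes the relayed chat entirely instead of hiding it.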
Re: [Csgo_servers] SteamCMD Security Flaw

2014-12-02 Thread Alexander Corn
Quoting your original message and making a word bold isn’t a sufficient 
response.

What client?

Alexander Corn
“Dr. McKay”
http://www.doctormckay.com

From: csgo_servers-boun...@list.valvesoftware.com 
[mailto:csgo_servers-boun...@list.valvesoftware.com] On Behalf Of evourr
Sent: Tuesday, December 2, 2014 1:33 AM
To: csgo_servers@list.valvesoftware.com
Subject: Re: [Csgo_servers] SteamCMD Security Flaw

Those are not given to the client, the characters you see blocking them in the 
output are actually there when the client updates.

They do not have any access to the script directory that tcadmin runs steamcmd 
from, so yes this is my biggest concern.