Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-04 Thread Will @ Bigpond

IMO Valve sucks - hence my lack of involvement


-Original Message- 
From: Kyle Sanderson

Sent: Friday, September 04, 2015 7:43 PM
To: Half-Life dedicated Win32 server mailing list
Cc: Half-Life dedicated Linux server mailing list
Subject: Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.



> Which games still have this exploit?


All of them, including Team Fortress. The emphasis from Valve being to
try to fix TF first and leave the others playing catch-up. This is why
in the past I was very adamant about getting at least the OrangeBox
games (240 especially) sync'd, if not for the crash fixes (which can
be exploited themselves) but for the RCE footprint. For instance, when
CS:GO shipped, a bunch of previous OrangeBox exploits worked out of
the box. This is the code that's given to a licensee, code that's used
internally. If the Portal 2 Cabal at Valve can't figure it out, a game
such as Titan Fall wouldn't stand a chance. Left 4 Dead (2) still to
this day has almost every single exploit from TF in it. Source is a
collection of templates, it's not an engine.

While no one has done it yet, the Garrysmod worm that made players
cough can easily apply here. This specific issue related to using the
Netchannel to move files to clients impacts not only Team Fortress,
but Dota 2 (I believe they pulled the function about a year ago?) and
other games where Valve has MM. I've given up security in this regard,
but leaving it completely open is not wise.


> Well you don't have to run Valve's code.

http://www.valvesoftware.com/SOURCE_InfoSheet.pdf You do realize this
is actually sold as a product, right? For a time when you became a
partner you were given access to mainline TF; obviously this is no
longer a thing.

Kyle.

On Thu, Sep 3, 2015 at 7:54 PM, Weasels Lair <wea...@weaselslair.com> wrote:

So, ok wait. Now I am more confused than when the thread started.
Which games still have this exploit?
- TF2? = No/fixed?
- DoS:S = ?
- CS:S = ?
- HL2MP: = ?
- Mods like FoF, etc. = ?

Is that old "exploit fix" SourceMod plug-in a fix or not? (it seems old from
2009).


On Thu, Sep 3, 2015 at 6:55 PM, Nicholas Hastings
<psycho...@gameconnect.net> wrote:


It's not just Valve games.

They've also not disclosed any of these issues nor fixes to at least some
developers of third-party Source games, leaving those completely vulnerable
as well.

--
Nicholas Hastings
Developer

GameConnect
http://www.gameconnect.net/

Refeek Yeglek
Thursday, September 3, 2015 9:43 PM
I shouldn't have to install 3rd party software to secure my servers from
problems with valve's code.


___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
Kyle Sanderson
Thursday, September 3, 2015 7:32 PM
No, just TF has these Remote Code Execution patches. CS:S and friends are
still completely vulnerable for the public issues. Don't kid yourself,
there's definitely other vulnerable code paths. Personally, I'm disgusted
as this has been public knowledge for a year now, the exploits being back
from Quake... Sync the games that are still being sold for money.

Valve doesn't care about your workstation, your server, anything that runs
their completely vulnerable code. Don't play on servers that aren't yours;
use SourceMod to secure your servers.

Kyle.
Refeek Yeglek
Thursday, September 3, 2015 4:37 PM
Yeah. The big games have it fixed, sourcemods are at risk here.


E. Olsen
Thursday, September 3, 2015 4:34 PM
So, to confirm - Team Fortress 2 has already had this exploit fixed,
correct?


Nathaniel Theis
Thursday, September 3, 2015 4:32 PM
Actually, it looks like that only affects very old versions, (pre-2009 /
aluigi) which have much worse exploits anyways. Sorry for the confusion.






Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-04 Thread Valentin Puscoi
hopefully valve removes sprays altogether, my downloads folder is filled
with hentai

2015-09-03 22:59 GMT+03:00 Refeek Yeglek :

> Hi, I'm one of the developers for Team Fortress 2 Classic, a source mod
> project. Recently, someone abused a bug present in Source SDK 2013 MP to
> distribute viruses to quite a few of our players and developers. The way
> they did it was by abusing a spray exploit present in the SDK 2013 MP
> edition to upload a file pretending to be a spray to all players and
> executing it. The technical info on how it works from one of our other
> coders will be posted at the end of this email, but here's what you need to
> know as a server owner:
>
> We don't know how many source games are vulnerable. The big name VALVe
> ones aren't, but any sourcemod probably is. This includes ones on steam
> like Fortress Forever, or Fistful of Frags.
>
> If you're running a server for a non-VALVe or big-name (Titanfall, GMOD,
> etc.) Source Engine game, then here's what you need to do:
>
> 1. Set sv_upload to 0 on your server.
>
> 2. If you are a TF2C server host, shut your server down and start scanning
> your server for viruses.
>
> 3. Pester valve to fix this ASAP.
>
> TL;DR:
> Sprays can be exploited to run code on people's systems and break into
> accounts, we've had quite a few CS:GO and TF2 items lifted from accounts
> and moved to trade alts and disappearing after that. Disable sprays ASAP if
> you host a sourcemod multiplayer server.
>
> Here's the technical info for how stuff works:
>
> "The vulnerability is triggered by a missing check to see if a memory
> allocation succeeded in the loading of VTFs. When the material is loaded,
> there is space allocated for the material. The crucial option in the use
> of this exploit is the option to skip mipmaps from the material. If, for
> instance, the first mipmap is skipped, the game will copy the mipmap data
> to buffer + size of first mipmap. When the memory allocation fails, the
> buffer will be 0, because that's what malloc returns on out of memory. This
> means that the only factor determining where the block is put is the size
> of the first mipmap. This way you can put the data in the second mipmap
> wherever you want, meaning you can write to a predictable location in
> memory. This is additionally encouraged due to the fact that ASLR is
> disabled for the module in question. From that point on ROP is used to
> mark a controlled memory location executable and transfer control to it,
> bypassing DEP. The distribution of the malicious material file can easily
> be done through the use of the spray system, which uploads a custom
> material to the server and distributes it. This is of course not the only
> way to distribute it, but the one used in this case. This is not
> absolutely accurate and technical details have been left out due to them
> not influencing this exploit."
>


Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-04 Thread Kyle Sanderson
> Which games still have this exploit?

All of them, including Team Fortress. The emphasis from Valve being to
try to fix TF first and leave the others playing catch-up. This is why
in the past I was very adamant about getting at least the OrangeBox
games (240 especially) sync'd, if not for the crash fixes (which can
be exploited themselves) but for the RCE footprint. For instance, when
CS:GO shipped, a bunch of previous OrangeBox exploits worked out of
the box. This is the code that's given to a licensee, code that's used
internally. If the Portal 2 Cabal at Valve can't figure it out, a game
such as Titan Fall wouldn't stand a chance. Left 4 Dead (2) still to
this day has almost every single exploit from TF in it. Source is a
collection of templates, it's not an engine.

While no one has done it yet, the Garrysmod worm that made players
cough can easily apply here. This specific issue related to using the
Netchannel to move files to clients impacts not only Team Fortress,
but Dota 2 (I believe they pulled the function about a year ago?) and
other games where Valve has MM. I've given up security in this regard,
but leaving it completely open is not wise.

> Well you don't have to run Valve's code.

http://www.valvesoftware.com/SOURCE_InfoSheet.pdf You do realize this
is actually sold as a product, right? For a time when you became a
partner you were given access to mainline TF; obviously this is no
longer a thing.

Kyle.

On Thu, Sep 3, 2015 at 7:54 PM, Weasels Lair  wrote:
> So, ok wait. Now I am more confused than when the thread started.
> Which games still have this exploit?
> - TF2? = No/fixed?
> - DoS:S = ?
> - CS:S = ?
> - HL2MP: = ?
> - Mods like FoF, etc. = ?
>
> Is that old "exploit fix" SourceMod plug-in a fix or not? (it seems old from
> 2009).
>
>
> On Thu, Sep 3, 2015 at 6:55 PM, Nicholas Hastings
>  wrote:
>>
>> It's not just Valve games.
>>
>> They've also not disclosed any of these issues nor fixes to at least some
>> developers of third-party Source games, leaving those completely vulnerable
>> as well.
>>
>> --
>> Nicholas Hastings
>> Developer
>>
>> GameConnect
>> http://www.gameconnect.net/
>>
>> Refeek Yeglek
>> Thursday, September 3, 2015 9:43 PM
>> I shouldn't have to install 3rd party software to secure my servers from
>> problems with valve's code.
>>
>>
>> Kyle Sanderson
>> Thursday, September 3, 2015 7:32 PM
>> No, just TF has these Remote Code Execution patches. CS:S and friends are
>> still completely vulnerable for the public issues. Don't kid yourself,
>> there's definitely other vulnerable code paths. Personally, I'm disgusted
>> as this has been public knowledge for a year now, the exploits being back
>> from Quake... Sync the games that are still being sold for money.
>>
>> Valve doesn't care about your workstation, your server, anything that runs
>> their completely vulnerable code. Don't play on servers that aren't yours;
>> use SourceMod to secure your servers.
>>
>> Kyle.
>> Refeek Yeglek
>> Thursday, September 3, 2015 4:37 PM
>> Yeah. The big games have it fixed, sourcemods are at risk here.
>>
>>
>> E. Olsen
>> Thursday, September 3, 2015 4:34 PM
>> So, to confirm - Team Fortress 2 has already had this exploit fixed,
>> correct?
>>
>>
>> Nathaniel Theis
>> Thursday, September 3, 2015 4:32 PM
>> Actually, it looks like that only affects very old versions, (pre-2009 /
>> aluigi) which have much worse exploits anyways. Sorry for the confusion.
>>
>>


Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-04 Thread Milk Milk
 
Hope it will be fixed today.

Sent: Thursday, September 03, 2015 at 9:59 PM
From: "Refeek Yeglek" <iamgoofb...@gmail.com>
To: hlds@list.valvesoftware.com
Subject: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.


Hi, I'm one of the developers for Team Fortress 2 Classic, a source mod project. Recently, someone abused a bug present in Source SDK 2013 MP to distribute viruses to quite a few of our players and developers. The way they did it was by abusing a spray exploit present in the SDK 2013 MP edition to upload a file pretending to be a spray to all players and executing it. The technical info on how it works from one of our other coders will be posted at the end of this email, but here's what you need to know as a server owner:

We don't know how many source games are vulnerable. The big name VALVe ones aren't, but any sourcemod probably is. This includes ones on steam like Fortress Forever, or Fistful of Frags.

If you're running a server for a non-VALVe or big-name (Titanfall, GMOD, etc.) Source Engine game, then here's what you need to do:

1. Set sv_upload to 0 on your server.

2. If you are a TF2C server host, shut your server down and start scanning your server for viruses.

3. Pester valve to fix this ASAP.

TL;DR:

Sprays can be exploited to run code on people's systems and break into accounts, we've had quite a few CS:GO and TF2 items lifted from accounts and moved to trade alts and disappearing after that. Disable sprays ASAP if you host a sourcemod multiplayer server.

Here's the technical info for how stuff works:

"The vulnerability is triggered by a missing check to see if a memory allocation succeeded in the loading of VTFs. When the material is loaded, there is space allocated for the material. The crucial option in the use of this exploit is the option to skip mipmaps from the material. If, for instance, the first mipmap is skipped, the game will copy the mipmap data to buffer + size of first mipmap. When the memory allocation fails, the buffer will be 0, because that's what malloc returns on out of memory. This means that the only factor determining where the block is put is the size of the first mipmap. This way you can put the data in the second mipmap wherever you want, meaning you can write to a predictable location in memory. This is additionally encouraged due to the fact that ASLR is disabled for the module in question. From that point on ROP is used to mark a controlled memory location executable and transfer control to it, bypassing DEP. The distribution of the malicious material file can easily be done through the use of the spray system, which uploads a custom material to the server and distributes it. This is of course not the only way to distribute it, but the one used in this case. This is not absolutely accurate and technical details have been left out due to them not influencing this exploit."

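The quoted write-up above describes a loader that never checks whether its allocation succeeded and then writes mip data at buffer + size of first mipmap, so a failed malloc turns a header-controlled size into a header-controlled absolute address. The block below is an added example written for this thread; it is not code from the Source SDK, from Valve, or from the TF2C team. It uses a constructed header layout (`struct mip_header`, an assumption, not the real VTF format) and an injected allocator (`alloc_fn`, a hypothetical hook) so the out-of-memory path can be exercised without actually exhausting memory. `unchecked_dest_addr` reproduces only the arithmetic the description gives and touches no memory; `load_material_hardened` shows the two checks a loader of this shape needs: the allocation result, and every header-derived offset and length validated against the size it is about to allocate, before any write.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the parts of a texture header the described bug
 * depends on. This is NOT the real VTF layout; it is an assumption made so
 * the checks can be shown in isolation. */
struct mip_header {
    uint32_t total_size;      /* bytes the loader allocates for all mip levels */
    uint32_t first_mip_size;  /* size of mip 0; becomes the write offset when mip 0 is skipped */
    uint32_t second_mip_size; /* size of mip 1, the data that is actually copied */
    uint8_t  skip_first_mip;  /* the "skip mipmaps" option from the description */
};

enum load_result {
    LOAD_OK = 0,
    LOAD_ERR_ALLOC,   /* allocation failed and was caught */
    LOAD_ERR_BOUNDS,  /* header-derived offset/length does not fit the buffer */
    LOAD_ERR_INPUT    /* header or payload inconsistent */
};

/* Allocator is injected so the out-of-memory path can be exercised
 * deterministically (hypothetical hook, not an engine API). */
typedef void *(*alloc_fn)(size_t);

/* The arithmetic the description gives: dest = buffer + size_of_first_mip.
 * No memory is touched here; the function only shows that with buffer == 0
 * the destination is chosen entirely by a header field. */
uintptr_t unchecked_dest_addr(uintptr_t buffer, uint32_t first_mip_size)
{
    return buffer + first_mip_size;
}

/* Hardened loader: validates header-derived offsets against the size it is
 * about to allocate, then checks the allocation before any write. */
enum load_result load_material_hardened(const struct mip_header *h,
                                        const uint8_t *data, size_t data_len,
                                        alloc_fn allocate, uint8_t **out)
{
    *out = NULL;
    if (h == NULL || data == NULL || h->total_size == 0)
        return LOAD_ERR_INPUT;

    size_t offset = h->skip_first_mip ? h->first_mip_size : 0;

    /* Overflow-safe bounds: offset and offset + length must fit total_size. */
    if (offset > h->total_size)
        return LOAD_ERR_BOUNDS;
    if (h->second_mip_size > h->total_size - offset)
        return LOAD_ERR_BOUNDS;
    /* The payload must actually contain the bytes the header promises. */
    if (h->second_mip_size > data_len)
        return LOAD_ERR_INPUT;

    uint8_t *buffer = allocate(h->total_size);
    if (buffer == NULL)   /* the check the description says is missing */
        return LOAD_ERR_ALLOC;

    memset(buffer, 0, h->total_size);
    memcpy(buffer + offset, data, h->second_mip_size);
    *out = buffer;
    return LOAD_OK;
}

/* Allocator that always fails, standing in for malloc() returning NULL. */
void *failing_alloc(size_t n)
{
    (void)n;
    return NULL;
}

int main(void)
{
    uint8_t payload[32];
    memset(payload, 0xAB, sizeof payload);      /* constructed mip-1 bytes */
    struct mip_header hdr = { 64, 16, 32, 1 };  /* constructed, valid header */
    uint8_t *tex = NULL;

    printf("valid header, malloc ok:    %d\n",
           load_material_hardened(&hdr, payload, sizeof payload, malloc, &tex));
    free(tex);
    printf("valid header, malloc fails: %d\n",
           load_material_hardened(&hdr, payload, sizeof payload, failing_alloc, &tex));

    struct mip_header oversized = { 64, 4096, 32, 1 }; /* offset past the buffer */
    printf("offset beyond buffer:       %d\n",
           load_material_hardened(&oversized, payload, sizeof payload, malloc, &tex));
    printf("dest with NULL buffer:      0x%lx\n",
           (unsigned long)unchecked_dest_addr(0, 4096));
    return 0;
}
```

The bounds checks are ordered so that no subtraction can wrap: `offset` is compared against `total_size` first, and only then is `total_size - offset` used as the limit for the second mip. Checking the payload length separately matters too: a header that promises more mip data than the file carries is a different defect from one whose offsets do not fit the buffer, and reporting them distinctly makes the failure easier to triage in logs.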


Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-04 Thread HD
Then delete them? I just created a cron to flush certain folders on my servers
and even my client. If you do it manually for a client it takes seconds, big
deal. Sprays won’t disappear so you may as well get used to the hentai or get
familiar with the process of deleting them.

 

From: hlds-boun...@list.valvesoftware.com 
[mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Valentin Puscoi
Sent: Friday, September 04, 2015 7:41 AM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can 
be used to hijack steam accounts.

 

hopefully valve removes sprays altogether, my downloads folder is filled with
hentai

 

2015-09-03 22:59 GMT+03:00 Refeek Yeglek <iamgoofb...@gmail.com>:

Hi, I'm one of the developers for Team Fortress 2 Classic, a source mod 
project. Recently, someone abused a bug present in Source SDK 2013 MP to 
distribute viruses to quite a few of our players and developers. The way they 
did it was by abusing a spray exploit present in the SDK 2013 MP edition to 
upload a file pretending to be a spray to all players and executing it. The 
technical info on how it works from one of our other coders will be posted at 
the end of this email, but here's what you need to know as a server owner:

 

We don't know how many source games are vulnerable. The big name VALVe ones 
aren't, but any sourcemod probably is. This includes ones on steam like 
Fortress Forever, or Fistful of Frags.

 

If you're running a server for a non-VALVe or big-name (Titanfall, GMOD, etc.)
Source Engine game, then here's what you need to do:

 

1. Set sv_upload to 0 on your server.

 

2. If you are a TF2C server host, shut your server down and start scanning your 
server for viruses.

 

3. Pester valve to fix this ASAP.

 

TL;DR:

Sprays can be exploited to run code on people's systems and break into 
accounts, we've had quite a few CS:GO and TF2 items lifted from accounts and 
moved to trade alts and disappearing after that. Disable sprays ASAP if you 
host a sourcemod multiplayer server.

 

Here's the technical info for how stuff works:

 

"The vulnerability is triggered by a missing check to see if a memory
allocation succeeded in the loading of VTFs. When the material is loaded, there
is space allocated for the material. The crucial option in the use of this
exploit is the option to skip mipmaps from the material. If, for instance, the
first mipmap is skipped, the game will copy the mipmap data to buffer + size of
first mipmap. When the memory allocation fails, the buffer will be 0, because
that's what malloc returns on out of memory. This means that the only factor
determining where the block is put is the size of the first mipmap. This way
you can put the data in the second mipmap wherever you want, meaning you can
write to a predictable location in memory. This is additionally encouraged due
to the fact that ASLR is disabled for the module in question. From that point
on ROP is used to mark a controlled memory location executable and transfer
control to it, bypassing DEP. The distribution of the malicious material file
can easily be done through the use of the spray system, which uploads a custom
material to the server and distributes it. This is of course not the only way
to distribute it, but the one used in this case. This is not absolutely
accurate and technical details have been left out due to them not influencing
this exploit."




Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-04 Thread Weasels Lair
I don't run ads at all on my servers any more, but in defense of MOTDgd, I
must say that when I was using ads, they gave me the most options (such as
disabling video ads altogether). I never saw any option to hide the ads
in the background. However there were some server-side plugins that could
be used to run other ads hidden in the background. This was not an MOTDgd
thing. I don't recall the ad network, but the thread may still be on the
SourceMod forums. In the end I decided that (as a player in my own servers)
I really didn't like the advertising, so I dropped all forms of it.

More on topic, will setting sv_allowuploads on mods (like Fistful of Frags
as an example) actually accomplish anything? Or is this some deeper
underlying issue that requires Valve to update their SDK so that mod
authors may then have that option work as expected?

PS: to each his own on liking or not liking the spray feature in various
games. I happen to host a least politically correct community, so it's kind
of ingrained in our "culture" in our case. :-)
On Sep 4, 2015 5:51 AM, "HD" <ad...@gamerscrib.net> wrote:
>
> Then delete them? I just created a cron to flush certain folders on my
servers and even my client. If you do it manually for a client it takes
seconds, big deal. Sprays won’t disappear so you may as well get used to
the hentai or get familiar with the process of deleting them.
>
>
>
> From: hlds-boun...@list.valvesoftware.com [mailto:
hlds-boun...@list.valvesoftware.com] On Behalf Of Valentin Puscoi
> Sent: Friday, September 04, 2015 7:41 AM
>
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit
found, can be used to hijack steam accounts.
>
>
>
> hopefully valve removes sprays altogether, my downloads folder is
filled with hentai
>
>
>
> 2015-09-03 22:59 GMT+03:00 Refeek Yeglek <iamgoofb...@gmail.com>:
>
> Hi, I'm one of the developers for Team Fortress 2 Classic, a source mod
project. Recently, someone abused a bug present in Source SDK 2013 MP to
distribute viruses to quite a few of our players and developers. The way
they did it was by abusing a spray exploit present in the SDK 2013 MP
edition to upload a file pretending to be a spray to all players and
executing it. The technical info on how it works from one of our other
coders will be posted at the end of this email, but here's what you need to
know as a server owner:
>
>
>
> We don't know how many source games are vulnerable. The big name VALVe
ones aren't, but any sourcemod probably is. This includes ones on steam
like Fortress Forever, or Fistful of Frags.
>
>
>
> If you're running a server for a non-VALVe or big-name (Titanfall, GMOD,
etc.) Source Engine game, then here's what you need to do:
>
>
>
> 1. Set sv_upload to 0 on your server.
>
>
>
> 2. If you are a TF2C server host, shut your server down and start
scanning your server for viruses.
>
>
>
> 3. Pester valve to fix this ASAP.
>
>
>
> TL;DR:
>
> Sprays can be exploited to run code on people's systems and break into
accounts, we've had quite a few CS:GO and TF2 items lifted from accounts
and moved to trade alts and disappearing after that. Disable sprays ASAP if
you host a sourcemod multiplayer server.
>
>
>
> Here's the technical info for how stuff works:
>
>
>
> "The vulnerability is triggered by a missing check to see if a memory
allocation succeeded in the loading of VTFs. When the material is loaded,
there is space allocated for the material. The crucial option in the use
of this exploit is the option to skip mipmaps from the material. If, for
instance, the first mipmap is skipped, the game will copy the mipmap data
to buffer + size of first mipmap. When the memory allocation fails, the
buffer will be 0, because that's what malloc returns on out of memory. This
means that the only factor determining where the block is put is the size
of the first mipmap. This way you can put the data in the second mipmap
wherever you want, meaning you can write to a predictable location in
memory. This is additionally encouraged due to the fact that ASLR is
disabled for the module in question. From that point on ROP is used to
mark a controlled memory location executable and transfer control to it,
bypassing DEP. The distribution of the malicious material file can easily
be done through the use of the spray system, which uploads a custom
material to the server and distributes it. This is of course not the only
way to distribute it, but the one used in this case. This is not
absolutely accurate and technical details have been left out due to them
not influencing this exploit."
>
>

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-04 Thread Weasels Lair
Sorry for the cross post.
I confused 2 different discussions in different threads while doing this on
my mobile. My apologies.
On Sep 4, 2015 9:49 AM, "Weasels Lair" <wea...@weaselslair.com> wrote:

> I don't run ads at all on my servers any more, but in defense of MOTDgd, I
> must say that when I was using ads, they gave me the most options (such as
> disabling video ads altogether). I never saw any option to hide the ads
> in the background. However there were some server-side plugins that could
> be used to run other ads hidden in the background. This was not an MOTDgd
> thing. I don't recall the ad network, but the thread may still be on the
> SourceMod forums. In the end I decided that (as a player in my own servers)
> I really didn't like the advertising, so I dropped all forms of it.
>
> More on topic, will setting sv_allowuploads on mods (like Fistful of Frags
> as an example) actually accomplish anything? Or is this some deeper
> underlying issue that requires Valve to update their SDK so that mod
> authors may then have that option work as expected?
>
> PS: to each his own on liking or not liking the spray feature in various
> games. I happen to host a least politically correct community, so it's kind
> of ingrained in our "culture" in our case. :-)
> On Sep 4, 2015 5:51 AM, "HD" <ad...@gamerscrib.net> wrote:
> >
> > Then delete them? I just created a cron to flush certain folders on my
> servers and even my client. If you do it manually for a client it takes
> seconds, big deal. Sprays won’t disappear so you may as well get used to
> the hentai or get familiar with the process of deleting them.
> >
> >
> >
> > From: hlds-boun...@list.valvesoftware.com [mailto:
> hlds-boun...@list.valvesoftware.com] On Behalf Of Valentin Puscoi
> > Sent: Friday, September 04, 2015 7:41 AM
> >
> > To: Half-Life dedicated Win32 server mailing list
> > Subject: Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit
> found, can be used to hijack steam accounts.
> >
> >
> >
> > hopefully valve removes sprays altogether, my downloads folder is
> filled with hentai
> >
> >
> >
> > 2015-09-03 22:59 GMT+03:00 Refeek Yeglek <iamgoofb...@gmail.com>:
> >
> > Hi, I'm one of the developers for Team Fortress 2 Classic, a source mod
> project. Recently, someone abused a bug present in Source SDK 2013 MP to
> distribute viruses to quite a few of our players and developers. The way
> they did it was by abusing a spray exploit present in the SDK 2013 MP
> edition to upload a file pretending to be a spray to all players and
> executing it. The technical info on how it works from one of our other
> coders will be posted at the end of this email, but here's what you need to
> know as a server owner:
> >
> >
> >
> > We don't know how many source games are vulnerable. The big name VALVe
> ones aren't, but any sourcemod probably is. This includes ones on steam
> like Fortress Forever, or Fistful of Frags.
> >
> >
> >
> > If you're running a server for a non-VALVe or big-name (Titanfall, GMOD,
> etc.) Source Engine game, then here's what you need to do:
> >
> >
> >
> > 1. Set sv_upload to 0 on your server.
> >
> >
> >
> > 2. If you are a TF2C server host, shut your server down and start
> scanning your server for viruses.
> >
> >
> >
> > 3. Pester valve to fix this ASAP.
> >
> >
> >
> > TL;DR:
> >
> > Sprays can be exploited to run code on people's systems and break into
> accounts, we've had quite a few CS:GO and TF2 items lifted from accounts
> and moved to trade alts and disappearing after that. Disable sprays ASAP if
> you host a sourcemod multiplayer server.
> >
> >
> >
> > Here's the technical info for how stuff works:
> >
> >
> >
> > "The vulnerability is triggered by a missing check to see if a memory
> allocation succeeded in the loading of VTFs. When the material is loaded,
> there is space allocated for the material. The crucial option in the use
> of this exploit is the option to skip mipmaps from the material. If, for
> instance, the first mipmap is skipped, the game will copy the mipmap data
> to buffer + size of first mipmap. When the memory allocation fails, the
> buffer will be 0, because that's what malloc returns on out of memory. This
> means that the only factor determining where the block is put is the size
> of the first mipmap. This way you can put the data in the second mipmap
> wherever you want, meaning you can write to a predictable location in
> memory. This is additionally encouraged

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-04 Thread Nathaniel Theis
You can tell whether sv_allowupload does anything on your engine by checking
engine.dll for the presence of the string "ignored. File uploads are
disabled!". If it appears, sv_allowupload is effective.

On Thu, Sep 3, 2015 at 1:32 PM, Nathaniel Theis  wrote:

> Actually, it looks like that only affects very old versions, (pre-2009 /
> aluigi) which have much worse exploits anyways. Sorry for the confusion.
>
> On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek 
> wrote:
>
>> I'll let the guys on my sourcemod's team who are looking into it know,
>> thanks.
>>
>> On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis 
>> wrote:
>>
>>> Note that, depending on the engine version you're on (and even SDK 2013
>>> may not do this, I haven't checked), setting sv_allowupload 0 may do
>>> literally nothing; on older versions, sv_allowupload just tells the client
>>> not to upload anything to the server. The client can ignore it and do it
>>> anyways.
>>>
>>> On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose  wrote:
>>>
 You'd know if that'd been done as there would be announcements on the
 various hlds lists about updates for Counter-Strike: Source, Day of Defeat:
 Source, and Half-Life 2: Deathmatch.

 However, what he's actually asking is that Valve update the Source SDK
 2013 with these fixes so that game developers can pull the changes from
 Github and merge them into their own games' code.



 On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <
 proph...@sticed.org> wrote:

> He is basically saying that the exploits Nathaniel found and reported
> have only been fixed in Valve's main titles. He hasn't found or reported a
> new exploit.
> I think it has been mentioned by KyleS on one or multiple of these
> mailing lists that these exploit fixes should be ported onto other
> branches. Apparently that has not been done?
>
>
> On 03.09.2015 22:06, N-Gon wrote:
>
> Someone give this man an unusual Finder's Fee
>
> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek 
> wrote:
>
>> Hi, I'm one of the developers for Team Fortress 2 Classic, a source
>> mod project. Recently, someone abused a bug present in Source SDK 2013 MP
>> to distribute viruses to quite a few of our players and developers. The way
>> they did it was by abusing a spray exploit present in the SDK 2013 MP
>> edition to upload a file pretending to be a spray to all players and
>> executing it. The technical info on how it works from one of our other
>> coders will be posted at the end of this email, but here's what you need to
>> know as a server owner:
>>
>> We don't know how many source games are vulnerable. The big name
>> VALVe ones aren't, but any sourcemod probably is. This includes ones on
>> steam like Fortress Forever, or Fistful of Frags.
>>
>> If you're running a server for a non-VALVe or bigname (Titanfall,
>> GMOD, etc.) Source Engine game, then here's what you need to do:
>>
>> 1. Set sv_upload to 0 on your server.
>>
>> 2. If you are a TF2C server host, shut your server down and start
>> scanning your server for viruses.
>>
>> 3. Pester valve to fix this ASAP.
>>
>> TL;DR:
>> Sprays can be exploited to run code on people's systems and break
>> into accounts, we've had quite a few CS:GO and TF2 items lifted from
>> accounts and moved to trade alts and disappearing after that. Disable
>> sprays ASAP if you host a sourcemod multiplayer server.
>>
>> Here's the technical info for how stuff works:
>>
>> "The vulnerability is triggered by a missing check to see if a
>> memory allocation succeeded in the loading of VTFs. When the material is
>> loaded, there is space allocated for the material. The crucial option in
>> the using of this exploit is the option to skip Mipmaps from the material.
>> If, for instance, the first mipmap is skipped, the game will copy the
>> mipmap data to buffer + size of first mipmap. When the memory allocation
>> fails, the buffer will be 0, because that's what malloc returns on out of
>> memory. This means that the only factor determining where the block is put
>> is determined by the size of the first mipmap. This way you can put the
>> data in the second mipmap wherever you want, meaning you can write to a
>> predictable location in memory. This is additionally encouraged due to the
>> fact that ASLR is disabled for the module in question. From that point on
>> ROP is used to mark a controlled memory location executable and transfer
>> control to it, bypassing DEP. The distribution of the malicious material
>> file can be easily done through the use of the spray system, which

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Nathaniel Theis
Note that, depending on the engine version you're on (and even SDK 2013 may
not do this, I haven't checked), setting sv_allowupload 0 may do literally
nothing; on older versions, sv_allowupload just tells the client not to
upload anything to the server. The client can ignore it and do it anyways.

On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose  wrote:

> You'd know if that'd been done as there would be announcements on the
> various hlds lists about updates for Counter-Strike: Source, Day of Defeat:
> Source, and Half-Life 2: Deathmatch.
>
> However, what he's actually asking is that Valve update the Source SDK
> 2013 with these fixes so that game developers can pull the changes from
> Github and merge them into their own games' code.
>
>
>
> On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <
> proph...@sticed.org> wrote:
>
>> He is basically saying that the exploits Nathaniel found and reported
>> have only been fixed in Valve's main titles. He hasn't found or reported a
>> new exploit.
>> I think it has been mentioned by KyleS on one or multiple of these
>> mailing lists that these exploit fixes should be ported onto other
>> branches. Apparently that has not been done?
>>
>>
>> On 03.09.2015 22:06, N-Gon wrote:
>>
>> Someone give this man an unusual Finder's Fee
>>
>> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek 
>> wrote:
>>
>>> Hi, I'm one of the developers for Team Fortress 2 Classic, a source mod
>>> project. Recently, someone abused a bug present in Source SDK 2013 MP to
>>> distribute viruses to quite a few of our players and developers. The way
>>> they did it was by abusing a spray exploit present in the SDK 2013 MP
>>> edition to upload a file pretending to be a spray to all players and
>>> executing it. The technical info on how it works from one of our other
>>> coders will be posted at the end of this email, but here's what you need to
>>> know as a server owner:
>>>
>>> We don't know how many source games are vulnerable. The big name VALVe
>>> ones aren't, but any sourcemod probably is. This includes ones on steam
>>> like Fortress Forever, or Fistful of Frags.
>>>
>>> If you're running a server for a non-VALVe or bigname (Titanfall, GMOD,
>>> etc.) Source Engine game, then here's what you need to do:
>>>
>>> 1. Set sv_upload to 0 on your server.
>>>
>>> 2. If you are a TF2C server host, shut your server down and start
>>> scanning your server for viruses.
>>>
>>> 3. Pester valve to fix this ASAP.
>>>
>>> TL;DR:
>>> Sprays can be exploited to run code on people's systems and break into
>>> accounts, we've had quite a few CS:GO and TF2 items lifted from accounts
>>> and moved to trade alts and disappearing after that. Disable sprays ASAP if
>>> you host a sourcemod multiplayer server.
>>>
>>> Here's the technical info for how stuff works:
>>>
>>> "The vulnerability is triggered by a missing check to see if a memory
>>> allocation succeeded in the loading of VTFs. When the material is loaded,
>>> there is space allocated for the material. The crucial option in the using
>>> of this exploit is the option to skip Mipmaps from the material. If, for
>>> instance, the first mipmap is skipped, the game will copy the mipmap data
>>> to buffer + size of first mipmap. When the memory allocation fails, the
>>> buffer will be 0, because that's what malloc returns on out of memory. This
>>> means that the only factor determining where the block is put is
>>> determined by the size of the first mipmap. This way you can put the data
>>> in the second mipmap wherever you want, meaning you can write to a
>>> predictable location in memory. This is additionally encouraged due to the
>>> fact that ASLR is disabled for the module in question. From that point on
>>> ROP is used to mark a controlled memory location executable and transfer
>>> control to it, bypassing DEP. The distribution of the malicious material
>>> file can be easily done through the use of the spray system, which uploads
>>> a custom material to the server and distributes it. This is of course not
>>> the only way to distribute it, but one used in this case. This is not
>>> absolutely accurate and technical details have been left out due to them
>>> not influencing this exploit."
>>>
>>> ___
>>> To unsubscribe, edit your list preferences, or view the list archives,
>>> please visit:
>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
>>>
>>>
>>
>>
>>
>>
>
>
> --
> Ross Bemrose
>
> 

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Nathaniel Theis
Actually, it looks like that only affects very old versions (pre-2009 /
aluigi), which have much worse exploits anyways. Sorry for the confusion.

On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek  wrote:

> I'll let the guys on my sourcemod's team who are looking into it know,
> thanks.
>
> On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis  wrote:
>
>> Note that, depending on the engine version you're on (and even SDK 2013
>> may not do this, I haven't checked), setting sv_allowupload 0 may do
>> literally nothing; on older versions, sv_allowupload just tells the client
>> not to upload anything to the server. The client can ignore it and do it
>> anyways.
>>
>> On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose  wrote:
>>
>>> You'd know if that'd been done as there would be announcements on the
>>> various hlds lists about updates for Counter-Strike: Source, Day of Defeat:
>>> Source, and Half-Life 2: Deathmatch.
>>>
>>> However, what he's actually asking is that Valve update the Source SDK
>>> 2013 with these fixes so that game developers can pull the changes from
>>> Github and merge them into their own games' code.
>>>
>>>
>>>
>>> On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <
>>> proph...@sticed.org> wrote:
>>>
 He is basically saying that the exploits Nathaniel found and reported
 have only been fixed in Valve's main titles. He hasn't found or reported a
 new exploit.
 I think it has been mentioned by KyleS on one or multiple of these
 mailing lists that these exploit fixes should be ported onto other
 branches. Apparently that has not been done?


 On 03.09.2015 22:06, N-Gon wrote:

 Someone give this man an unusual Finder's Fee

 On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek 
 wrote:

> Hi, I'm one of the developers for Team Fortress 2 Classic, a source
> mod project. Recently, someone abused a bug present in Source SDK 2013 MP
> to distribute viruses to quite a few of our players and developers. The way
> they did it was by abusing a spray exploit present in the SDK 2013 MP
> edition to upload a file pretending to be a spray to all players and
> executing it. The technical info on how it works from one of our other
> coders will be posted at the end of this email, but here's what you need to
> know as a server owner:
>
> We don't know how many source games are vulnerable. The big name VALVe
> ones aren't, but any sourcemod probably is. This includes ones on steam
> like Fortress Forever, or Fistful of Frags.
>
> If you're running a server for a non-VALVe or bigname (Titanfall, GMOD,
> etc.) Source Engine game, then here's what you need to do:
>
> 1. Set sv_upload to 0 on your server.
>
> 2. If you are a TF2C server host, shut your server down and start
> scanning your server for viruses.
>
> 3. Pester valve to fix this ASAP.
>
> TL;DR:
> Sprays can be exploited to run code on people's systems and break into
> accounts, we've had quite a few CS:GO and TF2 items lifted from accounts
> and moved to trade alts and disappearing after that. Disable sprays ASAP if
> you host a sourcemod multiplayer server.
>
> Here's the technical info for how stuff works:
>
> "The vulnerability is triggered by a missing check to see if a memory
> allocation succeeded in the loading of VTFs. When the material is loaded,
> there is space allocated for the material. The crucial option in the using
> of this exploit is the option to skip Mipmaps from the material. If, for
> instance, the first mipmap is skipped, the game will copy the mipmap data
> to buffer + size of first mipmap. When the memory allocation fails, the
> buffer will be 0, because that's what malloc returns on out of memory. This
> means that the only factor determining where the block is put is
> determined by the size of the first mipmap. This way you can put the data
> in the second mipmap wherever you want, meaning you can write to a
> predictable location in memory. This is additionally encouraged due to the
> fact that ASLR is disabled for the module in question. From that point on
> ROP is used to mark a controlled memory location executable and transfer
> control to it, bypassing DEP. The distribution of the malicious material
> file can be easily done through the use of the spray system, which uploads
> a custom material to the server and distributes it. This is of course not
> the only way to distribute it, but one used in this case. This is not
> absolutely accurate and technical details have been left out due to them
> not influencing this exploit."
>

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Refeek Yeglek
Our guys who decompiled the copy when they got infected figured out it was
a very very bad script kiddie thing designed for doing exactly what is
going on right now. Lemme go find the name of it, someone posted the name
and feature list in the FP thread when we were trying to figure out what
the hell happened, as they're doing hijacks by remote desktopping your
computers.

On Thu, Sep 3, 2015 at 1:40 PM, Nathaniel Theis  wrote:

> If, and that's a big if... hold on
>
> IF it's the VTF exploit I reported, yes. I'm skeptical that it is, just
> because of how difficult it is to exploit in practice. It would require
> very advanced Windows exploitation skills, and suggest a well-motivated,
> targeted attacker. My hunch is that it's another exploit, one that only
> works from malicious servers or custom maps. This one is incredibly
> practical and easy to exploit.
>
> - Nate
>
> On Thu, Sep 3, 2015 at 1:34 PM, E. Olsen  wrote:
>
>> So, to confirm - Team Fortress 2 has already had this exploit fixed,
>> correct?
>>
>> On Thu, Sep 3, 2015 at 4:32 PM, Nathaniel Theis 
>> wrote:
>>
>>> Actually, it looks like that only affects very old versions (pre-2009 /
>>> aluigi), which have much worse exploits anyways. Sorry for the confusion.
>>>
>>> On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek 
>>> wrote:
>>>
 I'll let the guys on my sourcemod's team who are looking into it know,
 thanks.

 On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis 
 wrote:

> Note that, depending on the engine version you're on (and even SDK
> 2013 may not do this, I haven't checked), setting sv_allowupload 0 may do
> literally nothing; on older versions, sv_allowupload just tells the client
> not to upload anything to the server. The client can ignore it and do it
> anyways.
>
> On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose 
> wrote:
>
>> You'd know if that'd been done as there would be announcements on the
>> various hlds lists about updates for Counter-Strike: Source, Day of Defeat:
>> Source, and Half-Life 2: Deathmatch.
>>
>> However, what he's actually asking is that Valve update the Source
>> SDK 2013 with these fixes so that game developers can pull the changes from
>> Github and merge them into their own games' code.
>>
>>
>>
>> On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <
>> proph...@sticed.org> wrote:
>>
>>> He is basically saying that the exploits Nathaniel found and
>>> reported have only been fixed in Valve's main titles. He hasn't found or
>>> reported a new exploit.
>>> I think it has been mentioned by KyleS on one or multiple of these
>>> mailing lists that these exploit fixes should be ported onto other
>>> branches. Apparently that has not been done?
>>>
>>>
>>> On 03.09.2015 22:06, N-Gon wrote:
>>>
>>> Someone give this man an unusual Finder's Fee
>>>
>>> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek >> > wrote:
>>>
 Hi, I'm one of the developers for Team Fortress 2 Classic, a source
 mod project. Recently, someone abused a bug present in Source SDK 2013 MP
 to distribute viruses to quite a few of our players and developers. The way
 they did it was by abusing a spray exploit present in the SDK 2013 MP
 edition to upload a file pretending to be a spray to all players and
 executing it. The technical info on how it works from one of our other
 coders will be posted at the end of this email, but here's what you need to
 know as a server owner:

 We don't know how many source games are vulnerable. The big name
 VALVe ones aren't, but any sourcemod probably is. This includes ones on
 steam like Fortress Forever, or Fistful of Frags.

 If you're running a server for a non-VALVe or bigname (Titanfall,
 GMOD, etc.) Source Engine game, then here's what you need to do:

 1. Set sv_upload to 0 on your server.

 2. If you are a TF2C server host, shut your server down and start
 scanning your server for viruses.

 3. Pester valve to fix this ASAP.

 TL;DR:
 Sprays can be exploited to run code on people's systems and break
 into accounts, we've had quite a few CS:GO and TF2 items lifted from
 accounts and moved to trade alts and disappearing after that. Disable
 sprays ASAP if you host a sourcemod multiplayer server.

 Here's the technical info for how stuff works:

 "The vulnerability is triggered by a missing check to see if a
 memory allocation succeeded in the loading of VTFs. When the material is

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Nomaan Ahmad
That exploit was fixed a long time ago.
Someone even made a tempfix:
https://forums.alliedmods.net/showthread.php?t=100958

On 3 September 2015 at 21:57, Refeek Yeglek  wrote:

> 1. we have permission from valve to use it
>
> 2. this isn't a problem with our code, this is a problem with the Source
> SDK Base 2013 Multiplayer that is being distributed on Steam itself. If
> this was TF2C specific I wouldn't be letting server hosts know to take
> steps to prevent it happening in shit like Fistful of Frags or Fortress
> Forever.
>
> On Thu, Sep 3, 2015 at 1:53 PM, AnAkkk  wrote:
>
>> What did you expect, this leaked and illegal version of the Source Engine
>> you're talking of has years of unfixed exploits, obviously such a thing was
>> going to happen one day.
>> I'm sure there are a lot more exploits that Valve has already fixed.
>> On 3 Sept 2015 22:47, "Refeek Yeglek"  wrote:
>>
>>> Our guys who decompiled the copy when they got infected figured out it
>>> was a very very bad script kiddie thing designed for doing exactly what is
>>> going on right now. Lemme go find the name of it, someone posted the name
>>> and feature list in the FP thread when we were trying to figure out what
>>> the hell happened, as they're doing hijacks by remote desktopping your
>>> computers.
>>>
>>> On Thu, Sep 3, 2015 at 1:40 PM, Nathaniel Theis 
>>> wrote:
>>>
 If, and that's a big if... hold on

 IF it's the VTF exploit I reported, yes. I'm skeptical that it is,
 just because of how difficult it is to exploit in practice. It would
 require very advanced Windows exploitation skills, and suggest a
 well-motivated, targeted attacker. My hunch is that it's another exploit,
 one that only works from malicious servers or custom maps. This one is
 incredibly practical and easy to exploit.

 - Nate

 On Thu, Sep 3, 2015 at 1:34 PM, E. Olsen  wrote:

> So, to confirm - Team Fortress 2 has already had this exploit fixed,
> correct?
>
> On Thu, Sep 3, 2015 at 4:32 PM, Nathaniel Theis 
> wrote:
>
>> Actually, it looks like that only affects very old versions (pre-2009 /
>> aluigi), which have much worse exploits anyways. Sorry for the confusion.
>>
>> On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek 
>> wrote:
>>
>>> I'll let the guys on my sourcemod's team who are looking into it
>>> know, thanks.
>>>
>>> On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis 
>>> wrote:
>>>
 Note that, depending on the engine version you're on (and even SDK
 2013 may not do this, I haven't checked), setting sv_allowupload 0 may do
 literally nothing; on older versions, sv_allowupload just tells the client
 not to upload anything to the server. The client can ignore it and do it
 anyways.

 On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose 
 wrote:

> You'd know if that'd been done as there would be announcements on
> the various hlds lists about updates for Counter-Strike: Source, Day of
> Defeat: Source, and Half-Life 2: Deathmatch.
>
> However, what he's actually asking is that Valve update the Source
> SDK 2013 with these fixes so that game developers can pull the changes from
> Github and merge them into their own games' code.
>
>
>
> On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <
> proph...@sticed.org> wrote:
>
>> He is basically saying that the exploits Nathaniel found and
>> reported have only been fixed in Valve's main titles. He hasn't found or
>> reported a new exploit.
>> I think it has been mentioned by KyleS on one or multiple of
>> these mailing lists that these exploit fixes should be ported onto other
>> branches. Apparently that has not been done?
>>
>>
>> On 03.09.2015 22:06, N-Gon wrote:
>>
>> Someone give this man an unusual Finder's Fee
>>
>> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek <
>> iamgoofb...@gmail.com> wrote:
>>
>>> Hi, I'm one of the developers for Team Fortress 2 Classic, a
>>> source mod project. Recently, someone abused a bug present in Source SDK
>>> 2013 MP to distribute viruses to quite a few of our players and developers.
>>> The way they did it was by abusing a spray exploit present in the SDK 2013
>>> MP edition to upload a file pretending to be a spray to all players and
>>> executing it. The technical info on how it works from

[hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Refeek Yeglek
Hi, I'm one of the developers for Team Fortress 2 Classic, a source mod
project. Recently, someone abused a bug present in Source SDK 2013 MP to
distribute viruses to quite a few of our players and developers. The way
they did it was by abusing a spray exploit present in the SDK 2013 MP
edition to upload a file pretending to be a spray to all players and
executing it. The technical info on how it works from one of our other
coders will be posted at the end of this email, but here's what you need to
know as a server owner:

We don't know how many source games are vulnerable. The big name VALVe ones
aren't, but any sourcemod probably is. This includes ones on steam like
Fortress Forever, or Fistful of Frags.

If you're running a server for a non-VALVe or bigname (Titanfall, GMOD,
etc.) Source Engine game, then here's what you need to do:

1. Set sv_upload to 0 on your server.

2. If you are a TF2C server host, shut your server down and start scanning
your server for viruses.

3. Pester valve to fix this ASAP.

TL;DR:
Sprays can be exploited to run code on people's systems and break into
accounts, we've had quite a few CS:GO and TF2 items lifted from accounts
and moved to trade alts and disappearing after that. Disable sprays ASAP if
you host a sourcemod multiplayer server.

Here's the technical info for how stuff works:

"The vulnerability is triggered by a missing check to see if a memory
allocation succeeded in the loading of VTFs. When the material is loaded,
there is space allocated for the material. The crucial option in the using
of this exploit is the option to skip Mipmaps from the material. If, for
instance, the first mipmap is skipped, the game will copy the mipmap data
to buffer + size of first mipmap. When the memory allocation fails, the
buffer will be 0, because that's what malloc returns on out of memory. This
means that the only factor determining where the block is put is
determined by the size of the first mipmap. This way you can put the data
in the second mipmap wherever you want, meaning you can write to a
predictable location in memory. This is additionally encouraged due to the
fact that ASLR is disabled for the module in question. From that point on
ROP is used to mark a controlled memory location executable and transfer
control to it, bypassing DEP. The distribution of the malicious material
file can be easily done through the use of the spray system, which uploads
a custom material to the server and distributes it. This is of course not
the only way to distribute it, but one used in this case. This is not
absolutely accurate and technical details have been left out due to them
not influencing this exploit."
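As an added example (not code from the Source SDK, TF2C or anyone in this thread), here is a hypothetical, stripped-down mip-chain loader in the vulnerable shape the quoted paragraph describes, an unchecked allocation combined with a write offset taken from the file, next to a hardened version that rejects the bad cases. The header layout, function names and size cap are invented for illustration.

```c
/* Added example, not code from the Source SDK, TF2C or anyone in this thread:
 * a hypothetical, stripped-down mip-chain loader showing the defect class the
 * quoted paragraph describes (unchecked allocation plus a file-controlled write
 * offset) beside a hardened version. Header layout, names and cap are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn)(size_t);   /* injectable so allocation failure can be simulated */

typedef struct {                     /* constructed per-level record from the file */
    uint32_t       size;             /* bytes at this level (file-controlled) */
    int            skip;             /* nonzero: level absent, loader only advances offset */
    const uint8_t *data;             /* pixel bytes; NULL when skipped */
} mip_level_t;

typedef struct {
    uint32_t           declared_total;   /* buffer size the file claims it needs */
    uint32_t           nlevels;
    const mip_level_t *levels;
} mip_header_t;

typedef struct { uint8_t *buf; size_t len; } texture_t;

/* Vulnerable shape: alloc() is never checked and each copy lands at
 * buf + (sum of earlier level sizes). Skip level 0 and make the allocation
 * fail, and buf + off is an absolute address chosen by the file's author.
 * Kept for contrast; only call it with a working allocator. */
int load_mips_vulnerable(const mip_header_t *h, alloc_fn alloc, texture_t *out)
{
    uint8_t *buf = alloc(h->declared_total);                 /* unchecked */
    size_t off = 0;
    for (uint32_t i = 0; i < h->nlevels; i++) {
        if (!h->levels[i].skip)
            memcpy(buf + off, h->levels[i].data, h->levels[i].size);   /* no bounds check */
        off += h->levels[i].size;
    }
    out->buf = buf;
    out->len = h->declared_total;
    return 0;
}

#define MAX_TEXTURE_BYTES (64u * 1024u * 1024u)   /* invented sanity cap */

/* Hardened version: 0 on success, -1 malformed file, -2 allocation failed.
 * Either nonzero result means "texture not loaded", never a partial write. */
int load_mips_safe(const mip_header_t *h, alloc_fn alloc, texture_t *out)
{
    size_t total = h->declared_total;
    if (total == 0 || total > MAX_TEXTURE_BYTES) return -1;
    uint8_t *buf = alloc(total);
    if (buf == NULL) return -2;            /* the check the thread says was missing */
    memset(buf, 0, total);                 /* skipped levels read as zeros, not stale heap */
    size_t off = 0;
    for (uint32_t i = 0; i < h->nlevels; i++) {
        const mip_level_t *lv = &h->levels[i];
        if (lv->size > total - off) { free(buf); return -1; }   /* would run past buffer */
        if (!lv->skip) {
            if (lv->data == NULL) { free(buf); return -1; }
            memcpy(buf + off, lv->data, lv->size);
        }
        off += lv->size;                   /* stays <= total because of the check above */
    }
    out->buf = buf;
    out->len = total;
    return 0;
}

void *alloc_fail(size_t n) { (void)n; return NULL; }   /* stands in for out-of-memory */

/* Constructed sample: level 0 skipped, so level 1 lands at buf + 16, the
 * "buffer + size of first mipmap" offset the thread describes. */
static const uint8_t      sample_level1[4] = { 0xAA, 0xBB, 0xCC, 0xDD };
static const mip_level_t  sample_chain[2]  = { { 16, 1, NULL }, { 4, 0, sample_level1 } };
static const mip_header_t sample_header    = { 20, 2, sample_chain };

/* On benign input both loaders place the bytes at offset 16, which is why the
 * bug is invisible until an allocation fails. Each returns 1 on the expected layout. */
int demo_vulnerable_benign(void)
{
    texture_t t; load_mips_vulnerable(&sample_header, malloc, &t);
    int ok = (t.buf[16] == 0xAA && t.buf[19] == 0xDD); free(t.buf); return ok;
}

int demo_safe_benign(void)
{
    texture_t t; if (load_mips_safe(&sample_header, malloc, &t) != 0) return 0;
    int ok = (t.len == 20 && t.buf[0] == 0 && t.buf[16] == 0xAA && t.buf[19] == 0xDD);
    free(t.buf); return ok;
}

/* Allocation failure becomes a clean -2 instead of a write through NULL + 16. */
int demo_safe_oom(void) { texture_t t; return load_mips_safe(&sample_header, alloc_fail, &t); }

int demo_safe_oversize(void)   /* file claims 8 bytes but level 0 says 16: rejected */
{
    mip_header_t h = { 8, 2, sample_chain }; texture_t t;
    return load_mips_safe(&h, malloc, &t);
}
```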


Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Refeek Yeglek
I'll let the guys on my sourcemod's team who are looking into it know,
thanks.

On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis  wrote:

> Note that, depending on the engine version you're on (and even SDK 2013
> may not do this, I haven't checked), setting sv_allowupload 0 may do
> literally nothing; on older versions, sv_allowupload just tells the client
> not to upload anything to the server. The client can ignore it and do it
> anyways.
>
> On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose  wrote:
>
>> You'd know if that'd been done as there would be announcements on the
>> various hlds lists about updates for Counter-Strike: Source, Day of Defeat:
>> Source, and Half-Life 2: Deathmatch.
>>
>> However, what he's actually asking is that Valve update the Source SDK
>> 2013 with these fixes so that game developers can pull the changes from
>> Github and merge them into their own games' code.
>>
>>
>>
>> On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <
>> proph...@sticed.org> wrote:
>>
>>> He is basically saying that the exploits Nathaniel found and reported
>>> have only been fixed in Valve's main titles. He hasn't found or reported a
>>> new exploit.
>>> I think it has been mentioned by KyleS on one or multiple of these
>>> mailing lists that these exploit fixes should be ported onto other
>>> branches. Apparently that has not been done?
>>>
>>>
>>> On 03.09.2015 22:06, N-Gon wrote:
>>>
>>> Someone give this man an unusual Finder's Fee
>>>
>>> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek 
>>> wrote:
>>>
 Hi, I'm one of the developers for Team Fortress 2 Classic, a source mod
 project. Recently, someone abused a bug present in Source SDK 2013 MP to
 distribute viruses to quite a few of our players and developers. The way
 they did it was by abusing a spray exploit present in the SDK 2013 MP
 edition to upload a file pretending to be a spray to all players and
 executing it. The technical info on how it works from one of our other
 coders will be posted at the end of this email, but here's what you need to
 know as a server owner:

 We don't know how many source games are vulnerable. The big name VALVe
 ones aren't, but any sourcemod probably is. This includes ones on steam
 like Fortress Forever, or Fistful of Frags.

 If you're running a server for a non-VALVe or bigname (Titanfall, GMOD,
 etc.) Source Engine game, then here's what you need to do:

 1. Set sv_upload to 0 on your server.

 2. If you are a TF2C server host, shut your server down and start
 scanning your server for viruses.

 3. Pester valve to fix this ASAP.

 TL;DR:
 Sprays can be exploited to run code on people's systems and break into
 accounts, we've had quite a few CS:GO and TF2 items lifted from accounts
 and moved to trade alts and disappearing after that. Disable sprays ASAP if
 you host a sourcemod multiplayer server.

 Here's the technical info for how stuff works:

 "The vulnerability is triggered by a missing check to see if a memory
 allocation succeeded in the loading of VTFs. When the material is loaded,
 there is space allocated for the material. The crucial option in the using
 of this exploit is the option to skip Mipmaps from the material. If, for
 instance, the first mipmap is skipped, the game will copy the mipmap data
 to buffer + size of first mipmap. When the memory allocation fails, the
 buffer will be 0, because that's what malloc returns on out of memory. This
 means that the only factor determining where the block is put is
 determined by the size of the first mipmap. This way you can put the data
 in the second mipmap wherever you want, meaning you can write to a
 predictable location in memory. This is additionally encouraged due to the
 fact that ASLR is disabled for the module in question. From that point on
 ROP is used to mark a controlled memory location executable and transfer
 control to it, bypassing DEP. The distribution of the malicious material
 file can be easily done through the use of the spray system, which uploads
 a custom material to the server and distributes it. This is of course not
 the only way to distribute it, but one used in this case. This is not
 absolutely accurate and technical details have been left out due to them
 not influencing this exploit."

>>> 

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Nathaniel Theis
How do you know that this is the spray exploit being used? The spray issue
is exceedingly difficult to exploit. There's another, very practical RCE
exploit I'm aware of, but it requires control of the server.

Do you have any samples of the malicious sprays?

Thanks,
Nate

On Thu, Sep 3, 2015 at 1:30 PM, Refeek Yeglek  wrote:

> I'm not the guy who found it either, I'm just letting you guys know
> because this is some bad shit and we've already had account hijacks.
>
> On Thu, Sep 3, 2015 at 1:06 PM, N-Gon  wrote:
>
>> Someone give this man an unusual Finder's Fee
>>
>> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek 
>> wrote:
>>
>>> Hi, I'm one of the developers for Team Fortress 2 Classic, a source mod
>>> project. Recently, someone abused a bug present in Source SDK 2013 MP to
>>> distribute viruses to quite a few of our players and developers. The way
>>> they did it was by abusing a spray exploit present in the SDK 2013 MP
>>> edition to upload a file pretending to be a spray to all players and
>>> executing it. The technical info on how it works from one of our other
>>> coders will be posted at the end of this email, but here's what you need to
>>> know as a server owner:
>>>
>>> We don't know how many source games are vulnerable. The big name VALVe
>>> ones aren't, but any sourcemod probably is. This includes ones on steam
>>> like Fortress Forever, or Fistful of Frags.
>>>
>>> If you're running a server for a non-VALVe or bigname (Titanfall, GMOD,
>>> etc.) Source Engine game, then here's what you need to do:
>>>
>>> 1. Set sv_upload to 0 on your server.
>>>
>>> 2. If you are a TF2C server host, shut your server down and start
>>> scanning your server for viruses.
>>>
>>> 3. Pester valve to fix this ASAP.
>>>
>>> TL;DR:
>>> Sprays can be exploited to run code on people's systems and break into
>>> accounts, we've had quite a few CS:GO and TF2 items lifted from accounts
>>> and moved to trade alts and disappearing after that. Disable sprays ASAP if
>>> you host a sourcemod multiplayer server.
>>>
>>> Here's the technical info for how stuff works:
>>>
>>> "The vulnerability is triggered by a missing check to see if a memory
>>> allocation succeeded in the loading of VTFs. When the material is loaded,
>>> there is space allocated for the material. The crucial option in the using
>>> of this exploit is the option to skip Mipmaps from the material. If, for
>>> instance, the first mipmap is skipped, the game will copy the mipmap data
>>> to buffer + size of first mipmap. When the memory allocation fails, the
>>> buffer will be 0, because that's what malloc returns on out of memory. This
>>> means that the only factor determining where the block is put is
>>> determined by the size of the first mipmap. This way you can put the data
>>> in the second mipmap wherever you want, meaning you can write to a
>>> predictable location in memory. This is additionally encouraged due to the
>>> fact that ASLR is disabled for the module in question. From that point on
>>> ROP is used to mark a controlled memory location executable and transfer
>>> control to it, bypassing DEP. The distribution of the malicious material
>>> file can be easily done through the use of the spray system, which uploads
>>> a custom material to the server and distributes it. This is of course not
>>> the only way to distribute it, but one used in this case. This is not
>>> absolutely accurate and technical details have been left out due to them
>>> not influencing this exploit."
>>>
>>> ___
>>> To unsubscribe, edit your list preferences, or view the list archives,
>>> please visit:
>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
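
The quoted description above is a textbook unchecked-allocation write: malloc fails, the loader never notices, and the "buffer + size of first mipmap" arithmetic turns a size field in the file into the write address. As an added illustration (example code written for this page, not code from the original post, the Source SDK or Valve), here is a cut-down loader in C that shows that arithmetic beside a checked version. The header layout (alloc_size, mip0_size, mip1_size, skip_mip0), the 64 MiB cap and the injected allocator are assumptions made to keep it self-contained; the real VTF format has more fields. The unchecked path is modelled only as the address computation, so nothing is written through a NULL pointer.

```c
/* Added example for this page: a simplified texture loader modelled on the
 * bug quoted above. Not code from the original post, the Source SDK or Valve.
 * The header fields, the size cap and the injected allocator are assumptions. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sane upper bound for one texture; the real engine's limit differs. */
#define MAX_TEXTURE_BYTES (64u * 1024u * 1024u)

/* Constructed, attacker-controlled header: two mipmap levels, the first optional. */
struct tex_header {
    uint32_t alloc_size;  /* bytes the loader allocates for the whole texture */
    uint32_t mip0_size;   /* bytes of the first (largest) mipmap */
    uint32_t mip1_size;   /* bytes of the second mipmap */
    uint32_t skip_mip0;   /* non-zero: payload carries only the second mipmap */
};

enum load_result { LOAD_OK = 0, LOAD_ERR_BOUNDS, LOAD_ERR_TRUNCATED, LOAD_ERR_ALLOC };

/* Allocator is injected so the failure branch can be tested without real OOM. */
typedef void *(*alloc_fn)(size_t);
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* The unchecked path, reduced to its address arithmetic: the second mipmap is
 * written at buffer + mip0_size. If malloc failed, buffer is 0 and the write
 * lands at absolute address mip0_size, a value the file author chose. Modelled
 * on integers so the point can be shown without dereferencing anything. */
static uintptr_t unchecked_dest_address(const struct tex_header *h, uintptr_t buf)
{
    return buf + h->mip0_size;
}

/* Hardened loader: validate every header-derived size, then check the
 * allocation, and only then copy. On any error *out stays NULL. */
static enum load_result load_texture_checked(const struct tex_header *h,
                                             const uint8_t *payload, size_t payload_len,
                                             alloc_fn alloc,
                                             uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;

    /* 1. Reject absurd allocation requests before asking the allocator. */
    if (h->alloc_size == 0 || h->alloc_size > MAX_TEXTURE_BYTES)
        return LOAD_ERR_BOUNDS;

    /* 2. The second mipmap's destination range must fit inside the allocation.
     *    Subtraction form, so the comparison cannot wrap. */
    size_t mip1_dst = h->mip0_size;
    if (h->mip1_size > h->alloc_size || mip1_dst > h->alloc_size - h->mip1_size)
        return LOAD_ERR_BOUNDS;

    /* 3. The payload must actually carry the bytes the header promises. */
    size_t need = (h->skip_mip0 ? 0 : (size_t)h->mip0_size) + h->mip1_size;
    if (payload_len < need)
        return LOAD_ERR_TRUNCATED;

    /* 4. The check the post says was missing. */
    uint8_t *buf = alloc(h->alloc_size);
    if (buf == NULL)
        return LOAD_ERR_ALLOC;
    memset(buf, 0, h->alloc_size);   /* a skipped level never exposes stale heap */

    const uint8_t *src = payload;
    if (!h->skip_mip0) {
        memcpy(buf, src, h->mip0_size);
        src += h->mip0_size;
    }
    memcpy(buf + mip1_dst, src, h->mip1_size);

    *out = buf;
    *out_len = h->alloc_size;
    return LOAD_OK;
}

/* Constructed payload: 4 bytes of mipmap 0 followed by 2 bytes of mipmap 1. */
static const uint8_t k_payload[] = { 0xAA, 0xAA, 0xAA, 0xAA, 0xBB, 0xBB };

int main(void)
{
    struct tex_header good = { .alloc_size = 6, .mip0_size = 4, .mip1_size = 2, .skip_mip0 = 0 };
    uint8_t *out = NULL;
    size_t out_len = 0;

    printf("checked loader, well-formed file: result %d\n",
           load_texture_checked(&good, k_payload, sizeof k_payload, malloc, &out, &out_len));
    free(out);
    printf("checked loader, allocation failure: result %d\n",
           load_texture_checked(&good, k_payload, sizeof k_payload, failing_alloc, &out, &out_len));
    printf("unchecked arithmetic with a NULL buffer: destination 0x%lx\n",
           (unsigned long)unchecked_dest_address(&good, 0));
    return 0;
}
```

Two design points are worth noting. Every size taken from the untrusted header is validated before the allocation is attempted, because an oversized alloc_size is the simplest way to make malloc return NULL in the first place. The allocator is a parameter so the out-of-memory branch can be exercised in a unit test with failing_alloc; a check that is never executed during testing is exactly the kind that quietly goes missing.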


Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Nathaniel Theis
If, and that's a big if... hold on

IF it's the VTF exploit I reported, yes. I'm skeptical that it is, just
because of how difficult it is to exploit in practice. It would require
very advanced Windows exploitation skills, and suggest a well-motivated,
targeted attacker. My hunch is that it's another exploit, one that only
works from malicious servers or custom maps. This one is incredibly
practical and easy to exploit.

- Nate

On Thu, Sep 3, 2015 at 1:34 PM, E. Olsen  wrote:

> So, to confirm - Team Fortress 2 has already had this exploit fixed,
> correct?
>
> On Thu, Sep 3, 2015 at 4:32 PM, Nathaniel Theis  wrote:
>
>> Actually, it looks like that only affects very old versions, (pre-2009 /
>> aluigi) which have much worse exploits anyways. Sorry for the confusion.
>>
>> On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek 
>> wrote:
>>
>>> I'll let the guys on my sourcemod's team who are looking into it know,
>>> thanks.
>>>
>>> On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis 
>>> wrote:
>>>
>>>> Note that, depending on the engine version you're on (and even SDK 2013
>>>> may not do this, I haven't checked), setting sv_allowupload 0 may do
>>>> literally nothing; on older versions, sv_allowupload just tells the client
>>>> not to upload anything to the server. The client can ignore it and do it
>>>> anyways.


Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Refeek Yeglek
Okay, so, going by this forum post (
http://facepunch.com/showthread.php?t=1483571=48603565=1#post48603565)
this is a thing called LuminosityLink, which is supposedly some beefy shit
in the script kiddie community.

On Thu, Sep 3, 2015 at 1:45 PM, Refeek Yeglek  wrote:

> Our guys who decompiled the copy when they got infected figured out it was
> a very very bad script kiddie thing designed for doing exactly what is
> going on right now. Lemme go find the name of it, someone posted the name
> and feature list in the FP thread when we were trying to figure out what
> the hell happened, as they're doing hijacks by remote desktopping your
> computers.
>

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Weasels Lair
I wonder how long it is until some script-kiddie figures out how to
exploit the built-in Streaming (a la
https://github.com/ValveSoftware/steam-for-linux/issues/3990). Valve's
response when I mentioned it was, effectively, "expected behavior".

On Thu, Sep 3, 2015 at 1:45 PM, Refeek Yeglek  wrote:

> Our guys who decompiled the copy when they got infected figured out it was
> a very very bad script kiddie thing designed for doing exactly what is
> going on right now. Lemme go find the name of it, someone posted the name
> and feature list in the FP thread when we were trying to figure out what
> the hell happened, as they're doing hijacks by remote desktopping your
> computers.
>

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread N-Gon
Someone give this man an unusual Finder's Fee

On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek  wrote:

> Hi, I'm one of the developers for Team Fortress 2 Classic, a source mod
> project. Recently, someone abused a bug present in Source SDK 2013 MP to
> distribute viruses to quite a few of our players and developers. The way
> they did it was by abusing a spray exploit present in the SDK 2013 MP
> edition to upload a file pretending to be a spray to all players and
> executing it. The technical info on how it works from one of our other
> coders will be posted at the end of this email, but here's what you need to
> know as a server owner:
>
> We don't know how many source games are vulnerable. The big name VALVe
> ones aren't, but any sourcemod probably is. This includes ones on steam
> like Fortress Forever, or Fistful of Frags.
>
> If you're running a server for a non-VALVe or big-name (Titanfall, GMOD,
> etc.) Source Engine game, then here's what you need to do:
>
> 1. Set sv_upload to 0 on your server.
>
> 2. If you are a TF2C server host, shut your server down and start scanning
> your server for viruses.
>
> 3. Pester valve to fix this ASAP.
>
> TL;DR:
> Sprays can be exploited to run code on people's systems and break into
> accounts; we've had quite a few CS:GO and TF2 items lifted from accounts
> and moved to trade alts, disappearing after that. Disable sprays ASAP if
> you host a sourcemod multiplayer server.
>
> Here's the technical info for how stuff works:
>
> "The vulnerability is triggered by a missing check to see if a memory
> allocation succeeded in the loading of VTFs. When the material is loaded,
> there is space allocated for the material. The crucial option in using
> this exploit is the option to skip mipmaps from the material. If, for
> instance, the first mipmap is skipped, the game will copy the mipmap data
> to buffer + size of first mipmap. When the memory allocation fails, the
> buffer will be 0, because that's what malloc returns on out of memory. This
> means that the only factor determining where the block is put is the size
> of the first mipmap. This way you can put the data in the second mipmap
> wherever you want, meaning you can write to a predictable location in
> memory. This is additionally encouraged due to the fact that ASLR is
> disabled for the module in question. From that point on ROP is used to
> mark a controlled memory location executable and transfer control to it,
> bypassing DEP. The distribution of the malicious material file can be
> easily done through the use of the spray system, which uploads a custom
> material to the server and distributes it. This is of course not the only
> way to distribute it, but one used in this case. This is not absolutely
> accurate and technical details have been left out due to them not
> influencing this exploit."


Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Ross Bemrose
You'd know if that'd been done as there would be announcements on the
various hlds lists about updates for Counter-Strike: Source, Day of Defeat:
Source, and Half-Life 2: Deathmatch.

However, what he's actually asking is that Valve update the Source SDK 2013
with these fixes so that game developers can pull the changes from Github
and merge them into their own games' code.



On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <
proph...@sticed.org> wrote:

> He is basically saying that the exploits Nathaniel found and reported have
> only been fixed in Valve's main titles. He hasn't found or reported a new
> exploit.
> I think it has been mentioned by KyleS on one or multiple of these mailing
> lists that these exploit fixes should be ported onto other branches.
> Apparently that has not been done?


-- 
Ross Bemrose


Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Refeek Yeglek
I'm not the guy who found it either, I'm just letting you guys know because
this is some bad shit and we've already had account hijacks.

On Thu, Sep 3, 2015 at 1:06 PM, N-Gon  wrote:

> Someone give this man an unusual Finder's Fee
>


Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Refeek Yeglek
1. we have permission from valve to use it

2. this isn't a problem with our code, this is a problem with the Source
SDK Base 2013 Multiplayer that is being distributed on Steam itself. If
this was TF2C specific I wouldn't be letting server hosts know to take
steps to prevent it happening in shit like Fistful of Frags or Fortress
Forever.

On Thu, Sep 3, 2015 at 1:53 PM, AnAkkk  wrote:

> What did you expect? This leaked and illegal version of the Source Engine
> you're talking of has years of unfixed exploits; obviously such a thing was
> going to happen one day.
> I'm sure there are a lot more exploits that Valve has already fixed.
> On 3 Sept 2015 at 22:47, "Refeek Yeglek" wrote:

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Matthias "InstantMuffin" Kollek
He is basically saying that the exploits Nathaniel found and reported 
have only been fixed in Valve's main titles. He hasn't found or reported 
a new exploit.
I think it has been mentioned by KyleS on one or multiple of these 
mailing lists that these exploit fixes should be ported onto other 
branches. Apparently that has not been done?


On 03.09.2015 22:06, N-Gon wrote:

Someone give this man an unusual Finder's Fee

On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek > wrote:


Hi, I'm one of the developers for Team Fortress 2 Classic, a
source mod project. Recently, someone abused a bug present in
Source SDK 2013 MP to distribute viruses to quite a few of our
players and developers. The way they did it was by abusing a spray
exploit present in the SDK 2013 MP edition to upload a file
pretending to be a spray to all players and executing it. The
technical info on how it works from one of our other coders will
be posted at the end of this email, but here's what you need to
know as a server owner:

We don't know how many source games are vulnerable. The big name
VALVe ones aren't, but any sourcemod probably is. This includes
ones on steam like Fortress Forever, or Fistful of Frags.

If you're running a server for a non-VALVe or bigname(Titanfall,
GMOD, etc.) Source Engine game, then here's what you need to do:

1. Set sv_upload to 0 on your server.

2. If you are a TF2C server host, shut your server down and start
scanning your server for viruses.

3. Pester valve to fix this ASAP.

TL;DR:
Sprays can be exploited to run code on people's systems and break
into accounts, we've had quite a few CS:GO and TF2 items lifted
from accounts and moved to trade alts and disappearing after that.
Disable sprays ASAP if you host a sourcemod multiplayer server.

Here's the technical info for how stuff works:

"The vulnerability is triggered by a missing check to see if a
memory allocation succeeded in the loading of VTFs. When the
material is loaded, there is space allocated for the material. The
crucial option in using this exploit is the option to skip
mipmaps from the material. If, for instance, the first mipmap is
skipped, the game will copy the mipmap data to buffer + size of
first mipmap. When the memory allocation fails, the buffer will be
0, because that's what malloc returns on out of memory. This means
that the only factor determining where the block is put is the
size of the first mipmap. This way you can put the data in the
second mipmap wherever you want, meaning you can write to a
predictable location in memory. This is additionally encouraged
due to the fact that ASLR is disabled for the module in question.
From that point on ROP is used to mark a controlled memory
location executable and transfer control to it, bypassing DEP. The
distribution of the malicious material file can be easily done
through the use of the spray system, which uploads a custom
material to the server and distributes it. This is of course not
the only way to distribute it, but one used in this case. This is
not absolutely accurate and technical details have been left out
due to them not influencing this exploit."

___
To unsubscribe, edit your list preferences, or view the list
archives, please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds


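The mechanism in the quoted write-up (an unchecked malloc result plus a file-controlled "skip mipmaps" offset turning into a write to an attacker-chosen address) is easiest to see in code. The C below is an added example written for this page, not code from the post, the Source SDK or Valve: the toy_vtf_header layout is a hypothetical stand-in and not the real VTF format, toy_alloc is an allocator hook used only to force the out-of-memory case, and the header values are constructed. The vulnerable loader is shown beside a hardened one that validates the header, checks the allocation and limits the copy to what the file actually holds.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for a mipmapped texture header. This is NOT the real VTF
 * layout; it carries only the fields the post's description depends on. */
#define MAX_MIPS 4
typedef struct {
    uint32_t mip_count;             /* number of mip levels present */
    uint32_t mip_size[MAX_MIPS];    /* bytes in each level, largest first */
    uint32_t first_mip_to_load;     /* "skip mipmaps": levels below this are not loaded */
} toy_vtf_header;

typedef struct {
    int ok;          /* 1 = loader would go on to copy, 0 = texture rejected */
    uintptr_t dst;   /* address the first loaded level would be copied to */
} load_result;

/* Allocation hook so a caller can force the out-of-memory case (assumption:
 * the real engine uses its own allocator; this just models "malloc fails"). */
static int g_fail_alloc = 0;
static void *toy_alloc(size_t n) { return g_fail_alloc ? NULL : malloc(n); }

/* Vulnerable loader, mirroring the pattern the post describes: the result of
 * the allocation is never checked and the skip offset is added to it anyway.
 * The copy itself is replaced by returning the destination it would target,
 * so running this demo never performs the wild write. */
static load_result vuln_load(const toy_vtf_header *h)
{
    size_t total = 0;
    for (uint32_t i = 0; i < h->mip_count; i++)
        total += h->mip_size[i];                    /* no overflow check */

    uint8_t *buf = toy_alloc(total);                /* NULL on failure, never checked */

    /* Advance past the skipped levels. On failure buf is NULL, so the
     * destination is 0 + mip_size[0] + ...: an address the file author picks.
     * Done on an integer here so the demo itself is not undefined behaviour;
     * the real code does the same arithmetic on the pointer. */
    uintptr_t dst = (uintptr_t)buf;
    for (uint32_t i = 0; i < h->first_mip_to_load; i++)
        dst += h->mip_size[i];

    load_result r = { 1, dst };
    free(buf);                                      /* demo cleanup; free(NULL) is a no-op */
    return r;
}

/* Hardened loader: validates the header, checks the allocation, and copies
 * only as many bytes as both the buffer and the file actually hold. */
static load_result safe_load(const toy_vtf_header *h,
                             const uint8_t *data, size_t data_len)
{
    const load_result rejected = { 0, 0 };

    if (h->mip_count == 0 || h->mip_count > MAX_MIPS ||
        h->first_mip_to_load >= h->mip_count)
        return rejected;                            /* skip offset must stay inside the buffer */

    size_t total = 0, skip = 0;
    for (uint32_t i = 0; i < h->mip_count; i++) {
        if (h->mip_size[i] > SIZE_MAX - total)
            return rejected;                        /* size sum would wrap */
        total += h->mip_size[i];
        if (i < h->first_mip_to_load)
            skip = total;                           /* bytes belonging to skipped levels */
    }
    if (total == 0 || total - skip > data_len)
        return rejected;                            /* file shorter than the levels it claims */

    uint8_t *buf = toy_alloc(total);
    if (buf == NULL)
        return rejected;                            /* the check the post says was missing */

    memcpy(buf + skip, data, total - skip);         /* stays within [buf, buf + total) */
    load_result r = { 1, (uintptr_t)(buf + skip) };
    free(buf);
    return r;
}

int main(void)
{
    /* Constructed "malicious" header: a huge first level that is skipped, so
     * on allocation failure the second level lands at address 0x10040000. */
    toy_vtf_header evil = { 2, { 0x10040000u, 0x100u, 0, 0 }, 1 };
    uint8_t payload[0x100] = { 0 };                 /* constructed file body */
    g_fail_alloc = 1;
    load_result v = vuln_load(&evil);
    load_result s = safe_load(&evil, payload, sizeof payload);
    printf("vulnerable: ok=%d dst=0x%lx\n", v.ok, (unsigned long)v.dst);
    printf("hardened:   ok=%d\n", s.ok);
    return 0;
}
```

With the allocator forced to fail, the vulnerable path reports a destination of 0x10040000, chosen entirely by mip_size[0], while the hardened path rejects the texture. The write target is an offset from NULL, so it is predictable whether or not the module is randomised; what the missing ASLR on the module buys the attacker, per the write-up, is a stable address worth overwriting and stable ROP gadgets. In a 32-bit process a 32-bit mip size can reach any user-mode address.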

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Refeek Yeglek
Yeah. The big games have it fixed, sourcemods are at risk here.

On Thu, Sep 3, 2015 at 1:34 PM, E. Olsen  wrote:

> So, to confirm - Team Fortress 2 has already had this exploit fixed,
> correct?
>
> On Thu, Sep 3, 2015 at 4:32 PM, Nathaniel Theis  wrote:
>
>> Actually, it looks like that only affects very old versions, (pre-2009 /
>> aluigi) which have much worse exploits anyways. Sorry for the confusion.
>>
>> On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek 
>> wrote:
>>
>>> I'll let the guys on my sourcemod's team who are looking into it know,
>>> thanks.
>>>
>>> On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis 
>>> wrote:
>>>
 Note that, depending on the engine version you're on (and even SDK 2013
 may not do this, I haven't checked), setting sv_allowupload 0 may do
 literally nothing; on older versions, sv_allowupload just tells the client
 not to upload anything to the server. The client can ignore it and do it
 anyways.

 On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose 
 wrote:

> You'd know if that'd been done as there would be announcements on the
> various hlds lists about updates for Counter-Strike: Source, Day of 
> Defeat:
> Source, and Half-Life 2: Deathmatch.
>
> However, what he's actually asking is that Valve update the Source SDK
> 2013 with these fixes so that game developers can pull the changes from
> Github and merge them into their own games' code.
>
>
>
> On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <
> proph...@sticed.org> wrote:
>
>> He is basically saying that the exploits Nathaniel found and reported
>> have only been fixed in Valve's main titles. He hasn't found or reported 
>> a
>> new exploit.
>> I think it has been mentioned by KyleS on one or multiple of these
>> mailing lists that these exploit fixes should be ported onto other
>> branches. Apparently that has not been done?
>>
>>
>> On 03.09.2015 22:06, N-Gon wrote:
>>
>> Someone give this man an unusual Finder's Fee
>>
>> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek 
>> wrote:
>>
>>> Hi, I'm one of the developers for Team Fortress 2 Classic, a source
>>> mod project. Recently, someone abused a bug present in Source SDK 2013 
>>> MP
>>> to distribute viruses to quite a few of our players and developers. The 
>>> way
>>> they did it was by abusing a spray exploit present in the SDK 2013 MP
>>> edition to upload a file pretending to be a spray to all players and
>>> executing it. The technical info on how it works from one of our other
>>> coders will be posted at the end of this email, but here's what you 
>>> need to
>>> know as a server owner:
>>>
>>> We don't know how many source games are vulnerable. The big name
>>> VALVe ones aren't, but any sourcemod probably is. This includes ones on
>>> steam like Fortress Forever, or Fistful of Frags.
>>>
>>> If you're running a server for a non-VALVe or big-name (Titanfall,
>>> GMOD, etc.) Source Engine game, then here's what you need to do:
>>>
>>> 1. Set sv_upload to 0 on your server.
>>>
>>> 2. If you are a TF2C server host, shut your server down and start
>>> scanning your server for viruses.
>>>
>>> 3. Pester valve to fix this ASAP.
>>>
>>> TL;DR:
>>> Sprays can be exploited to run code on people's systems and break
>>> into accounts, we've had quite a few CS:GO and TF2 items lifted from
>>> accounts and moved to trade alts and disappearing after that. Disable
>>> sprays ASAP if you host a sourcemod multiplayer server.
>>>
>>> Here's the technical info for how stuff works:
>>>
>>> "The vulnerability is triggered by a missing check to see if a
>>> memory allocation succeeded in the loading of VTFs. When the material is
>>> loaded, there is space allocated for the material. The crucial option in
>>> using this exploit is the option to skip mipmaps from the material.
>>> If, for instance, the first mipmap is skipped, the game will copy the
>>> mipmap data to buffer + size of first mipmap. When the memory allocation
>>> fails, the buffer will be 0, because that's what malloc returns on out of
>>> memory. This means that the only factor determining where the block is put
>>> is the size of the first mipmap. This way you can put the
>>> data in the second mipmap wherever you want, meaning you can write to a
>>> predictable location in memory. This is additionally encouraged due to the
>>> fact that ASLR is disabled for the module in question. From that point on
>>> ROP is used to mark a controlled memory location executable and transfer
>>> 

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Refeek Yeglek
I don't have a sample, sorry. We're like 99% certain they're using the
spray exploit however.

On Thu, Sep 3, 2015 at 1:34 PM, Nathaniel Theis  wrote:

> How do you know that this is the spray exploit being used?  The spray
> issue is exceedingly difficult to exploit. There's another, very practical
> RCE exploit I'm aware of, but it requires control of the server.
>
> Do you have any samples of the malicious sprays?
>
> Thanks,
> Nate
>
> On Thu, Sep 3, 2015 at 1:30 PM, Refeek Yeglek 
> wrote:
>
>> I'm not the guy who found it either, I'm just letting you guys know
>> because this is some bad shit and we've already had account hijacks.
>>
>> On Thu, Sep 3, 2015 at 1:06 PM, N-Gon  wrote:
>>
>>> Someone give this man an unusual Finder's Fee
>>>
>>> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek 
>>> wrote:
>>>
 Hi, I'm one of the developers for Team Fortress 2 Classic, a source mod
 project. Recently, someone abused a bug present in Source SDK 2013 MP to
 distribute viruses to quite a few of our players and developers. The way
 they did it was by abusing a spray exploit present in the SDK 2013 MP
 edition to upload a file pretending to be a spray to all players and
 executing it. The technical info on how it works from one of our other
 coders will be posted at the end of this email, but here's what you need to
 know as a server owner:

 We don't know how many source games are vulnerable. The big name VALVe
 ones aren't, but any sourcemod probably is. This includes ones on steam
 like Fortress Forever, or Fistful of Frags.

 If you're running a server for a non-VALVe or big-name (Titanfall, GMOD,
 etc.) Source Engine game, then here's what you need to do:

 1. Set sv_upload to 0 on your server.

 2. If you are a TF2C server host, shut your server down and start
 scanning your server for viruses.

 3. Pester valve to fix this ASAP.

 TL;DR:
 Sprays can be exploited to run code on people's systems and break into
 accounts, we've had quite a few CS:GO and TF2 items lifted from accounts
 and moved to trade alts and disappearing after that. Disable sprays ASAP if
 you host a sourcemod multiplayer server.

 Here's the technical info for how stuff works:

 "The vulnerability is triggered by a missing check to see if a memory
 allocation succeeded in the loading of VTFs. When the material is loaded,
 there is space allocated for the material. The crucial option in using
 this exploit is the option to skip mipmaps from the material. If, for
 instance, the first mipmap is skipped, the game will copy the mipmap data
 to buffer + size of first mipmap. When the memory allocation fails, the
 buffer will be 0, because that's what malloc returns on out of memory. This
 means that the only factor determining where the block is put is the size
 of the first mipmap. This way you can put the data in the second mipmap
 wherever you want, meaning you can write to a predictable location in
 memory. This is additionally encouraged due to the fact that ASLR is
 disabled for the module in question. From that point on ROP is used to
 mark a controlled memory location executable and transfer control to it,
 bypassing DEP. The distribution of the malicious material file can be
 easily done through the use of the spray system, which uploads a custom
 material to the server and distributes it. This is of course not the only
 way to distribute it, but one used in this case. This is not absolutely
 accurate and technical details have been left out due to them not
 influencing this exploit."



Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread AnAkkk
What did you expect? This leaked and illegal version of the Source Engine
you're talking of has years of unfixed exploits; obviously such a thing was
going to happen one day.
I'm sure there are a lot more exploits that Valve has already fixed.
On 3 Sep 2015 at 22:47, "Refeek Yeglek" wrote:

> Our guys who decompiled the copy when they got infected figured out it was
> a very very bad script kiddie thing designed for doing exactly what is
> going on right now. Lemme go find the name of it, someone posted the name
> and feature list in the FP thread when we were trying to figure out what
> the hell happened, as they're doing hijacks by remote desktopping your
> computers.
>
> On Thu, Sep 3, 2015 at 1:40 PM, Nathaniel Theis  wrote:
>
>> If, and that's a big if... hold on
>>
>> IF it's the VTF exploit I reported, yes. I'm skeptical that it is, just
>> because of how difficult it is to exploit in practice. It would require
>> very advanced Windows exploitation skills, and suggest a well-motivated,
>> targeted attacker. My hunch is that it's another exploit, one that only
>> works from malicious servers or custom maps. This one is incredibly
>> practical and easy to exploit.
>>
>> - Nate
>>
>> On Thu, Sep 3, 2015 at 1:34 PM, E. Olsen  wrote:
>>
>>> So, to confirm - Team Fortress 2 has already had this exploit fixed,
>>> correct?
>>>
>>> On Thu, Sep 3, 2015 at 4:32 PM, Nathaniel Theis 
>>> wrote:
>>>
 Actually, it looks like that only affects very old versions, (pre-2009
 / aluigi) which have much worse exploits anyways. Sorry for the confusion.

 On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek 
 wrote:

> I'll let the guys on my sourcemod's team who are looking into it know,
> thanks.
>
> On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis 
> wrote:
>
>> Note that, depending on the engine version you're on (and even SDK
>> 2013 may not do this, I haven't checked), setting sv_allowupload 0 may do
>> literally nothing; on older versions, sv_allowupload just tells the 
>> client
>> not to upload anything to the server. The client can ignore it and do it
>> anyways.
>>
>> On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose 
>> wrote:
>>
>>> You'd know if that'd been done as there would be announcements on
>>> the various hlds lists about updates for Counter-Strike: Source, Day of
>>> Defeat: Source, and Half-Life 2: Deathmatch.
>>>
>>> However, what he's actually asking is that Valve update the Source
>>> SDK 2013 with these fixes so that game developers can pull the changes 
>>> from
>>> Github and merge them into their own games' code.
>>>
>>>
>>>
>>> On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <
>>> proph...@sticed.org> wrote:
>>>
 He is basically saying that the exploits Nathaniel found and
 reported have only been fixed in Valve's main titles. He hasn't found 
 or
 reported a new exploit.
 I think it has been mentioned by KyleS on one or multiple of these
 mailing lists that these exploit fixes should be ported onto other
 branches. Apparently that has not been done?


 On 03.09.2015 22:06, N-Gon wrote:

 Someone give this man an unusual Finder's Fee

 On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek <
 iamgoofb...@gmail.com> wrote:

> Hi, I'm one of the developers for Team Fortress 2 Classic, a
> source mod project. Recently, someone abused a bug present in Source 
> SDK
> 2013 MP to distribute viruses to quite a few of our players and 
> developers.
> The way they did it was by abusing a spray exploit present in the SDK 
> 2013
> MP edition to upload a file pretending to be a spray to all players 
> and
> executing it. The technical info on how it works from one of our other
> coders will be posted at the end of this email, but here's what you 
> need to
> know as a server owner:
>
> We don't know how many source games are vulnerable. The big name
> VALVe ones aren't, but any sourcemod probably is. This includes ones 
> on
> steam like Fortress Forever, or Fistful of Frags.
>
> If you're running a server for a non-VALVe or big-name (Titanfall,
> GMOD, etc.) Source Engine game, then here's what you need to do:
>
> 1. Set sv_upload to 0 on your server.
>
> 2. If you are a TF2C server host, shut your server down and start
> scanning your server for viruses.
>
> 3. Pester valve to fix this ASAP.
>
> TL;DR:
> Sprays can be exploited to run code on people's 

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Kyle Sanderson
No, just TF has these Remote Code Execution patches. CS:S and friends are
still completely vulnerable to the public issues. Don't kid yourself,
there are definitely other vulnerable code paths. Personally, I'm disgusted,
as this has been public knowledge for a year now, the exploits dating back
to Quake... Sync the games that are still being sold for money.

Valve doesn't care about your workstation, your server, anything that runs
their completely vulnerable code. Don't play on servers that aren't yours;
use SourceMod to secure your servers.

Kyle.
On 3 Sep 2015 2:39 pm, "Refeek Yeglek"  wrote:

> Yeah. The big games have it fixed, sourcemods are at risk here.
>
> On Thu, Sep 3, 2015 at 1:34 PM, E. Olsen  wrote:
>
>> So, to confirm - Team Fortress 2 has already had this exploit fixed,
>> correct?
>>
>> On Thu, Sep 3, 2015 at 4:32 PM, Nathaniel Theis 
>> wrote:
>>
>>> Actually, it looks like that only affects very old versions, (pre-2009 /
>>> aluigi) which have much worse exploits anyways. Sorry for the confusion.
>>>
>>> On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek 
>>> wrote:
>>>
 I'll let the guys on my sourcemod's team who are looking into it know,
 thanks.

 On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis 
 wrote:

> Note that, depending on the engine version you're on (and even SDK
> 2013 may not do this, I haven't checked), setting sv_allowupload 0 may do
> literally nothing; on older versions, sv_allowupload just tells the client
> not to upload anything to the server. The client can ignore it and do it
> anyways.
>
> On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose 
> wrote:
>
>> You'd know if that'd been done as there would be announcements on the
>> various hlds lists about updates for Counter-Strike: Source, Day of 
>> Defeat:
>> Source, and Half-Life 2: Deathmatch.
>>
>> However, what he's actually asking is that Valve update the Source
>> SDK 2013 with these fixes so that game developers can pull the changes 
>> from
>> Github and merge them into their own games' code.
>>
>>
>>
>> On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <
>> proph...@sticed.org> wrote:
>>
>>> He is basically saying that the exploits Nathaniel found and
>>> reported have only been fixed in Valve's main titles. He hasn't found or
>>> reported a new exploit.
>>> I think it has been mentioned by KyleS on one or multiple of these
>>> mailing lists that these exploit fixes should be ported onto other
>>> branches. Apparently that has not been done?
>>>
>>>
>>> On 03.09.2015 22:06, N-Gon wrote:
>>>
>>> Someone give this man an unusual Finder's Fee
>>>
>>> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek wrote:
>>>
 Hi, I'm one of the developers for Team Fortress 2 Classic, a source
 mod project. Recently, someone abused a bug present in Source SDK 2013 
 MP
 to distribute viruses to quite a few of our players and developers. 
 The way
 they did it was by abusing a spray exploit present in the SDK 2013 MP
 edition to upload a file pretending to be a spray to all players and
 executing it. The technical info on how it works from one of our other
 coders will be posted at the end of this email, but here's what you 
 need to
 know as a server owner:

 We don't know how many source games are vulnerable. The big name
 VALVe ones aren't, but any sourcemod probably is. This includes ones on
 steam like Fortress Forever, or Fistful of Frags.

 If you're running a server for a non-VALVe or big-name (Titanfall,
 GMOD, etc.) Source Engine game, then here's what you need to do:

 1. Set sv_upload to 0 on your server.

 2. If you are a TF2C server host, shut your server down and start
 scanning your server for viruses.

 3. Pester valve to fix this ASAP.

 TL;DR:
 Sprays can be exploited to run code on people's systems and break
 into accounts, we've had quite a few CS:GO and TF2 items lifted from
 accounts and moved to trade alts and disappearing after that. Disable
 sprays ASAP if you host a sourcemod multiplayer server.

 Here's the technical info for how stuff works:

 "The vulnerability is triggered by a missing check to see if a
 memory allocation succeeded in the loading of VTFs. When the material is
 loaded, there is space allocated for the material. The crucial option in
 using this exploit is the option to skip mipmaps from the material.
 If, for instance, the 

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread E. Olsen
So, to confirm - Team Fortress 2 has already had this exploit fixed,
correct?

On Thu, Sep 3, 2015 at 4:32 PM, Nathaniel Theis  wrote:

> Actually, it looks like that only affects very old versions, (pre-2009 /
> aluigi) which have much worse exploits anyways. Sorry for the confusion.
>
> On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek 
> wrote:
>
>> I'll let the guys on my sourcemod's team who are looking into it know,
>> thanks.
>>
>> On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis 
>> wrote:
>>
>>> Note that, depending on the engine version you're on (and even SDK 2013
>>> may not do this, I haven't checked), setting sv_allowupload 0 may do
>>> literally nothing; on older versions, sv_allowupload just tells the client
>>> not to upload anything to the server. The client can ignore it and do it
>>> anyways.
>>>
>>> On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose  wrote:
>>>
 You'd know if that'd been done as there would be announcements on the
 various hlds lists about updates for Counter-Strike: Source, Day of Defeat:
 Source, and Half-Life 2: Deathmatch.

 However, what he's actually asking is that Valve update the Source SDK
 2013 with these fixes so that game developers can pull the changes from
 Github and merge them into their own games' code.



 On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <
 proph...@sticed.org> wrote:

> He is basically saying that the exploits Nathaniel found and reported
> have only been fixed in Valve's main titles. He hasn't found or reported a
> new exploit.
> I think it has been mentioned by KyleS on one or multiple of these
> mailing lists that these exploit fixes should be ported onto other
> branches. Apparently that has not been done?
>
>
> On 03.09.2015 22:06, N-Gon wrote:
>
> Someone give this man an unusual Finder's Fee
>
> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek 
> wrote:
>
>> Hi, I'm one of the developers for Team Fortress 2 Classic, a source
>> mod project. Recently, someone abused a bug present in Source SDK 2013 MP
>> to distribute viruses to quite a few of our players and developers. The 
>> way
>> they did it was by abusing a spray exploit present in the SDK 2013 MP
>> edition to upload a file pretending to be a spray to all players and
>> executing it. The technical info on how it works from one of our other
>> coders will be posted at the end of this email, but here's what you need 
>> to
>> know as a server owner:
>>
>> We don't know how many source games are vulnerable. The big name
>> VALVe ones aren't, but any sourcemod probably is. This includes ones on
>> steam like Fortress Forever, or Fistful of Frags.
>>
>> If you're running a server for a non-VALVe or big-name (Titanfall,
>> GMOD, etc.) Source Engine game, then here's what you need to do:
>>
>> 1. Set sv_upload to 0 on your server.
>>
>> 2. If you are a TF2C server host, shut your server down and start
>> scanning your server for viruses.
>>
>> 3. Pester valve to fix this ASAP.
>>
>> TL;DR:
>> Sprays can be exploited to run code on people's systems and break
>> into accounts, we've had quite a few CS:GO and TF2 items lifted from
>> accounts and moved to trade alts and disappearing after that. Disable
>> sprays ASAP if you host a sourcemod multiplayer server.
>>
>> Here's the technical info for how stuff works:
>>
>> "The vulnerability is triggered by a missing check to see if a
>> memory allocation succeeded in the loading of VTFs. When the material is
>> loaded, there is space allocated for the material. The crucial option in
>> using this exploit is the option to skip mipmaps from the material.
>> If, for instance, the first mipmap is skipped, the game will copy the
>> mipmap data to buffer + size of first mipmap. When the memory allocation
>> fails, the buffer will be 0, because that's what malloc returns on out of
>> memory. This means that the only factor determining where the block is put
>> is the size of the first mipmap. This way you can put the
>> data in the second mipmap wherever you want, meaning you can write to a
>> predictable location in memory. This is additionally encouraged due to the
>> fact that ASLR is disabled for the module in question. From that point on
>> ROP is used to mark a controlled memory location executable and transfer
>> control to it, bypassing DEP. The distribution of the malicious material
>> file can be easily done through the use of the spray system, which uploads
>> a custom material to the server and distributes it. This is of course not
>> the only way to distribute it, but 

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Spencer 'voogru' MacDonald
Well you don't have to run valves code.
On Sep 3, 2015 9:45 PM, "Refeek Yeglek"  wrote:

> I shouldn't have to install 3rd party software to secure my servers from
> problems with valve's code.
>
> On Thu, Sep 3, 2015 at 4:32 PM, Kyle Sanderson 
> wrote:
>
>> No, just TF has these Remote Code Execution patches. CS:S and friends are
>> still completely vulnerable to the public issues. Don't kid yourself,
>> there are definitely other vulnerable code paths. Personally, I'm disgusted,
>> as this has been public knowledge for a year now, the exploits dating back
>> to Quake... Sync the games that are still being sold for money.
>>
>> Valve doesn't care about your workstation, your server, anything that
>> runs their completely vulnerable code. Don't play on servers that aren't
>> yours; use SourceMod to secure your servers.
>>
>> Kyle.
>> On 3 Sep 2015 2:39 pm, "Refeek Yeglek"  wrote:
>>
>>> Yeah. The big games have it fixed, sourcemods are at risk here.
>>>
>>> On Thu, Sep 3, 2015 at 1:34 PM, E. Olsen  wrote:
>>>
 So, to confirm - Team Fortress 2 has already had this exploit fixed,
 correct?

 On Thu, Sep 3, 2015 at 4:32 PM, Nathaniel Theis 
 wrote:

> Actually, it looks like that only affects very old versions, (pre-2009
> / aluigi) which have much worse exploits anyways. Sorry for the confusion.
>
> On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek 
> wrote:
>
>> I'll let the guys on my sourcemod's team who are looking into it
>> know, thanks.
>>
>> On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis 
>> wrote:
>>
>>> Note that, depending on the engine version you're on (and even SDK
>>> 2013 may not do this, I haven't checked), setting sv_allowupload 0 may 
>>> do
>>> literally nothing; on older versions, sv_allowupload just tells the 
>>> client
>>> not to upload anything to the server. The client can ignore it and do it
>>> anyways.
>>>
>>> On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose 
>>> wrote:
>>>
 You'd know if that'd been done as there would be announcements on
 the various hlds lists about updates for Counter-Strike: Source, Day of
 Defeat: Source, and Half-Life 2: Deathmatch.

 However, what he's actually asking is that Valve update the Source
 SDK 2013 with these fixes so that game developers can pull the changes 
 from
 Github and merge them into their own games' code.



 On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <
 proph...@sticed.org> wrote:

> He is basically saying that the exploits Nathaniel found and
> reported have only been fixed in Valve's main titles. He hasn't found 
> or
> reported a new exploit.
> I think it has been mentioned by KyleS on one or multiple of these
> mailing lists that these exploit fixes should be ported onto other
> branches. Apparently that has not been done?
>
>
> On 03.09.2015 22:06, N-Gon wrote:
>
> Someone give this man an unusual Finder's Fee
>
> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek <
> iamgoofb...@gmail.com> wrote:
>
>> Hi, I'm one of the developers for Team Fortress 2 Classic, a
>> source mod project. Recently, someone abused a bug present in Source 
>> SDK
>> 2013 MP to distribute viruses to quite a few of our players and 
>> developers.
>> The way they did it was by abusing a spray exploit present in the 
>> SDK 2013
>> MP edition to upload a file pretending to be a spray to all players 
>> and
>> executing it. The technical info on how it works from one of our 
>> other
>> coders will be posted at the end of this email, but here's what you 
>> need to
>> know as a server owner:
>>
>> We don't know how many source games are vulnerable. The big name
>> VALVe ones aren't, but any sourcemod probably is. This includes ones 
>> on
>> steam like Fortress Forever, or Fistful of Frags.
>>
>> If you're running a server for a non-VALVe or big-name (Titanfall,
>> GMOD, etc.) Source Engine game, then here's what you need to do:
>>
>> 1. Set sv_upload to 0 on your server.
>>
>> 2. If you are a TF2C server host, shut your server down and start
>> scanning your server for viruses.
>>
>> 3. Pester valve to fix this ASAP.
>>
>> TL;DR:
>> Sprays can be exploited to run code on people's systems and break
>> into accounts, we've had quite a few CS:GO and TF2 items lifted from

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Refeek Yeglek
I shouldn't have to install 3rd party software to secure my servers from
problems with valve's code.

On Thu, Sep 3, 2015 at 4:32 PM, Kyle Sanderson  wrote:

> No, just TF has these Remote Code Execution patches. CS:S and friends are
> still completely vulnerable to the public issues. Don't kid yourself,
> there are definitely other vulnerable code paths. Personally, I'm disgusted,
> as this has been public knowledge for a year now, the exploits dating back
> to Quake... Sync the games that are still being sold for money.
>
> Valve doesn't care about your workstation, your server, anything that runs
> their completely vulnerable code. Don't play on servers that aren't yours;
> use SourceMod to secure your servers.
>
> Kyle.
> On 3 Sep 2015 2:39 pm, "Refeek Yeglek"  wrote:
>
>> Yeah. The big games have it fixed, sourcemods are at risk here.
>>
>> On Thu, Sep 3, 2015 at 1:34 PM, E. Olsen  wrote:
>>
>>> So, to confirm - Team Fortress 2 has already had this exploit fixed,
>>> correct?
>>>
>>> On Thu, Sep 3, 2015 at 4:32 PM, Nathaniel Theis 
>>> wrote:
>>>
>>>> Actually, it looks like that only affects very old versions (pre-2009
>>>> / aluigi), which have much worse exploits anyways. Sorry for the confusion.
>>>>
>>>> On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek wrote:
>>>>
>>>>> I'll let the guys on my sourcemod's team who are looking into it know,
>>>>> thanks.
>>>>>
>>>>> On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis wrote:
>>>>>
>>>>>> Note that, depending on the engine version you're on (and even SDK
>>>>>> 2013 may not do this, I haven't checked), setting sv_allowupload 0 may do
>>>>>> literally nothing; on older versions, sv_allowupload just tells the client
>>>>>> not to upload anything to the server. The client can ignore it and do it
>>>>>> anyways.
>>>>>>
>>>>>> On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose wrote:
>>>>>>
>>>>>>> You'd know if that'd been done as there would be announcements on
>>>>>>> the various hlds lists about updates for Counter-Strike: Source, Day of
>>>>>>> Defeat: Source, and Half-Life 2: Deathmatch.
>>>>>>>
>>>>>>> However, what he's actually asking is that Valve update the Source
>>>>>>> SDK 2013 with these fixes so that game developers can pull the changes from
>>>>>>> Github and merge them into their own games' code.
>>>>>>>
>>>>>>> On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <
>>>>>>> proph...@sticed.org> wrote:
>>>>>>>
>>>>>>>> He is basically saying that the exploits Nathaniel found and
>>>>>>>> reported have only been fixed in Valve's main titles. He hasn't found or
>>>>>>>> reported a new exploit.
>>>>>>>> I think it has been mentioned by KyleS on one or multiple of these
>>>>>>>> mailing lists that these exploit fixes should be ported onto other
>>>>>>>> branches. Apparently that has not been done?
>>>>>>>>
>>>>>>>> On 03.09.2015 22:06, N-Gon wrote:
>>>>>>>>
>>>>>>>> Someone give this man an unusual Finder's Fee
>>>>>>>>
>>>>>>>> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek <
>>>>>>>> iamgoofb...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi, I'm one of the developers for Team Fortress 2 Classic, a
>>>>>>>>> source mod project. Recently, someone abused a bug present in Source SDK
>>>>>>>>> 2013 MP to distribute viruses to quite a few of our players and developers.
>>>>>>>>> The way they did it was by abusing a spray exploit present in the SDK 2013
>>>>>>>>> MP edition to upload a file pretending to be a spray to all players and
>>>>>>>>> executing it. The technical info on how it works from one of our other
>>>>>>>>> coders will be posted at the end of this email, but here's what you need to
>>>>>>>>> know as a server owner:
>>>>>>>>>
>>>>>>>>> We don't know how many source games are vulnerable. The big name
>>>>>>>>> VALVe ones aren't, but any sourcemod probably is. This includes ones on
>>>>>>>>> steam like Fortress Forever, or Fistful of Frags.
>>>>>>>>>
>>>>>>>>> If you're running a server for a non-VALVe or big-name (Titanfall,
>>>>>>>>> GMOD, etc.) Source Engine game, then here's what you need to do:
>>>>>>>>>
>>>>>>>>> 1. Set sv_upload to 0 on your server.
>>>>>>>>>
>>>>>>>>> 2. If you are a TF2C server host, shut your server down and start
>>>>>>>>> scanning your server for viruses.
>>>>>>>>>
>>>>>>>>> 3. Pester valve to fix this ASAP.
>>>>>>>>>
>>>>>>>>> TL;DR:
>>>>>>>>> Sprays can be exploited to run code on people's systems and break
>>>>>>>>> into accounts; we've had quite a few CS:GO and TF2 items lifted from
>>>>>>>>> accounts and moved to trade alts and disappearing after that. Disable
>>>>>>>>> sprays ASAP if you host a sourcemod multiplayer server.
>>>>>>>>>
>>>>>>>>> Here's the technical info for how stuff works:
>>>>>>>>>
>>>>>>>>> "The vulnerability

Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Nicholas Hastings
It's not just Valve games.

They've also not disclosed any of these issues nor fixes to at least
some developers of third-party Source games, leaving those completely
vulnerable as well.

-- 
Nicholas Hastings
Developer

GameConnect
http://www.gameconnect.net/ 

> Refeek Yeglek 
> Thursday, September 3, 2015 9:43 PM
> I shouldn't have to install 3rd party software to secure my servers
> from problems with valve's code.
>
>
> ___
> To unsubscribe, edit your list preferences, or view the list archives,
> please visit:
> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
> Kyle Sanderson 
> Thursday, September 3, 2015 7:32 PM
> No, just TF has these Remote Code Execution patches. CS:S and friends are
> still completely vulnerable for the public issues. Don't kid yourself,
> there's definitely other vulnerable code paths. Personally, I'm disgusted
> as this has been public knowledge for a year now, the exploits being back
> from Quake... Sync the games that are still being sold for money.
>
> Valve doesn't care about your workstation, your server, anything that runs
> their completely vulnerable code. Don't play on servers that aren't yours;
> use SourceMod to secure your servers.
>
> Kyle.
> Refeek Yeglek 
> Thursday, September 3, 2015 4:37 PM
> Yeah. The big games have it fixed, sourcemods are at risk here.
>
>
> E. Olsen 
> Thursday, September 3, 2015 4:34 PM
> So, to confirm - Team Fortress 2 has already had this exploit fixed,
> correct?
>
>
> Nathaniel Theis 
> Thursday, September 3, 2015 4:32 PM
> Actually, it looks like that only affects very old versions, (pre-2009
> / aluigi) which have much worse exploits anyways. Sorry for the confusion.
>
>



Re: [hlds] PSA: Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack steam accounts.

2015-09-03 Thread Weasels Lair
So, ok wait. Now I am more confused than when the thread started.
Which games still have this exploit?
- TF2? = No/fixed?
- DoD:S = ?
- CS:S = ?
- HL2MP = ?
- Mods like FoF, etc. = ?

Is that old "exploit fix" SourceMod plug-in a fix or not? (it seems old
from 2009).


On Thu, Sep 3, 2015 at 6:55 PM, Nicholas Hastings  wrote:

> It's not just Valve games.
>
> They've also not disclosed any of these issues nor fixes to at least some
> developers of third-party Source games, leaving those completely vulnerable
> as well.
>
> --
> Nicholas Hastings
> Developer
>
> GameConnect
> http://www.gameconnect.net/ 
>
