I shouldn't have to install 3rd party software to secure my servers from
problems with Valve's code.

On Thu, Sep 3, 2015 at 4:32 PM, Kyle Sanderson <[email protected]> wrote:

> No, just TF has these Remote Code Execution patches. CS:S and friends are
> still completely vulnerable for the public issues. Don't kid yourself,
> there's definitely other vulnerable code paths. Personally, I'm disgusted
> as this has been public knowledge for a year now, the exploits being back
> from Quake... Sync the games that are still being sold for money.
>
> Valve doesn't care about your workstation, your server, anything that runs
> their completely vulnerable code. Don't play on servers that aren't yours;
> use SourceMod to secure your servers.
>
> Kyle.
> On 3 Sep 2015 2:39 pm, "Refeek Yeglek" <[email protected]> wrote:
>
>> Yeah. The big games have it fixed, sourcemods are at risk here.
>>
>> On Thu, Sep 3, 2015 at 1:34 PM, E. Olsen <[email protected]> wrote:
>>
>>> So, to confirm - Team Fortress 2 has already had this exploit fixed,
>>> correct?
>>>
>>> On Thu, Sep 3, 2015 at 4:32 PM, Nathaniel Theis <[email protected]>
>>> wrote:
>>>
>>>> Actually, it looks like that only affects very old versions, (pre-2009
>>>> / aluigi) which have much worse exploits anyways. Sorry for the confusion.
>>>>
>>>> On Thu, Sep 3, 2015 at 1:28 PM, Refeek Yeglek <[email protected]>
>>>> wrote:
>>>>
>>>>> I'll let the guys on my sourcemod's team who are looking into it know,
>>>>> thanks.
>>>>>
>>>>> On Thu, Sep 3, 2015 at 1:26 PM, Nathaniel Theis <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Note that, depending on the engine version you're on (and even SDK
>>>>>> 2013 may not do this, I haven't checked), setting sv_allowupload 0 may do
>>>>>> literally nothing; on older versions, sv_allowupload just tells the client
>>>>>> not to upload anything to the server. The client can ignore it and do it
>>>>>> anyways.
>>>>>>
>>>>>> On Thu, Sep 3, 2015 at 1:19 PM, Ross Bemrose <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> You'd know if that'd been done as there would be announcements on
>>>>>>> the various hlds lists about updates for Counter-Strike: Source, Day of
>>>>>>> Defeat: Source, and Half-Life 2: Deathmatch.
>>>>>>>
>>>>>>> However, what he's actually asking is that Valve update the Source
>>>>>>> SDK 2013 with these fixes so that game developers can pull the changes from
>>>>>>> Github and merge them into their own games' code.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Sep 3, 2015 at 4:10 PM, Matthias "InstantMuffin" Kollek <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> He is basically saying that the exploits Nathaniel found and
>>>>>>>> reported have only been fixed in Valve's main titles. He hasn't found or
>>>>>>>> reported a new exploit.
>>>>>>>> I think it has been mentioned by KyleS on one or multiple of these
>>>>>>>> mailing lists that these exploit fixes should be ported onto other
>>>>>>>> branches. Apparently that has not been done?
>>>>>>>>
>>>>>>>>
>>>>>>>> On 03.09.2015 22:06, N-Gon wrote:
>>>>>>>>
>>>>>>>> Someone give this man an unusual Finder's Fee
>>>>>>>>
>>>>>>>> On Thu, Sep 3, 2015 at 3:59 PM, Refeek Yeglek <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi, I'm one of the developers for Team Fortress 2 Classic, a
>>>>>>>>> source mod project. Recently, someone abused a bug present in Source SDK
>>>>>>>>> 2013 MP to distribute viruses to quite a few of our players and developers.
>>>>>>>>> The way they did it was by abusing a spray exploit present in the SDK 2013
>>>>>>>>> MP edition to upload a file pretending to be a spray to all players and
>>>>>>>>> executing it. The technical info on how it works from one of our other
>>>>>>>>> coders will be posted at the end of this email, but here's what you need to
>>>>>>>>> know as a server owner:
>>>>>>>>>
>>>>>>>>> We don't know how many source games are vulnerable. The big name
>>>>>>>>> VALVe ones aren't, but any sourcemod probably is. This includes ones on
>>>>>>>>> Steam like Fortress Forever, or Fistful of Frags.
>>>>>>>>>
>>>>>>>>> If you're running a server for a non-VALVe or big-name (Titanfall,
>>>>>>>>> GMOD, etc.) Source Engine game, then here's what you need to do:
>>>>>>>>>
>>>>>>>>> 1. Set sv_upload to 0 on your server.
>>>>>>>>>
>>>>>>>>> 2. If you are a TF2C server host, shut your server down and start
>>>>>>>>> scanning your server for viruses.
>>>>>>>>>
>>>>>>>>> 3. Pester Valve to fix this ASAP.
>>>>>>>>>
>>>>>>>>> TL;DR:
>>>>>>>>> Sprays can be exploited to run code on people's systems and break
>>>>>>>>> into accounts, we've had quite a few CS:GO and TF2 items lifted from
>>>>>>>>> accounts and moved to trade alts and disappearing after that. Disable
>>>>>>>>> sprays ASAP if you host a sourcemod multiplayer server.
>>>>>>>>>
>>>>>>>>> Here's the technical info for how stuff works:
>>>>>>>>>
>>>>>>>>> "The vulnerability is triggered by a missing check to see if a
>>>>>>>>> memory allocation succeeded in the loading of VTFs. When the material is
>>>>>>>>> loaded, there is space allocated for the material. The crucial option in
>>>>>>>>> the using of this exploit is the option to skip Mipmaps from the material.
>>>>>>>>> If, for instance, the first mipmap is skipped, the game will copy the
>>>>>>>>> mipmap data to buffer + size of first mipmap. When the memory allocation
>>>>>>>>> fails, the buffer will be 0, because that's what malloc returns on out of
>>>>>>>>> memory. This means, that the only factor determining where the block is put
>>>>>>>>> is determined by the size of the first mipmap. This way you can put the
>>>>>>>>> data in the second mipmap wherever you want, meaning you can write to a
>>>>>>>>> predictable location in memory. This is additionally encouraged due to the
>>>>>>>>> fact that ASLR is disabled for the module in question. From that point on
>>>>>>>>> ROP is used to mark a controlled memory location executable and transfer
>>>>>>>>> control to it, bypassing DEP. The distribution of the malicious material
>>>>>>>>> file can be easily done through the use of the spray system, which uploads
>>>>>>>>> a custom material to the server and distributes it. This is of course not
>>>>>>>>> the only way to distribute it, but one used in this case. This is not
>>>>>>>>> absolutely accurate and technical details have been left out due to them
>>>>>>>>> not influencing this exploit."
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> To unsubscribe, edit your list preferences, or view the list
>>>>>>>>> archives, please visit:
>>>>>>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Ross Bemrose
>>>>>>>
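The missing allocation check described in the quoted technical report, shown from the fixing side as an added C example (not part of the original thread and not Valve's code). The header layout, `load_mips`, `failing_alloc` and `TEX_MAX_BYTES` are hypothetical names for illustration; the real VTF format is more complex.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified texture header (NOT the real VTF layout). */
typedef struct { uint32_t mip_count; uint32_t mip_size[8]; } tex_header;
typedef void *(*alloc_fn)(size_t);
enum { TEX_OK = 0, TEX_BAD_HEADER = -1, TEX_TRUNCATED = -2, TEX_NO_MEMORY = -3 };
#define TEX_MAX_BYTES (64u * 1024u * 1024u)  /* assumed cap on file-declared size */
void *failing_alloc(size_t n) { (void)n; return NULL; }  /* simulates out-of-memory */

/* Copy mip levels [skip, mip_count) into one buffer. Skipped levels are not
 * copied but still advance the destination offset, as in the quoted report. */
int load_mips(const tex_header *h, const uint8_t *data, size_t data_len,
              uint32_t skip, alloc_fn alloc, uint8_t **out, size_t *out_len)
{
    uint64_t total = 0; size_t off = 0;
    if (h->mip_count == 0 || h->mip_count > 8 || skip >= h->mip_count)
        return TEX_BAD_HEADER;
    for (uint32_t i = 0; i < h->mip_count; i++) {
        total += h->mip_size[i];
        if (total > TEX_MAX_BYTES)   /* sizes come from the file: bound them */
            return TEX_BAD_HEADER;
    }
    if (total == 0) return TEX_BAD_HEADER;
    if (total > data_len) return TEX_TRUNCATED;
    uint8_t *buf = alloc((size_t)total);
    if (buf == NULL) return TEX_NO_MEMORY;  /* the check the report says was missing */
    memset(buf, 0, (size_t)total);
    for (uint32_t i = 0; i < h->mip_count; i++) {
        if (i >= skip) memcpy(buf + off, data + off, h->mip_size[i]);
        off += h->mip_size[i];   /* with buf == NULL this alone picks the address */
    }
    *out = buf; *out_len = (size_t)total;
    return TEX_OK;
}

int main(void)
{
    const uint8_t file[6] = { 1, 2, 3, 4, 5, 6 };  /* constructed sample data */
    tex_header h = { 2, { 4, 2 } };
    uint8_t *buf = NULL; size_t len = 0;
    int ok = load_mips(&h, file, sizeof file, 1, malloc, &buf, &len);
    free(buf);
    printf("malloc: %d, failing allocator: %d\n", ok,
           load_mips(&h, file, sizeof file, 1, failing_alloc, &buf, &len));
    return 0;
}
```

Bounding the file-declared sizes matters as much as the NULL check, because it stops an untrusted file from requesting an allocation large enough to fail in the first place.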