Tweet
[ATTACH=CONFIG]3759[/ATTACH]
There is a post on the Steam section of Reddit by a user that claims he discovered a severe security loophole with Source Engine games. Specifically, it's a problem with multiplayer games running on Source, including games like Team Fortress 2, Counter-Strike: Global Offensive, Garry's Mod, Dota 2, and more. The user claims that he found a way to not only spoof Steam IDs, but he also found a way that would allow malicious server admins to "(write) files on every client."To put it bluntly if this is true, it could be quite harmful if used by the wrong types of people. Here is his Reddit post in full including examples of how he's able to force a server to push an executable to a client.
Short version: If you join any source engine server your PC might be compromised or your steamid stolen& few other exploits.
Not too long ago I've reported 8 exploits involving steam & source engine games. CSGO is affected too.
As a proof of my report not being a lie, I've recorded this video of the hardest to properly abuse exploit. If however more proof is needed, then feel free to ask, but I'm not going to release all of this to the public.
Alright, I added a new POC demonstrating a infection on join ( no one was harmed in the making of this video ) - because I feel like I wasn't taken seriously.
Poc1: https://www.youtube.com/watch?v=K-UXrmvjV04 executeable file automatically getting saved into my startup directory ( aka it would start upon reboot )
Poc2: https://www.youtube.com/watch?v=1oy7YN_fnns another one of the file write everywhere exploits, notice how a bat file gets saved on my desktop:
The exploits involve: Bypassing cmd restrictions, a second method for bypassing cmd restrictions and being able to easily make it persist,
spoofing the friendsid, spoofing the steamid, a second method for spoofing the steamid ( unlike the first, this would affect all steam games and also make steam tell the server that you've successfully authenticated, even though you're just spoofing ). This spoofing affects all steam products.
I've also reported a way to force servers to spoof a higher playercount by sending 2 packets,
and the most dangerous ones: writing files on every client with any contents ANY location ( enough knowledge about encoding algorithms and a lot of fiddling around to write any contents though ), writing files everywhere with any contents, ANY location with a fairly easy method.
This essentially means that all clients are at risk and could be infected with a virus by simply joining a server.
However, since my report didn't get any E-Mail reply yet, I'm hereby warning the players.
Edit: I might wanna add, 4 of these could've been prevented if valve would've fixed the issues behind previous severe exploits, instead of just the exploits themselfs. I saw one of the exploits being abused prior to my report and PSA, so some other people might have knowledge about stuff like SteamID spoofing too.
Not too long ago I've reported 8 exploits involving steam & source engine games. CSGO is affected too.
As a proof of my report not being a lie, I've recorded this video of the hardest to properly abuse exploit. If however more proof is needed, then feel free to ask, but I'm not going to release all of this to the public.
Alright, I added a new POC demonstrating a infection on join ( no one was harmed in the making of this video ) - because I feel like I wasn't taken seriously.
Poc1: https://www.youtube.com/watch?v=K-UXrmvjV04 executeable file automatically getting saved into my startup directory ( aka it would start upon reboot )
Poc2: https://www.youtube.com/watch?v=1oy7YN_fnns another one of the file write everywhere exploits, notice how a bat file gets saved on my desktop:
The exploits involve: Bypassing cmd restrictions, a second method for bypassing cmd restrictions and being able to easily make it persist,
spoofing the friendsid, spoofing the steamid, a second method for spoofing the steamid ( unlike the first, this would affect all steam games and also make steam tell the server that you've successfully authenticated, even though you're just spoofing ). This spoofing affects all steam products.
I've also reported a way to force servers to spoof a higher playercount by sending 2 packets,
and the most dangerous ones: writing files on every client with any contents ANY location ( enough knowledge about encoding algorithms and a lot of fiddling around to write any contents though ), writing files everywhere with any contents, ANY location with a fairly easy method.
This essentially means that all clients are at risk and could be infected with a virus by simply joining a server.
However, since my report didn't get any E-Mail reply yet, I'm hereby warning the players.
Edit: I might wanna add, 4 of these could've been prevented if valve would've fixed the issues behind previous severe exploits, instead of just the exploits themselfs. I saw one of the exploits being abused prior to my report and PSA, so some other people might have knowledge about stuff like SteamID spoofing too.
If true (again, we cannot verify this ourselves right now), your safest bets would be to either avoid playing on Source multiplayer games until Valve issues a fix, or play only on official Valve servers.
The problem with this issue isn't just that it exists. Let's face it, if this is true, it has the potential to be extremely damaging. The problem is that the guy that posted the above on Reddit said he submitted the information to Valve earlier in the day on Saturday. Almost immediately after on the same day, he posted this information on Reddit and Facepunch because he had not yet heard back from Valve. By not waiting even a day after making this issue public, he has potentially made an already bad situation far, far worse.
