
[Developing] Valve accused of not patching several, years old RCE exploits in Source Engine and Steam Integration

rcmaehl

Summary

A group going by "Secret.Club" reports that Valve has refused to acknowledge or patch multiple, years old RCE exploits in the Source Engine.

 

Quotes

Quote

Two years ago, secret club member @floesen_  reported a remote code execution flaw affecting all source engine games. It can be triggered through a Steam invite. This has yet to be patched, and Valve is preventing us from publicly disclosing it. On the topic of our previous thread, we have @brymko, @cffsmith, @scannell_simon, showcasing their remote code execution 0-day for CS:GO. This has been reported to Valve months ago, but they have neither paid them nor acknowledged the exploit. Third times a charm; ...member mev showcases their remote code execution 0-day for CS:GO. This has been reported to Valve 5 months ago with no response from Valve.

 

My thoughts

While it's better to be safe than sorry and not accept invites at this time for Source Games, this isn't the first time someone has cried RCE Exploit! in the Source Community for it to be false, intentionally (see April of last year). Various groups are upset at the state of Source Engine and being shafted from Source 2 or patches entirely (*coughTF2cough*), so take these claims with a grain of salt. The entire group appears to be a newcomer and I see no links to their site on Google.

 

Sources

The Verge

Reddit (PCGaming thread)

Tweet 1

Tweet 2

Tweet 3

Edited by rcmaehl
Add News Source

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


4 minutes ago, rcmaehl said:

A group going by "Secret.Club" reports that Valve has refused to acknowledge or patch multiple, years old RCE exploits in the Source Engine.

Not surprised. Valve doesn't want to be a "Game Studio" anymore. They just want to rake in all that Steam Profit. My friend got a VR headset (The cheaper Facebook Model) and said Half Life Alyx has been pretty good. Like Valve has the talent to make games but doesn't seem interested in it any more.

I just want to sit back and watch the world burn. 


12 minutes ago, rcmaehl said:

This has been reported to Valve months ago, but they have neither paid them nor acknowledged the exploit.

The paid part is the problem. If you report a flaw and want money to show the flaw that is not better than encrypting your data and asking for bitcoin. Usually you post a flaw and a potential fix and get some reward afterwards but not by asking for it in the first place. That's industry policy these days. Them probably playing around with the source code they got through some shady place doesn't help it either. I haven't looked into that supposed issue but if it were that big, I would assume Valve would have fixed it by now and created a workaround for it.


There is not enough info here to actually judge anything. We got 3 tweets and three short videos that frankly means nothing to me since I have no idea what I'm looking at and for all I know there's nothing strange about them.

 

The other issue is that if this is a duplicate ticket, Valve wouldn't be paying them regardless. Even if it's an ongoing issue that has yet to be patched, because it's not high on Valve's priorities.

It's likely something like what has happened to this guy and his unlikely man in the middle attack that requires specific scenarios that wouldn't matter much with proper client isolation:

https://blog.jakegealer.me/valve-a/

 

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


33 minutes ago, TetraSky said:

There is not enough info here to actually judge anything. We got 3 tweets and three short videos that frankly means nothing to me since I have no idea what I'm looking at and for all I know there's nothing strange about them

 

Yes, I've seen no one I trust validate these claims. I'm hoping these are too niche to exploit


4 hours ago, TetraSky said:

There is not enough info here to actually judge anything. We got 3 tweets and three short videos that frankly means nothing to me since I have no idea what I'm looking at and for all I know there's nothing strange about them.

You think it's normal for an invite to a CSGO match to open calculator instead of the game?

 

Number 3 is also pretty scary, it seems to be an exploited map that runs code as soon as the user finishes connecting to the game. This one means the user doesn't even have to click a link, remote code can be executed by them merely joining a game and getting unlucky.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


5 hours ago, Master Disaster said:

You think its normal for an invite to a CSGO match to open calculator instead of the game?

For all I know, from the videos, is that they could be using a hotkey/macro on their keyboard to open the calculator without doing anything in Windows (which is what I do when I want to open the calculator).

That's why I said the videos means nothing to me. There's so many ways to fake it that I'm just skeptical. They don't explain anything in these tweets/videos.
They don't say how to replicate it, how it could happen, how it could be prevented, nothing. All we're seeing is a game invite, game opens > game closes > calculator open. Or join game > calculator open.
This can be faked extremely easily for the sake of making a video and scare the masses. Open game > Alt F4 > Hotkey to open the calculator.

If this RCE requires any sort of physical access to someone's device, or if it's a man in the middle attack or whatever else, it literally won't matter to 99% of the players and I'm not surprised that Valve doesn't care as much.

If it can be run from anywhere in the world, truly simply through a game invite or hacked server (VAC secured server should probably prevent this, no?), then sure, that's bad. But again, the source on this doesn't say anything.

Or am I just missing the obvious here??


40 minutes ago, TetraSky said:

For all I know, from the videos, is that they could be using a hotkey/macro on their keyboard to open the calculator without doing anything in windows(which is what I do when I want to open the calculator).

That's why I said the videos means nothing to me. There's so many ways to fake it that I'm just skeptical. They don't explain anything in these tweets/videos.
They don't say how to replicate it, how it could happen, how it could be prevented, nothing. All we're seeing is a game invite, game opens > game closes > calculator open. Or join game > calculator open.
This can be faked extremely easily for the sake of making a video and scare the masses. Open game > Alt F4 > Hotkey to open the calculator.

If this RCE requires any sort of physical access to someone's device, or if it's a man in the middle attack or whatever else, it literally won't matter to 99% of the players and I'm not surprised that Valve doesn't care as much.

If it can be run from anywhere in the world, truly simply through a game invite or hacked server(VAC secured server should probably prevent this, no?), then sure, that's bad. But again, the source on this doesn't say anything.

Or am I just missing the obvious here??

The secret.club is a group of highly skilled individuals.

"If it can be run from anywhere in the world, truly simply through a game invite or hacked server(VAC secured server should probably prevent this, no?), then sure, that's bad. But again, the source on this doesn't say anything.

Or am I just missing the obvious here??"

 

You are indeed kind of missing the obvious here. This exploit most likely allows the attackers to do anything (arbitrary code).

The secret.club / Floesen is not giving out any technical information as this would mean many people with ill intent could infect thousands of computers with whatever they want.

Read more here:

https://twitter.com/floesen_/status/1380922450431647747?s=20

 

This group of people have no reason to fake an RCE Exploit (3 of them even) when a lot of them have jobs and a good reputation. The issue here isn't that Valve hasn't acknowledged the issue. One of the exploits that was found (Floesen's one) has been paid out his bounty for it and the exploit was verified on H1. But Valve hasn't bothered fixing it for over 2 years now.

 

If you doubt the skill of these people you should read some of their articles;

https://secret.club/

https://revers.engineering/ (This blog belongs to one of the members and 2 other people who are Anti Cheat Engineers @ Riot Games (Vanguard))


11 hours ago, James Evens said:

Might be a problem of properly reporting. Normal support is generally garbage and sometimes tells you to install and run a virus scanner instead of understanding the issue is on their site.

Valve takes part in hacker one:

https://hackerone.com/valve

The person who found the exploit got his exploit verified and bounty paid out by H1. The issue here is that Valve hasn't bothered fixing it for 2+ years now. https://twitter.com/floesen_/status/1380922578185883649?s=20


Didn’t know what was being talked about so I did some googling.  Likely won’t be useful for those who do understand what is going on, but for those such as myself that don’t:

https://developer.valvesoftware.com/wiki/Source_2
https://www.solarwindsmsp.com/blog/remote-code-execution

 

There was at least one claim that the earlier bug was real and really got patched, at least partially.
https://www.csoonline.com/article/3278273/valve-patches-decade-old-bug-that-made-steam-users-pcs-vulnerable.html so something is messed up somewhere. Dunno what or where though.

 

Edited by Bombastinator

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


9 minutes ago, Bombastinator said:

Didn’t know what was being talked about so I did some googling.  Likely won’t be useful for those who do understand what is going on, but for those such as myself that don’t:

https://developer.valvesoftware.com/wiki/Source_2
https://www.solarwindsmsp.com/blog/remote-code-execution

 

There was at least one claim that the earlier bug was real and really got patched, at least partially.
https://www.csoonline.com/article/3278273/valve-patches-decade-old-bug-that-made-steam-users-pcs-vulnerable.html so something is messed up somewhere. Dunno what or where though.

 

The article of the bug you linked is an old one from 2018. There are at least 3 different RCE ones that work still as reported by secret.club.


On 4/11/2021 at 2:29 AM, Donut417 said:

Not surprised. Valve doesn't want to be a "Game Studio" anymore. They just want to rake in all that Steam Profit. My friend got a VR headset (The cheaper Facebook Model) and said Half Life Alyx has been pretty good. Like Valve has the talent to make games but doesn't seem interested in it any more.

That's the weird/interesting thing to me though. They do "nothing" for years and then out of nowhere they drop Half Life Alyx like an atomic bomb to show the VR scene how to make a game (Half Life Alyx is one of the best if not the epitome of VR gaming in my opinion).

 

I like the reasoning behind Half Life and I think HLA fits that bill perfectly, but I will personally take them to my grave if they don't make more HL sequels after Alyx lol.

 

I can't really judge the bug reporting process and why they won't fix it, but as a serious question though, what does Valve still do? Maybe it's not as big a company as I think it is in my mind, but the impression really is that they're just a (figurative) handful of people in an office counting fat stacks all day isn't it.

Crystal: CPU: i7 7700K | Motherboard: Asus ROG Strix Z270F | RAM: GSkill 16 GB@3200MHz | GPU: Nvidia GTX 1080 Ti FE | Case: Corsair Crystal 570X (black) | PSU: EVGA Supernova G2 1000W | Monitor: Asus VG248QE 24"

Laptop: Dell XPS 13 9370 | CPU: i5 10510U | RAM: 16 GB

Server: CPU: i5 4690k | RAM: 16 GB | Case: Corsair Graphite 760T White | Storage: 19 TB


3 minutes ago, tikker said:

That's the weird/interesting thing to me though. They do "nothing" for years and then out of nowhere they drop Half Life Alyx like an atomic bomb to show the VR scene how to make a game (Half Life Alyx is one of the best if not the epitome of VR gaming in my opinion).

Well they sell VR hardware. I've actually considered getting a headset and my living conditions and the price just isn't right...... But I think it's because they sell the hardware and their way of looking at it, they can throw down a Half Life game and get the Half Life crowd to buy a headset.

 

My friend owns the cheap Oculus headset and he has Half Life Alyx. Not sure if he's spent that much time in it. He's been using the headset for Elite Dangerous however and said it's worth it for just that.

I just want to sit back and watch the world burn. 


9 hours ago, Donut417 said:

Well they sell VR hardware. I've actually considered getting a headset and my living conditions and the price just isn't right...... But I think it's because they sell the hardware and their way of looking at it, they can throw down a Half Life game and get the Half Life crowd to buy a headset.

 

My friend owns the cheap Oculus headset and he has Half Life Alyx. Not sure if he's spent that much time in it. He's been using the headset for Elite Dangerous however and said it's worth it for just that.

I have a CV1 which I bought, ppfftt... Summer '17? Yeah, summer '17. So no, I didn't buy it for HL:A - I don't think anyone even knew HL:A was a thing back then.

 

Can confirm that Alyx is amazing - it's basically Valve saying "oh, you thought we didn't make games anymore, did you? TIME TO SMELL THE ASHES!"

 

Full disclosure, though - I am a bit of a Half Life fan, so my opinion on HL:A is a bit biased.


2 hours ago, Nacht said:

Really, Valve? You're supposed to be a good example, not a bad example.

When has Valve been a good example?

I just want to sit back and watch the world burn. 


I've been getting a lot of random friend requests on CS:GO - Steam

but I think that's more to do with me unboxing a knife the other day and they are scammers lol

 

Folding Stats

 

SYSTEM SPEC

AMD Ryzen 5 5600X | Motherboard Asus Strix B550i | RAM 32gb 3200 Crucial Ballistix | GPU Nvidia RTX 3070 Founder Edition | Cooling Barrow CPU/PUMP Block, EKWB Vector GPU Block, Corsair 280mm Radiator | Case NZXT H1 | Storage Sabrent Rocket 2tb, Samsung SM951 1tb

PSU NZXT S650 SFX Gold | Display Acer Predator XB271HU | Keyboard Corsair K70 Lux | Mouse Corsair M65 Pro  

Sound Logitech Z560 THX | Operating System Windows 10 Pro


Just don't get the Valve F**** ups, where one could see others' account details and maybe the payment cards too.

That was a huge mess, then again still not worse than a few big American companies hiding the fact of a lot of personal information leaks or the security issues they had.


13 hours ago, Nacht said:

 

Just private your inventory, I know trading sites may ban you as a result but it's either that or random adds from scammers and phishers.

Yeah that's what I've done now 🙂


On 4/13/2021 at 9:29 AM, Rauten said:

I have a CV1 which I bought, ppfftt... Summer '17? Yeah, summer '17. So no, I didn't buy it for HL:A - I don't think anyone even knew HL:A was a thing back then.

 

Can confirm that Alyx is amazing - it's basically Valve saying "oh, you thought we didn't make games anymore, did you? TIME TO SMELL THE ASHES!"

 

Full disclosure, though - I am a bit of a Half Life fan, so my opinion on HL:A is a bit biased.

It was more Valve saying "You want more Half life? Go buy our $400 hardware first then we'll grace you with more gaming".

 
