I know, I suck at updating my blog lately. I guess it’s because I can use Twitter to post little things now, so don’t feel the need to expand on them in a big blog post.
There’s another big exploit in the Source DS. Basically, it lets clients download and upload any file to/from a server. I haven’t emailed Valve about it – I assume they know and are working on a patch for it asap (which will hopefully be applied to GMod’s server too this time!).
Here’s the post AzuiSleet kindly posted on HLDS:
It seems the upload/download exploits aren’t dead yet, and Valve didn’t do a good job at patching them. A blacklist didn’t work too well. Here is a serverplugin POC to upload and download files. It’s fairly trivial to use:
download_file cfg/server.cfg
upload_file addons/serverplugin_sample.dll
upload_file doesn’t work in TF2, but download_file does. I’m told you can upload DLLs in Gmod and L4D2. Credit to Chrisaster and the rest of the Gmod scene.
Codename “Source Engine Suck Server Pwner” in memory of nitro2o:
http://dl.dropbox.com/u/759758/sourcenginesuck_serverowner.7z
So.. you might want to either shut your servers down for the time being, or protect them. Protecting them involves installing some server addon or something. I haven’t really looked into it too much – so do your own research. I’ve just shut my server down for now (as I was already finding runme.exe in the game folder).
To be honest, this kind of exploit really does surprise me. I’m not the greatest coder in the world but if I was coding some system that allowed clients to upload files to the server – the first thing in my mind would be “don’t let them upload exe’s to the server”. If I was coding something to let clients download stuff from the server, the first thing in my mind would be “don’t let them download any file they want”. But maybe it’s more complicated than that, I dunno.
This could be a really bad problem if someone added rawio and something that allows him to automatically send a virus to a server.
Garry there is one 100% working fix:
sv_allowupload 0
sv_allowdownload 0
sv_downloadurl facepunch.com/fastdl/garrysmod (or whatever)
+ Upload a client’s engine.dll
No idea why you tell us protecting needs an addon (D-FENS)
We have ERA but even then it’s not as secure as closing down your server would be or using the fix that we/people thought up.
Loving the header, people who exploit really need to find something better to do though.
So why exactly did you post what the exploit was and how to use it? Now we could get flocks of minges coming to all the servers that are still up and start destroying them all.
This is Valve we’re talking about here. Anything sensible to us is a patch to come out in six months to them.
The fact that these commands EXIST is something of a mystery to me. Way to go, ValVe.
It seems Valve just fixed the exploit now.
http://bit.ly/6PUcXw
Source never really was a good engine, really. That’s not a matter of bias to say that, either. Valve was doing a lot of new stuff (at the time) while coding it, so it makes sense that they hadn’t ironed out some key design issues by then. And you can only get by so far with patching.
Nice theme Garry, just one small thing I noticed with the header.
font-family: Arial Black;
That’s wrong since Arial Black is actually a weight in the Arial family, so when a browser that uses DirectWrite (say, IE9 and this build of Firefox I’m using) looks up the font it won’t find it and it’ll use a serif font instead.
font-family: 'Arial Black', Arial;
font-weight: 900;
That will work in every case and will make it actually be “bold” to the browser.
Yes they updated it in TF2 but garry has to get their newest version of the engine code and manually apply it, if he can be bothered to do.
@garry – You can’t just upload an exe, the problem is it lets you upload a file like “runme.exe. ” with 3 spaces afterward and the engine drops the last “. ” which leaves the original filename intact and thus is the vulnerability.
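The failure mode described in the comment above, as an added example that is not part of the original post or comments and is not Valve’s code: an extension blacklist checked against the raw name passes “runme.exe. ”, while a check on the normalised name with an allow-list rejects it. The function names and the list of allowed extensions are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <set>
#include <string>

// Strip trailing dots and spaces, as Win32 file APIs do when creating a file.
static std::string strip_trailing(std::string s) {
    while (!s.empty() && (s.back() == '.' || s.back() == ' ')) s.pop_back();
    return s;
}

// Lower-cased text after the last dot ("" if there is no dot).
static std::string extension_of(const std::string& name) {
    auto dot = name.rfind('.');
    if (dot == std::string::npos) return "";
    std::string ext = name.substr(dot + 1);
    std::transform(ext.begin(), ext.end(), ext.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return ext;
}

// WEAK: blacklist applied to the raw name. For "runme.exe. " the extension
// is " ", which is not listed, yet the file lands on disk as "runme.exe".
bool blacklist_allows(const std::string& path) {
    static const std::set<std::string> bad = {"exe", "dll", "bat", "cmd"};
    return bad.count(extension_of(path)) == 0;
}

// HARDENED: judge the name the file system will actually use, keep the path
// relative and free of "..", and accept only known content types.
bool allowlist_allows(const std::string& raw) {
    // Assumed allow-list of game content extensions (hypothetical).
    static const std::set<std::string> ok = {"bsp", "vmt", "vtf", "mdl", "wav", "mp3"};
    if (raw.empty() || raw[0] == '/' || raw[0] == '\\') return false;
    if (raw.find(':') != std::string::npos) return false;   // drive letters, streams
    if (raw.find('\0') != std::string::npos) return false;  // embedded NUL
    std::string component, last;
    for (std::size_t i = 0; i <= raw.size(); ++i) {
        if (i == raw.size() || raw[i] == '/' || raw[i] == '\\') {
            std::string norm = strip_trailing(component);
            // Rejects "", ".", ".." and any name that normalisation would change.
            if (norm.empty() || norm != component) return false;
            last = norm;
            component.clear();
        } else component += raw[i];
    }
    return ok.count(extension_of(last)) == 1;
}
```

Rejecting any component that changes under normalisation, rather than silently cleaning it, keeps the validated name and the stored name identical.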
Buy source games now, source has the most glitches and exploits!
I remember the first time I looked at the Source Engine game source. I was so excited because I was going to look at some of the code behind what people had called an Awesome engine. I was shocked at how badly the code was managed. Well I guess that is what you get when you have a Microsoft programmer running your studio. *cough* Gabe Newell *cough*
*Former Microsoft Programmer
@14:
“Yes they updated it in TF2 but garry has to get their newest version of the engine code and manually apply it, if he can be bothered to do.”
It should be obvious from the blog post, and from the last time that this happened, that Garry doesn’t touch the engine code. As such, it is up to Valve to update this part, and the servers.
You don’t have to install any dumb server plugins, just update the engine.dll from your own Gmod then turn downloading and uploading off with the commands.
You really ought to talk to Valve about them not distributing the new engine files with their server installations.
http://www.facepunch.com/showthread.php?t=856379
Seems as if everything has been updated now.