[HN Gopher] 'Counter Strike' Bug Allows Hackers to Take over a P...
___________________________________________________________________
'Counter Strike' Bug Allows Hackers to Take over a PC with a Steam
Invite
Author : jbegley
Score : 186 points
Date : 2021-04-13 17:46 UTC (5 hours ago)
(HTM) web link (www.vice.com)
| beatrobot wrote:
| Google's Project Zero should look into this. It is not the first
| time that Valve slept on known and reported vulnerabilities.
| Artur96 wrote:
| Just publish the exploit. That'll get Valve off their bottoms
| once public lobbies start to install ransomware with
| cryptominers.
| wnevets wrote:
| People love to complain on HN about how companies like Google
| only incentivize developers to create new revenue streams rather
| than maintaining them; however, _some_ former employees claim
| Valve takes that concept and turns it up to 11.
| TazeTSchnitzel wrote:
| Previous discussion:
| https://news.ycombinator.com/item?id=26762170
| question000 wrote:
| I remember there was a DEFCON talk about anti-cheating measures
| for Counter Strike, and the speaker just noted casually that
| Valve just scans all processes running on your machine during a
| match and determines what's a cheating process and what is not
| via a blacklist. Which begs the question: what can't Valve do via
| Steam?
| hulahoof wrote:
| Reminds me of Warden used (at least in the heyday) by Blizzard
| to prevent cheating in WoW. In the automation community they
| ended up having to use rootkits to hide the process, as
| previous methods of spoofing the return signal were denied in
| Blizzard vs. Glider over EULA infringement.
| ArchOversight wrote:
| Any software running on your machine can do this unless it is
| sandboxed. In fact many games go even further and install
| kernel level rootkits to make sure you are not running
| unapproved software.
|
| See https://www.osnews.com/story/131665/riot-games-maker-of-
| leag...
| oeiiooeieo wrote:
| Valve's development practices are apparently good for a chuckle.
|
| https://www.youtube.com/watch?v=k238XpMMn38
|
| The devs don't seem like they have enough time to deal with the
| code they have to write, let alone respond to security issues.
| (not their fault, of course)
| wqsz7xn wrote:
| The fact that this is wormable is huge.
| jsheard wrote:
| Funnily enough the same group found a wormable exploit in
| Valve's Alien Swarm, a mostly forgotten game with a tiny
| playerbase, and Valve fixed it in 3 months.
|
| https://secret.club/2020/10/30/alien-swarm-rce.html
|
| Meanwhile CS:GO, their flagship game with over a million daily
| peak players, has numerous wormable RCEs reported and ignored
| for as long as 2 years.
|
| Valve works in mysterious ways.
| hn8788 wrote:
| I think the difference with this exploit is that according to
| the people who found the exploit, it affects all Valve games
| that use the Source engine, not just CS:GO like the article
| says. Trying to fix it could end up breaking multiple games
| if it's done incorrectly.
| Forbo wrote:
| > A security researcher alerted Valve about the bug in June of
| 2019.
|
| Holy shit, Valve. Really? Nearly two years later and this is
| still exploitable.
|
| Edit, further on:
|
| > This is not the first time Valve has been slow to respond and
| fix reported vulnerabilities. In 2018, Motherboard reported that
| a security researcher found a bug in Steam that allowed hackers
| to take over victims' computers--a bug that had been present for
| 10 years. In 2019, Valve banned a security researcher from its
| bug bounty program, prompting him to publish the exploit
| publicly.
|
| I'm pretty appalled by this.
| Chlorus wrote:
| The dedicated server situation was (is?) pretty dire back when
| I hosted a few SRCDS instances. Here's a small taste:
| https://wiki.alliedmods.net/SRCDS_Hardening#Current_Exploits
|
| Not to mention that the commands themselves obey absolutely
| zero *NIX conventions at all. Left a bad taste in my mouth ever
| since.
| uncoder0 wrote:
| Now think about this... Steam is running on nearly every
| gamer's PC. That's what I'm more worried about than exploits in
| individual games.
| enjoiful wrote:
| If you want to see something really appalling, look into the
| "coaching bug" that was recently exposed. It was known for
| years by Valve and it wasn't patched. It wasn't until the
| exploit was made public that dozens of professional CS coaches
| were banned.
| weird-eye-issue wrote:
| That wasn't a security or privacy issue, and nobody forced
| those coaches who abused it.
| spicybright wrote:
| I don't know any context on the situation, but if there was
| a mechanic that's known and been around for years, bug or
| not, wouldn't anyone using it have an edge over anyone not
| using it? Therefore people need to use it to stay
| competitive?
| weird-eye-issue wrote:
| No because in sports you have rules that you must follow
| or there are consequences. This bug is considered an
| exploit and therefore it is against the rules to use.
| asdff wrote:
| Yes, but this is esports. Bugs are famously used
| competitively. The entire Super Smash Brothers Melee
| tournament circuit uses bugs to wave run; if you don't
| use the bug you won't be competitive. People practice
| using this bug and others like skipping animations. Most
| competitive FPS games had something similar, like being
| able to reload cancel or bunny hop. Things that are
| legitimately bugs, that you won't learn until you hear
| about them.
| bentcorner wrote:
| Read about the bug:
| https://en.wikipedia.org/wiki/Counter-
| Strike_coaching_bug_sc...
|
| Yes, bugs are used competitively but communities will
| often come to consensus on which bugs are allowed and
| which aren't.
|
| I think for the most part when you see a bug it's easy to
| tell if it'll be acceptable for competitive use. Bugs
| that enable more counterplay or raise skill
| ceilings are usually fine. Bugs that give you an unfair
| advantage or go against the spirit of the game are
| usually not.
|
| FWIW I think bugs in the latter bucket should be fixed
| asap. While you can forbid exploits in a tournament,
| these kinds of bugs can ruin ladder play.
| throwaway3699 wrote:
| Counter-Strike's culture is not like that.
| weird-eye-issue wrote:
| Like I said - "This bug is considered an exploit and
| therefore it is against the rules to use."
|
| Exploits aren't allowed. If a bug isn't considered an
| exploit and isn't explicitly against the rules, it's
| fine to use.
| cthor wrote:
| Are you also under the impression that most Olympic
| medalists aren't doping?
|
| Following the rules doesn't get you very far when
| cheaters don't get punished.
| weird-eye-issue wrote:
| Well in this case the cheaters did get punished. Quite
| harshly. So I'm not sure what your point is, if you even
| had one?
| cthor wrote:
| That the mere existence of rules is not enough. They must
| also be enforced.
|
| Basically, I think you're letting Valve off the hook.
| Sure, the competitors shouldn't cheat, but Valve should
| also make sure they create an environment in which
| cheating isn't incentivised. In the world of software, a
| few years is a long time. Leaving a known bug that gives
| a massive competitive advantage unfixed for that long
| borders on negligence, especially when the fix is
| relatively trivial.
| takoid wrote:
| > It was known for years by Valve and it wasn't patched.
|
| This is not true. Once the exploit became known, Valve
| released an update same day.
| mhh__ wrote:
| It seems genuinely unbelievable it was being used for as
| long as it was without _someone_ finding out.
| MayeulC wrote:
| I've said it before, I'm saying it again: this is the reason I
| sandbox steam (I run it in a flatpak).
|
| Remote code execution vulnerabilities galore in games that
| haven't been patched in decades. UT99 servers can send DLLs, so
| some even did it on purpose back then. It doesn't require much:
| imagine an RSS feed on a game menu. The parser has an RCE. The
| domain name expires. It doesn't take much.
|
| For now, some anti cheat systems do not work on Linux. If that's
| the price to pay for avoiding these invasive tools, then so be
| it. I don't want a 0day in some random anti cheat system to ruin
| my day/year/life.
| antpls wrote:
| Flatpak is backed by Linux containers, which are not designed
| to be secure against hacks. Flatpak (like Snap) is a
| convenience to distribute and install apps, not a security
| protection.
| matheusmoreira wrote:
| Games also require root access to the machine for the sake of DRM
| and ineffective anti-cheating software so it's impossible to
| contain the damage they do.
| cyberlurker wrote:
| No excuses for Valve or the seriousness of this, but I believe
| the user needs to "accept" the invite. I did not see that
| mentioned in the article.
|
| Edit: My mistake, I thought there were accept/deny buttons for
| invites. In the example video they only have a link:
| https://youtu.be/rNQn--9xR1Q
| Godel_unicode wrote:
| The very first sentence in the article is "Hackers could take
| control of victims' computers just by tricking them into
| clicking on a Steam invite"
| sitzkrieg wrote:
| I've been following this for a while and am glad it's getting a
| lot of coverage, since apparently Valve can't be bothered to take
| a break from their money printer to fix a remote code execution!
| gr33nq wrote:
| I have several thousands of hours logged in CS:GO since it was
| released in 2012, and Valve's lack of concern with this
| particular exploit seems to mimic their inattentiveness to so
| many other aspects of the game. With the massive following that
| the Counter Strike franchise has and the boatloads of cash they
| continually bring in from digital cases/keys/skins, they most
| certainly have the resources to put out these types of fires
| immediately. Instead, they have taken a bare minimum approach to
| community outreach and maintaining a game that touts a 26 million
| player count each month [0]. The cheating situation is the most
| prominent example of how little focus the game earns from its
| developers. Compared to how other popular FPS titles (Valorant)
| handle anti-cheat, CS:GO is years behind. It's not uncommon to
| face at least one or two players a day who are using some form of
| cheat (some more obvious than others). Reporting the player does
| nothing, and when you visit their player profile on Steam and see
| accusatory comments about cheating going back months or years,
| you can be confident that your report will have little-to-no
| impact -- chalk it up as a loss and hope for more honest
| opponents next time. I've even seen exploits in the wild that can
| be used to prevent anyone else in the server from reporting a
| cheater in the game's UI; spinbots that can kill an entire team
| with perfect aim accuracy within a couple seconds; bunny hop
| scripts that allow for movement rates that far exceed what is
| normal when running -- basically things that some basic AI/ML
| should be able to detect with relative ease. Fortunately, other
| third-party services have built large player bases by offering
| their own in-house anti-cheat software and matchmaking service
| which is far more effective, but I digress. It's unfortunate to
| see something with such great potential get so little TLC from a
| company that is more than capable.
|
| [0] https://blog.counter-strike.net/
| pbhjpbhj wrote:
| I've recently broken into GN ranks on CSGO and am watching
| suspected cheats ... I can only think the first dozen videos
| are a test of me, because algorithmically spotting the cheating
| seems like it would be super easy. About half of mine so far
| only look at the floor, get only awp headshots. I mean, really?
|
| I guess scammers' money is just as green.
|
| There are loads of farming accounts that just walk in a circle.
| Why do they put those players in matches with real players? If
| you're not going to ban them then at least honeypot them.
|
| All seems needlessly lackadaisical.
| tester756 wrote:
| It's interesting to see, because HN tends to constantly shit on
| Riot because of that anti-cheat.
| mberning wrote:
| You are absolutely right. This lackadaisical attitude towards
| their games was present in CS:S as well. Security, gameplay,
| performance. All of it takes a back seat to milking the cow.
| sseneca wrote:
| I think Valve's ineptitude in regards to CS:GO becomes easier
| to explain when considering their history with Counter Strike.
|
| The game that became 1.6 wasn't even their game. It was a mod
| for the original Half Life and they hired the modders after it
| got popular.
|
| Then CS:Source came around the same time HL2 did. That is to
| say it exists only because HL2 did, and Source is just HL2 with
| guns (lol). It was very divisive in the pro scene and the
| majority of professional players rejected it.
|
| GO's history is even worse. It wasn't even meant to exist at
| first; Hidden Path were porting CS:Source to consoles and Valve
| decided that it could live as its own game. They release it in
| 2012 and, by all accounts, it sucks. Nobody plays it. Things
| begin to change when they create a virtual economy (skins) and
| admittedly do actually improve the game a fair bit. It's only
| when the game sees those improvements (2013-14?) that the pro
| scene _finally_ moves from 1.6 to GO.
|
| So the situation in 2021: The most popular game on Steam is a
| game which, according to Valve themselves, shares 75-85% of its
| code with a game released almost 20 years ago (Half Life 2),
| and which everybody knows is a complete and utter mess under
| the hood (thanks in part to the source code getting leaked,
| also thanks to ex-devs sharing their stories of their time
| working on CS:GO). This along with Valve being notorious for
| just not having the internal incentive structures to get bugs
| fixed (hence GO's spaghetti code)... it's easier to understand
| (but not excuse!) Valve's attitude for serious security flaws
| like these.
|
| I am similar to you in that I have about 1000 hours in CS:GO,
| and I've spent many 1000s of hours watching the pro scene. I
| love Counter Strike, but with Valve the way it is, I don't see
| how these fundamental flaws will ever get fixed. Look at how
| they're allowing Valorant to decimate the North American CS
| scene, just like they allowed Overwatch to take from TF2's
| player base back in 2016.
| ep103 wrote:
| I looked into what was going on with CS:Go after trying to get
| back into it a few years ago, and noticing just how
| horrifically bad the amount of cheating was.
|
| The most damning thing for me wasn't just the subreddits
| dedicated to just indexing valve's lack of attention, or the
| way they appear to genuinely make money off of the cheating
| ecosystem.
|
| The worst was when I learned that VAC (their anti-cheating
| platform, IIRC) was so bad (at the time) that it appeared to
| only ban exact binary matches for detected cheats.
|
| So if you wrote a cheat, that eventually, ages later did end up
| getting banned by VAC, all you would have to do would be to go
| back to your source, rename a few functions and files,
| recompile to a new binary, and you'd be good to go again.
|
| As a sidenote, I just attempted to find the article that
| documented what I said above, and I found GitHub repositories
| like this instead: https://github.com/danielkrupinski/VAC-Bypass
| The fact that things like this are front page Google
| responses to phrases like "VAC Ban" (what I typed in Google)
| really demonstrates just how abysmal Valve's performance is
| here.
| ArchOversight wrote:
| That VAC Bypass is rather crude... but I guess it works.
|
| When my friends and I wrote some cheats in the past we used
| to hook VAC so that when it wanted to run we'd unload our
| hooks/cheats and let it complete scanning as normal, then
| once VAC was completed we'd re-hook and re-load our
| library/hooks.
|
| This also allowed us to iterate on development by having
| live-reload of the .dll on disk by unhooking, reloading dll,
| and rehooking.
|
| This was back in the days of Counter Strike: Source, when it
| first came out.
|
| The day it was first released on macOS was fun too... Valve
| forgot to strip debug symbols on their macOS, so we were able
| to dump all of the debug symbols and get a much better idea
| on what to hook/look for and what the various structures were
| used for!
| MayeulC wrote:
| On the other hand, I cheated once (I was bored with TF2's new
| gameplay, and a teenager) _11 years ago_ , and got a lifetime
| VAC ban, while most die-hard cheaters would probably laugh it
| off and create a new account (especially now that it is f2p).
| Lifetime bans hardly seem proportional if you are on the
| receiving side.
|
| The solution to cheating problems isn't necessarily
| technical, it's also social, and I think it reflects a bigger
| issue in our society, also present on social platforms. When
| anyone can interact with strangers and behave however they
| want, there's going to be trolls and others, motivated by the
| feeling that they can't be held accountable for ruining
| someone else's fun (or, just not realizing they are not
| having healthy interactions).
|
| Lots of online platforms have developed lots of ways to cope
| with this, from karma systems to moderators, to social
| credits, to ID verification. Couldn't games take a page from
| that book?
| asdff wrote:
| It sucks that developers only crack down on cheating when
| it hurts a revenue stream. I'm sure if people figured out
| how to clone hats, Valve would hire an entire independent
| team to come in and work overtime for a blank check until
| it's fixed.
|
| Rockstar only cared about cheating in GTA5 because people
| were duplicating in game money that Rockstar was trying to
| sell you for real money. They didn't care about cheating in
| GTA4 because it didn't affect any potential revenue since
| it only affected people who had already bought the game.
| xahrepap wrote:
| I had a brand new computer that I built at the start of the
| year. 100% new hardware. Brand new install of Windows.
| Installed Steam, installed CS:GO. And I was unable to play
| because Steam flagged my system for cheating. The fix was
| to run some random steam exe found in the steam install
| directory. I guess it caused Steam to re-scan my system?
|
| Not the same level of frustration as a permaban. But I was
| pretty annoyed that I had to jump through hoops on a brand-
| new system. Really weird.
| asdff wrote:
| Steam is terrible software. It's been losing track of my
| games lately, so every time I want to play something I
| have to wait around for 5 minutes or so for steam to
| rediscover the local game files it had already installed.
| Download management is terrible too, frequently coming to
| a crawl or stopping entirely. It's not my ISP throttling
| me, either, because this only happens with steam and not
| when I am downloading other massive things from other
| places.
| rland wrote:
| TF2 is exactly the same. It's a great game, tons of people
| still buying items from the store, just slowly being choked out
| by developer neglect.
|
| I guess they're just printing so much money from the steam
| store that it's hard for anyone to care any more. I'm curious
| if we will ever see a great game out of valve again.
| scotth wrote:
| Did you try Half-Life: Alyx? It was incredible, imho. I can't
| stop going back to it.
| marcinzm wrote:
| Hasn't Valve been in the news a number of times now for ignoring
| bugs and strong-arming people on HackerOne into not disclosing
| them?
|
| At this point you should probably assume all of Valve's products
| are riddled with security bugs that are being sold to the highest
| bidder and act accordingly.
| brundolf wrote:
| Worth noting that it requires clicking the invite. Still bad, but
| something you can easily avoid if you know to be suspicious.
| petee wrote:
| It's not going to be suspicious if someone's account is
| compromised, or gets a virus that sends an invite to all their
| friends. Official interfaces like 'invite' should never need
| to be viewed with suspicion.
| ziml77 wrote:
| Suspicious of an invite? Back around my college years it was
| very common to get an unexpected invite to a game. Usually
| friends decided they wanted to play a game and then want to
| grab whatever other friends are available to fill out their
| team. In that case you just spam invites and take the first
| people who accept it.
| brundolf wrote:
| Personally I usually text or am texted by the relevant
| friends, we jump in Discord, and then we hop into a game,
| pretty much in that order.
| JakeTheAndroid wrote:
| If it's not someone you just played with and isn't on your
| friends list, I feel like most people don't really interact
| with the message. CSGO has had so many skin scammers through
| chats that it's basically expected that you're being hit up
| by someone trying to get into your account for skins or trade
| scam you.
|
| This is much worse than those situations, but luckily (and
| unluckily) I think the CSGO culture is fairly prepared to
| avoid random invites to parties.
| dubbel wrote:
| If the attacker gets code execution on just one victim, it
| should be possible to send invites to all of their friends.
| So you can't rely on just interacting with people you know
| well.
| jsheard wrote:
| The invite exploit is far from the only one, supposedly:
|
| - RCE through malicious game invite (reported 2 years ago)
|
| https://twitter.com/the_secret_club/status/13808687591292969...
|
| - RCE through loading a malicious map/level (reported 5 months
| ago)
|
| https://twitter.com/the_secret_club/status/13809661705227509...
|
| - RCE through connecting to a malicious game server (reported
| "months" ago)
|
| https://twitter.com/the_secret_club/status/13809601207257333...
|
| - RCE through connecting to a malicious game server, again
| (reported 2 years ago)
|
| https://twitter.com/the_secret_club/status/13812019496479047...
|
| - RCE through connecting to a malicious game server, again,
| again (reported a year ago)
|
| https://twitter.com/bienpnn/status/1381616325391384577
|
| The creator of SteamDB also says he was paid for an exploit
| that was never fixed...
|
| https://twitter.com/thexpaw/status/1381621297982103553
|
| ...and one of the above RCE finders says Valve has fixed bugs
| in one game while not fixing it in others
|
| https://twitter.com/bienpnn/status/1381627400467804161
| [deleted]
___________________________________________________________________
(page generated 2021-04-13 23:01 UTC)