from Hacker News

Valve accused of ignoring existing RCE vulnerability in Source games for 2 years

by mxscho on 4/10/21, 3:30 PM with 119 comments

  • by dafelst on 4/10/21, 4:34 PM

    I have a friend who used to work at Valve as a software engineer - he mentioned to me that the entire source networking stack is chock full of unchecked buffers and all sorts of potential for fairly trivial RCEs, but due to Valve's internal structure (or lack thereof) there really isn't any incentive for anyone to fix them.

    This was 5-6 odd years ago and he no longer works there, so things might have changed, but based on this tweet it seems unlikely.

  • by sodality2 on 4/10/21, 5:55 PM

    Dozens of Counter-strike exploits exist and the cheating scene has just grown too rampantly. Valve simply doesn't care about the source engine. Any new CSGO player will tell you the anti-cheat doesn't work, I know first-hand.

    The lack of care regarding source engine netcode extends to every part of the source engine, including Valve Anti-cheat.

    The anti-cheat is trivial to reverse (several PUBLIC bypasses have existed for years on github, with zero patch), the engine source has been leaked, reverse engineered, and fiddled with by thousands of 14 year old kids. It is pathetically easy to bypass, for example, by changing a single byte in memory you can see through walls, see enemy money, etc. See this video I found about how miserably broken it is: https://files.catbox.moe/8e3bxz.mp4

    It is in my opinion the greatest loss to gaming that a classic, legendary game like Counter-strike got completely ruined by lack of care by a company that profits millions off of the case unboxings.

  • by guidovranken on 4/10/21, 6:09 PM

    There's a place for being patient and lenient, but HackerOne consistently seems to not shut down malfunctioning programs that never pay rewards and flat out stop talking to you, yet continue to collect bugs. Such a relationship is commonly called fraud so I suggest reporting HackerOne to the Federal Trade Commission as I have.

    The premise of bug bounties is that the reward amount is at the discretion of the program host and that the time incurred by developing a fix will influence the moment of payout, but refusing to pay and even communicate (for years!) for clearly eligible submissions is well beyond a reasonable interpretation of the conditions, and to consistently keep facilitating this abuse is simply fraudulent.

  • by xyst on 4/10/21, 4:02 PM

    This is why I have a separate machine for "gaming" and "work"

    Some game companies (riot games) even install their anti-cheat software so that is loads in the ring 0 space. Even with their best efforts, cheaters will still prosper.

    Might even go a step further and firewall my gaming machine off from the rest of my network.

  • by mxscho on 4/10/21, 4:06 PM

    According to a tweet that was also retweeted by the user @floesen_ who was mentioned in the original thread, the initial report 2 years ago was done using HackerOne but has probably not seen any helpful response from Valve [1]. There are also other reports of Valve not reacting to HackerOne reports appropriately [2].

    It is currently unclear whether there is a publicly available PoC or any exploitation going on in the wild.

    [1] https://twitter.com/AntiCheatPD/status/1380873722966503426

    [2] https://twitter.com/killa/status/1380872852090540032

  • by gsich on 4/10/21, 4:27 PM

    2 years? Just leak it. At some point "responsible" disclose is not worth it.

  • by Aissen on 4/10/21, 5:55 PM

    Totally believable. Someone I trust in the RE community told me about similar shenanigans when trying to report issues to Valve.

  • by lgats on 4/10/21, 7:45 PM

  • by dkarras on 4/10/21, 8:42 PM

    It would be a shame if an "anonymous hacker" "hacked" @floesen_, found their notes about the RCE and released it to public, accidentally of course.

  • by breakingcups on 4/11/21, 9:03 AM

    At this point, just leak it to Project Zero anonymously and let them wring Valve's hand for you.

    There's a small chance you might still get the bounty, because you reported it first. And if not, because it's already disclosed by another party, you can cry foul on social media.

  • by zokier on 4/10/21, 10:12 PM

    Source engine itself is at least 16 years old, and has pretty direct lineage to the original 21 year old Quake engine (Quake (-> Quake II) -> GoldSrc -> Source). I would be more surprised if there weren't lots of RCEs in it.

  • by rasz on 4/10/21, 10:46 PM

    Imagine you are Valve - why would you fix anything? Your money printer goes Brrr regardless, and legal assures you H1 deal prevent participants from leaking anything.

  • by DanAtC on 4/11/21, 5:48 PM

    Unless you have the clout of Project Zero, "responsible" disclosure is anything but.

    Full disclosure or no disclosure.