[HN Gopher] Team Fortress 2 source code has leaked
       ___________________________________________________________________
        
       Team Fortress 2 source code has leaked
        
       Author : adam_fallon_
       Score  : 145 points
       Date   : 2020-04-22 19:33 UTC (3 hours ago)
        
 (HTM) web link (www.techradar.com)
 (TXT) w3m dump (www.techradar.com)
        
       | abathur wrote:
       | @valvesoftware has commented on Twitter as of ~25m ago, I guess,
       | by retweeting https://twitter.com/CSGO/status/1253075594901774336
        
       | VectorLock wrote:
       | If the remote code execution thing in CS:GO is true I wonder if
       | it could lead to virtual item theft. We're talking about
       | potential loss of items worth tens of thousands of dollars.
       | I'm sure Valve could eventually recover them but that could be
       | some serious anxiety and opportunity loss for item holders that
       | are affected.
        
         | adam_fallon_ wrote:
         | So far what I've seen of the RCE has been a way of triggering
         | pop-ups on the start screen - not to say it's not more
         | dangerous than that, but just thought I'd give some context.
         | 
         | Most RCEs aren't carte blanche to run arbitrary code on a
         | user's computer, but are some way of triggering a particular
         | code path on a remote computer.
        
           | dmurray wrote:
           | RCE by definition involves being able to run arbitrary code,
           | for some reasonable definition of arbitrary. "Triggering a
           | particular code path" doesn't get you anything: if you have a
           | webpage you can trivially make your visitors' computers
           | execute plenty of predictable code paths, like the one to
           | render text to the screen or to send audio to the speakers.
        
         | floatingatoll wrote:
         | Valve can unwind any item transaction that occurs within their
         | marketplaces under fraudulent circumstances.
        
         | [deleted]
        
       | trufas wrote:
       | The fact that the servers didn't immediately get shut down is
       | pretty irresponsible. There's tens of thousands of people logged
       | in to tf2 who are at risk of having their computers pwned because
       | the tf2 servers are still up.
        
         | seabird wrote:
         | Valve has no control over user-owned servers, only the listings
         | for the server browser. Valve was informed of this leak years
         | ago. All of this talk of an RCE is pure speculation; the leak
         | hasn't even been out for a day.
         | 
         | It's good to be informed and take steps toward being safe, but
         | we're talking about a leak where any meaningful security flaws
         | have had multiple years to be patched.
        
         | deadbunny wrote:
         | Valve could shut down the servers they run but there are
         | thousands of community servers they have no control over.
         | 
         | Valve could possibly kill the server browser service for TF2 to
         | stop people searching for servers but then people could just
         | connect directly to the community server of their choice either
         | from their favourites or by IP directly.
         | 
         | They could push an update via steam which bricks the game
         | completely but that would piss off a metric fuckton of the
         | userbase when the game is still playable with some precautions
         | in place (playing on password protected servers with people you
         | know)
         | 
         | A shutdown as you are suggesting would only work with a game
         | with publisher provided multiplayer servers and no community
         | servers.
         | 
         | I know I for one don't want to live in a world with only
         | publisher provided servers, those games regularly have the
         | servers shut down because they are no longer profitable for the
         | publisher/devs leaving any remaining community out in the wind.
        
         | papermachete wrote:
         | There was (is?) also remote code execution on counter-strike
         | 1.6 servers valve didn't act upon for 10+ years.
        
       | ghostbrainalpha wrote:
       | Once you have the source code, how easy is it to "build" the
       | game?
       | 
       | Using this code could I edit the character models so that certain
       | characters looked like Sesame Street characters and then publish
       | that game to my personal PC for my kids to have fun with?
        
         | HideousKojima wrote:
         | You could already do that even easier with the modding tools
         | available for TF2
        
       | BetaDeltaAlpha wrote:
       | Any clues as to Half-Life 3?
        
       | gbrown wrote:
       | Maybe they should just embrace it and open source the code
       | (without giving away the trademarks). The community is pretty
       | engaged, so I bet it would be a boon for both security and
       | modding.
        
         | plopz wrote:
         | I don't know what this contains, but many times games cannot be
         | open sourced because they use libraries that would have to be
         | removed before they could open source it.
        
           | hutzlibu wrote:
           | I've heard this a few times as well, but couldn't the game
           | still be open-sourced just without those libraries?
           | 
           | And anyone who wants to compile it, needs a licence for those
           | libraries, which many times is free for noncommercial
           | purposes, or students. Btw. what expensive libraries do exist
           | in that area anyway?
        
             | LeoTinnitus wrote:
             | They could be using those libraries to make market items
             | being sold.
        
               | hutzlibu wrote:
               | Ah yeah, the ingame market. A whole different story.
               | 
               | But if it is centralized, you should not be able to
               | tamper with it, much, even if you have your own local
               | version running?
        
             | Arelius wrote:
             | So I've been involved in this process before. IANAL but the
             | answer is likely yes, but it is complicated.
             | 
             | So, firstly IP rights may not be your only encumbrances,
             | NDAs can be even more restrictive, since leaking
             | information about a library may be covered, for instance.
             | 
             | Additionally, the IP of the game code itself may be
             | encumbered, for instance with publisher agreements, or if
             | your code is derivative, Source for instance may still be
             | considered partially derived from id code, which ZeniMax,
             | or maybe some other party may own, and getting those rights
             | may be difficult, (even if some large percentage may be
             | released in the GPL'd id codebases) And if your core engine
             | is IP encumbered, that may not be something you could "just
             | release without"
             | 
             | So then someone is going to have to actually do the work of
             | separating out all the third-party libraries, which may not
             | be trivial depending on how many, and how well separated
             | they are.
             | 
             | Then at any reasonably risk-averse company, somebody is
             | going to have to do an audit, which could be a lot of work.
             | 
             | And then we might not just have other people's files to
             | remove, while it may not be a copyright violation to
             | reference API calls of a copyright work (I'm honestly not
             | sure) It sure could be an NDA violation depending on the
             | NDA. Not to mention code that may be derived from library
             | samples. So you either have to cut out all of that code, or
             | rework it to just not be in violation.
             | 
             | And lastly, most companies care enough about their
             | reputation to not want to just dump a large pile of broken
             | code in the wild (Maybe it'd be better if they would) but
             | want to make sure it builds and runs. So once you've
             | removed all those other bits, it may be a lot of work to
             | just get everything building, or running again.
             | 
             | As I understand it, Valve licenses Havok, which they
             | possibly use for any and all collision (or maybe just
             | rigid-body stuff, who knows) and if so, even if you get the
             | game running you may fall through the world, or perhaps not
             | be able to move at all, which is hardly the TF2 we all want
             | open-sourced. And that's just one possible library, maybe
             | they use RAD Granny to do animation, etc.
             | 
             | Or if you want to allow people to buy the licenses to
             | compile it, you still have to do almost all of the above,
             | then set up the infrastructure to download the correct
             | version, and set it up for builds, and that only works if
             | they didn't make any internal modifications, or maybe they
             | can set up a patch file that doesn't violate any copyrights,
             | but that's also work. And that also implies that the
             | company the libraries are licensed from still exists and is
             | still selling, and still offers the old versions the game
             | is built with. And now you have to release the engine under
             | a license that's compatible with the third-party licenses,
             | which given the precedent of using GPL that adds some extra
             | complications.
             | 
             | So, yeah, there is a good chance it's possible but there is
             | a varying amount of work, which is most likely at least a
             | lot.
             | 
             | As for libraries that exist in that area, off the top of my
             | head some examples:
             | 
             | * Havok/PhysX, physics library
             | * FMod/WWise, audio libraries
             | * Natural Motion, animation libraries
             | * Everything that RAD Game Tools offers, including
             |   audio/video codecs, compressors, animation libraries.
             | * Scaleform, animation libraries
             | * SpeedTree, tree modelling libraries
             | * Enlighten, lighting (global illumination) libraries
             | * Platform specific libraries
             | * NDA encumbered IHV libraries
             | 
             | Keep in mind, some of these are expensive, but some are
             | more dependent on a corporate relationship, which is not
             | the sort of thing that frequently offers a student or
             | noncommercial version.
        
           | gbrown wrote:
           | Good point. IP law is such a headache.
        
             | quaquaqua1 wrote:
             | Reverse engineer everything that is worth reverse
             | engineering! :)
        
       | usercheto21351 wrote:
       | magnet:?xt=urn:btih:21dda6847dde983f2f8063739249d2d1d09a5dda&dn=A
       | pril%2022nd%202020%2c%20random%20leaked%20shit.rar&tr=udp%3a%2f%2
       | ftracker.openbittorrent.com%3a1337%2fannounce&tr=udp%3a%2f%2ftrac
       | ker.opentrackr.org%3a1337%2fannounce
        
       | etaioinshrdlu wrote:
       | Maybe the community can help recompile the Source engine for 64
       | bit on macOS now.
        
       | taawwwaaayyy wrote:
       | I know some may consider this unethical, but in the name of
       | curiosity, copy-left, whatever, here's a link:
       | 
       | https://mega.nz/file/iUN33aBZ#4SsjlU_qixrRp0ifhkw0YTQjMAJhv7...
       | 
       | password: leak
       | 
       | I'll remove this shortly.
       | 
       | Taken from a random forum, so I offer no guarantees.
        
       | exabrial wrote:
       | Cheats and hacks were already bad enough, I imagine this won't
       | help :( Darn, one of the most fun games I like to play.
       | 
       | Sadly, OSX Catalina killed the game for Mac users because Apple
       | recognized the extreme demand by casual users to break all their
       | old 32bit applications.
        
         | ThomPete wrote:
         | I literally just downloaded Steam on the mac to show my boys
         | Team Fortress only to be met by this sad news :(
         | 
         | I really hope something like TF2 resurfaces in some form again.
         | I never liked the feel of Fortnite.
        
           | minikites wrote:
           | What about Overwatch?
        
             | tapland wrote:
             | > Overwatch is the first game from Blizzard to hit consoles
             | the same time it was available on Windows PC. It's also the
             | only game from the company that isn't on the Mac
        
               | meestaahjoshee wrote:
               | If you're gonna game on a Mac, I'd suggest installing
               | Windows via Boot Camp. IME most games simply run better
               | that way anyway and you don't have to deal with the issue
               | of games that aren't MacOS compatible.
        
           | colinhmit wrote:
           | You should check out Overwatch, which I consider to be TF3.
           | They reimplemented many characters 1:1 including soldier
           | (pharah), medic (mercy), demo (junkrat), engi (torj), as well
           | as the 2 point capture and pushthecart modes.
           | 
           | Valorant, a beta game from Riot, is then a blend of overwatch
           | + csgo, making it closer to tf2 6s.
        
             | markdown wrote:
             | The person you're replying to said he was disappointed to
             | find that MacOS Catalina can't run TF2. Why recommend a
             | game that won't run on any version of MacOS?
        
               | meestaahjoshee wrote:
               | > I really hope something like TF2 resurfaces in some
               | form again. I never liked the feel of Fortnite.
        
             | qqssccfftt wrote:
             | Overwatch and TF2 do not really have that much in common.
             | The skill in TF2 is far more movement based.
        
           | quaquaqua1 wrote:
           | Don't worry, Valve's official statement is that everything is
           | fine and this was already leaked and patched in 2017 :)
        
         | gbrown wrote:
         | Security by obscurity... isn't.
        
         | skykooler wrote:
         | I wonder if it would be possible to use this source code to
         | build a 64-bit version?
        
       | humaniania wrote:
       | What are the odds that this is a black hat move by Epic?
        
       | mappu wrote:
       | The leak also includes most of something called F-STOP, a
       | cancelled Portal project, that apparently looks like
       | Superliminal:
       | https://www.reddit.com/r/Games/comments/eebagv/gameplay_of_a...
        
         | philo23 wrote:
         | The F-STOP included in this leak, from my understanding, isn't
         | Valve's prototype. It's just an in-development fan-made game to
         | try and replicate Valve's unreleased prototype.
        
         | krackers wrote:
         | Here's a gameplay video which I assume is from this leak on
         | account of the upload date:
         | https://www.youtube.com/watch?v=HboQWe3FYbg
        
           | klmadfejno wrote:
           | I think it's obvious why FStop wasn't finished... It looks
           | boring. The gist seems to be that you can use the device to
           | move and resize objects. Kind of cool but looks hella
           | tedious. I always assumed it was going to be about making
           | different sized portals so you could change size of things
           | (including yourself) by passing through.
           | 
           | Those non-euclidean rooms at the end of the video are sweet
           | though. Honestly the most surprising thing is that we didn't
           | actually see any of these in the portal games given that it's
           | the same exact tech required to make it work as the portals
           | themselves.
           | 
           | Edit: The concept looks boring, not the obviously unfinished
           | tech demo
        
       | notaplumber wrote:
       | What is up with the strange sensationalist claims in the article
       | and on Twitter? Source code availability is not a prerequisite to
       | people finding vulnerabilities or RCE exploits in games, there
       | are many established games with open source game clients.
       | Security researchers routinely reverse engineer proprietary
       | software.
       | 
       | Bizarre.
        
         | [deleted]
        
         | russdill wrote:
         | As someone who's reverse engineered large portions of a game
         | with similar tech from the same era, I would be absolutely
         | shocked if there were not remote exploits.
        
         | surround wrote:
         | If it was open-source from the beginning, there wouldn't have
         | been this problem.
        
         | ocdtrekkie wrote:
         | Source code availability makes it a lot easier to find
         | vulnerabilities. Open source code is much more likely to
         | already have been audited better. Closed source code often
         | depends more heavily on security by obscurity, and unexpected
         | source release can definitely make vulnerabilities immediately
         | apparent that weren't known prior.
        
           | notaplumber wrote:
           | I have to believe given the sheer size of these communities,
           | that the source code being available only helped to confirm
           | what was already known. The panic seen here hearkens back to
           | the days when companies made similar ridiculous security
           | claims about open source software compared to proprietary
           | software.
        
             | whylie wrote:
             | That seems like quite a stretch. The difference between
             | having the source code and not having it is night and day
             | as far as exploring potential vulnerabilities...which is
             | one of the strengths of open source as you point out, but
             | this code was not intended to be || written as open source
             | hence the panic. Feel like you missed the mark on this one.
        
           | colejohnson66 wrote:
           | > Open source code is much more likely to already have been
           | audited better.
           | 
           | Worth keeping in mind this isn't a silver bullet. OpenSSL
           | with Heartbleed comes to mind.
        
             | MaxBarraclough wrote:
             | Very true, but OpenSSL in particular is rather infamous.
             | Unfortunate given that so much relies on it.
             | https://news.ycombinator.com/item?id=7556407
        
           | 3fe9a03ccd14ca5 wrote:
           | Every statement you just made is speculation and not backed
           | up by any meaningful data. While it's obviously "easier" to
           | find bugs when you can view the source code, making it one or
           | the other doesn't bestow any magical protections on the
           | software.
        
             | d1str0 wrote:
             | "Time and effort required" in order to find vulnerabilities
             | is not a magical protection. It is a legitimate protection.
             | Not one that should be relied on, but very much something
             | that factors in. Open sourcing software doesn't immediately
             | improve security, but it drastically lowers the barrier of
             | entry for researchers to start looking into it.
        
         | [deleted]
        
         | 3fe9a03ccd14ca5 wrote:
         | I'm wondering the same thing. Is there any evidence of an RCE
         | bug out in the wild? Or was it just wild speculation because
         | the source code is now available?
         | 
         | Unless they specifically hardcoded a back door into the game,
         | I'm dubious a leak would result in an RCE so quickly, if ever.
        
           | trufas wrote:
           | Allegedly there's already an exploit in the wild that lets
           | you open a popup in game to all other players in a server.
           | You can find screenshots if you look around the /r/tf2
           | subreddit.
        
             | humaniania wrote:
             | "allegedly" means nothing and screenshots are so easy to
             | fake, it's 2020. I want to see concrete proof of this
             | alleged exploit.
        
           | res0nat0r wrote:
           | I'm assuming that whoever leaked the code modified it and
           | added a remote exploit to the codebase and that's what folks
           | online are referring to. Happens a lot with shady non-scene
           | type of warez.
        
           | whymauri wrote:
           | >Unless they specifically hardcoded a back door into the
           | game, I'm dubious a leak would result in an RCE so quickly,
           | if ever.
           | 
           | AFAIK, parts of the source code have already been leaked
           | since 2018 amongst certain circles outside Valve. It's only
           | been in the past few days that this is now common knowledge.
        
         | whymauri wrote:
         | I've been hearing that an RCE for TF2 is confirmed but not for
         | CS:GO or the other leaked code/clients.
        
       | runawaybottle wrote:
       | Is there some kind of secret agent inside Valve? Half Life 2
       | source code got leaked before its release date as well (or parts
       | of it).
       | 
       | The TF2 subreddit announcement:
       | https://www.reddit.com/r/tf2/comments/g64t0b/data_leak_warni...
        
         | cameronbrown wrote:
         | The HL2 code wasn't leaked, it was stolen:
         | https://www.eurogamer.net/articles/2011-02-21-the-boy-who-st...
        
           | kroltan wrote:
           | Web link:
           | https://www.eurogamer.net/articles/2011-02-21-the-boy-who-st...
        
             | cameronbrown wrote:
             | Updated to remove AMP link above.
        
         | misnome wrote:
         | That was 2004, so not a very busy agent...
         | 
         | I'm slightly shocked with the phrasing in that post "It is
         | definitely possible that someone could install a virus on your
         | machine by just being in the same server."
         | 
         | That.... seems like a pretty shocking security hole, unless
         | they are talking about unknown possibilities, in which case the
         | term "definitely" is a bad choice. If this can be done with the
         | source, it could have been done before, no?
        
           | MayeulC wrote:
           | > If this can be done with the source, it could have been
           | done before, no?
           | 
           | This analysis is on-point, and something a lot of sources
           | seem to miss. A determined actor can find the exact same
           | exploits with and without access to the source code, though I
           | admit it is much more complicated without ("determined").
        
           | eswat wrote:
           | There are a few RCE disclosures for Valve games related to
           | this previously
           | 
           | - https://hackerone.com/reports/542180
           | 
           | - https://nvd.nist.gov/vuln/detail/CVE-2020-9005
           | 
           | - https://nvd.nist.gov/vuln/detail/CVE-2020-7952
           | 
           | - https://nvd.nist.gov/vuln/detail/CVE-2020-7951
           | 
           | - https://nvd.nist.gov/vuln/detail/CVE-2020-7950
           | 
           | - https://nvd.nist.gov/vuln/detail/CVE-2020-7949
        
           | MisterTea wrote:
           | Servers can distribute custom maps and assets to players so
           | there's a mechanism to download files to a user's computer.
           | 
           | As for uploads, players used to be able to set custom models
           | in Quake 2 which were distributed to other players on the
           | server. Though I am not sure if that was done by server
           | admins in special cases for clan players or members or if
           | there was an actual upload mechanism in the game engine.
        
           | MayeulC wrote:
           | That sounds pretty reasonable to assume for _any_ game, even
           | those that are singleplayer, if they access the network.
           | 
           | Game code is particularly known to be "spaghetti", "code
           | cowboy"-style, where the result is more important than the
           | form or correctness. I mean, that's art, after all, so that
           | seems obvious.
           | 
           | And do you think a lot of companies update their games after
           | they are out? Most often, the code is definitive, refactors
           | are out of the question, etc. I've never seen a bug that
           | fixes a security issue (CVE), let alone for old titles.
           | 
           | And that's when RCE is not by design. It is in Garry's Mod,
           | but that's for client-side mode scripted with Lua, so
           | theoretically sandboxed. Unreal Tournament 99 though, has
           | plenty of servers that put some dlls for "anti-cheat"
           | software on your computer before you join. That one probably
           | isn't sandboxed.
           | 
           | While we talk about anti-cheat software, can we think a
           | moment about everything that could go wrong with a piece of
           | software that has a very deep access to the system, is
           | sometimes in-house, and not necessarily audited, and whose
           | functionality often includes:
           | 
           | * downloading challenges from servers, patch them into RAM
           | and see what happens
           | 
           | * scan the RAM of the whole system, plus the filesystem, for
           | known exploits
           | 
           | * upload parts of that RAM and filesystem to random servers
           | for analysis
           | 
           | * take screenshots, log keypresses, monitor the system and
           | upload all of this.
           | 
           | Takeaway: sandbox your games. There's a reason I run Steam in
           | a flatpak, on Wayland... Convenience is part of it, but
           | that's not the main one.
        
             | ccouzens wrote:
             | > sandbox your games. There's a reason I run Steam in a
             | flatpak, on Wayland
             | 
             | If flatpak works perfectly, I suppose an attacker could
             | still steal the "cookie" that automatically logs you into
             | Steam.
             | 
             | Ideally you want Steam to be sandboxed, and then Steam to
             | in turn run all the games in individual sandboxes.
        
             | gbrown wrote:
             | > Unreal Tournament 99 though, has plenty of servers that
             | put some dlls for "anti-cheat" software on your computer
             | before you join.
             | 
             | D:
             | 
             | People put up with that?
        
               | ThrowawayR2 wrote:
               | Better than putting up with cheaters ruining the game.
        
               | d1zzy wrote:
               | Battle.net has been doing that since day 1, so if you
               | played any game on Battle.net you have downloaded server
               | provided code and executed locally with the privileges of
               | the user running the game.
               | 
               | (when a client connects to a battle.net server, one of
               | the early handshake steps is to download a fixed named
               | MPQ file, which is a Blizzard proprietary archive
               | protocol which contains a DLL that is loaded and a
               | certain fixed named function runs from it, which will
               | checksum your client binary and send the result to the
               | server to compare and allow you to progress further)
        
               | therealidiot wrote:
               | For reference, the anti-cheat plugin usually used by
               | Unreal Tournament servers is AntiCheatEngine ("ACE")
               | 
               | https://ace.ut-files.com/index1a8f.html?p=about
        
         | wolfd wrote:
         | I doubt it, due to how the leak is purportedly from 2017/2018
         | code, and according to the tweet from SteamDB is the version
         | that is included to Source engine licensees.
         | 
         | The original hl2 code leak was a fan from Germany that hacked
         | into Valve's network and stole a version.
         | https://arstechnica.com/gaming/2016/06/what-drove-one-half-l...
         | 
         | There are YouTube channels like VNN that rely on Valve leaks,
         | but most of it seems like running `strings` on their update
         | files. He does claim to have some inside sources, but they
         | mostly seem to provide social commentary on Valve internal
         | politics.
        
           | Cyph0n wrote:
           | It was actually leaked to VNN by a Valve employee. VNN then
           | gave it to a small group of friends, one of which went crazy
           | and leaked it.
           | 
           | Refer to this r/Games thread for more details:
           | https://reddit.com/r/Games/comments/g61v4x/_/fo6r9ef/?contex...
        
             | arrivance wrote:
             | VNN indicates that he never had access to the code.
             | 
             | https://twitter.com/ValveNewsNetwor/status/12529744828321382...
             | 
             | He also re-tweeted this account of the events
             | https://twitter.com/JaycieErysdren/status/125300494000139878...
        
       ___________________________________________________________________
       (page generated 2020-04-22 23:00 UTC)