[HN Gopher] Team Fortress 2 source code has leaked
___________________________________________________________________
Team Fortress 2 source code has leaked

Author : adam_fallon_
Score : 145 points
Date : 2020-04-22 19:33 UTC (3 hours ago)

(HTM) web link (www.techradar.com)
(TXT) w3m dump (www.techradar.com)

| abathur wrote:
| @valvesoftware has commented on Twitter as of ~25m ago, I guess, by retweeting https://twitter.com/CSGO/status/1253075594901774336
|
| VectorLock wrote:
| If the remote code execution thing in CS:GO is true I wonder if it could lead to virtual item theft. We're talking about potential loss of items worth tens of thousands of dollars. I'm sure Valve could eventually recover them but that could be some serious anxiety and opportunity loss for item holders that are affected.
|
| adam_fallon_ wrote:
| So far what I've seen of the RCE has been a way of triggering pop-ups on the start screen - not to say it's not more dangerous than that, but just thought I'd give some context.
|
| Most RCEs aren't carte blanche to run arbitrary code on a user's computer, but are some way of triggering a particular code path on a remote computer.
|
| dmurray wrote:
| RCE by definition involves being able to run arbitrary code, for some reasonable definition of arbitrary. "Triggering a particular code path" doesn't get you anything: if you have a webpage you can trivially make your visitors' computers execute plenty of predictable code paths, like the one to render text to the screen or to send audio to the speakers.
|
| floatingatoll wrote:
| Valve can unwind any item transaction that occurs within their marketplaces under fraudulent circumstances.
|
| [deleted]
|
| trufas wrote:
| The fact that the servers didn't immediately get shut down is pretty irresponsible. There's tens of thousands of people logged in to TF2 who are at risk of having their computers pwned because the TF2 servers are still up.
|
| seabird wrote:
| Valve has no control over user-owned servers, only the listings for the server browser. Valve was informed of this leak years ago. All of this talk of an RCE is pure speculation; the leak hasn't even been out for a day.
|
| It's good to be informed and take steps toward being safe, but we're talking about a leak where any meaningful security flaws have had multiple years to be patched.
|
| deadbunny wrote:
| Valve could shut down the servers they run but there are thousands of community servers they have no control over.
|
| Valve could possibly kill the server browser service for TF2 to stop people searching for servers but then people could just connect directly to the community server of their choice either from their favourites or by IP directly.
|
| They could push an update via Steam which bricks the game completely but that would piss off a metric fuckton of the userbase when the game is still playable with some precautions in place (playing on password protected servers with people you know).
|
| A shutdown as you are suggesting would only work with a game with publisher provided multiplayer servers and no community servers.
|
| I know I for one don't want to live in a world with only publisher provided servers, those games regularly have the servers shut down because they are no longer profitable for the publisher/devs, leaving any remaining community out in the wind.
|
| papermachete wrote:
| There was (is?) also remote code execution on Counter-Strike 1.6 servers Valve didn't act upon for 10+ years.
|
| ghostbrainalpha wrote:
| Once you have the source code, how easy is it to "build" the game?
|
| Using this code could I edit the character models so that certain characters looked like Sesame Street characters and then publish that game to my personal PC for my kids to have fun with?
|
| HideousKojima wrote:
| You could already do that even easier with the modding tools available for TF2
|
| BetaDeltaAlpha wrote:
| Any clues as to Half-Life 3?
|
| gbrown wrote:
| Maybe they should just embrace it and open source the code (without giving away the trademarks). The community is pretty engaged, so I bet it would be a boon for both security and modding.
|
| plopz wrote:
| I don't know what this contains, but many times games cannot be open sourced because they use libraries that would have to be removed before they could open source it.
|
| hutzlibu wrote:
| I've heard this a few times as well, but couldn't the game still be open-sourced just without those libraries?
|
| And anyone who wants to compile it needs a licence for those libraries, which many times is free for noncommercial purposes, or students. Btw. what expensive libraries do exist in that area anyway?
|
| LeoTinnitus wrote:
| They could be using those libraries to make market items being sold.
|
| hutzlibu wrote:
| Ah yeah, the in-game market. A whole different story.
|
| But if it is centralized, you should not be able to tamper with it, much, even if you have your own local version running?
|
| Arelius wrote:
| So I've been involved in this process before. IANAL but the answer is likely yes, but it is complicated.
|
| So, firstly IP rights may not be your only encumbrances, NDAs can be even more restrictive, since leaking information about a library may be covered, for instance.
|
| Additionally, the IP of the game code itself may be encumbered, for instance with publisher agreements, or if your code is derivative, Source for instance may still be considered partially derived from id code, which ZeniMax, or maybe some other party may own, and getting those rights may be difficult (even if some large percentage may be released in the GPL'd id codebases). And if your core engine is IP encumbered, that may not be something you could "just release without".
|
| So then someone is going to have to actually do the work of separating out all the third-party libraries, which may not be trivial depending on how many, and how well separated they are.
|
| Then at any reasonably risk-averse company, somebody is going to have to do an audit, which could be a lot of work.
|
| And then we might not just have other people's files to remove, while it may not be a copyright violation to reference API calls of a copyright work (I'm honestly not sure), it sure could be an NDA violation depending on the NDA. Not to mention code that may be derived from library samples. So you either have to cut out all of that code, or rework it to just not be in violation.
|
| And lastly, most companies care enough about their reputation to not want to just dump a large pile of broken code in the wild (maybe it'd be better if they would) but want to make sure it builds and runs. So once you've removed all those other bits, it may be a lot of work to just get everything building, or running again.
|
| As I understand it, Valve licenses Havok, which they possibly use for any and all collision (or maybe just rigid-body stuff, who knows) and if so, even if you get the game running you may fall through the world, or perhaps not be able to move at all, which is hardly the TF2 we all want open-sourced. And that's just one possible library, maybe they use RAD Granny to do animation, etc.
|
| Or if you want to allow people to buy the licenses to compile it, you still have to do almost all of the above, then set up the infrastructure to download the correct version, and set it up for builds, and that only works if they didn't make any internal modifications, or maybe they can set up a patch file that doesn't violate any copyrights, but that's also work. And that also implies that the company the libraries are licensed from still exists and is still selling, and still offers the old versions the game is built with. And now you have to release the engine under a license that's compatible with the third-party licenses, which given the precedent of using GPL adds some extra complications.
|
| So, yeah, there is a good chance it's possible but there is a varying amount of work, which is most likely at least a lot.
|
| As for libraries that exist in that area, off the top of my head some examples:
|
| * Havok/PhysX, physics library
| * FMod/WWise, audio libraries
| * Natural Motion, animation libraries
| * Everything that RAD Game Tools offers, including audio/video codecs, compressors, animation libraries.
| * Scaleform, animation libraries
| * SpeedTree, tree modelling libraries
| * Enlighten, lighting (global illumination) libraries
| * Platform specific libraries
| * NDA encumbered IHV libraries
|
| Keep in mind, some of these are expensive, but some are more dependent on a corporate relationship, which is not the sort of thing that frequently offers a student or noncommercial version.
|
| gbrown wrote:
| Good point. IP law is such a headache.
|
| quaquaqua1 wrote:
| Reverse engineer everything that is worth reverse engineering!
| :)
|
| usercheto21351 wrote:
| magnet:?xt=urn:btih:21dda6847dde983f2f8063739249d2d1d09a5dda&dn=A
| pril%2022nd%202020%2c%20random%20leaked%20shit.rar&tr=udp%3a%2f%2
| ftracker.openbittorrent.com%3a1337%2fannounce&tr=udp%3a%2f%2ftrac
| ker.opentrackr.org%3a1337%2fannounce
|
| etaioinshrdlu wrote:
| Maybe the community can help recompile the Source engine for 64 bit on macOS now.
|
| taawwwaaayyy wrote:
| I know some may consider this unethical, but in the name of curiosity, copy-left, whatever, here's a link:
|
| https://mega.nz/file/iUN33aBZ#4SsjlU_qixrRp0ifhkw0YTQjMAJhv7...
|
| password: leak
|
| I'll remove this shortly.
|
| Taken from a random forum, so I offer no guarantees.
|
| exabrial wrote:
| Cheats and hacks were already bad enough, I imagine this won't help :( Darn, one of the most fun games I like to play.
|
| Sadly, OSX Catalina killed the game for Mac users because Apple recognized the extreme demand by casual users to break all their old 32bit applications.
|
| ThomPete wrote:
| I literally just downloaded Steam on the Mac to show my boys Team Fortress only to be met by this sad news :(
|
| I really hope something like TF2 resurfaces in some form again. I never liked the feel of Fortnite.
|
| minikites wrote:
| What about Overwatch?
|
| tapland wrote:
| > Overwatch is the first game from Blizzard to hit consoles the same time it was available on Windows PC. It's also the only game from the company that isn't on the Mac
|
| meestaahjoshee wrote:
| If you're gonna game on a Mac, I'd suggest installing Windows via Bootcamp. IME most games simply run better that way anyway and you don't have to deal with the issue of games that aren't macOS compatible.
|
| colinhmit wrote:
| You should check out Overwatch, which I consider to be TF3. They reimplemented many characters 1:1 including soldier (pharah), medic (mercy), demo (junkrat), engi (torj), as well as the 2 point capture and pushthecart modes.
|
| Valorant, a beta game from Riot, is then a blend of Overwatch + CSGO, making it closer to TF2 6s.
|
| markdown wrote:
| The person you're replying to said he was disappointed to find that macOS Catalina can't run TF2. Why recommend a game that won't run on any version of macOS?
|
| meestaahjoshee wrote:
| > I really hope something like TF2 resurfaces in some form again. I never liked the feel of Fortnite.
|
| qqssccfftt wrote:
| Overwatch and TF2 do not really have that much in common. The skill in TF2 is far more movement based.
|
| quaquaqua1 wrote:
| Don't worry, Valve's official statement is that everything is fine and this was already leaked and patched in 2017 :)
|
| gbrown wrote:
| Security by obscurity... isn't.
|
| skykooler wrote:
| I wonder if it would be possible to use this source code to build a 64-bit version?
|
| humaniania wrote:
| What are the odds that this is a black hat move by Epic?
|
| mappu wrote:
| The leak also includes most of something called F-STOP, a cancelled Portal project, that apparently looks like Superliminal: https://www.reddit.com/r/Games/comments/eebagv/gameplay_of_a...
|
| philo23 wrote:
| The F-STOP included in this leak, from my understanding, isn't Valve's prototype. It's just an in-development fan-made game to try and replicate Valve's unreleased prototype.
|
| krackers wrote:
| Here's a gameplay video which I assume is from this leak on account of the upload date: https://www.youtube.com/watch?v=HboQWe3FYbg
|
| klmadfejno wrote:
| I think it's obvious why FStop wasn't finished... It looks boring. The gist seems to be that you can use the device to move and resize objects. Kind of cool but looks hella tedious. I always assumed it was going to be about making different sized portals so you could change size of things (including yourself) by passing through.
|
| Those non-euclidean rooms at the end of the video are sweet though.
| Honestly the most surprising thing is that we didn't actually see any of these in the Portal games given that it's the same exact tech required to make it work as the portals themselves.
|
| Edit: The concept looks boring, not the obviously unfinished tech demo _
|
| notaplumber wrote:
| What is up with the strange sensationalist claims in the article and on Twitter? Source code availability is not a prerequisite to people finding vulnerabilities or RCE exploits in games, there are many established games with open source game clients. Security researchers routinely reverse engineer proprietary software.
|
| Bizarre.
|
| [deleted]
|
| russdill wrote:
| As someone who's reverse engineered large portions of a game with similar tech from the same era, I would be absolutely shocked if there were not remote exploits.
|
| surround wrote:
| If it was open-source from the beginning, there wouldn't have been this problem.
|
| ocdtrekkie wrote:
| Source code availability makes it a lot easier to find vulnerabilities. Open source code is much more likely to already have been audited better. Closed source code often depends more heavily on security by obscurity, and unexpected source release can definitely make vulnerabilities immediately apparent that weren't known prior.
|
| notaplumber wrote:
| I have to believe given the sheer size of these communities, that the source code being available only helped to confirm what was already known. The panic seen here hearkens back to the days when companies made similar ridiculous security claims about open source software compared to proprietary software.
|
| whylie wrote:
| That seems like quite a stretch. The difference between having the source code and not having it is night and day as far as exploring potential vulnerabilities...which is one of the strengths of open source as you point out, but this code was not intended to be || written as open source hence the panic.
| Feel like you missed the mark on this one.
|
| colejohnson66 wrote:
| > Open source code is much more likely to already have been audited better.
|
| Worth keeping in mind this isn't a silver bullet. OpenSSL with Heartbleed comes to mind.
|
| MaxBarraclough wrote:
| Very true, but OpenSSL in particular is rather infamous. Unfortunate given that so much relies on it. https://news.ycombinator.com/item?id=7556407
|
| 3fe9a03ccd14ca5 wrote:
| Every statement you just made is speculation and not backed up by any meaningful data. While it's obviously "easier" to find bugs when you can view the source code, making it one or the other doesn't bestow any magical protections on the software.
|
| d1str0 wrote:
| "Time and effort required" in order to find vulnerabilities is not a magical protection. It is a legitimate protection. Not one that should be relied on, but very much something that factors in. Open sourcing software doesn't immediately improve security, but it drastically lowers the barrier of entry for researchers to start looking into it.
|
| [deleted]
|
| 3fe9a03ccd14ca5 wrote:
| I'm wondering the same thing. Is there any evidence of an RCE bug out in the wild? Or was it just wild speculation because the source code is now available?
|
| Unless they specifically hardcoded a back door into the game, I'm dubious a leak would result in an RCE so quickly, if ever.
|
| trufas wrote:
| Allegedly there's already an exploit in the wild that lets you open a popup in game to all other players in a server. You can find screenshots if you look around the /r/tf2 subreddit.
|
| humaniania wrote:
| "allegedly" means nothing and screenshots are so easy to fake, it's 2020. I want to see concrete proof of this alleged exploit.
|
| res0nat0r wrote:
| I'm assuming that whomever leaked the code modified it and added a remote exploit to the codebase and that's what folks online are referring to. Happens a lot with shady non-scene type of warez.
|
| whymauri wrote:
| > Unless they specifically hardcoded a back door into the game, I'm dubious a leak would result in an RCE so quickly, if ever.
|
| AFAIK, parts of the source code have already been leaked since 2018 amongst certain circles outside Valve. It's only been in the past few days that this is now common knowledge.
|
| whymauri wrote:
| I've been hearing that an RCE for TF2 is confirmed but not for CS:GO or the other leaked code/clients.
|
| runawaybottle wrote:
| Is there some kind of secret agent inside Valve? Half Life 2 source code got leaked before its release date as well (or parts of it).
|
| The TF2 subreddit announcement: https://www.reddit.com/r/tf2/comments/g64t0b/data_leak_warni...
|
| cameronbrown wrote:
| The HL2 code wasn't leaked, it was stolen: https://www.eurogamer.net/articles/2011-02-21-the-boy-who-st...
|
| kroltan wrote:
| Web link: https://www.eurogamer.net/articles/2011-02-21-the-boy-who-st...
|
| cameronbrown wrote:
| Updated to remove AMP link above.
|
| misnome wrote:
| That was 2004, so not a very busy agent...
|
| I'm slightly shocked with the phrasing in that post "It is definitely possible that someone could install a virus on your machine by just being in the same server."
|
| That.... seems like a pretty shocking security hole, unless they are talking about unknown possibilities, in which case the term "definitely" is a bad choice. If this can be done with the source, it could have been done before, no?
|
| MayeulC wrote:
| > If this can be done with the source, it could have been done before, no?
|
| This analysis is on-point, and something a lot of sources seem to miss. A determined actor can find the exact same exploits with and without access to the source code, though I admit it is much more complicated without ("determined").
|
| eswat wrote:
| There are a few RCE disclosures for Valve games related to this previously
|
| - https://hackerone.com/reports/542180
| - https://nvd.nist.gov/vuln/detail/CVE-2020-9005
| - https://nvd.nist.gov/vuln/detail/CVE-2020-7952
| - https://nvd.nist.gov/vuln/detail/CVE-2020-7951
| - https://nvd.nist.gov/vuln/detail/CVE-2020-7950
| - https://nvd.nist.gov/vuln/detail/CVE-2020-7949
|
| MisterTea wrote:
| Servers can distribute custom maps and assets to players so there's a mechanism to download files to a user's computer.
|
| As for uploads, players used to be able to set custom models in Quake 2 which were distributed to other players on the server. Though I am not sure if that was done by server admins in special cases for clan players or members or if there was an actual upload mechanism in the game engine.
|
| MayeulC wrote:
| That sounds pretty reasonable to assume for _any_ game, even those that are singleplayer, if they access the network.
|
| Game code is particularly known to be "spaghetti", "code cowboy"-style, where the result is more important than the form or correctness. I mean, that's art, after all, so that seems obvious.
|
| And do you think a lot of companies update their games after they are out? Most often, the code is definitive, refactors are out of the question, etc. I've never seen a bug that fixes a security issue (CVE), let alone for old titles.
|
| And that's when RCE is not by design. It is in Garry's mod, but that's for client-side mode scripted with Lua, so theoretically sandboxed. Unreal Tournament 99 though, has plenty of servers that put some dlls for "anti-cheat" software on your computer before you join. That one probably isn't sandboxed.
|
| While we talk about anti-cheat software, can we think a moment about everything that could go wrong with a piece of software that has a very deep access to the system, is sometimes in-house, and not necessarily audited, and whose functionality often includes:
|
| * downloading challenges from servers, patch them into RAM and see what happens
| * scan the RAM of the whole system, plus the filesystem, for known exploits
| * upload parts of that RAM and filesystem to random servers for analysis
| * take screenshots, log keypresses, monitor the system and upload all of this.
|
| Takeaway: sandbox your games. There's a reason I run Steam in a flatpak, on Wayland... Convenience is part of it, but that's not the main one.
|
| ccouzens wrote:
| > sandbox your games. There's a reason I run Steam in a flatpak, on Wayland
|
| If flatpak works perfectly, I suppose an attacker could still steal the "cookie" that automatically logs you into Steam.
|
| Ideally you want Steam to be sandboxed, and then Steam to in turn run all the games in individual sandboxes.
|
| gbrown wrote:
| > Unreal Tournament 99 though, has plenty of servers that put some dlls for "anti-cheat" software on your computer before you join.
|
| D:
|
| People put up with that?
|
| ThrowawayR2 wrote:
| Better than putting up with cheaters ruining the game.
|
| d1zzy wrote:
| Battle.net has been doing that since day 1, so if you played any game on Battle.net you have downloaded server provided code and executed locally with the privileges of the user running the game.
|
| (when a client connects to a battle.net server, one of the early handshake steps is to download a fixed named MPQ file, which is a Blizzard proprietary archive protocol which contains a DLL that is loaded and a certain fixed named function runs from it, which will checksum your client binary and send the result to the server to compare and allow you to progress further)
|
| therealidiot wrote:
| For reference, the anti-cheat plugin usually used by Unreal Tournament servers is AntiCheatEngine ("ACE")
|
| https://ace.ut-files.com/index1a8f.html?p=about
|
| wolfd wrote:
| I doubt it, due to how the leak is purportedly from 2017/2018 code, and according to the tweet from SteamDB is the version that is included to Source engine licensees.
|
| The original hl2 code leak was a fan from Germany that hacked into Valve's network and stole a version. https://arstechnica.com/gaming/2016/06/what-drove-one-half-l...
|
| There are YouTube channels like VNN that rely on Valve leaks, but most of it seems like running `strings` on their update files. He does claim to have some inside sources, but they mostly seem to provide social commentary on Valve internal politics.
|
| Cyph0n wrote:
| It was actually leaked to VNN by a Valve employee. VNN then gave it to a small group of friends, one of which went crazy and leaked it.
|
| Refer to this r/Games thread for more details: https://reddit.com/r/Games/comments/g61v4x/_/fo6r9ef/?contex...
|
| arrivance wrote:
| VNN indicates that he never had access to the code.
|
| https://twitter.com/ValveNewsNetwor/status/12529744828321382...
|
| He also re-tweeted this account of the events https://twitter.com/JaycieErysdren/status/125300494000139878...
___________________________________________________________________
(page generated 2020-04-22 23:00 UTC)