I doubt it, due to how the leak is purportedly from 2017/2018 code, and according to the tweet from SteamDB is the version that is included to Source engine licensees.
There are YouTube channels like VNN that rely on Valve leaks, but most of it seems like running `strings` on their update files. He does claim to have some inside sources, but they mostly seem to provide social commentary on Valve internal politics.
tl;dr: A Valve employee in 2016 told Tyler about a few things Valve was working on. Tyler kept the chat log and shared it with friends. Unrelatedly, TF2 and CSGO's code was semi-publicly leaked in 2018, and one of the friends found and held onto that. Tyler and the friends worked on a fan project together named F-Stop, after an unreleased Valve project, but then one of the friends had a falling out with the rest of them and published this stuff together, probably to embarrass him for sharing the chat log and maybe to make him look involved in the TF2/CSGO leak.
I’m slightly shocked with the phrasing in that post “It is definitely possible that someone could install a virus on your machine by just being in the same server.”
That.... seems like a pretty shocking security hole, unless they are talking about unknown possibilities, in which case the term “definitely” is a bad choice. If this can be done with the source, it could have been done before, no?
That sounds pretty reasonable to assume for any game, even those that are singleplayer, if they access the network.
Game code is particularly known to be "spaghetti", "code cowboy"-style, where the result is more important than the form or correctness. I mean, that's art, after all, so that seems obvious.
And do you think a lot of companies update their games after they are out? Most often, the code is definitive, refactors are out of the question, etc. I've never seen a bug that fixes a security issue (CVE), let alone for old titles.
And that's when RCE is not by design. It is in Garry's mod, but that's for client-side mode scripted with Lua, so theoretically sandboxed. Unreal Tournament 99 though, has plenty of servers that put some DLLs for "anti-cheat" software on your computer before you join. That one probably isn't sandboxed.
While we talk about anti-cheat software, can we think a moment about everything that could go wrong with a piece of software that has a very deep access to the system, is sometimes in-house, and not necessarily audited, and whose functionality often includes:
* downloading challenges from servers, patch them into RAM and see what happens
* scan the RAM of the whole system, plus the filesystem, for known exploits
* upload parts of that RAM and filesystem to random servers for analysis
* take screenshots, log keypresses, monitor the system and upload all of this.
Takeaway: sandbox your games. There's a reason I run Steam in a flatpak, on Wayland... Convenience is part of it, but that's not the main one.
I agree, and that's unfortunate, but I value it far less than I value the integrity of my computer and the data on it.
Steam itself has an interesting "Linux runtime" option for games, but it is unclear if that isolates things more than the status quo.
I don't know what I could do, short of replacing every executable in the Steam directory with something that uses a mount namespace or a similar restrictive mechanism before launching the actual executable. Inject a modified libc to perform this on Steam's exec call? I think the ball is in Valve's camp to improve this.
Battle.net has been doing that since day 1, so if you played any game on Battle.net you have downloaded server provided code and executed locally with the privileges of the user running the game.
(when a client connects to a battle.net server, one of the early handshake steps is to download a fixed named MPQ file, which is a Blizzard proprietary archive protocol which contains a DLL that is loaded and a certain fixed named function runs from it, which will checksum your client binary and send the result to the server to compare and allow you to progress further)
I think there's a big difference between the game downloading a DLL straight from the game developers (not all that different from an update) and a game downloading a DLL from a random server you join (that could be run by anyone that you have no reason to trust and that you don't realize you're giving them full read-write access to your computer).
Even if you actually believe this, Riot is not known for their high-quality code. This sounds a bit snarky but is entirely serious: Giving games root rights is bad enough, I absolutely don't want to run anything in kernel space from the same people who wrote the client for League of Legends.
And it's not even about trusting that Riot are not bad actors, Tencent conspiracy nonsense aside, it's about leaving that trash running with that level of access in a way that some malicious process could use to elevate its permissions. That is the (ab)use case that worries me.
As someone who plays CSGO, I agree with you. I wish Valve did something like this. I'm tired of matches getting ruined by cheaters, which happens very often.
Servers can distribute custom maps and assets to players, so there's a mechanism to download files to a user's computer.
As for uploads, players used to be able to set custom models in Quake 2 which were distributed to other players on the server. Though I am not sure if that was done by server admins in special cases for clan payers or members or if there was an actual upload mechanism in the game engine.
> If this can be done with the source, it could have been done before, no?
This analysis is on-point, and something a lot of sources seem to miss. A determined actor can find the exact same exploits with and without access to the source code, though I admit it is much more complicated without ("determined").
No, it's probably some random Steam game downloaded an entire hard drive or network share. It's not like games installed via Steam provide any kind of security or sandbox whatsoever. Every game you download and every library those games use could be downloading all your files, capturing your screen, logging your keyboard, scanning your network for vulnerable devices, etc...
The TF2 subreddit announcement: https://www.reddit.com/r/tf2/comments/g64t0b/data_leak_warni...