VAC-Safe Wallhacks, aka sv_pure & $ignorez bypass

#1
0 Frags

[url=https://spiritov.github.io/posts/sv-pure-bypass]https://spiritov.github.io/posts/sv-pure-bypass[/url]

TLDR: I've sent emails to 2 valve employees, and the TF Team, over the last 3 months, but haven't received a reply. I disclosed in my email to the TF Team when I would make this exploit public, to raise awareness and hopefully prioritize creating a fix, and / or make it easier to come up with a community fix in the meantime.

#2
5 Frags

hey guys whatsup

#3
1 Frags

it would be so awesome.
it would be cool.

#4
1 Frags

summer update pls

#5
17 Frags

Bring back [url=https://etf2l.org/forum/general/topic-21038/page-24/?recent=406689]AnAkIn[/url]

#6
Fireside Casts
1 Frags

Issue transferred already per the Github by a Valve Employee

https://github.com/ValveSoftware/source-sdk-2013/issues/1427

#7
8 Frags

[quote=siyo]Issue transferred already per the Github by a Valve Employee

https://github.com/ValveSoftware/source-sdk-2013/issues/1427[/quote]
this (afaik) isn't a valve employee, and it doesn't mean that it will be implemented; this person is literally just a moderator - he marks duplicate issues, sorts them into correct categories, etc.

#8
Fireside Casts
0 Frags

Aww bummer

#9
EssentialsTF
-10 Frags

Now I am not a developer by any means, and not the most technically minded individual. But I really do not see your logic in not only making this public, but providing a step by step guide and posting it on TFTV and two TF2 subreddits.

You claim that this is to "raise awareness and hopefully prioritize creating a fix, and / or make it easier to come up with a community fix in the meantime". Yet, I don't see how making a layman's guide for replicating it public helps Valve in any way. [s]You even disclose to Valve that you intend on making this public in your report with a fixed date, which isn't exactly blackmail but definitely in that ballpark.[/s]

[s]I know that you have been communicating with community leaders / admins about this and that is the way it should have been. Reaching out to only Server Owners and League Operators with these issues and allowing them to share it in their circles is a much safer way of communicating these issues and would allow people to develop countermeasures in some level of secrecy. What you have done in doing this is made AC's already tough job even harder.[/s]

So until Valve fix it in an indeterminate amount of time, you've made a VAC-safe exploit that has been known for around 6 years, to my understanding, much more widely known. In my view this is incredibly irresponsible.

Edit: I've taken out part of my argument in light of people correcting me, many thanks. My overall point still stands however. Valve have public channels not commonly used by the general player base that are more appropriate than TFTV and Reddit, and this is known since you put up the issue on GitHub. I still think providing a step-by-step guide and sharing that with these forums was the wrong step.

#10
-3 Frags

[quote=DrHappiness]Now I am not a developer by any means, and not the most technically minded individual. But I really do not see your logic in not only making this public, but providing a step by step guide and posting it on TFTV and two TF2 subreddits.[/quote]
If this was already spreading around in cheating circles then it probably makes sense to release, but if not then I agree that releasing it publicly doesn't make a lot of sense.

#11
Fireside Casts
3 Frags

Looks like this has been a known issue within AC for a while (at least, the stem of the issue, which is the sv_pure bypass portion with a preloader).

From the [url=https://github.com/ValveSoftware/Source-1-Games/issues/7389#issuecomment-3073437826]Github post[/url] by cukei there was an attempt at preventing the bypass by having the mapmakers run through [url=https://github.com/sv-pure-stuff/sv-pure-bsp-patch]this python script[/url] cukei created, which would have authenticated the map files using MD5 verification. Ultimately it would allow sv_pure to work as intended for attempted visual modifications. If I'm wrong and someone has better input on what has been attempted behind the scenes, feel free to correct me.

#12
19 Frags

thanks for sharing, looks like i can finally get rid of my paid subscription! WE will ALL be using this throughout seasons to come :D

#13
7 Frags

[quote=Jw][quote=DrHappiness]Now I am not a developer by any means, and not the most technically minded individual. But I really do not see your logic in not only making this public, but providing a step by step guide and posting it on TFTV and two TF2 subreddits.[/quote]If this was already spreading around in cheating circles then it probably makes sense to release, but if not then I agree that releasing it publicly doesn't make a lot of sense.[/quote]

It's been known to have already been used in the wild by a few people, and has been known about in those circles for years.

#14
18 Frags

[quote=DrHappiness].[/quote]

disclosing stuff in this way is common for software vulnerabilities, and 3 months is a generous amount of time if the fix does end up boiling down to "add a signature file to check this file wasn't tampered with". for more info, the keyword is Coordinated vulnerability disclosure.

there are significant issues with keeping issues like this behind closed doors and only essentially [i]leaking[/i] this information to certain parties:

[list]
[*] what stops them from leaking it to others who don't have good intentions?
[*] what is actually the common knowledge in the community as it is right now? we already knew about sv_pure bypass stuff with muzzle flashes and the like.
[*] can you imagine what league bans would look like? "why was i banned?" "you used an exploit." "which exploit?" "well we can't tell you since valve hasn't fixed it yet"
[/list]
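
Two posts above describe the same kind of fix: a hash check on the content files (cukei's MD5 script in #11) and "a signature file to check this file wasn't tampered with" (#14). The following is an added example, not part of this thread, not cukei's script and not anything from the Source SDK or sv_pure itself; it is in Go only because the standard library provides Ed25519 and SHA-256 with no dependencies. It builds a digest manifest of the content files and checks it twice: once bare, once only after a detached signature over the manifest verifies. Everything in it is constructed for the demo: the file paths and bytes, the manifest format, the `TamperScenario` walk-through, and the key pair, which is generated on every run; a real deployment would pin the publisher's public key in the verifier and keep the private key off the client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Files stands in for a content directory (path -> bytes). Everything
// put into it below is constructed sample data, not real game files.
type Files map[string][]byte

// BuildManifest emits one "path sha256hex" line per file, sorted by path,
// so identical content always yields identical manifest bytes.
func BuildManifest(files Files) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s %s\n", p, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// VerifyUnsigned is the bare hash-list check: the manifest itself is
// untrusted, so anyone who edits the files can rerun BuildManifest.
// It catches corruption, not deliberate replacement.
func VerifyUnsigned(files Files, manifest []byte) error {
	if string(BuildManifest(files)) != string(manifest) {
		return errors.New("digest mismatch")
	}
	return nil
}

// VerifySigned accepts the manifest only if the publisher's detached
// Ed25519 signature over it verifies, then runs the same digest check.
// A regenerated manifest cannot be re-signed without the private key.
func VerifySigned(pub ed25519.PublicKey, files Files, manifest, sig []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid")
	}
	return VerifyUnsigned(files, manifest)
}

// TamperScenario signs a sample tree, then swaps one texture and
// regenerates the manifest the way a local edit would, and reports
// whether each verifier accepted the tampered tree.
func TamperScenario() (unsignedFooled, signedFooled bool, err error) {
	// Demo key pair, generated per run; a deployment pins pub in the
	// verifier and keeps priv off the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	original := Files{
		"maps/cp_example.bsp":               []byte("constructed sample bsp bytes"),
		"materials/models/player/scout.vtf": []byte("constructed sample texture bytes"),
	}
	manifest := BuildManifest(original)
	sig := ed25519.Sign(priv, manifest) // shipped next to the manifest
	if err := VerifySigned(pub, original, manifest, sig); err != nil {
		return false, false, err // untouched content must pass
	}
	tampered := make(Files, len(original))
	for p, data := range original {
		tampered[p] = data
	}
	tampered["materials/models/player/scout.vtf"] = []byte("constructed replacement texture bytes")
	forged := BuildManifest(tampered)
	unsignedFooled = VerifyUnsigned(tampered, forged) == nil      // true
	signedFooled = VerifySigned(pub, tampered, forged, sig) == nil // false
	return unsignedFooled, signedFooled, nil
}

func main() {
	u, s, err := TamperScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("bare digest list accepted tampered files: %v\n", u)
	fmt.Printf("signed manifest accepted tampered files: %v\n", s)
}
```

The bare digest check accepts the tampered tree because whoever replaced the texture also regenerated the manifest; the signed check rejects it because the regenerated manifest carries no valid signature. SHA-256 stands in for MD5 on purpose: MD5 collisions are practical, and an attacker who gets to choose both the file that is hashed and the file that replaces it can exploit that. The limit to keep in mind is the one post #11 hints at with "preloader": a check that runs inside the client process is only as trustworthy as that process, so signing the manifest raises the cost of tampering with the files but does not by itself answer tampering with the client.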

#15
10 Frags

[quote=DrHappiness]You even disclose to Valve that you intend on making this public in your report with a fixed date, which isnt exactly blackmail but definitely in that ballpark.[/quote]
https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure

it is very funny/silly to me that this is the procedure followed but ah well who the fuck knows anymore

it also makes me laugh at my very serious attempts at not leaking the command that shows you the enemy team's composition (successful so far!)

[quote=siyo]From the [url=https://github.com/ValveSoftware/Source-1-Games/issues/7389#issuecomment-3073437826]Github post[/url] by cukei there was an attempt at trying to prevent the bypass by having the mapmakers run through [url=https://github.com/sv-pure-stuff/sv-pure-bsp-patch]this python script [/url]cukei created, which would have authenticated the map files using MD5 verification. Ultimately it would allow sv_pure to work as intended for attempted visual modifications. If I'm wrong and someone has better input on what has been attempted behind the scenes feel free to correct me[/quote]
before admins get excited [img]https://i.imgur.com/5M6qrqH.png[/img]

#16
35 Frags

Last time someone "revealed" something like this in order to create awareness on this forum, we got a step by step guide on how to modify Spy decloak sounds. We are 6 years later and Valve has not done anything to mitigate that; all it did is put it on the radar of bad actors who didn't previously know. I don't understand how people can look at that and think giving Valve x amount of time to address an even worse issue, and then going public with this will lead to anything. But I would love to be wrong about this.

#17
11 Frags

It's not a security or economy vulnerability, but I still wanted to loosely follow something like Project Zero's [url=https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html?m=0]Vulnerability Disclosure Policy[/url] from my first email. Though, from this FAQ:
[quote=Doesn't disclosing a vulnerability when there's no fix endanger users?]
Since Project Zero typically discloses only one part of an exploit chain, attackers need to perform substantial additional research and development to complete the exploit and make it reliable. Any attacker with the resources and technical skills to turn a bug report into a reliable exploit chain would usually be able to build a similar exploit chain even if we had never disclosed the bug. They would either have the ability to find and exploit their own 0day vulnerabilities, or have access to a range of other interchangeable bugs (e.g. other fixed/disclosed bugs from the past weeks/months).[/quote]

There's no "exploit chain" in this case... it's too simple to do and not really technically difficult at all. If I left out how to reproduce it and was more vague in my bug report and post, it'd take more effort for Valve to read while still being nearly as accessible to exploit for those who wanted to.

#18
-2 Frags

[quote=ashley][quote=Jw]If this was already spreading around in cheating circles then it probably makes sense to release, but if not then I agree that releasing it publicly doesn't make a lot of sense.[/quote]It's been known to have already been used in the wild by a few people, and has been known about in those circles for years.[/quote]
+1 then, hope the benefits of releasing outweigh the costs...

[quote=twiikuu]it also makes me laugh at my very serious attempts at not leaking the command that shows you the enemy team's composition (successful so far!)[/quote]
That is crazy, how long has that been around?

#19
5 Frags

[quote=Jw]That is crazy, how long has that been around?[/quote]
forever probably

#20
17 Frags

looking forward to the rgl announcement next week that binding multiple actions to one button is banned while this goes unmentioned

#21
11 Frags

[quote=Brimstone]looking forward to the rgl announcement next week that binding multiple actions to one button is banned while this goes unmentioned[/quote]
The rule that bans wallhacks needs to be renewed at least once per month, otherwise it automatically expires and wallhacks become allowed

#22
8 Frags

[quote=Adje]Last time someone "revealed" something like this in order to create awareness on this forum, we got a step by step guide on how to modify Spy decloak sounds. We are 6 years later and Valve has not done anything to mitigate that; all it did is put it on the radar of bad actors who didn't previously know. I don't understand how people can look at that and think giving Valve x amount of time to address an even worse issue, and then going public with this will lead to anything. But I would love to be wrong about this.[/quote]

Having had 6 years to think about it I think you're right. The decision was mostly fueled by hearing that at least one player had been using it in invite, and it was relatively unknown (from my pov). My HOPE was that it would show people how easy it is for a player to convince themselves that it was just another tf2 customization like the explosion script, and provide a reference for players to identify if someone responding suspiciously to a spy cloak/uncloak could be exploiting.

I will say 4 years ago I felt extremely vindicated: https://www.teamfortress.tv/post/1008124/cheating-to-hear-spies-is-painfully-easy
But I believe mastercom's fixes have been incorporated into tf2's code, and as far as I'm aware this still works.

I'm removing the instruction part of my post, but I know this is a Pandora's box situation where I have no way to take back the shared knowledge at this point.

I won't suggest mur remove this information, but I do think we have definitively shown that Valve does not care about the competitive integrity of the game. If you don't find something that breaks the money making machine, you probably won't find a Valve employee who cares.