A new ban evasion hack?
 

So I have this command called /id that gives me the users steam2/steam3/steam64 ids via GetClientAuthId.

I tried to ban someone via sourcebans and it was telling me 'The ban couldn't be verified' so I tried to check the users profile by getting his steam64 link, only for it to say his profile doesn't exist.

So I finally id'd him and saw this:

[SM] Skully's SteamID: STEAM_ID_STOP_IGNORI | STEAM_ID_STOP_IGNORI | http://steamcommunity.com/profiles/STEAM_ID_STOP_IGNORI

Wat da eff

Re: A new ban evasion hack?
 

Seen this about 2 times this week as well.
The client was banned and still was able to join, you have to IP ban him and it fixes it.
But either way , wonder what can be patched for this regardless to ip banning them.

Re: A new ban evasion hack?
 

The players steamid wasn't validated (probably because your server wasn't connected to Steam - standard Tuesday maintenance window for Valve); unlike sm_ban, SourceBans requires validated steamids (because it is ancient and unmaintained, and thus has not been updated since validation became the default); your sm_id plugin doesn't check the fucking return value of GetClientAuthId and blindly uses the buffer (which is set to STEAMID_STOP_IGNORING_RETVALS because of the number of people like you who think their plugins are too good for error checking, and were reusing the same buffer for multiple calls without clearing it or checking the return value).

Re: A new ban evasion hack?
 

Dang...asherkin beat me to it. Was gonna link this:

https://forums.alliedmods.net/showpo...43&postcount=4

Re: A new ban evasion hack?
 

My plugin actually did have error checking, but I'm not familiar with everything about how steam works so I didn't have proper error checking where I thought I did.

I remember like a year ago I had this problem where it'd just return empty strings if I used it on people who weren't fully in-game yet, and after putting a check in for that I thought it was more or less fixed.

I didn't think it was failing because it was only returning that little undocumented "easter egg error" for one player out of anyone else, and I don't really know much about how steamid validation works.

Since the "error" string wasn't just an empty one like I'd expect, for all I knew a hacker was just trolling me with some nonsense steam id, maybe he was trying to say STOP IGNORANT ADMINS or something. Which I know, is ironic for me to say when a small plugin I made a year ago has the very mistake you want people to avoid.

I feel like if you're going to get mad about people forgetting to check if the call fails, you could've had a note in the damn documentation instead of some easter egg error that's this rare to come across.

Now that I "got lucky" and found out about this I have a hunch behind various other plugins being broken since until now I only somewhat bothered to check if the call fails on whims.

Re: A new ban evasion hack?
 

I guess this is only needed in SM 1.8-1.9 and for CSGO?

There's also "SteamAuthstringValidation" "no" that you can try in configs/core.cfg

Re: A new ban evasion hack?
 

There have always been cases where getting auth id could fail, regardless of game and SM version. Those cases were just more rare before SteamAuthstringValidation existing and being enabled on any game, and also a recent-ish CS:GO update.

The documentation has always said that the function (the old GetClientAuthString and the newer GetClientAuthId) would return false if they failed to retrieve the id. In older SM versions, the buffer passed in wasn't touched, so if you had used decl instead of new, it would have garbage data in it, often a different user's Steam id. That is why we explicitly write the string we do now upon failure.

Re: A new ban evasion hack?
 

asherkin, sounds like one of those facts about Chuck Norris.
Sometimes my server loose connection to steam and can't validate steam id's for a while, though it's not my server's problem. Steam has been working not very well recently.

Re: A new ban evasion hack?
 

I just found out that status will show STEAM_ID_STOP_IGNORING_...

Was status always a sourcemod command?

What is going on there?

Re: A new ban evasion hack?
 

No, you are running a plugin that is hooking and replacing the status command.