
[ANY] SRCDS Server Crasher Exploit Patch [6/27/19]


Author
backwards
AlliedModders Donor
Join Date: Feb 2014
Location: USA
Plugin ID:
6621
Plugin Version:
1
Plugin Category:
Server Management
Plugin Game:
Any
Plugin Dependencies:
    Servers with this Plugin:
     
    Plugin Description:
    This exploit affects all SRCDS versions
    Old 06-27-2019 , 21:26   [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
    Reply With Quote #1

    There's a new exploit in the wild which allows any client to attack the server after connecting if you have sv_allowdownload set to 1. On Linux the servers will most likely restart within 30 seconds if there's a watchdog timer installed. On Windows this exploit can be utilized to cause a Blue Screen Of Death on your dedicated hoster's box. The exploit involves the use of the RequestFile command and has already been reported to Valve (~8 Months ago) through the bounty bug reward program. The report was ignored by the HackerOne Staff because it didn't meet the standards of "crashing the server" ( Report #472858 ). Even though this can lead to a BSOD if used correctly and as shown in my submitted Proof Of Concept. ...

    The exploit's POC was stolen from one of my un-secured dedicated test servers recently by some "Hackers" and now is being sold by them. The POC was written to work on all versions of SRCDS so many servers are at risk until Valve releases an official patch. I've written my own patch for the community to use until that date comes.

    Symptoms of the exploit being used on your server would be to see the text "File '%s' requested from" spammed in your SRCDS console. These messages do not create logs in any document so it may be hard for some users to track what's happening. This is mostly expected to plague CS:GO/CStrike servers currently.

    I've only tested this on css/csgo and it seems to work fine. I'm unaware if any game mode will utilize the request file function after a player connects (for example sprays) but I believe it's handled differently (server sends files rather than client requesting file). Let me know if you run into any issues.

    Edit: Added OnFileReceive Hook as well to prevent clients from spamming file sends to the server. Nopped out a message that still prints on file receive when the server has sv_allowupload set to 0 (Untested Changes) Updated 1/2/2021, Please post a report if it crashes on linux or windows CSGO servers


    Updated 02/03/2023:
    Untested, updated for linux changes.

    Newest version: SendFileFix 3.3.zip
    Attached Files
    File Type: sp Get Plugin or Get Source (SendFileExploitFixV2.sp - 4816 views - 1.7 KB)
    File Type: zip SendFileFix 3.1.zip (7.9 KB, 5769 views)
    File Type: zip SendFileFix 3.3.zip (7.6 KB, 604 views)

    Last edited by backwards; 02-03-2023 at 17:05. Reason: Updated Plugin To Fix Some Issues.
    RumbleFrog
    Great Tester of Whatever
    Join Date: Dec 2016
    Location: Fish Tank
    Old 06-27-2019 , 23:34   Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
    Reply With Quote #2

    Eggcellent

    Last edited by RumbleFrog; 06-27-2019 at 23:35.
    SimpleRealistic
    Junior Member
    Join Date: Oct 2017
    Old 06-27-2019 , 23:44   Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
    Reply With Quote #3

    what a server being crashed from console looks like:



    https://www.youtube.com/watch?v=fMo_Au6QqBo
    me doing it
    Wanheda
    Junior Member
    Join Date: Oct 2017
    Location: Portugal ♥
    Old 06-28-2019 , 08:28   Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
    Reply With Quote #4

    Code:
    RequestCount[client] -= 32;
    why exactly 32?

    Code:
    for (new client = 0; client <= MaxClients; client++)
    iterating through 32 entities and checking if <= is wrong, you should start your for loop with 1 for that, there's no '0' client (let me mention I might be wrong, not sure)

    Code:
    for (new client = 1; client <= MaxClients; client++)
    after some lines you do the same exact thing but correctly, you should always start with 1 if you're checking <=

    anyways, I didn't find any other wrong code besides that

    Last edited by Wanheda; 06-28-2019 at 08:47.
    Pan32
    Member
    Join Date: Dec 2010
    Location: ?
    Old 06-28-2019 , 11:05   Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
    Reply With Quote #5

    Quote:
    Originally Posted by Wanheda View Post
    iterating through 32 entities and checking if <= is wrong, you should start your for loop with 1 for that, there's no '0' client (let me mention I might be wrong, not sure)
    Console is entity 0, although I'm not sure if it's an oversight or the console can play a role in this exploit.

    Also to note, MaxClients varies depending on the number of clients the server can accept, so it could be iterating through 10, 32, 64 or whatever number of players the server is set up to.

    Last edited by Pan32; 06-28-2019 at 15:04.
    dustinandband
    Senior Member
    Join Date: May 2015
    Old 06-28-2019 , 20:35   Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
    Reply With Quote #6

    why does the plugin loop through all clients every 5 seconds and subtract 32 from their RequestCount?
    edit: I'm guessing it's to account for false-positive scenarios in case there's a game mode that happens to send a large amount of files:
    Quote:
    "I'm unaware if any game mode will utilize the request file function after a player connects (for example sprays) but I believe it's handled differently (server sends files rather than client requesting file)."

    Last edited by dustinandband; 06-28-2019 at 21:00. Reason: edit #2
    Xutax_Kamay
    Member
    Join Date: Feb 2016
    Old 06-28-2019 , 21:25   Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
    Reply With Quote #7

    Oh shit man, I feel sorry for you to get your work stolen and not even recognized.
    backwards
    AlliedModders Donor
    Join Date: Feb 2014
    Location: USA
    Old 06-28-2019 , 22:22   Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
    Reply With Quote #8

    Quote:
    Originally Posted by dustinandband View Post
    why does the plugin loop through all clients every 5 seconds and subtract 32 from their RequestCount?

    edit: I'm guessing it's to account for false-positive scenarios in case there's a game mode that happens to send a large amount of files:
    Yes exactly, some game modes will send player sprays/jingle sound after a client is actively in the server. This will prevent a server of 64 slot players with all custom sprays and no map changes causing false positives from happening. When a new client connects on the same map it will count towards the requestcount.
    backwards is offline
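
The console symptom from the first post ("File '%s' requested from" spam) and the decaying per-client counter discussed in the replies above (subtract 32 every 5 seconds), combined into a console-capture detector. This is an added example, not the plugin's code or anything posted in the thread; the timestamp prefix, the source token after "from", the zero clamp and the threshold of 64 are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed capture format: "<epoch seconds> <console line>". Only the text
# "File '...' requested from" is from the thread; the rest is assumed.
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) File '(?P<path>.*)' requested from (?P<src>\S+)")

DECAY_INTERVAL = 5.0  # seconds between decay ticks (from the thread)
DECAY_AMOUNT = 32     # subtracted from each counter per tick (from the thread)
THRESHOLD = 64        # assumed alert level, not taken from the plugin


def detect_request_floods(lines, threshold=THRESHOLD):
    """Return {source: timestamp at which its counter first exceeded threshold}."""
    counts = defaultdict(int)
    last_decay = None
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated console output
        ts, src = float(m.group("ts")), m.group("src")
        if last_decay is None:
            last_decay = ts
        # Apply every decay tick that elapsed since the last one.
        ticks = int((ts - last_decay) // DECAY_INTERVAL)
        if ticks > 0:
            last_decay += ticks * DECAY_INTERVAL
            for key in counts:
                # Clamping at zero is an assumption of this sketch.
                counts[key] = max(0, counts[key] - ticks * DECAY_AMOUNT)
        counts[src] += 1
        if counts[src] > threshold:
            flagged.setdefault(src, ts)
    return flagged


def constructed_sample():
    """Constructed input: a slow downloader and a burst from a second source."""
    events = [(1_000_000, "Server is hibernating")]
    # 40 requests, one every 500 ms (e.g. sprays and sounds after joining).
    events += [(1_000_000 + 500 * i, f"File 'spray{i}.vtf' requested from 198.51.100.7:27005") for i in range(40)]
    # 200 requests within one second from another source.
    events += [(1_010_000 + 5 * i, f"File 'x{i}' requested from 203.0.113.9:27005") for i in range(200)]
    return [f"{ms / 1000:.3f} {text}" for ms, text in sorted(events)]


if __name__ == "__main__":
    print(detect_request_floods(constructed_sample()))
```

With the decay in place the slow downloader never rises above about ten pending requests, while the burst crosses the assumed threshold within the first third of a second.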
    404UserNotFound
    BANNED
    Join Date: Dec 2011
    Old 06-29-2019 , 15:56   Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
    Reply With Quote #9

    Quote:
    Originally Posted by Xutax_Kamay View Post
    Oh shit man, I feel sorry for you to get your work stolen and not even recognized.
    September
    Senior Member
    Join Date: Jul 2015
    Location: Russian Federation
    Old 06-29-2019 , 16:00   Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
    Reply With Quote #10

    In csgo you just need to use sv_allowdownload 0 and sv_allowupload 0.

    This exploit has been running since 2018.