Crash steam server via nonsteam client ?

seba · **Joined:** 08 Sep 2007 18:55 **Posts:** 22

Hi all (and Luigi ;) ). Yesterday I saw text "new bug - steam servers can be crashed by nonsteam client". Anyone can explain me?

aluigi · **Posted:** 04 Nov 2008 13:55

where have you read it?
anyway I don't have a steam server for testing and in reality I don't test actively Half-life from years

seba · **Joined:** 08 Sep 2007 18:55 **Posts:** 22

Quote:

where have you read it?

In polish forum, but i really cant ask author.

Code:

jest fajny bug do crashowania serwero steamowych
przez klienta non-steamowego.....
zg??oszone do valve, na dniach powinien by?? fix ;)

in english

Code:

one nice bug exist to crash steam servers
via nonsteam client
reported to valve, fix will be relased

aluigi · **Posted:** 04 Nov 2008 14:29

probably it exists and it's very good that valve will fix it but the words there make it impossible for the following reasons:
"via nonsteam client" means that this is an in-game vulnerability which means that (for example) HL 4.1.1.0 can join a steam HL server which is not possible because it's kicked immediately, so if you can't join the server you can't test the bug and that's why I say it's not possible (not possible with that description and default clients).

in short I mean that the description is wrong.

Sethioz · **Posted:** 05 Nov 2008 09:22

i think its a bug that crashes the steam server upon a join attempt or something like that.
or some command you send into server thru console.
Think its referred to an external crash, using the nonsteam client.
but it does sound a lil bit suspecious.

redskull · **Joined:** 02 Feb 2009 06:29 **Posts:** 13

its still not fixed, what it is. is a rcon overflow exploit

aluigi · **Posted:** 02 Feb 2009 13:54

uhmmm the old HL x.1.1.1e has been never vulnerable to rcon overflows, all the rcon packets in fact with a size major of (plus or less) 512 bytes are just dropped and there are no overflow in the password or in the command or in the number of arguments.

I don't have Steam HL and so I can't verify what you say but in any case why Valve should have introduced a similar critical vulnerability?
I mean, why touching that part of the code?
it would be not the first time of a similar thing (watch IW with call of duty and the va() overflow) but looks strange

redskull · **Joined:** 02 Feb 2009 06:29 **Posts:** 13

HL2 Engine based games are vulnerable to these attacks

aluigi · **Posted:** 10 Feb 2009 18:53

just for curiosity I was watching the documentation made by Valve about the rcon protocol in the Source engine:

http://developer.valvesoftware.com/wiki ... N_Protocol

if that protocol is the same used in HL2 it's logical that it's bugged or simply just more prone to vulnerabilities.

Sethioz · **Posted:** 12 Feb 2009 04:23

Luigi didnt you test this few days ago and found no bugs ?!

aluigi · **Posted:** 13 Feb 2009 01:35

yeah, versus the latest version of the server anyway was only a basic test, nothing more

Luigi Auriemma

Crash steam server via nonsteam client ?