A group of security researchers known as the Secret Club took to Twitter to report a remote code execution bug in the Source 3D game engine developed by Valve and used for building games with tens of millions of unique players.
A vulnerability in the game engine propagates to products built with it. In this case, multiple game titles built with Source are affected and require a patch to eliminate the risk to users.
- Hey guys, in this video i show you how you can download Counter Strike GO on PC from Steam.Counter Strike Global Offensive is now free on Steam and the video.
- You can find csgo.exe in C:Program Files (x86)SteamsteamappscommonCounter-Strike Global Offensive Strandner Autofixer (Windows 10) It's a great one-click tool for deactivating unneccessary windows background tasks like Superfetch, XBOX DVR and more through windows registry.
One of the researchers in the group says that they disclosed the vulnerability to Valve about two years ago, yet it continues to affect the latest release of Counter Strike: Global Offensive (CS:GO).
Some of the games that utilize Valve's Source engine include Counter-Strike, Half-Life, Half-Life 2, Garry's Mod, Team Fortress, Left 4 Dead, and Portal.
Steam Support Home Games and Applications Counter-Strike: Global Offensive Sign in to your Steam account to review purchases, account status, and get personalized help.
What irks the group is that after all this time they cannot publish the technical details about the bug because the bug is still affecting some games.
Bounty paid, bug still active
Florian, a student passionate about reverse engineering, reported the remote code execution (RCE) flaw two years ago through Valve’s bug bounty program on HackerOne.
He told BleepingComputer that the vulnerability is a memory corruption in the Source engine code, so it’s present in multiple game titles. Exceptions are games built with Source 2 or those that run a modified version of the Source engine, like Titanfall.
However, among the games affected is CS:GO, whose latest update was on March 31. Last month, the game counted close to 27 million unique players, according to stats on the game’s page.
In a conversation with BleepingComputer, Florian said that CS:GO still had the vulnerable Source code on April 10th and the bug could be exploited to run arbitrary code on a machine running the game.
He made a demo video showing how an attacker could exploit the vulnerability and execute code on a target computer by simply sending a Steam game invitation to the victim.
The last Florian heard from Valve was about six months ago, when Valve paid him a bounty and said that it was in the process of fixing the problem, and that it had addressed it in one specific game using the Source engine.
The researcher did not disclose which game received the fix but told us that he was able to confirm Valve’s actions.
“We intentionally did not mention that because we do not want people to search for the patch in the game binaries as this would greatly reduce the effort to rebuild the exploit for all the other unpatched games” - Florian
Florian is a member of the Secret Club, a non-profit group of reverse engineers who complained on Twitter over Valve taking so long to address the issue in all games.
Some bug bounty programs on HackerOne have a policy that allows researchers to disclose exploits or vulnerabilities if a fix is not available after a reasonable period like 90 or 180 days. Valve is not among them.
While Valve does not actively prevent Florian from sharing the details, the researcher has strong ethical principles and knows that full disclosure would put millions of users at risk.
Researchers claim Valve ignores reports
Carl Schou, a leading member of the Secret Club, told BleepingComputer that an attacker could leverage this RCE vulnerability to steal sensitive information like credentials or banking information.
Secret Club has published multiple videos showcasing exploits of RCE bugs in CS:GO from multiple researchers claiming that Valve ignored them for long periods, from five months to a year.
The one below - from Brymko, Carl Smith, and Simon Scannell - shows an exploit of a Source engine RCE flaw when joining a malicious community server.
Steam Cs Go Free
Here's another one where RCE is also achieved after connecting to a malicious server. Software engineer Bien Pham says that they reported it to Valve last year on April 2 and the company ignored them.
It is unclear if all the videos show demonstration of the same remote code execution bug.
BleepingComputer reached out to Valve earlier today for comment about Florian’s vulnerability disclosure through HackerOne but has not heard from the company by publishing time. We will update the article when a statement from Valve becomes available.
Related Articles:
CS: GO Launch Options
Counter-Strike Global Offensive offers you the opportunity to make your gameplay much more exciting and improved with cs: go launch options. Launch options enable the user to set some settings to improve the gameplay and overall experience before launching it. In simple language, commands for launching the game in your desired settings.
Below, we’ll break down all the best CS:GO console commands, set launch options, and even recommend which commands to be used to get the most significant advantage possible with your CS:GO Account.
What is CS: GO Launch option?
Players can use game launch options to change game settings before running the game. Launch options allow the user to supersede the inner settings of the game. That is an effective manner to recover from incompatible video settings and troubleshooting a wide range of issues.
(It is a must if you are using a 144hz monitor or have an eight-core CPU.)
How to Set CS: GO Launch option?
- Right-click on the game title under the Library in Steam and select Properties.
- Under the General tab, click the Set launch options button.
- Enter the launch options you wish to apply (be sure to separate each code with space) and click OK.
- Close the game’s Properties window and launch the game.
CS:GO Launch Options & Explanations
-console
Setting this launch option will open the console automatically when opening the game. There is no real need to set this launch option in cs: go because you can just put a toggle key in your in-game options or your auto exec, and, unlike cs:s, the toggle key works. Some people still like to set this launch option to see echos they put in their auto exec and know that CSGO executed the auto exec correctly.
-novid
Starting the game with this launch option will remove the valve intro that plays typically at the beginning. A must-have launch option, in my opinion, because I find that intro is annoying as hell.
-tickrate 128
If you create an offline game with bots without this launch options set, the designed server will run at tick rate 64. If this launch option is set, the offline servers will always run at tick rate 128.
-refresh <rate> / –refreshrate <rate> / -freq <rate>
You can force your monitor to run at a specific refresh rate with this launch option. Setting up refresh rate will make sense if your monitor’s maximum refresh rate is higher than 60. If it isn’t and you set this launch option to 120, you can seriously damage your monitor.
-high
Launching in high mode will start the game in a high-priority way. This launch option can help players with lower-end computers to get less lag and a few more fps, but it is not a guarantee. Test this launch option. If you don’t notice any improvement performance-wise, remove this launch option again.
-threads <number of cores/threads>
So far, I could not find definitive information about the maximum number of threads that CSGO uses and if this launch option makes any sense. If you have a CPU with four or more cores, you can try to set -threads to the number of cores (or the number of threads if you own a CPU with two threads/core) you have, but right now, I can not guarantee that your performance will improve. Test it. If you don’t notice any difference or your performance is worse than before, remove the launch option again.
-full / -fullscreen
This launch option forces the game to run in full-screen mode. The game will ignore this launch option, if -windowed / -window / -SW / -start windowed option is also set.
-windowed / -window / -sw / -startwindowed
This option will force the game to run in windowed mode. Should not be set without -w and -h also being specified. The game will ignore this launch option if the -full / -fullscreen option is also set.
-w <width> / -width <width>
-h <height> / -height <height>
This option forces the game to start with the resolution you specified, e.g., w 1920 -h 1080.
-noborder
Using this launch option will remove the border that Windows puts around the window when it is run in windowed mode.
-x <position> – horizontal
-y <position> – vertical
When the game is run with no border, you can’t move the window around, and it is stuck to the center of your screen. You can define the position of the window with these two launch options. <position> is the space in pixels that you want the game to be “away” from the screen’s left and topside.
-lv
Ok, this isn’t a practical launch option, but if you’re bored, just set it, play a bit and have a good laugh. The -lv launch option turns the game into a low violence version. The previous counter-strike games had to be low violence versions over here in Germany. At the same time, CSGO doesn’t, but the animations are still there. There’s no blood, and models lie down with their hands behind their heads.
-language English
language, you can use this launch option. You can also right-click CSGO in your game library, go to properties and set the in-game language there, but that doesn’t work for some people. Other languages should work too for this launch option. Still, I did not test that. Here are some launch options that either does not work or that really shouldn’t be used in CS GO (many people still use them and falsely recommend them):
-heapsize <kilobytes>
You should not use this launch option! Steam removed this command in cs:s, tf2 and dod:s in 2010; I’m not 100% sure if it exists in CSGO. Here’s what valve said in 2010: “this command made sense in half-life 1’s memory manager. The current engine manages memory in a way that doesn’t need it specified. Under some circumstances, specifying a non-optimal causes crashes and reduced performance.”
+exec autoexec
There has been a CSGO problem since the release that the configs are loaded in the wrong order. The easiest way to avoid that problem is to add host_write config at the end of your Autoexec and make sure that your config isn’t set to read-only. The command overwrites any cvars in the config.Cfg with the ones in the Autoexec. Cfg when the Autoexec is executed. Do not set a launch option +exec Autoexec.Cfg, regardless, the Autoexec is loaded. Right now, this seems to be the only method to make your Autoexec work.
+cl_forcepreload 1
Increase fps by preloading maps (not necessarily faster, that depends on your pc)
-nod3d9ex
Makes alt+tab faster
-nojoy
Removes joystick support
Cs Go Steamdb
What are the best CSGO launch options?
Cs Go Steam Inventory Calculator
-novid -tickrate 128 -high -threads 6 +fps_max 0 +cl_interp 0 +cl_interp_ratio 1 +rate 128000 +cl_updaterate 128 +cl_cmdrate 128 +mat_queue_mode 2 -freq 144 -refresh 144 -d3d9ex -nojoy
Cs Go Steam Key
Apart from these Launch options, we suggest using CSGO Prime Accounts to avoid cheaters and have better matchmaking.