[GoldSrc] Method of displaying fake players in server browser bypassing Master server

[Splatt581]

This is a new way of displaying fake players that Romanian hackers started using about a month ago. It uses a bug in steamclient.dll / ServerBrowser.dll on the client side, which allows displaying fake player counts from game servers bypassing player count information from the Master server.

So, if you now try to open the 'Spectate' tab in the Counter-Strike server browser, you will see a lot of fake servers:

As you may have noticed, all the fake servers have a large number of players, but if we try to get information about any of these fake servers from the master server via webapi, we will see that only one client is authorized on them:

<gameport>27037</gameport>
<specport>27037</specport>
<name>RESPAWN.XTREMECS.RO [RENEWED 2024]</name>
<appid>10</appid>
<gamedir>cstrike</gamedir>
<version>1.1.2.7</version>
<product>cstrike</product>
<region>-1</region>
<players>1</players>              <-----------------------
<max_players>255</max_players>
<bots>0</bots>
<map>de_alejandro</map>
<secure>false</secure>
<dedicated>true</dedicated>

How to reproduce the bug/exploit:

1. At least one game client (steam account) must be authorized on the fake server;
2. In the A2S_INFO response packet (https://developer.valvesoftware.com/wiki/Server_queries#Response_Format), the fake server must send the fields NumPlayers = MaxPlayers, as if the server is full.

This is enough for the client browser server to start displaying information about the number of players from an unreliable source (fake game server), instead of a reliable one (from the master server).

3. Optionally add bots to the field of the A2S_INFO response packet so that NumPlayers != MaxPlayers, since NumBots is subtracted from NumPlayers. You can also see this in the screenshot.

Let me remind you that I believe the bug is somewhere in steamclient.dll / ServerBrowser.dll. Hopefully this vulnerability will be fixed.

[that-is-not-great]

what you describe is nothing new, it has always worked.

what they are using is in the Internet tab and does not require full server nor require bots:

{
        "addr": "77.83.246.123:27015",
        "gameport": 27015,
        "steamid": "90201303529526284",
        "name": "Develop Server",
        "appid": 10,
        "gamedir": "cstrike",
        "version": "1.1.2.7/Stdio",
        "product": "cstrike",
        "region": 255,
        "players": 31,
        "max_players": 32,
        "bots": 0,
        "map": "de_dust2",
        "secure": false,
        "dedicated": true,
        "os": "l"
      }

[Splatt581]

Replying to https://github.com/ValveSoftware/halflife/issues/3805#issuecomment-2313636371

These fake servers use completely different methods of deceiving players.

The fakes from your post (with name: Develop Server) appeared back in 2023 and they do not use bugs - they really use a farm of steam accounts that are authorized on fake servers, so even the Master server counts them. I described this in this post - https://github.com/ValveSoftware/halflife/issues/2064#issuecomment-1889229163. The fakes from my post use a bug in which only one steam account is enough.

[metita]

@shawns-valve this is worth to check for a fix in a future release.

[Gawnz1]

Devs, if you don't want to fix them, at least move them and some of other important things to upcoming release, so new devs or old ones when want to work, to see whats in the lists for fixing. Also, kisak points to open issues and closing duplicates, but no one cares and moves the important ones to future updates/release.... https://github.com/ValveSoftware/halflife/milestones

[lexzor]

Hello,

Actually you need to send 32/32 and 1 bot via UDP packets, in this way, the client will show 31/32 and 1 bot.

If you refresh the list you can see some of the fake servers are showing 0/32 or 1/32 players, this is because the client see the fake server as full, so if you click on the fake server you may receive a server full message. They made a workaround for this and some of the queries are with 0/32.

[Maxi605]

Devs, if you don't want to fix them, at least move them and some of other important things to upcoming release, so new devs or old ones when want to work, to see whats in the lists for fixing. Also, kisak points to open issues and closing duplicates, but no one cares and moves the important ones to future updates/release.... https://github.com/ValveSoftware/halflife/milestones

Kisak (afaik) is not part of the dev team working on GoldSource, so he can't really choose what gets done and what doesn't for future releases.

[Gawnz1]

Devs, if you don't want to fix them, at least move them and some of other important things to upcoming release, so new devs or old ones when want to work, to see whats in the lists for fixing. Also, kisak points to open issues and closing duplicates, but no one cares and moves the important ones to future updates/release.... https://github.com/ValveSoftware/halflife/milestones

Kisak (afaik) is not part of the dev team working on GoldSource, so he can't really choose what gets done and what doesn't for future releases.

Read this part of my comment again, but no one cares and moves the important ones to future updates/release. I told only that kisak points to open ones and closes duplicates.

@shawns-valve Is the only hope now as I see, if he wants to work on some things, to move the most important ones for CS 1.6, such as this one, hitbox fixes, deleting game files (particlemans, smokes, all kind of stuff, cheats), making the smoke server-side or at least to not dissapear when client reconnects, blocking cheat-like commands, fixing spectator camera smoothness, which is allowing players to see through walls when fast switching and so on...

[alexkn262]

I've posted the source code of this: https://github.com/ValveSoftware/halflife/issues/3859

[lexzor]

I've posted the source code of this: #3859

it's invalid, the fake server won't register in valve masterserver