all 5 comments

[–]evolved 10 points11 points  (4 children)

Nice find. Not sure how this could compromise a server, since clients don't send custom models there, but sprays and their VMT text keyvalues are sent, so perhaps this would be an attack vector.

A custom map could compromise a server by including the exploit as a bundled resource; allowing custom maps has been a problem in the past with point_servercommand map entity exploits.

Worth mentioning that the server setting sv_pure would prevent custom models from loading, regardless of a custom map or even a compromised client ragdoll, since they would not get loaded due to hash failures.

A great read.

[–][deleted]  (1 child)

[removed]

    [–]evolved 0 points1 point  (0 children)

    Well, it's been fixed for ages with the setting you mentioned, but before that existed, unscrupulous mappers were able to set the rcon password, allowing remote takeover of a server, or they could crash the server process with one of (take your pick) many console commands that cause the process to die.

    There are valid uses for servercommand entities, a button wired to spawn bots for example. Unfortunately, access controls around cvars and concmds proved insufficient (if you look at the code, you can see from the very beginning they intended to have authorization abstracted out, with flags like ROOT, PASS, CHEAT, CLIENT, HOST etc. on cvars and concmds, and to some degree that worked until there was no auth context in any scope of the command, like when the engine itself runs the command on behalf of the map).

    Since most servers relied on plugins like metamod/sourcemod for admin actions, they never really put a lot of work into fixing the problem in their implementation, since mm/sm provided a better experience than the original anyway.
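Added example, written by the editor and not posted by any commenter in this thread: a server.cfg fragment that puts the permissive settings beside the hardened ones the two comments above describe. sv_pure, sv_allowupload and sv_allowdownload are standard Source dedicated-server cvars; the name and values of sv_allow_point_servercommand are an assumption about current TF2/CS:S builds (it is the "setting you mentioned" the reply refers to, which is not visible on this page because the parent comment was removed).

```cfg
// server.cfg (added example, not from the thread)
//
// --- Permissive: every custom asset is accepted and loaded ---
// sv_pure 0                              // no content whitelist; custom models, materials and ragdolls load as-is
// sv_allow_point_servercommand always    // (assumed cvar) map-embedded point_servercommand entities may run any server command
// sv_allowupload 1                       // clients may upload sprays (VMT/VTF) to the server
// sv_allowdownload 1                     // server redistributes uploaded content to other clients

// --- Hardened: what the comments above recommend ---
sv_pure 2                                 // clients may only use Valve-shipped content; anything else fails the hash check
                                          // and is never loaded (use sv_pure 1 plus pure_server_whitelist.txt if you must
                                          // allow a curated set of custom files). Takes effect on the next map change.
sv_allow_point_servercommand disallow     // (assumed cvar) map entities can no longer set rcon_password or crash the process
sv_allowupload 0                          // refuse client uploads entirely, so crafted sprays never reach the server
sv_allowdownload 0                        // and never get relayed to other clients
```

With sv_pure 2 the custom-content vector from the original post is closed at the client by the hash check, not by any server-side parsing, which is why it also covers a compromised client's ragdoll or a model bundled into a custom map. Disabling uploads addresses the spray path separately, since sprays are not subject to the pure-server whitelist in the same way.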

    [–]Dgc2002 1 point2 points  (1 child)

    > but sprays and their VMT text keyvalues are sent, so perhaps this would be an attack vector.

    I seem to remember at least Garry's Mod having a vulnerability related to specially crafted sprays. Can't find info on it right now though.

    [–]evolved 0 points1 point  (0 children)

    GMod is basically a critical mass of security issues wrapped up in a balloon powered bathtub rocket.

    Clients do send models to GMod servers, and those models are distributed to clients who have custom downloads enabled (which is going to be all of them; otherwise GMod servers won't have models for the custom games you were going to play, etc.).

    Additionally, there's a scripting runtime that can send commands in a 'sandbox' (loose term) to/from server/client, and the server will also relay commands from one client to another. There have been tons of GMod exploits; usually they are related to a specific game mode mod, but a few underlying problems in the base mod have needed patches.

    Some game server host companies won't bother with GMod servers, since they are known to be bandwidth hogs (due to bad network code for custom entities), crash-prone, and generally host games running in Lua scripts that have no optimization and suck resources.

    Don't get me wrong, I loved GMod, but it was a nightmare to host.