Severe Source SDK 2013 Multiplayer exploit found, can be used to hijack Steam accounts

This just in from the HLDS Mailing list

i don’t think this is anything new. i remember reading about this a long time ago. unless it’s a new exploit that also uses sprays

doesn’t surprise me that they fixed it in their games but didn’t bother updating the sdk

it’s funny that third-party source mods on steam are vulnerable though

Why is this here? Is GMod confirmed to be affected?

The fact that it runs on an older version of the engine hardly proves anything.

GMod servers are affected by the spray exploit - a wave of awareness over this exploit went out… I want to say 6-12 months ago, but no hardcoded fix was ever developed. I don’t think it was ever reported properly, though.


Don’t think being the key there. I only heard it vicariously through my coder when I was running my server at the time, when he fixed it himself.


well boy oh boy that sure is wonderful news huh
Would this be avoidable on the client side by disabling sprays or does it not work that way?

I’m pretty sure this isn’t just about sprays.
Sure, someone could spread a spray through the server… but the server could also just directly send a material to the client instead.

You guys might be able to get in contact with the developers of that source mod and ask for more information to determine if you are vulnerable. If you are, this could easily be leveraged to make a self-propagating payload.