ValveSoftware / Source-1-Games

Source 1 based games such as TF2 and Counter-Strike: Source

[TF2] sv_cheats bypass using workshop publishing menu with wallhack exploit example #6142

Closed Yrgez closed 1 month ago

Yrgez commented 1 month ago

Steps to repeat the bug:

  1. Go to any server
  2. Enable and press console button in menu
  3. Bind any button to this command, for example bind p "r_drawothermodels 2"
  4. Press workshop button in menu
  5. Press publish new item
  6. Press cosmetics button and bound one with our command
  7. Close menu with pressing console button
  8. Press bound button with our command

If you did all correctly, wallhacks will appear.

My video proof: https://www.youtube.com/watch?v=ZiA8-7uGP7s

And image: [image: Screenshot (364)]

JoriKos commented 1 month ago

Can confirm this works on my end in Casual servers, see image below.

[image]

NULLYUKI commented 1 month ago

This issue is bigger than some might think. I tested a bunch of commands which are normally locked behind sv_cheats 1 in a casual match. (Not tested every possible command)

These are the commands which were working for me:

r_drawbrushmodels 2
r_drawstaticprops 2
r_drawrenderboxes 1
r_skybox 0
thirdperson
CreateHairball
mat_fullbright 1
mat_wireframe 1
net_fakelag 500
net_droppackets 50
net_showevents 2
prop_crosshair (Crashed my game)
r_drawentities 0
cl_ent_bbox
cl_ignorepackets 1
vcollide_wireframe 1

mastercoms commented 1 month ago

I don't think tutorializing exploits on a public issue tracker is the way to go.

BIOS1207 commented 1 month ago

I was also able to replicate the exploit, not only with "r_drawothermodels 2", but "r_drawrenderboxes 1", "r_drawentities 0" and "thirdperson". I hope this gets patched ASAP, since it is really broken.

[screenshot: 20240716222320_1] "r_drawothermodels 2"

[screenshot: 20240716230211_1] "r_drawentities 0"

[screenshot: 20240716230425_1] "r_drawrenderboxes 1"

[screenshot: 20240716230031_1] "thirdperson"

Touhou2006 commented 1 month ago

[image]

There's a bug where chat doesn't work with this bug; it softlocks your view for some reason.

Yrgez commented 1 month ago

I don't think tutorializing exploits on a public issue tracker is the way to go.

What should I have done? This is my first experience.

NULLYUKI commented 1 month ago

I don't think tutorializing exploits on a public issue tracker is the way to go. What should I have done? This is my first experience.

You can send this information to the TF2 Dev Team via this form. https://www.valvesoftware.com/en/contact?recipient=TF+Team

JoriKos commented 1 month ago

You can send this information to the TF2 Dev Team via this form. https://www.valvesoftware.com/en/contact?recipient=TF+Team

The issue is that it's not guaranteed to be seen there, either from the Valve devs not seeing it, or the aggressive spam filter catching it. The whole point of this repo is to report bugs and exploits like this.

NULLYUKI commented 1 month ago

You can send this information to the TF2 Dev Team via this form. https://www.valvesoftware.com/en/contact?recipient=TF+Team

The issue is that it's not guaranteed to be seen there, either from the Valve devs not seeing it, or the aggressive spam filter catching it. The whole point of this repo is to report bugs and exploits like this.

Yeah, I still just wanted to give out that information to the user. And due to the impact this issue has, I believe that this should get quickly fixed or soon.

JoriKos commented 1 month ago

Yeah, I still just wanted to give out that information to the user. And due to the impact this issue has, I believe that this should get quickly fixed or soon.

Fair enough. I do get the concern of others that this shouldn't be public, but I also don't think e-mails are entirely the best way to go here.

jh34ghu43gu commented 1 month ago

More apt title would be something like "sv_cheats bypass using workshop publishing menu".

Déjà vu to #3734

Yrgez commented 1 month ago

More apt title would be something like "sv_cheats bypass using workshop publishing menu".

Déjà vu to #3734

Thank you all for your contributions! I'll correct the title.

strubium commented 1 month ago

I was not able to replicate this exploit with thirdperson, I was kicked.

[screenshot: 20240717100535_1]

NULLYUKI commented 1 month ago

I was not able to replicate this exploit with thirdperson, I was kicked.

I was still able to execute the r_drawothermodels 2 and thirdperson command during an official casual match.

[screenshots: 440_473, 440_474]

Ashetf2 commented 1 month ago

I was not able to replicate this exploit with thirdperson, I was kicked.

[screenshot: 20240717100535_1]

Casual or community server? Some servers have protection against this

strubium commented 1 month ago

I was not able to replicate this exploit with thirdperson, I was kicked. [screenshot: 20240717100535_1]

Casual or community server? Some servers have protection against this

Casual

Never mind, got it to work.

LedariYT commented 1 month ago

I released a video showing how to perform and abuse this exploit: https://youtu.be/C74pPRMbozs I did this to raise awareness and stress the urgency of this particular exploit so that it gets patched more quickly.

viyzen commented 1 month ago

I released a video showing how to perform and abuse this exploit: https://youtu.be/C74pPRMbozs I did this to raise awareness and stress the urgency of this particular exploit so that it gets patched more quickly.

*You did this to financially gain from the views, and meanwhile cause more people to be aware of and be able to perform this exploit and cause much more disruption than what would have occurred had you not published the video, meanwhile not helping speed up the process of this exploit being patched. Stop pretending you are helping. This issue has been up for <24 hours and you immediately bring an unbelievable amount of attention to it without giving any time for it to be fixed.

Kacey2k commented 1 month ago

I released a video showing how to perform and abuse this exploit: https://youtu.be/C74pPRMbozs I did this to raise awareness and stress the urgency of this particular exploit so that it gets patched more quickly.

*You did this to financially gain from the views, and meanwhile cause more people to be aware of and be able to perform this exploit and cause much more disruption than what would have occurred had you not published the video, meanwhile not helping speed up the process of this exploit being patched. Stop pretending you are helping. This issue has been up for <24 hours and you immediately bring an unbelievable amount of attention to it without giving any time for it to be fixed.

Can confirm, was not aware this was back until I saw the video in my feed.

Will bring more exploiters to lobbies without a difference in patch-time, as we've seen previously the severity of the exploit tends to be the factor for how fast it gets patched, not whether many people know about it or not.

Also, hi viyzen! :)

JoriKos commented 1 month ago

Replying to https://github.com/ValveSoftware/Source-1-Games/issues/6142#issuecomment-2233948893

This may be the absolute worst thing to do, and just serves to bring attention to your channel instead of actually helping. It's the same case with Delfy: pretend to help the game while ruining it for the time it would take to get fixed.

I don't want to derail this into a hate thread but, even if the intent is good, the Summer update is quite soon. Bringing attention to this either ruins the game for the time we have left until it drops (which could be weeks, or could be tomorrow, either way it's a gamble) or it's just a way to have them rush out the update and possibly leave in a whole bunch of bugs and such.

The best move now is to private the video (not unlisted, since people can still watch it) and put it back online once the exploit has been fixed.

viyzen commented 1 month ago

Ignored the near immediate warning that posting a tutorial on github about how to reproduce this issue was a bad idea and decided to do the same thing x10 by publishing it to youtube.

KaelaSavia commented 1 month ago

I released a video showing how to perform and abuse this exploit: https://youtu.be/C74pPRMbozs I did this to raise awareness and stress the urgency of this particular exploit so that it gets patched more quickly.

Suggestion to Valve to start game banning users monetizing breaking their game/damaging game's playability just like this guy

Since we had bot ban wave, why not also have one for people who try to ruin game on purpose

JoriKos commented 1 month ago

Suggestion to Valve to start game banning users monetizing breaking their game/damaging game's playability just like this guy

Since we had bot ban wave, why not also have one for people who try to ruin game on purpose

This is excessive and beyond the scope of this issue. I would argue it's fair for someone who does it systematically and consistently (Delfy), but in this case it's not warranted.

Yrgez commented 1 month ago

I don't understand the criticism of my choice to submit a bug report here. Everyone who criticizes and does not offer a normal solution, what are you thinking? I asked above what I should have done. The user to whom this was addressed ignored me. What's the point in continuing with your statement that the publication was a bad idea in the place it was originally created for. I had the best intentions, and I continue to consider my choice to be correct, having no sane analogues. I am an ordinary user and player of our beloved TF2, I do not have a personal number from Gabe Newell and Valve employees to privately convey this report to them so that others do not take advantage of the vulnerability. Peace for everyone.

JoriKos commented 1 month ago

The user to whom this was addressed ignored me.

The only other option is e-mail, which are all public and even on the TF website. I still think you made the right call here, the point of this github is to have people report bugs. If they're big vulnerabilities in security or the economy then I think it would be the right call for an e-mail/other contact method, but I think this is fine here.

viyzen commented 1 month ago

I don't understand the criticism of my choice to submit a bug report here.

Posting details of the problem is fine, reproducing the problem with exact instructions / easy to follow tutorial may have the unintended consequence of people abusing it easily. It's a lose-lose to some extent, but the criticism is mostly pointed towards republishers of the info making it even easier to abuse.

KaelaSavia commented 1 month ago

Suggestion to Valve to start game banning users monetizing breaking their game/damaging game's playability just like this guy. Since we had bot ban wave, why not also have one for people who try to ruin game on purpose

This is excessive and beyond the scope of this issue. I would argue it's fair for someone who does it systematically and consistently (Delfy), but in this case it's not warranted.

That's what I was referring to. Or just make game ban temporary as a warning if there's bunch of dumbasses who make youtube videos how to break game.

theanine3D commented 1 month ago

I'm thankful to Yrgez for making this public as that will add urgency to the issue. If he had just emailed Valve, I honestly doubt the email would have ever been read or acted upon. Valve employees are busy and emails can easily get lost in an inbox being flooded with dozens of emails every day.

JoriKos commented 1 month ago

Valve employees are busy and emails can easily get lost in an inbox being flooded with dozens of emails every day.

According to an interview with Eric Smith, he does read every e-mail that gets through. The only issue is the spam filter, which can be very aggressive. There is a small chance it won't be read, but a reasonable one that it could be stopped by a spam filter.

ArtKitCat commented 1 month ago

Just an FYI, don't use this with the thirdperson command in Community Servers, seems like certain plugins are detecting this "bypass" already. Which can lead to server bans. Learned that out the hard way LOL.

coredesu commented 1 month ago

This exploit is mostly client cheats. It's not that game breaking and only gives wallhack.

Shigbeard commented 1 month ago

Most community servers that run STAC/SMAC/LILAC will detect this as they verify that certain client convars are set to a value permissible by the server's settings.

Obviously Casual servers, as they are Valve operated and use a different branch of TF2 dedicated server, do not benefit from this. EDIT: They also don't use SourceMod.
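
The convar verification described in the comment above, sketched as an added Python example (not part of the thread and not code from STAC, SMAC or LILAC): the server compares each value a client reports against what its settings permit. The allowed values are assumed stock defaults, and the function names and sample replies are constructed for illustration.

```python
# Added illustration: server-side audit of client-reported convar values.
# ALLOWED holds assumed stock defaults; it is not taken from any plugin.
ALLOWED = {
    "r_drawothermodels": {1.0},
    "r_drawentities": {1.0},
    "r_drawrenderboxes": {0.0},
    "r_drawbrushmodels": {1.0},
    "r_drawstaticprops": {1.0},
    "mat_fullbright": {0.0},
    "mat_wireframe": {0.0},
}


def audit_reply(sv_cheats, name, raw_value):
    """Classify one client reply to a convar query.

    raw_value is the string the client sent back, or None when the
    query failed (client reported the convar as missing or protected).
    Returns "ok", "violation" or "unverifiable".
    """
    if sv_cheats or name not in ALLOWED:
        return "ok"            # cheats permitted, or convar not policed
    if raw_value is None:
        return "unverifiable"  # a stock client should know these convars
    try:
        value = float(raw_value.strip())
    except ValueError:
        return "violation"     # non-numeric reply for a numeric convar
    return "ok" if value in ALLOWED[name] else "violation"


def audit_client(sv_cheats, replies):
    """Return {convar: verdict} for every reply that is not 'ok'."""
    verdicts = {n: audit_reply(sv_cheats, n, v) for n, v in replies.items()}
    return {n: v for n, v in verdicts.items() if v != "ok"}


# Constructed sample replies from one client on a server with sv_cheats 0.
SAMPLE = {
    "r_drawothermodels": "2",
    "r_drawentities": "1.0",
    "mat_fullbright": " 0 ",
    "r_drawrenderboxes": None,
    "cl_interp": "0.03",
}

if __name__ == "__main__":
    print(audit_client(False, SAMPLE))
```

A value check like this only covers convars; console commands from the list earlier in the thread, such as thirdperson, carry no value to query and need a different signal.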

pauche-arg commented 1 month ago

I don't understand the criticism of my choice to submit a bug report here.

Posting details of the problem is fine, reproducing the problem with exact instructions / easy to follow tutorial may have the unintended consequence of people abusing it easily. It's a lose-lose to some extent, but the criticism is mostly pointed towards republishers of the info making it even easier to abuse.

Seriously, have some of you guys never seen a bug report before? The OP wasn't tutorializing how to run the exploit for anyone to use, he's supposed to provide the step by step on how to replicate it so that Valve can do the same on their end and verify its veracity. He has to provide a concrete and verifiable way to reproduce it, which could also provide clues on how to fix it. That's what a bug report consists of. Was Yrgez supposed to post a screenshot and just say "oh yeah I found this exploit good luck finding out how I made it work".

JoriKos commented 1 month ago

Seriously, have some of you guys never seen a bug report before?

Most people who frequent this place are more than experienced with this stuff, they are just convinced a different contact option that's less public should've been taken, that's something completely different than what you're suggesting they want.

Platina6978 commented 1 month ago

I released a video showing how to perform and abuse this exploit: https://youtu.be/C74pPRMbozs I did this to raise awareness and stress the urgency of this particular exploit so that it gets patched more quickly.

We only just got to enjoy a TF2 that is free of bots, bot hosters and relatively free of cheaters again after how many years this has been going on and you do this just to get views for your youtube channel.

Absolute shame on you.

KaelaSavia commented 1 month ago

I'm thankful to Yrgez for making this public as that will add urgency to the issue. If he had just emailed Valve, I honestly doubt the email would have ever been read or acted upon. Valve employees are busy and emails can easily get lost in an inbox being flooded with dozens of emails every day.

That is factually false.

I submitted over 50+ critical/minor exploits to TF Team over course of years and around 80% of them got fixed. Only minor ones were left unfixed.

Just because you don't hear about those fixes does not mean they weren't done.

Just like nobody abused being able to walk up to any building as pyro and crashing casual/competitive/community servers because I've submitted bug report through proper channels and it was fixed in appropriate amount of time (less than two weeks) rather than having e-celeb like delfy parade exploit around like usually he does when something like this is publicized.

You can confirm such bug existed by going onto jungle inferno version of local srcds, spawning dispenser, holding flamethrower flame over it, then pressing disconnect bind.

JoriKos commented 1 month ago

I've submitted bug report through proper channels and it was fixed in appropriate amount of time (less than two weeks) rather than having e-celeb like delfy parade exploit around like usually he does when something like this is publicized.

I don't think it's entirely fair to blame the OP for someone else making a video on it, though. This is one of the proper channels to report bugs in, even bigger ones like this.

JoriKos commented 1 month ago

https://www.teamfortress.com/post.php?id=223066 Mentioned fix here, @kisak-valve needs retest

NULLYUKI commented 1 month ago

This exploit seems to be fixed now. Following two commands were now not able to be executed.

r_drawothermodels 2 Console response:

Can't change replicated ConVar sv_cheats from console of client, only server operator can change its value
Can't use cheat cvar r_drawothermodels in multiplayer, unless the server has sv_cheats set to 1.

thirdperson Console response:

Can't change replicated ConVar sv_cheats from console of client, only server operator can change its value
Can't use cheat command thirdperson in multiplayer, unless the server has sv_cheats set to 1.

Yrgez commented 1 month ago

Okay, guys! I'm happy to close this issue. I'm very glad that the glitch was fixed in a timely manner. And now we can safely enjoy the game! Peace for everyone and have fun!