#DLL networking utility
when the server operator doesn't like you so he drops a rat on you 
on the client?
or does the server download and send to the client
okay
and b2m is a repo server, holding these dlls
nice
when the random service operator doesn't like you so he drops a rat on you 🧌
its still got the same security issues, just that this time its a service operator that controls the source and not the server you're connecting to
its a cool idea, but you have to see how insanely abusable this is especially given that you're brand new seemingly with 0 reputation (as far as i can tell)
is b2m not you?
you're literally just saying "don't worry, the server you're connecting to doesn't control the dlls instead we the random service operators do"
why are you guys more trustworthy than the server the player is trying to connect to
im not saying the creator could do something bad
im saying you could
physgun does this, but they have a reputation
yeah
you have essentially created a service where you have free control to distribute arbitrary dlls to random players without the server operators even knowing
id personally argue that your service is even more dangerous than if just a server operator did it
since if your service is deployed across multiple servers it'd already have way more coverage
we both know that means nothing, you can serve whatever you want to players
people have source but can build different DLLs
its kinda sus that you're not understanding this
Idk, immediately getting hostile to people who bring up valid concerns? Not a good way to build trust

you could look into reproducible builds to provide some trust on the build process?
could just serve malicious source and build it though
My main concern would be do I know his distribution platform won't get rooted, even if he doesn't do it himself
you may think of yourself as trustworthy, and im sure you are. but try to view it from the other perspective. you want to basically be able to send and run any dll to any player connecting to these servers
if you wanted to, you could very easily switch out the dll provided by the dev for a malicious one and that'd be it
or as Phatso rightly mentioned, even if you don't do anything bad personally if your distribution servers are hacked then theres the same issue
also not to be that guy but isnt this banned by the server operator rules anyway?
I don't mean to pile on but wouldn't rubat hate/disallow this? He's specifically spoken against this
sure if all the checksums are static on the client, but then you'd have to redistribute a new version of the loader for every update
and if you have updating checksums then you might as well not have them at all
yes this could be interpreted as Asking players to install 3rd party software (a security risk for the player)
its a cool idea, but sadly its just way too dangerous to actually do in the real world
This one
I wonder if someone here can translate for you. I don't want you to feel like we're bullying you or something
yeah same. i dont wanna come across as dogpiling either here, i just think there are legitimate concerns
It's cool tech, but like morg was saying there are genuine concerns that I don't think you can fix right now
i wish that a system like this would be officially implemented (whitelisted maybe?), the idea is great
I can admire the idea of a world where we can extend client capabilities like we can with server, I just don't know if it's possible to ever do it safely 
let's ask rubat for $2000 gmod code signing certificates 🤡
||cf https://www.globalsign.com/en/code-signing-certificate/microsoft-authenticode||
the only true trusted source would be facepunch as wow said, but that'd literally never ever happen
would be nice to get websockets back on the client though 😮💨
That one still stings. He even removed SSE 
I think the game is safer for it but it inconveniences me personally so I don't like it
@restive cosmos looks like theres an sql vuln in the b2m remove command also
im not about to run the code to verify it but it looks like it
actually looks like every sql query is vulnerable really, the remove one would just be the easiest to trigger
(not to devalue your work, but this is also part of the issue. if there are relatively obvious security issues in just the lua loader part then it doesnt bode well for the code we can't see really)
its cool that you open sourced the loader but that still doesn't remove/address any of the issues raised here since the actual dll distribution api is closed source
(to add to this, even if you did opensource the distribution api it'd still be trivial for you to swap out the running code on the production servers. ultimately your system relies entirely on trust which can't really just be created from nowhere)
nah, i'd trust
that wasnt my point, posting the webserver source wont do anything really
the way the tool is designed I don't think there is anything you can really do to make it more trustworthy honestly
its just inherently unsafe really
(hence why its banned)
hello i have a rat how do i kill it
yes, it is
with careful module inspection and a whitelist
a whitelist that can be revoked
well... you can sign the dlls
and for revocation - blacklist signatures or hashes in a request made to gmod servers at the start of the game
i think you are missing the actual issue here though
ultimately its still a thirdparty controlling the actual distribution
im not talking about b2m, its dogshit obviously
that'd solve basically nothing either other than prove who made it??
fuck you talking about, fp would sign them lol
that'd literally never happen though
i know
also just kinda impractical
wym
getting resigned for every update and stuff
its hell on earth already with the windows application signing and they already charge a hefty premium for it
well true, would require tight cooperation with fp
you dont have to use that
we just simply need to establish a gmod council and have them run all the trusted services 🧌
omw to
```lua
b2m.Remove "/../../../hl2.exe:"
```
also dangerous injections (no sanity checks) in download_dll
and this is just a fucking joke:
i guess you are doing LuaMenu as the pathid here so it might not index shit sent by the server but still... what the fuck?
mad yeah there just is a dir traversal by the looks of it
https://github.com/autumncommunity/b2m_binary/blob/11d8d93e0f1eb045026dd9c63dd9f2c99de2df2b/src/dll.rs#L14
https://github.com/autumncommunity/b2m_binary/blob/11d8d93e0f1eb045026dd9c63dd9f2c99de2df2b/src/dll.rs#L46
unless im super mistaken you could just call download_dll with some valid package name for their api, but give it a traversal path as real_name and it'll use that when deleting the target file
real name is deducted from the package name using gm prefix + name + platform + .dll, so not exactly, but might be possible via http url param injection
oh nvm it'd have to be an invalid path coming from their api
there might be more issues if the http library they are using is extra vulnerable to injections
oh yeah i didnt even consider url param overloading good point
aka i.e. if they host of cloudflare you can:
version = " HTTP 1.1(or whatever, i dont remember)\n(\r\n?)Host: your-host.co.uk.io.gov\nContent-Length: 0\r\nhi"
even tls would work because thats yk cloudflare lol
Real