
World of Warcraft: one simple line of code can cost you dearly - minimaxir
https://blog.gdatasoftware.com/2016/07/28809-world-of-warcraft-one-simple-line-of-code-can-cost-you-dearly
======
niftich
What's happening here is the 'RemoveExtraSpaces' function (ie. basically a
trim) is called by the game engine every time a chat message is received. But
apparently, you can rebind this name and point it to any other function,
including 'RunScript', which is an eval.

When this was revealed, Blizzard quickly patched in a warning dialog that
warns against running scripts from untrusted sources, including being social-
engineered to enter stuff yourself (which is what's happening here). That
attitude seems prudent, but isn't entirely helpful, as many players in fact
use Lua in their chatbox to do complex actions or calculations.

Like this one that prints your current position in 'map coordinates':

    /script x,y = GetPlayerMapPosition("player");
    map=GetZoneText();
    c1=x*100;c2=y*100;
    print(string.format("%s: %.2f, %.2f", map, c1, c2));

or the 'CTC macro' that was used to calculate a value that raid tanks must
have attained:

    /run DEFAULT_CHAT_FRAME:AddMessage("Need 102.4 combat table coverage. Currently at:"
    ..string.format("%.2f", GetDodgeChance()+GetBlockChance()+GetParryChance() +5))

It's true that users shouldn't run _untrusted_ code, but realistically,
they'll probably click through most warnings to run legitimate functions like
this. A better fix is to prevent rebinding the 'RunScript' function to some
other name, and to prevent rebinding the 'RemoveExtraSpaces' function by
anything else.

~~~
niftich
Another contributing factor in this vulnerability is that the 'chat compose
input' and the 'script console' are one and the same.

While this was done to simplify UX, it's really not a good idea in retrospect.

Even something as simple as a different chat frame that only allowed script
commands, into which only local script output can go, would also serve as an
effective mitigation.

~~~
eridius
I'm not sure how that would solve anything; the attacker would just convince
the victim to type that line of code into the script console instead of the
chat console.

~~~
alistairSH
Sure, the rebinding could still happen. But, the remote execution is prevented
(right now, after rebinding the trim function, the attacker can enter script
in the chat window to be executed - this part goes away with a separate
console).

~~~
TheCoelacanth
I don't think so.

The attacker is executing script through the RemoveExtraSpaces function that
gets run on every chat message, not by executing it with either player's chat
console.

~~~
niftich
The assumption is that a proper mitigation would result in the script console
being in a separate execution context; such that variables that are
(re-)declared in the script console would not affect the chat console's
context, or its 'RemoveExtraSpaces' function, nor the global context. I
should've been more clear.

~~~
eridius
That assumption wouldn't work. If the script console is a separate Lua
environment, it's completely useless. As long as it's the same environment
that the rest of the game/addons use (which it must be), then there's no
"mitigation" that can be done like you're hoping for.

------
shabble
reminds me of people writing IRC bots doing something like:

    if ($line =~ m/!calc (.*)$/) {
        return eval $1;   # whatever follows "!calc" is run as Perl, not just arithmetic
    }

which is about the worst possible way you can easily write a calculator :P

In fact, IRC bot/script writing is a great place to learn about security and
general distrust of the rest of humanity.

Even things like the pathological regex backtracking DoS from the other day
turn up fairly regularly with popular bots.

~~~
MaulingMonkey
In some programming IRC channels I've seen similar done intentionally. On the
plus side, they were sandboxed. On the minus side, the sandbox didn't prevent
playing sounds on their locally hosted machine... needless to say, there was a
lot of beeping.

------
morganvachon
I'm sure the method was different, but way back in the day when I was playing
Phantasy Star Online on the Sega Dreamcast, "digital mugging" was a common
occurrence. The attacker would walk up to the victim, ask them to trade, and
the victim's interface would lock up, causing them to have to reboot the
console. When they logged back in, all of their gear and money was gone. If
the player hadn't been to the bank to make a deposit recently, they were
screwed out of potentially hours of game-time work.

I never did learn how this was accomplished; it happened to me only once,
after that I ignored any player I didn't know in real life, which cut out the
MMO part of the game for me.

~~~
Hortinstein
hahah this brings me back. I can shed some light... at least a little: there
were exploits that crashed people's consoles. This didn't give the thief any
items, but cleared inventory or even saves for some players.

[http://dcemulation.org/phpBB/viewtopic.php?f=36&t=11941](http://dcemulation.org/phpBB/viewtopic.php?f=36&t=11941)

Great game, would love to see a re-release of the original or even PSO2 in
America.

~~~
brokenmachine
Sounds like a fun game. :-P

------
castratikron
Pretty cool that they allow players to run their own scripts, and in a full
Lua environment no less. I imagine that could be useful in a game with a lot
of repetitive tasks.

~~~
minimaxir
The ability to run Lua scripts has been a WoW feature since its release in
2004-2005.

To prevent the game from being easily botted to death, there's not much
you can script aside from automating UI interactions. This was a killer
feature for the Master Plan mod last expansion, which automated clicking
through poorly-designed menus for a poorly-designed mechanic, and it
single-handedly broke the economy.

~~~
rhaps0dy
> and it single-handedly broke the economy.

Could you get money by clicking menus? I'm curious

~~~
Rovanion
From what I understand, they essentially made a part of the expansion which
worked like FarmVille, where through a UI you sent out your followers on
missions which would finish a certain amount of real-world time later.

------
kalleboo
Ahh... allowing users to run code they don't understand. The same reason
Facebook tried to kill the Chrome Dev Tools[0] and Apple more recently killed
the javascript: URL scheme in the address bar

[0]
[https://news.ycombinator.com/item?id=7222129](https://news.ycombinator.com/item?id=7222129)

~~~
pmarreck
> and Apple more recently killed the javascript: URL scheme in the address bar

wait, WHAT? This isn't good! This raises the barrier of entry for new
programmers to play with Javascript! I had no idea this was done!

~~~
Nadya
And for those of us who use Bookmarklets - it has made Safari a non-choice of
browser.

~~~
kalleboo
Bookmarklets still work for me (and as andrethegiant said, you can re-enable
it in the Develop menu)

~~~
Nadya
So what is the point of trashing the JavaScript URI? People with malicious
intent will just have the person make the code into a bookmarklet and run it,
which is actually easier than explaining how the URL bar works.

Or does it do what Chrome does, where you can't copy/paste "javascript:" into
the URL bar and have to type "javascript:" yourself?

------
diziet
I did quite a bit of Lua WoW programming back when I was playing in WoW
tournaments. The community really wanted to change a lot of the UI / UX of the
default interface to be more friendly for high level play. Tournament rules
did not allow usage of addons that pre-packaged such changes, but the admins
of the tournaments did have permission to allow usage of light UI changing
scripts. Some people took it really far and used automated cooldown trackers
etc from macros that you would paste one line at a time, but the admins in
tournaments would not allow that.

There's still somewhat of an active community:
[http://www.arenajunkies.com/topic/222642-default-ui-scripts/](http://www.arenajunkies.com/topic/222642-default-ui-scripts/)

------
j_s
Here is an idea of what the actual Lua code would look like, a bit de-obfuscated:

[https://gist.github.com/Sharparam/11a3cddeaa51aa11dde69b4690...](https://gist.github.com/Sharparam/11a3cddeaa51aa11dde69b46908bccd7)

------
gourneau
Slightly off topic. Are any of y'all going to be playing the next expansion? I
am looking to join a very casual guild :)

------
tomc1985
Unbelievable. Why give players the ability to override arbitrary functions
like that?

~~~
ajkjk
Why are you.. outraged? Clearly allowing this attack was a mistake. Overriding
functions is a language feature, so you'd have to think of the risk to think
to block it.

~~~
tomc1985
Outraged? C'mon now. Shocked with disbelief maybe?

Because that is such an obvious attack vector that it is hard to believe Bnet
allowed it. It's very hard to enforce language-level restrictions (like which
functions may run when) when they can be circumvented with reflection.

Besides, Bnet's WoW client code has been known to be janky, and their entire
security setup seems to only care about protecting the business, and not
users. Bnet is the only online gaming service where I have had multiple
accounts hacked that I could not trace to any specific doxing/pw dump event...
forcing me to conclude that their security infrastructure is absolute garbage.

------
jomclaughlin
It's Lua not LUA.

------
Raphmedia
Who figured it would be a good idea to allow received chats to be interpreted
as code?! That's a pretty big security fail if you ask me.

~~~
keketi
Read the article. Received chats are executed only after the victim has run
the script provided by the attacker. The real question is "why does the
scripting system allow overriding functions like that?".

~~~
speeder
Lua was created to be a configuration file system that was Turing complete, to
be used by an oil mining company.

Lua was never intended to be used for games, UI, etc. It just proved useful
to be used like that.

Because of Lua's "real" intentions, it was made in a way that you can assign
"everything" to "everything", and you don't need () to refer to or call
functions. (In fact, much of the stuff that makes Lua look like a "normal"
programming language, like dot syntax, () and whatnot, is "syntactic sugar".)

~~~
wruza
Please do not spread false misbeliefs. WoW's Lua is 5.1-flavoured afaik, and
that's a completely different language from 5.0, 4.x or what you describe.

This entire thread mentions fatality of function substitution in Lua, but that
is easily prevented (by setting proxy metatable on global table and system
libraries, even any lua-noob knows that, blizzard devs are just losers). But
even that missing protection is not what breaks security. In dynamic languages
like lua or javascript you control the dynamicity via localization of global
values at eval-time ('eval' as in repl). 'local trim = path.to.sys.lib.trim'.
So, once trim function is localized in console code, you can assign anything
to original location and that will not interfere with console logic. Lua is
just too hot to handle for wow-devs, and python, perl, javascript have the
same issue more or less the same way.
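As an added illustration (not code from the article, the thread, or Blizzard's client), the following Lua 5.1-compatible toy models the pipeline niftich describes at the top of the thread and the two fixes wruza mentions: the engine, the environment table and the trim/eval bodies are assumptions standing in for the real UI, only the names RemoveExtraSpaces and RunScript come from the discussion.

```lua
-- Toy model of the chat pipeline: every incoming message passes through
-- RemoveExtraSpaces, which the flawed engine looks up by global name each time.
local function new_env()
  local env = {}                                     -- stands in for the UI's global table
  env.RemoveExtraSpaces = function(s) return (s:match("^%s*(.-)%s*$")) end
  env.RunScript = function(s) return assert((loadstring or load)(s))() end  -- the eval
  return env
end

-- capture_at_load = true is wruza's "localise at eval-time" fix: the engine keeps
-- its own reference, so rebinding the global later has no effect on it.
local function make_engine(env, capture_at_load)
  local trim = capture_at_load and env.RemoveExtraSpaces or nil
  return function(message)
    return (trim or env.RemoveExtraSpaces)(message)
  end
end

-- Second fix: expose the globals through a proxy whose __newindex refuses to
-- overwrite protected names. The proxy must be an empty table: __newindex only
-- fires for keys the table does not already hold, so putting the metatable
-- directly on an already-populated _G would not catch a reassignment.
local function protect(env, names)
  local protected = {}
  for _, n in ipairs(names) do protected[n] = true end
  return setmetatable({}, {
    __index = env,
    __newindex = function(_, k, v)
      if protected[k] then
        error("attempt to rebind protected global '" .. k .. "'", 2)
      end
      rawset(env, k, v)                              -- ordinary macro variables still work
    end,
  })
end

-- 1. Flawed engine: once the pasted line rebinds the global, an incoming chat
--    message is evaluated as Lua instead of being trimmed.
local env = new_env()
local on_chat = make_engine(env, false)
env.RemoveExtraSpaces = env.RunScript                -- the single line from the article
print(on_chat("return 6 * 7"))                      -- prints the evaluated result, not text
-- 2. Engine that captured its reference at load time: the rebinding is harmless.
env = new_env()
on_chat = make_engine(env, true)
env.RemoveExtraSpaces = env.RunScript
print(on_chat("  return 6 * 7  "))                  -- prints the merely trimmed message
-- 3. Protected globals: the rebinding itself is rejected, plain macros still run.
local g = protect(new_env(), { "RemoveExtraSpaces", "RunScript" })
print(pcall(function() g.RemoveExtraSpaces = g.RunScript end))  -- false plus the error
g.ctc = g.RemoveExtraSpaces("  102.4  "); print(g.ctc)          -- normal assignment works
```

In a real client the proxy would have to be installed as the environment that macros and addons run in (setfenv in 5.1), and the game's own modules would take their references before any user code runs.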

