As a moderately sophisticated user, I wouldn't have expected the function RemoveExtraSpaces to immediately enable a RCE attack. It sounds pretty innocuous.
I don't think RemoveExtraSpaces has any RCE, but it is overwritable. The "hack" is tricking the user into overwriting it with a different function called RunScript.
Any add-on added by the user is already executing in the client's space and has zero need for a vulnerability like this.
It's like saying that any program running on my computer could exploit a remote code execution bug... I mean, yes, it could. But why would it, when it already has local execution rights?
Because if the add-on just opens up a backdoor, the author can do more specifically targeted things at their whim rather than blasting everyone who installed it? Harder to get caught.
I mean it was already maliciously exploited in a highly used addon. It was a lot easier to slip in a short one liner than some highly suspicious "hack the user" blob of code. It was also extremely flexible. They could then do different things to each person instead of one fixed attack.
Addons are sandboxed. They can affect the game interface (in limited ways) and other addons, but not other software or files. And it's kind of hard to require further sandboxing, because that would limit addon power, and one of the reasons people like WoW is exactly that addons allow very deep interface customization.
That's why I'm thinking you'd naturally involve a simple permissions model [let script access chat?], just to avoid surprising behavior. Or more specifically, in-game I/O operations (e.g. trading, sending, etc.). The latter would really protect you from everything malicious I can think of, outside of deleting-your-inventory kinds of attacks.
There are protection mechanisms for many actions in the game. You can't use spells with addons, you can't move your character, etc. Many actions require a hardware event, e.g. you can't just buy something, you need to press a button for that. If you're sending mail with gold, you need to confirm that you really want to send that gold, and an addon can't override that confirmation (so a malicious addon can't invisibly send your gold to someone). There wasn't protection for the trade window, so a malicious attacker could steal your gold and/or items, but Blizzard added that protection very quickly after that exploit was found.
It's just a game, so they don't take it very seriously, I guess. They could just revert transaction using their moderator powers if something bad happens.
The issue is that Lua treats functions as "first-class," meaning that they are stored in variables like other data. This is how named functions are created within the language, and function syntax is sugar for initializing a variable and stuffing a function into it.
This works with API functions also, which is why this works.
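The two points above (function syntax is sugar for assigning a value to a variable, and API functions are ordinary globals that can be reassigned) can be shown in plain Lua. This is an added example, not code from the game or from any add-on: `RemoveExtraSpaces` and `RunScript` here are stand-ins that only mimic the behaviour the thread attributes to them (one cleans up whitespace, the other evaluates Lua source), the payload string is constructed for the demo, and `protect_globals` is an illustrative mitigation pattern, not something the game is claimed to implement.

```lua
-- Added example, not from the game or any add-on.
-- In Lua, `function Name() ... end` at top level is sugar for
-- `Name = function() ... end`: it stores a function value in a global variable.

-- Stand-in for the game's text-cleanup helper (assumption: behaves like this).
local function clean(s)
  return (s:gsub("%s+", " "))
end
RemoveExtraSpaces = clean

-- Stand-in for the game's script runner (assumption: evaluates a Lua string).
local compile = loadstring or load   -- Lua 5.1 uses loadstring, 5.2+ uses load
function RunScript(src)
  local chunk = assert(compile(src))
  return chunk()
end

-- Benign use: the chat path hands each message to RemoveExtraSpaces.
assert(RemoveExtraSpaces("hello    world") == "hello world")

-- The one-liner the thread describes: a global is just a variable, so the
-- cleanup hook can be replaced with the script runner by plain assignment.
RemoveExtraSpaces = RunScript

-- From now on every string flowing through that hook is executed as Lua.
-- Constructed demo payload: it only sets a flag.
PAYLOAD_RAN = false
RemoveExtraSpaces("PAYLOAD_RAN = true")
assert(PAYLOAD_RAN == true)

-- Illustrative mitigation (assumption: not what the game does): move selected
-- globals out of _G into a frozen table and refuse assignments to those names.
-- The raw slot must be removed, because __newindex only fires for absent keys.
local function protect_globals(names)
  local frozen = {}
  for _, n in ipairs(names) do
    frozen[n] = rawget(_G, n)
    rawset(_G, n, nil)
  end
  setmetatable(_G, {
    __index = function(_, k) return frozen[k] end,
    __newindex = function(t, k, v)
      if frozen[k] ~= nil then
        error("attempt to overwrite protected global '" .. k .. "'", 2)
      end
      rawset(t, k, v)
    end,
  })
end

RemoveExtraSpaces = clean                   -- restore the original hook
protect_globals({ "RemoveExtraSpaces" })

-- Reads still work, the overwrite now errors instead of silently succeeding.
assert(RemoveExtraSpaces("a   b") == "a b")
local ok, err = pcall(function() RemoveExtraSpaces = RunScript end)
assert(not ok and err:find("protected global"))
```

Note that this freeze only covers assignment through the normal global lookup; code that can call `rawset` or `setmetatable` on `_G` can still undo it, which is why a sandbox that really wants to protect API globals has to withhold those primitives as well.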
Most people who play WoW don't know what a script is. They just click mobs and do raids. It's not obvious at all to a lot of people, just like phone scams, people who go door to door to scam, or even spam emails. It's for a good reason these things still go on: they are still effective against people who aren't developers or IT enthusiasts, which most gamers aren't. They like games, not scripting engines and Lua interpreters or w/e.
This attack would be pretty easy to mitigate. Why does WoW allow you to run scripts in your chat window? Who needs that functionality?
Yes, don't run untrusted code as a user, but also developers should be practicing defense in depth[0]. This isn't like pasting something into a web browser's dev console or a Bash prompt, WoW has the ability to just outright turn this behavior off.
Look at something like the Signal source code, they flat out turn off webviews entirely[1]. So an entire class of phishing attacks just vanishes, regardless of what they're doing to block XSS or malicious links.
WoW should do the same thing - your chat window should not have access to its host environment, if it even needs the ability to run scripts in the first place.
> Why does WoW allow you to run scripts in your chat window? Who needs that functionality?
The "chat" window in WoW is more like a shell interface/CLI than a pure chat window and it's been that way since the inception of WoW. The mod system is loosely dropped on top of it: basically add-ons in WoW amount to bash scripts.
It's a pretty hacky system that seems like it was made to add modding capability as quickly as possible during development. The fact that such an integral system has never been rewritten isn't hard to believe.
I can buy that -- but wouldn't they still at some point want to make the main chat window for the game into some kind of safer wrapper around the bash prompt?
This is coming from someone who doesn't play WoW; is it common for a mod to expose custom commands in chat or something? Or are mods maybe using it as a buffer to send commands?
I guess if they're detecting and popping up a warning prompt, but they're not willing to get rid of the prompt and just always escape the input, there must be some stuff out there that utterly depends on players clicking "allow". That's baffling to me, but I am often baffled.
> is it common for a mod to expose custom commands in chat or something?
Yes, it's quite common for mods to expose custom commands, although these are not raw Lua functions but rather "slash commands", e.g. /foo
Other than for messaging/chat, the chat box can also be used for various commands for actions your character should perform, e.g. /wave, /target, /sleep and the game also has a built-in macro system that lets you combine several of these into a "macro" that you can then execute by pressing a single button. But these are all "safe", i.e. they don't eval raw Lua code.
There are some WoW quest-tracking websites that will sometimes give you little snippets of Lua to execute via /run that will e.g. query the game about whether you completed the given quest, but in general normal users shouldn't need to use /run, it's more of a feature for mod developers.
I really have no idea why it allows you to run scripts in the chat window, lol. It's useful for me, because I sometimes write addons and use it as a kind of REPL, but surely this could be hidden behind a "developer mode" in some Config.wtf file. I think that nobody really thought about it too much, just like browsers allowed javascript: URLs in the past. Nowadays if you're pasting /run stuff into the chat window, WoW asks for confirmation whether you really want to execute it, so they took some measures to limit it. Also there are tons of useful `/run` scripts that some people probably use, and that experience is probably important enough to preserve that functionality.
The vast majority of players won't realize that they can run untrusted code just by typing a few characters into a chat window. To be fair, most chat windows don't work that way.
Nothing new here.