ToME: the Tales of Maj'Eyal

PostPosted: Sun Oct 01, 2017 4:23 am 
Thalore

Joined: Fri Sep 07, 2012 1:34 am
Posts: 150
Update: Access to the io library in non-dev builds has been removed in trunk, which should eliminate the ability to read/write arbitrary files. However there is still the possibility of other ways to read/write arbitrary files, and the 1.5.5 executables downloadable on te4.org still have this problem, so I'm leaving the post up for now.
In particular, the socket library is still available, so online events, addons, and modules can make any Web connections they like.



One of the nice things about t-engine being open source is that you can compile it yourself to be fairly certain that it's not malware. However...

https://git.net-core.org/tome/t-engine4/commit/0e17e9a2e2c28c81f03cf0303240e6ab7c2f6640 added the ability for t-engine to run an arbitrary Lua string from the server, presumably for the purpose of online events like vorpal bunnification, Bearscape, etc.
This means that if you're connected in-game, darkgod or anyone else who has access to the server - or successfully impersonates it - can write and erase any files you have access to, and can even use the socket library to send those files back to themselves. Perfect for harvesting passwords, credit card numbers, etc.

If you've let any 1.2.0+ launcher version connect to the Internet, you've been exposed to this risk. Turning off online events in the game options does absolutely nothing to mitigate the risk.

"But I want to play ToME4 with an Internet connection!"
Fortunately, you can fix this and still enjoy *most* of the online content. You'll miss events like Bearscape, but you can still use the chat, games will still be validated, wins will still appear on your winner's table and in the character vault, and so on.
The culprit code is in src/web.c:
Code:
    case TE4_WEB_EVENT_RUN_LUA:
        if (!luaL_loadstring(he_L, event->data.run_lua.code)) {
            docall(he_L, 0, 0);
        } else {
            printf("[WEBCORE] Failed to run lua code:\n%s\n ==>> Error: %s\n", event->data.run_lua.code, lua_tostring(he_L, -1));
            lua_pop(he_L, 1);
        }
        break;

I changed this to:
Code:
    case TE4_WEB_EVENT_RUN_LUA:
        printf("[WEBCORE] Ignoring attempted online event:\n%s", event->data.run_lua.code);
        break;

and recompiled TEngine. Since this is only a change to the executable you don't need to pack the Lua engine/module; you only need to replace your t-engine executable. This will not invalidate your online games.

"But I don't want to miss online events!"
In my opinion, the security of your files is more important than some randboss bears.
But if you REALLY want them, you do have the option of "sandboxing" the game: run it with a user account that doesn't have access to any files you care about (but make sure it has access to the game's own data, of course; you want to be able to read modules/addons and read and write savegames and configuration!). This is too annoying for me to bother with, personally.

"Can modules and addons also read/write/upload my files?"
Yes. You have to download those yourself though, so they're not nearly as worrying. (The Richard Stallman thing to do would be to disable automatic updates for this reason.)

"Any other notable vulnerabilities?"
Someone with access to the server could manipulate items in your items vault and add a function to one that does bad things. You can avoid that risk by not using the items vault in-game.
There are probably other issues that I don't know about, but, well, I don't know about them. I mostly only looked for loadstring/dostring calls.

"I don't want to compile the game myself, can you fix this in pre-init.lua?"
No. Sandboxing Lua from Lua is not practically possible (there's a treatise on this that I wrote in the past) and you'd need to change tons of engine code anyway.

"But I trust the server admins!"
I don't care if it's Ellen Page herself running te4.org, it could still fall into the hands of someone untrustworthy in the future. Also, man-in-the-middle attacks.



(I stared at this post for like an hour so if something in it is flagrantly wrong, I'll be very embarrassed)


Last edited by minmay on Wed Oct 04, 2017 8:40 pm, edited 3 times in total.

PostPosted: Tue Oct 03, 2017 9:50 pm 
Uruivellas

Joined: Fri May 24, 2013 4:27 pm
Posts: 712
You know, as far as I'm aware, filesystem routines aren't enabled in T-Engine (and it sees a virtual filesystem), so... you're being scaredy for little reason.

MiTM attacks are extremely hard to execute against an SSL-enabled connection, too.


PostPosted: Wed Oct 04, 2017 5:19 pm 
Thalore

Joined: Fri Sep 07, 2012 1:34 am
Posts: 150
0player wrote:
You know, far as I'm aware filesystem routines aren't enabled in T-Engine (and it sees a virtual filesystem), so...
Not true. I've tested this. Online event code (and addons and modules and everything else) has access to the Lua io library which lets you read and write anywhere the user can.
However, this is no longer true in trunk so up-to-date trunk T-engine binaries are ostensibly safe. The 1.5.5 executable is not - luckily a trunk executable works fine for running module/engine versions 1.5.5.


PostPosted: Fri Oct 06, 2017 2:46 pm 
Uruivellas

Joined: Fri May 24, 2013 4:27 pm
Posts: 712
So, you've tested that Lua filesystem library is enabled in T-Engine and has access to any readable file on the computer, correct?
Because last time I was involved, there was a virtual filesystem in place for the FS library.


PostPosted: Fri Oct 06, 2017 7:31 pm 
Thalore

Joined: Fri Sep 07, 2012 1:34 am
Posts: 150
Yes. I am fully aware that T-Engine has a virtual filesystem, but it also allows access to the real filesystem via the Lua io library. This is trivial to verify yourself, if you still do not believe me.
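The check the posts above call trivial, written out as an added example (this is not code from the thread or from T-Engine): an audit that lists which capabilities a Lua chunk would inherit from the environment it runs in, so you can see for yourself whether `io`, `os` or `socket` are reachable in your build. It assumes the standard Lua 5.1 library names (T-Engine's Lua is 5.1-compatible) and that `socket`, if present, is either a global or registered under `package.loaded`; run it from somewhere that executes inside the game's own Lua state, such as a personal addon, and compare the result with the constructed allow-list table at the bottom.

```lua
-- Added audit helper, not code from the thread or from T-Engine.
-- Reports which risky standard-library entry points a chunk can reach
-- from a given environment table. Library names are standard Lua 5.1;
-- "socket" is the extra library the thread says online events can use.

local RISKY = {
  { path = "io.open",               why = "read or write real files outside the virtual filesystem" },
  { path = "io.popen",              why = "spawn a process" },
  { path = "os.execute",            why = "run a shell command" },
  { path = "os.remove",             why = "delete files" },
  { path = "os.rename",             why = "move files" },
  { path = "loadstring",            why = "compile and run a code string" },
  { path = "dofile",                why = "run a file from the real filesystem" },
  { path = "package.loadlib",       why = "load a native shared library" },
  { path = "socket",                why = "open arbitrary network connections (global)" },
  { path = "package.loaded.socket", why = "open arbitrary network connections (via require)" },
}

-- Follow a dotted path such as "io.open" through nested tables.
-- rawget is used so a metatable cannot hide or fake an entry.
local function lookup(env, path)
  local v = env
  for part in path:gmatch("[^%.]+") do
    if type(v) ~= "table" then return nil end
    v = rawget(v, part)
  end
  return v
end

-- Returns the list of reachable risky entries plus a one-line summary.
local function audit_environment(env)
  local found = {}
  for _, entry in ipairs(RISKY) do
    if lookup(env, entry.path) ~= nil then
      found[#found + 1] = entry
    end
  end
  local summary = (#found == 0)
    and "no risky capabilities reachable"
    or string.format("%d risky capabilities reachable", #found)
  return found, summary
end

-- Print a report for one environment under a label.
local function report(label, env)
  local found, summary = audit_environment(env)
  print(string.format("[%s] %s", label, summary))
  for _, entry in ipairs(found) do
    print(string.format("  %-22s -> %s", entry.path, entry.why))
  end
end

-- The global environment is what server-sent chunks, addons and modules
-- run in on the builds discussed in the thread.
report("global _G", _G)

-- A constructed allow-list environment for comparison: pure string, math
-- and table helpers only, no io/os/socket. It shows what a restricted
-- table looks like; it is not offered as a complete sandbox, which the
-- thread notes is impractical to build from Lua alone.
local restricted = {
  print = print, string = string, math = math, table = table,
  pairs = pairs, ipairs = ipairs, tostring = tostring, type = type,
}
report("restricted (constructed)", restricted)
```

On an executable where the thread's description holds, the first report lists at least `io.open` and the `socket` entries; on a trunk build with `io` removed it should list neither `io.*` line. The audit only tests for presence and never opens a file or a connection, so it is safe to leave in an addon as a standing check after each engine update.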

