[For players] How to prevent online event dangers

[minmay]

Update: The post below is mistaken about a few things and is mainly for historical interest.
1. This is NOT fixed in 1.6. The physfs library can still be used to read/write files anywhere you want, because you're allowed to reset and remount it to wherever you like.
2. There are actually two places where arbitrary code is downloaded and run. One is in the C engine as this post covers, the other one is in the Lua side (check out the profile-thread folder). You would need to eliminate both to be safe.




Update: Access to the io library in non-dev builds has been removed in trunk, which should eliminate the ability to read/write arbitrary files. However there is still the possibility of other ways to read/write arbitrary files, and the 1.5.5 executables downloadable on te4.org still have this problem, so I'm leaving the post up for now.
In particular, the socket library is still available, so online events, addons, and modules can make any Web connections they like. This includes, for example, mining cryptocurrency for someone else.



One of the nice things about t-engine being open source is that you can compile it yourself to be fairly certain that it's not malware. However...

https://git.net-core.org/tome/t-engine4 ... ab7c2f6640 added the ability for t-engine to run an arbitrary Lua string from the server, presumably for the purpose of online events like vorpal bunnification, Bearscape, etc.
This means that if you're connected in-game, darkgod or anyone else who has access to the server - or successfully impersonates it - can write and erase any files you have access to, and can even use the socket library to send those files back to themselves. Perfect for harvesting passwords, credit card numbers, etc.

If you've let any 1.2.0+ launcher version connect to the Internet, you've been exposed to this risk. Turning off online events in the game options does absolutely nothing to mitigate the risk.

"But I want to play ToME4 with an Internet connection!"
Fortunately, you can fix this and still enjoy *most* of the online content. You'll miss events like Bearscape, but you can still use the chat, games will still be validated, wins will still appear on your winner's table and in the character vault, and so on.
The culprit code is in src/web.c:

Code: Select all

                case TE4_WEB_EVENT_RUN_LUA:
                        if (!luaL_loadstring(he_L, event->data.run_lua.code)) {
                                docall(he_L, 0, 0);
                        } else {
                                printf("[WEBCORE] Failed to run lua code:\n%s\n ==>> Error: %s\n", event->data.run_lua.code, lua_tostring(he_L, -1));
                                lua_pop(he_L, 1);
                        }
                        break;

I changed this to:

Code: Select all

                case TE4_WEB_EVENT_RUN_LUA:
                        printf("[WEBCORE] Ignoring attempted online event:\n%s", event->data.run_lua.code);
                        break;

and recompiled TEngine. Since this is only a change to the executable you don't need to pack the Lua engine/module; you only need to replace your t-engine executable. This will not invalidate your online games.

"But I don't want to miss online events!"
In my opinion, the security of your files is more important than some randboss bears.
But if you REALLY want them, you do have the option of "sandboxing" the game: run it with a user account that doesn't have access to any files you care about (but make sure it has access to the game's own data of course, you want to be able to read modules/addons and read and write savegames and configuration!). This is too annoying for me to bother with, personally.

"Can modules and addons also read/write/upload my files?"
Yes. You have to download those yourself though, so they're not nearly as worrying. (The Richard Stallman thing to do would be to disable automatic updates for this reason.)

"Any other notable vulnerabilties?"
Someone with access to the server could manipulate items in your items vault and add a function to one that does bad things. You can avoid that risk by not using the items vault in-game.
There are probably other issues that I don't know about, but, well, I don't know about them. I mostly only looked for loadstring/dostring calls.

"I don't want to compile the game myself, can you fix this in pre-init.lua?"
No. Sandboxing Lua from Lua is not practically possible (there's a treatise on this that I wrote in the past) and you'd need to change tons of engine code anyway.

"But I trust the server admins!"
I don't care if it's Ellen Page herself running te4.org, it could still fall into the hands of someone untrustworthy in the future. Also, man-in-the-middle attacks.



(I stared at this post for like an hour so if something in it is flagrantly wrong, I'll be very embarrassed)

[0player]

You know, far as I'm aware filesystem routines aren't enabled in T-Engine (and it sees a virtual filesystem), so... you're being scaredy for little reason.

MiTM attacks are extremely hard to execute against an SSL-enabled connection, too.

[minmay]

You know, far as I'm aware filesystem routines aren't enabled in T-Engine (and it sees a virtual filesystem), so...

Not true. I've tested this. Online event code (and addons and modules and everything else) has access to the Lua io library which lets you read and write anywhere the user can.
However, this is no longer true in trunk so up-to-date trunk T-engine binaries are ostensibly safe. The 1.5.5 executable is not - luckily a trunk executable works fine for running module/engine versions 1.5.5.

[0player]

So, you've tested that Lua filesystem library is enabled in T-Engine and has access to any readable file on the computer, correct?
Because last time I was involved, there was a vrtual filesystem in place for FS library.

[minmay]

Yes. I am fully aware that T-Engine has a virtual filesystem, but it also allows access to the real filesystem via the Lua io library. This is trivial to verify by yourself, if you do still not believe me.