• 🏆 Texturing Contest #33 is OPEN! Contestants must re-texture a SD unit model found in-game (Warcraft 3 Classic), recreating the unit into a peaceful NPC version. 🔗Click here to enter!

New Warcraft III security exploit...

Status
Not open for further replies.

Vercas

Vercas

Vercas

Level 21
Joined
Dec 9, 2007
Messages
3,096
Yes, it will run outside of the Startup folder if the proper registry key is added or changed.
The script itself can run the downloaded file as well.

Files in the startup folder are opened after the desktop is shown.
Files registered in the proper registry are run while the Windows user's settings load.
 

Togra_blah

Togra_blah

Togra_blah

Level 4
Joined
Apr 30, 2008
Messages
32
Will it be fixed in 1.25, or not?

Look. Quite frankly, i do not presume myself to be sufficiently knowledgeable to pass Great Judgement on exactly what the exploit can or cannot do.

Thusly, i'm not going to debate it - i will leave that to those who are more versed in such things, should they have the desire to do so.

Elfian, i see you have passed your own personal judgement on the exploit's capabilities, and i will respect that.

However, regardless of the precise nature of this threat, i'm not keen to expose myself to it.

My only interest in the matter at this point is whether or not the exploit will be removed with 1.25.

En_Fuego indicated it would be, and i was just hoping for some details/confirmation.
 

elfian

elfian

elfian

Level 8
Joined
Jun 28, 2008
Messages
356
Vercas said:
Yes, it will run outside of the Startup folder if the proper registry key is added or changed.
The script itself can run the downloaded file as well.

Files in the startup folder are opened after the desktop is shown.
Files registered in the proper registry are run while the Windows user's settings load.
Click to expand...

Technically yes, but as far as I'm concerned the Preload Exploit thing can't write to the registry, can it?
 

mooman219

mooman219

mooman219

Level 1
Joined
Feb 28, 2009
Messages
4
We could use this to make a text file that stores information. So instead of copying down a save code, the warcraft map could read and write to the text file.

Honestly i am trying to not look at the bad side of this "hack".

Jesus4Lyf said...
"Hey, at least with this, you can download an executable to set the local files flag in WC3. So you can download 100mb model packs to people's computers which can then be used in WC3 maps! Whilst you're at it, you can modify WC3 executables to add additional natives like RtC, all without the map player ever knowing! In fact, you can format their whole hard disk! I think you're right, Blizzard needs to give us more power!! MOAR!!."
 

Thyrael

Thyrael

Thyrael

Level 11
Joined
Apr 28, 2008
Messages
696
Tested it myself, the textfile was created during the runtime of wc3 and could be read in the same game it was saved.
 

elfian

elfian

elfian

Level 8
Joined
Jun 28, 2008
Messages
356
OK, I understand how this works and I managed to make a "file i/o" system. Too bad the synchronization methods tend to fail 50% of the time, so this... sucks. I give up on mapmaking. Blizzard sucks. **** this ****
 

Weep

Weep

Weep

Level 10
Joined
Jul 12, 2009
Messages
318
1.25b is live, supposedly, and has essentially broken Battle.net play for Mac users. Also, I've not actually been able to successfully have the auto-update apply itself on WinXP32 (and I'm not the only one, looking at the Blizzard forums), and there's not yet a stand-alone patcher. :thumbs_up::thumbs_up::thumbs_up::thumbs_down:
[edit] Reinstalling and patching directly from the older version worked!

Anyone know if it actually fixes the exploit?
 
Last edited:

Vercas

Vercas

Vercas

Level 21
Joined
Dec 9, 2007
Messages
3,096
Ironside said:
Also, I forgot to mention, even if you add to startup via registry or any other way, you can view it in msconfig (start > run > msconfig), so as said, there's nothing dangerous about this exploit.
Click to expand...

Yes and no.
There is another registry path that auto-starts programs. For the sake of security, I am not going to mention it. BTW, explorer.exe is started by the same way.
 

obama5493

obama5493

obama5493

Level 1
Joined
Mar 14, 2011
Messages
1
Anachron said:
YEah, J4L is a freak when it comes to hacking ;D
Click to expand...

Combining the two would give you an instant exploit like this. However I do congratulate him over this due to the amount of time that it takes to find this sort of thing (reverse engineering and creating an example map is not the easiest things to do).
 

elfian

elfian

elfian

Level 8
Joined
Jun 28, 2008
Messages
356
tooltiperror said:
Why would we? This is potentially useful.
Click to expand...

Actually it isn't:

1. You need to synchronize and SyncStoredX is a fail.
2. You need to make the user edit his registry (at best you can "Preload"-Write a .reg file and tell the user to double click it).

I tried lots of times to develop something with it. Considering the second point is not so important, the first one just ruins all your hopes. I found a 100% working way to synchronize up to 12-bits of data, but it's slow as hell, as it uses selections. :( I'd rather have someone complain to Blizzard to fix the two points above.
 

elfian

elfian

elfian

Level 8
Joined
Jun 28, 2008
Messages
356
*cought* I'll just leave that here... *cought*

*shamelessly introducing his own shit again*

http://www.hiveworkshop.com/forums/triggers-scripts-269/12-bit-integer-synchronization-190586/

The system supports up to 4096 different values per "packet", which means we can send two letters at once (2x 6 bit data).
6-bit data means 64 combinations, which allows us a-z, A-Z, 0-9 + 2 more characters of our own choice.
Experimenting with the system each "packet" takes about 0,1 - 0,2 seconds of time, which means that a save/load encrypted string of 50 characters would send in about 2,5 to 5,0 seconds.

AAAAABBBBBAAAAABBBBBAAAAABBBBBAAAAABBBBBAAAAABBBBB

Any other/better ideas?
 
Last edited:

Newuser

Newuser

Newuser

Level 6
Joined
Jun 14, 2008
Messages
176
Newuser said:
Can someone post on the official battle.net forums (Warcraft 3 section) on the exploit and try to get attention to it ?

The forums are here:
http://forums.battle.net/board.html?forumId=12012

I would but I can't login to the forums for some reason :(.

Thanks in advance to anyone that does post it.
Click to expand...

No really can anyone help >.> ? While this exploit can be used to make interesting maps, it can also cause a lot of harm.
 

Togra_blah

Togra_blah

Togra_blah

Level 4
Joined
Apr 30, 2008
Messages
32
Regarding checking Startup Folder...

When, exactly, is stuff downloaded using the Exploit?

My understanding is that the bogus download initiates @ the map loading screen within Wc3 - is that correct?

IE if i check my startup folder after each time i play the game, am i good to go for ppl using the Startup Folder method?

Also, how many restarts later untill malicious code would be executed, using the Startup Folder method?

I think i read that it was the 2nd restart after the bogus download - is this information accurate?

I ask only b/c if it's the *1st* restart after the bogus download, a BSOD or any other unforseen complication that caused a restart would make the whole checking of Startup Folder method useless.

Basically, i'm trying to grasp the order of operations - from when the initial map code fires to when the resulting download can cause malicious code execution (when using the Startup Folder method).

For the record, i still think a sufficiently skilled person could find a way to cause malicious code execution without going thru the Startup Folder (c:\autoexec.bat is one thing i've seen mentioned), and anyone could trigger large file downloads to waste Hard Disk space and Bandwidth (both of the site being downloaded from, and the user(s) downloading).

Therefore, while i recognize that checking one's Startup Folder can counter some uses of the Exploit, it is not a "fix-all guarentee".

But, then, i guess few things are in situations like this.

Also, Newuser, the Wc3 Forums have rules regarding posting about cheats/hacks/exploits/etc, so one would have to be rather..... careful.

I e-mailed the details of the exploit to [email protected] , called Blizzard and reported it via that venue also, and carefully posted on the Wc3 Forums, so, hopefully, something is in the works....
 

elfian

elfian

elfian

Level 8
Joined
Jun 28, 2008
Messages
356
Togra_blah said:
When, exactly, is stuff downloaded using the Exploit?

My understanding is that the bogus download initiates @ the map loading screen within Wc3 - is that correct?

IE if i check my startup folder after each time i play the game, am i good to go for ppl using the Startup Folder method?

Also, how many restarts later untill malicious code would be executed, using the Startup Folder method?

I think i read that it was the 2nd restart after the bogus download - is this information accurate?

I ask only b/c if it's the *1st* restart after the bogus download, a BSOD or any other unforseen complication that caused a restart would make the whole checking of Startup Folder method useless.

Basically, i'm trying to grasp the order of operations - from when the initial map code fires to when the resulting download can cause malicious code execution (when using the Startup Folder method).

For the record, i still think a sufficiently skilled person could find a way to cause malicious code execution without going thru the Startup Folder (c:\autoexec.bat is one thing i've seen mentioned), and anyone could trigger large file downloads to waste Hard Disk space and Bandwidth (both of the site being downloaded from, and the user(s) downloading).

Therefore, while i recognize that checking one's Startup Folder can counter some uses of the Exploit, it is not a "fix-all guarentee".

But, then, i guess few things are in situations like this.

Also, Newuser, the Wc3 Forums have rules regarding posting about cheats/hacks/exploits/etc, so one would have to be rather..... careful.

I e-mailed the details of the exploit to [email protected] , called Blizzard and reported it via that venue also, and carefully posted on the Wc3 Forums, so, hopefully, something is in the works....
Click to expand...

Goddamn it. The last few lines just make me wanna grab you by your neck and strangle you.

The map CAN create a file to any location in your computer.
The map CANNOT download a file.
The map CANNOT execute the file.
The map CANNOT run any malicious code.
The map CANNOT read any file UNLESS the user allowed that in the registry manually.

The startup folder executes the files it contains when you log in your account. In other words, AFTER REBOOTING YOUR WHOLE SYSTEM.

The created file CAN download another file.
The created file CAN execute another file.
The created file CAN run malicious code.

With this said, the Tools you download off hiveworkshop are hundreds of times potentially more dangerous than all the maps that exist taken together.

razor21 said:
Does this mean we can create an online ranking system? Like high scores on wc3? Awesome!
Click to expand...

Hardly, but achievable. And would require a manual intervention of the regular player to allow you to read local files.
 

Ironside

Ironside

Ironside

Level 22
Joined
Feb 3, 2009
Messages
3,292
elfian said:
Goddamn it. The last few lines just make me wanna grab you by your neck and strangle you.

The map CAN create a file to any location in your computer.
The map CANNOT download a file.
The map CANNOT execute the file.
The map CANNOT run any malicious code.

The startup folder executes the files it contains when you log in your account. In other words, AFTER REBOOTING YOUR WHOLE SYSTEM.

The created file CAN download another file.
The created file CAN execute another file.
The created file CAN run malicious code.

With this said, the Tools your download off hiveworkshop are hundreds of times potentially more dangerous than all the maps that exist taken together.
Click to expand...

Couldn't have explained it better myself, anyway I'm sure they won't patch it, so we don't have to worry (I hope).
 

Togra_blah

Togra_blah

Togra_blah

Level 4
Joined
Apr 30, 2008
Messages
32
J4L mentioned autoexec.bat ...

http://www.thehelper.net/forums/sho...o-virus-in-Warcraft-III?p=1307753#post1307753

"This means either the Startup folder in the start menu for Windows XP, or something like C:\autoexec.bat"

I better grasp the functionality now tho, thank you elfian.

By the looks of it, it is indeed the 2nd restart after you play the map that anything malicious could actually be ready to run.

http://www.thehelper.net/forums/sho...o-virus-in-Warcraft-III?p=1301291#post1301291

I guess untill it's tested and confirmated that something other than the Startup Folder method is viable, checking it does indeed offer a solid solution.

I wish i'd never found out about this - then ppl who want it to stay wouldn't butt heads with me, and i'd've saved myself worry aplenty.

"Ignorance is bliss" after all, but, "What's done is done."
 

Gekigengar

Gekigengar

Gekigengar

Level 16
Joined
Aug 20, 2009
Messages
1,552
Quote:
Originally Posted by razor21
Does this mean we can create an online ranking system? Like high scores on wc3? Awesome!
Click to expand...
Hardly, but achievable. And would require a manual intervention of the regular player to allow you to read local files.
Click to expand...

Then someone should start trying to make an online high score system! it might be very usefull for the growth of Wc3 mapping ! :D
 
Status
Not open for further replies.

Similar threads

PurplePoot
  • Locked
New Hosted Project--Diablo III Warcraft
Replies
18
Views
3K
povivval
povivval
TriggerHappy
  • Locked
Warcraft III - Patch 1.31 PTR
8 9 10
Replies
462
Views
121K
Dr Super Good
Dr Super Good
StoPCampinGn00b
  • Locked
Warcraft III Anniversary Week
2
Replies
77
Views
18K
Archian
Archian
Archian
  • Locked
Warcraft III: Reforged PTR – Version 1.33.0
2
Replies
82
Views
12K
The Nightmare Book
The Nightmare Book
Archian
  • Locked
The new Diablo III community site is now live!
Replies
16
Views
3K
Miss_Foxy
Miss_Foxy
Top