The exploit is CONFIRMED! Patch 1.27 is vulnerable to arbitrary code execution!!!
So, I just found a way to typecast values again in patch 1.26. With this trick I can perform an I2C and execute raw JASS bytecode, which in turn allows me to read and write memory from the game process, allowing me to execute arbitrary machine code from inside a map!
I thought the release of patch 1.27, only about 3 weeks after I discovered the exploit, was an indication that they were going to fix it. But they didn't; they didn't modify anything in the JASS VM since patch 1.26. I didn't have to change anything in my code, I just ran it in the new patch, and it worked.
This thread discusses not only the exploit, but also the possibility of developing an unofficial community-driven custom patch for Warcraft. This patch would not only fix the security issue, but could also introduce many new features into the game. With time, we could even implement everything in the [thread=257163]1.27 wish list[/thread] by ourselves.
Now, before saying that such a thing would be impossible, impractical, or would not work in Battle.net, please read all posts under this thread, especially my [post=2792981]latest post[/post]. Here follows my original post, before I had finished the exploit:
A brief history of Warcraft
In the prehistoric days of pre-1.20 Warcraft, some unknown guy found the marvelous "Return Bug" thing - the ability to typecast values from one type into another with no restrictions.
Quickly everyone learned about it, and started using it to store things in the gamecache. This gave rise to a whole new generation of map making - modders were able to do things that were never thought to be possible.
At that time, everything was wonderful. Every big map started using this thing, everyone was happy, and so was Blizzard - after all, it's not every day that a major bug in your product becomes its most valuable feature.
Then around the time of the 1.23 patch, the Warcraft community was stunned by some (Russian?) guy who found a very dangerous exploit: through the use of I2C, that guy managed to execute arbitrary machine code from inside a map.
Suddenly the world came down in an instant. This thing violates every known principle of computer security. At that time the Warcraft community was much bigger than it is now. People used to join battle.net and play custom maps they had never seen before. So, hackers started to make maps that infect the players' computers with viruses as soon as they join the game. Added to the fact that most users run Warcraft as Administrator, this allowed them to easily take control of their machines.
So, things couldn't stay as they were. Blizzard was forced to do something as quick as possible. But this exploit was based on the famous "Return Bug", the most valuable thing they have. Every popular map was using it, DotA was using it, so how could they solve this security problem without breaking every map?
As we all know, they came out with a very clever solution. They removed the ability to typecast values, and gave us Hashtables in exchange. Map makers quickly adapted, and everything was good again.
Until now...
The present state of Warcraft III
- Warcraft III is now an ancient game. People don't play it anymore - the size of its community is now exponentially smaller than it once was.
- Blizzard doesn't seem to support the game anymore. The last patch was released 5 years ago. Blizzard's main source of profit is Starcraft II - they don't make money from Warcraft anymore.
- There are rumors that they could release a new patch. To be honest, I'm very skeptical about this. Some guy pointed out that their site is announcing job positions for development of "classic games", in which WC3 is included. One can assume that no development is being made on WC3 while those job positions are still vacant.
As you can see, things have changed. They are not as they used to be in the times of 1.23. At that time they were able to quickly fix the major security issue. But will they do it now?
What if I told you that I just found a way to do I2C in the 1.26 patch?
The future, and the possibilities
Ok, so what happens if people with intentions not as good as mine become aware of this thing? Either Blizzard will release a quick fix. Or they will simply not care! And what happens if they choose to do that? Will the game definitely die?
I've been thinking, why do we need Blizzard to do everything for us? Just look at the amount of things that people are requesting in the [thread=257163]1.27 wish list[/thread]. I'm pretty sure many people in the community are capable of implementing some of those things by themselves, so what do we need Blizzard for?
We could easily create a community-driven unofficial patch for Warcraft, to add all the features we have always dreamed about. It could be made open-source, so that everyone could contribute. And look, we already have Sharpcraft as a starting point.
But no one uses Sharpcraft natives in map making. Why? I know, it's because it requires the end user to install custom stuff on their computer, as opposed to just joining a map in b.net and having it automatically downloaded.
But what if every Warcraft player in the world had Sharpcraft installed? What if it was so popular, that nobody would install one without the other? Think about Firefox and Greasemonkey. Browser scripts have become so popular, that it's no crime if they require Greasemonkey to be installed.
Of course, Sharpcraft doesn't have that much popularity. The average Warcraft player doesn't even know that it exists. But I see a way that this could change: if the game is now unsafe, and hackers start to put viruses on maps, people will start looking for a solution.
And if Blizzard doesn't provide that solution, we can. I could easily fix that bug myself, and then Sharpcraft (or whatever the community custom patch would be called) will become very popular. Every "newbie tutorial" you find on the internet, teaching noobs how to "download and install Warcraft", will also teach them how to install the custom patch, to "make the game safer".
Obviously this patch will do much more than just a security fix. With time, we could implement everything in the 1.27 wish list, without waiting for Blizzard's good will. We will end up with a very powerful game engine that will have complete support for all existing resources, but will also be completely free from the current Warcraft III limitations.
If I succeed in executing arbitrary code,
What do you think? Is a custom community-driven patch for Warcraft viable?
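The post summarizes the bug class in three steps: a verifier that lets a function return a value of the wrong type (the "Return Bug"), a runtime that trusts the declared return type (the typecast), and an integer-to-code cast (I2C) that makes the VM execute bytes the script itself wrote into memory. The following toy typed VM is an added illustration of that class; it is not JASS, not Blizzard's VM, and not the author's exploit. Everything in it (the `ToyVM` class, the `OP_PRIV` opcode, the one-byte "memory", the `run_exploit` helper) is a constructed assumption chosen to make the mechanism visible. The only difference between the vulnerable and the hardened verifier is whether every `return` is type checked or only the last one.

```python
"""Toy typed stack VM showing the 'return bug' class of type confusion.

Constructed for illustration only: this is not JASS and not Blizzard's VM.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Raw bytecode opcodes understood by the toy VM's execute() loop (assumed).
OP_RET = 0x00   # return from raw bytecode
OP_PRIV = 0x01  # privileged operation the script compiler never emits


@dataclass(frozen=True)
class Value:
    typ: str   # "integer", "handle" or "code"
    val: Any


class VMError(Exception):
    pass


Instr = Tuple[str, ...]   # ("push", Value) or ("return",)


class ToyVM:
    def __init__(self, check_every_return: bool) -> None:
        # True = hardened verifier; False = only the last 'return' is checked
        self.check_every_return = check_every_return
        self.funcs: Dict[str, Tuple[str, List[Instr]]] = {}
        # Flat byte memory. A 'code' value is an address into it.
        self.memory = bytearray(32)
        self.memory[0] = OP_RET        # a legitimate (empty) code object at address 0
        self.privileged_called = False

    def store(self, addr: int, byte: int) -> None:
        """Ordinary integer write, the kind any script is allowed to do."""
        self.memory[addr] = byte & 0xFF

    def define(self, name: str, ret_type: str, body: List[Instr]) -> None:
        """Verifier: reject a body whose 'return' operand does not match ret_type."""
        returns = [i for i, ins in enumerate(body) if ins[0] == "return"]
        if not returns:
            raise VMError("function never returns")
        # The vulnerable verifier looks at the last 'return' only; earlier
        # returns (which are the ones that actually execute) go unchecked.
        to_check = returns if self.check_every_return else returns[-1:]
        for i in to_check:
            if i == 0 or body[i - 1][0] != "push":
                raise VMError("return without operand")
            pushed: Value = body[i - 1][1]
            if pushed.typ != ret_type:
                raise VMError(f"{name}: returns {pushed.typ}, declared {ret_type}")
        self.funcs[name] = (ret_type, body)

    def call(self, name: str) -> Value:
        ret_type, body = self.funcs[name]
        stack: List[Value] = []
        for ins in body:
            if ins[0] == "push":
                stack.append(ins[1])
            elif ins[0] == "return":
                # The runtime trusts the declared type: this is the typecast.
                return Value(ret_type, stack.pop().val)
        raise VMError("fell off end of function")

    def execute(self, c: Value) -> None:
        """Run raw bytecode starting at the address held by a 'code' value."""
        if c.typ != "code":
            raise VMError("execute needs a code value")
        pc = c.val
        while True:
            op = self.memory[pc]
            if op == OP_RET:
                return
            if op == OP_PRIV:
                self.privileged_called = True
                return
            raise VMError(f"bad opcode {op:#x} at {pc}")


def run_exploit(check_every_return: bool) -> bool:
    """Return True if the script reached OP_PRIV through an integer-to-code cast."""
    vm = ToyVM(check_every_return)
    vm.store(10, OP_PRIV)   # step 1: plain integer writes plant bytecode in memory
    i2c_body: List[Instr] = [
        ("push", Value("integer", 10)), ("return",),  # really returns the integer 10
        ("push", Value("code", 0)), ("return",),      # dead code that satisfies a last-return-only check
    ]
    try:
        vm.define("I2C", "code", i2c_body)   # step 2: declared 'returns code'
    except VMError:
        return False                          # hardened verifier rejects it
    code = vm.call("I2C")    # Value("code", 10): integer 10 now typed as code
    vm.execute(code)         # step 3: the VM runs the attacker's bytes at address 10
    return vm.privileged_called


if __name__ == "__main__":
    print("last-return-only verifier exploitable:", run_exploit(False))
    print("every-return verifier exploitable:   ", run_exploit(True))
```

The point of the split is that neither the integer write nor the `execute` primitive is the defect on its own; it is the unchecked coercion between them that turns a script-accessible integer into a code pointer. Removing the typecast, which is what the post says Blizzard did in 1.24, closes the path regardless of how much memory a script can write.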