PLEASE READ: Exploit (WARCE): Remote Code Execution through WA

Discuss the games (no level solutions or off-topic, please).

Moderators: ~xpr'd~, tyteen4a03, Stinky, Emerald141, Qloof234, jdl

Post Reply
User avatar
nasko222
Rainbow Master
Posts: 589
Joined: Sat Jul 07, 2018 1:22 pm

PLEASE READ: Exploit (WARCE): Remote Code Execution through WA

Post by nasko222 » Mon Apr 10, 2023 8:47 pm

Hello Everyone. Sorry to ruin your day/evening but I've discovered a dangerous exploit in every WA game, including OpenWA. The exploit takes place in the .wa2/wa3 files that you all share on the internet to share your adventures with. The way these files are compressed allows you to store any file in it, and apply that file to any specific location. The problem comes if you want your file to be player.exe or wg.exe it can potentially overwrite the game files with arbitrary exe file from the sender of the adventure. You can also replace any file on the computer that the game has access to by simply making the packed file name ..\..\ (Two times to exit the adventure folder location) and then (In the examples below) I did Users\Nasko\Desktop\important.txt.

It's different in OpenWA, there if a file is unknown type it tries to unpack it in the root directory of the game, so it's even much easier to replace player.exe because it's in the same directory.

I've attached 3 videos below, one of them is OpenWA, the second one is WA3 editor, and the third one is WA3 editor, replacing any file on the computer

https://cdn.discordapp.com/attachments/ ... -05-59.mp4
https://cdn.discordapp.com/attachments/ ... -23-54.mp4
https://cdn.discordapp.com/attachments/ ... -30-25.mp4


The code analysis is simple.

v11=ReadDir(globaldirname+"\adventures\current\"+v2$)
Repeat
v12$=NextFile(v11)
If (v12$<>"" And (FileType(globaldirname+"\adventures\current\"+v2$+"\"+v12$)=1)) Then
DeleteFile globaldirname+"\adventures\current\"+v2$+"\"+v12$
End If

Without getting too much into it, this snippet deletes file that already exist and replaces them with the new one
The fix should be simple, and the game should check for EXE, DLL and any other potentially dangerous files.

Stay safe everyone...
Last edited by nasko222 on Thu Jun 22, 2023 12:33 am, edited 1 time in total.
User avatar
nasko222
Rainbow Master
Posts: 589
Joined: Sat Jul 07, 2018 1:22 pm

Re: PLEASE READ: Exploit: Remote Code Execution through WA

Post by nasko222 » Mon Apr 10, 2023 8:51 pm

Here's the OpenWA player.exe inject example proof of concept. It will replace player.exe after you launch the game with my exe that just gives message box error.


Edit: Few people messaged me that it's not working. This is for OpenWA, its different for every editor because of directory differences. I think I don't need to release POC for every editor.
Attachments
nasko222#is this level empty.wa3
(96.93 KiB) Downloaded 116 times
User avatar
cloudrac3r
Rainbow Master
Posts: 558
Joined: Fri Nov 13, 2015 7:03 am
Location: New Zealand
Contact:

Further Details

Post by cloudrac3r » Tue Apr 11, 2023 4:20 am

To provide more specific details:
  • This issue only affects the .wa3 file format when it's loaded by the WAE Player.
  • This issue is very similar to the "zip directory traversal attack" (look it up).
  • It can theoretically replace any file on your computer, but the person who created the exploit has to know your computer's username as well as the location where you put your WAE folder.
  • Creating exploits like these can't be done through the standard editor tools, they have to be edited into the .wa3 files by hand.
  • To avoid this issue, the standard "good internet habits" apply: do not download any files that seem suspicious.
  • OpenWA can easily patch this out by changing the Player code so that it refuses to extract any filenames containing "../" or "..\" from a .wa3 file.
User avatar
nasko222
Rainbow Master
Posts: 589
Joined: Sat Jul 07, 2018 1:22 pm

Re: PLEASE READ: Exploit: Remote Code Execution through WA

Post by nasko222 » Tue Apr 11, 2023 4:35 am

For obvious reasons I am not gonna say how I make these files, Also I will refrain from using .wa2 or .wa3 files and will provide wlv and master files for my future adventures
User avatar
nasko222
Rainbow Master
Posts: 589
Joined: Sat Jul 07, 2018 1:22 pm

Re: PLEASE READ: Exploit: Remote Code Execution through WA

Post by nasko222 » Tue Apr 11, 2023 4:38 am

"Editing any file on the computer" can still be done with the first example, AKA, replacing the exe with the fake exe and telling that exe to find particular directory path for example %appdata%
User avatar
cloudrac3r
Rainbow Master
Posts: 558
Joined: Fri Nov 13, 2015 7:03 am
Location: New Zealand
Contact:

File Checker

Post by cloudrac3r » Tue Apr 11, 2023 5:02 am

I made a quick web page that lets you test .wa3 files to see if they are safe or malicious. I don't expect anybody will need it, but better safe than sorry! https://tracks.cadence.moe/wa3-safety
User avatar
nasko222
Rainbow Master
Posts: 589
Joined: Sat Jul 07, 2018 1:22 pm

Re: PLEASE READ: Exploit: Remote Code Execution through WA

Post by nasko222 » Tue Apr 11, 2023 8:32 am

I made new wa3 file that doesnt use "unknown format" but causes havoc, It infects all .savefile.wav and I call it Save corruptor
User avatar
nasko222
Rainbow Master
Posts: 589
Joined: Sat Jul 07, 2018 1:22 pm

Re: PLEASE READ: Exploit: Remote Code Execution through WA

Post by nasko222 » Tue Apr 11, 2023 9:42 am

Damn cadence. I was trying my level where I use the dialogue "Welcome to reality.exe" , I was wondering if your tool will catch ".exe" but it didn't. Good job!
User avatar
nasko222
Rainbow Master
Posts: 589
Joined: Sat Jul 07, 2018 1:22 pm

Re: PLEASE READ: Exploit: Remote Code Execution through WA

Post by nasko222 » Tue Apr 11, 2023 1:39 pm

Just wanted to say one final thing about WARCE (Yes this is how I decided to call this exploit, really primitive I know) before I move on. Originally I was just trying to exploit the level format of the game to include a file called "the_truth.txt" My plan was to make a scavanger hunt outside the game files going to a youtube video then to a discord server and few other places until coming back to the game. I'd never thought I'd discover exe replacing exploit, Scary...

I was also originally afraid to talk about it and I only shared this with one person In my discord DMs, The reason why I was afraid was that I was thinking that people might be afraid to download my levels after I reveal this exploit.

With that I am moving on, I am sure it will get patched by OpenWA, I am not going to patch it in BetterEditor because the .wabe format was never added to the forum and people can just share wlv and dia files on a zip file. And about the old/beta editors, Not many people use it, I'll be cautious from now on.

Sorry if I panicked someone, but at the end of the day it was good that I discovered this and shared the news before anyone with malicious intent did it. I know there are these random accounts that spam on the forums and I am still not sure what's with that but I'm assuming theyre hacked accounts from pwned/weak passwords

That's about it
Last edited by nasko222 on Wed Apr 12, 2023 4:32 am, edited 1 time in total.
User avatar
Jutomi
Rainbow AllStar
Posts: 4364
Joined: Tue Oct 15, 2013 8:42 pm

Re: PLEASE READ: Exploit: Remote Code Execution through WA

Post by Jutomi » Tue Apr 11, 2023 6:17 pm

Aye. I thank you very much for your work in finding this Nasko, and I'm glad that in the end it's nothing game-breaking - just a helpful reminder to all of us that we should be cautious anywhere on the internet. :)

Also, I wouldn't be worried at all about folks being scared to download your content. If you were at all malicious you'd probably have virused some or all of us ages ago. :lol:

Also, thank you very much Cadence for this file checker. I'm not at all too concerned given how tight-nit our community is, but it's fantastic for those of us who do want to play it safe. Many thanks :mrgreen:
Your only little stinker that's absolutely NOT a z-bot by this name,
Jutomi~ :mrgreen:

Also, if you want to see my level list, here it is! :D
(Also: List of Hubs, WA Manual)
Oh, and my YT wonderland channel. Forgot about that.
User avatar
Wonderman109
Rainbow MegaStar
Posts: 3530
Joined: Thu Jun 28, 2012 11:25 pm

Re: PLEASE READ: Exploit: Remote Code Execution through WA

Post by Wonderman109 » Fri Apr 14, 2023 12:59 am

This is just the reality of using 20 year old software. MS couldn't have foreseen these issues at the time, and while you can argue about how his code needs refactoring now, from a contextual perspective it was perfectly fine back when it was made, but it isn't anymore.
garirry
Rainbow Star
Posts: 1665
Joined: Sat Mar 21, 2009 6:18 pm
Location: Canada
Contact:

Re: PLEASE READ: Exploit: Remote Code Execution through WA

Post by garirry » Sun Apr 16, 2023 4:02 pm

Couldn't this also be used in a positive way, to bundle all sorts of custom content without having to get the player to be able to download a single wa3 file instead of multiple separate zip files?
User avatar
Jutomi
Rainbow AllStar
Posts: 4364
Joined: Tue Oct 15, 2013 8:42 pm

Re: PLEASE READ: Exploit: Remote Code Execution through WA

Post by Jutomi » Mon Apr 17, 2023 12:51 pm

To be fair, most recent custom content has been done using a single zip file. The only exception is some users like to link music separately, due to their being in the "Data" folder instead of "Userdata", but I personally chuck those into a single folder as well.

There certainly could be some amusing things you could do with it, and even though I'm personally glad to see this getting amended in OpenWA, one absolutely could still pull something goofy off in the vanilla editor. :P
Your only little stinker that's absolutely NOT a z-bot by this name,
Jutomi~ :mrgreen:

Also, if you want to see my level list, here it is! :D
(Also: List of Hubs, WA Manual)
Oh, and my YT wonderland channel. Forgot about that.
User avatar
cloudrac3r
Rainbow Master
Posts: 558
Joined: Fri Nov 13, 2015 7:03 am
Location: New Zealand
Contact:

Re: PLEASE READ: Exploit: Remote Code Execution through WA

Post by cloudrac3r » Fri Apr 21, 2023 9:55 pm

garirry wrote:
Sun Apr 16, 2023 4:02 pm
Couldn't this also be used in a positive way, to bundle all sorts of custom content without having to get the player to be able to download a single wa3 file instead of multiple separate zip files?
Yes, it can. Hold C and click "compile & exit" in the OpenWA editor (not MNIKEditor). Or it might be Ctrl+Click, I forgot the hotkeys. Any custom content gets packed into the .wa3 file.

This custom content feature hopefully won't be blocked entirely when this issue is patched!
User avatar
Wonderman109
Rainbow MegaStar
Posts: 3530
Joined: Thu Jun 28, 2012 11:25 pm

Re: PLEASE READ: Exploit: Remote Code Execution through WA

Post by Wonderman109 » Thu May 25, 2023 5:04 pm

cloudrac3r wrote:
Fri Apr 21, 2023 9:55 pm
garirry wrote:
Sun Apr 16, 2023 4:02 pm
Couldn't this also be used in a positive way, to bundle all sorts of custom content without having to get the player to be able to download a single wa3 file instead of multiple separate zip files?
Yes, it can. Hold C and click "compile & exit" in the OpenWA editor (not MNIKEditor). Or it might be Ctrl+Click, I forgot the hotkeys. Any custom content gets packed into the .wa3 file.

This custom content feature hopefully won't be blocked entirely when this issue is patched!
So that's one reason to want to use openWA over MNIKE after all.

Wait though, but if you installed MNIKE on OpenWa this should still work right?
User avatar
nasko222
Rainbow Master
Posts: 589
Joined: Sat Jul 07, 2018 1:22 pm

Re: PLEASE READ: Exploit: Remote Code Execution through WA

Post by nasko222 » Thu May 25, 2023 5:08 pm

bro, MNIK Editor is the editor, that ones not affected (at least I havent found out whether if it is wink)
User avatar
Wonderman109
Rainbow MegaStar
Posts: 3530
Joined: Thu Jun 28, 2012 11:25 pm

Re: PLEASE READ: Exploit: Remote Code Execution through WA

Post by Wonderman109 » Fri May 26, 2023 4:25 pm

nasko222 wrote:
Thu May 25, 2023 5:08 pm
bro, MNIK Editor is the editor, that ones not affected (at least I havent found out whether if it is wink)
Okay, I'm not sure I understand.
garirry wrote:
Sun Apr 16, 2023 4:02 pm
Couldn't this also be used in a positive way, to bundle all sorts of custom content without having to get the player to be able to download a single wa3 file instead of multiple separate zip files?
cloudrac3r wrote:
Fri Apr 21, 2023 9:55 pm
garirry wrote:
Sun Apr 16, 2023 4:02 pm
Couldn't this also be used in a positive way, to bundle all sorts of custom content without having to get the player to be able to download a single wa3 file instead of multiple separate zip files?
Yes, it can. Hold C and click "compile & exit" in the OpenWA editor (not MNIKEditor). Or it might be Ctrl+Click, I forgot the hotkeys. Any custom content gets packed into the .wa3 file.

This custom content feature hopefully won't be blocked entirely when this issue is patched!
So is this positive thing caused by the exploit or not?
And which versions does it work in?
As I understand open WA replaces WAE3 while MNIKE just overlays on existing editors, but I'm not a programming whiz like you guys.
Post Reply