@Talv
Last active April 1, 2024 09:30
StarCraft 2 Custom Games list freeze - technical explanation [2024/03]

UPDATE 29-03-2024: The bug described below was addressed in 5.0.13.92028, released on 26th March. However, not long after, a new exploit is being used in a similar manner: publishing a malformed map and then hosting it publicly triggers a game client crash.

This new variant is harmless: it cannot be exploited to distribute malware or anything of that sort. More info about it is on the SC2 Forum.

The sad part is that it requires an engine-level fix, or server-side validation of published maps. This is not something we, as a community without access to the code, can help with in any way; it's up to Blizzard now.


I'm making this post in response to a recently discovered bug in SC2 that has been actively used within the last week(s). There's a lot of misinformation surrounding it, some failed assumptions etc. I'll attempt to shed some light on it, for users and for Blizzard.

About the bug

It abuses a flaw in the Text Tags / Format Tags (something along the lines of bbcode/mini-HTML, but specific to the SC2 engine). By embedding <img path="//example.org/resource"> within the name of a published map file, they trigger a remote request.

//example.org/resource is a UNC-like path to a remote resource. Under default settings Windows will attempt to resolve the hostname, which involves the local resolver, a DNS request, an ICMP ping, and ultimately an HTTP request using WebDAV.

Because all of this takes place in the rendering thread of SC2, it results in a complete stall of the game until all resources are retrieved or a timeout is reached.

All of that is generally invisible in the game client, so it's hard to understand what's happening when navigating to the custom games list in SC2 (it's not the only view affected by this, but it's the one being most actively abused by the "attacker").

This is how it looks when viewed from https://sc2arcade.com/open-lobbies:

Every <img> is resolved synchronously (while the rendering is stalled); all this spam with //e.io/_ etc. is simply there to prolong it. It can even take up to 10 minutes for SC2 to unfreeze, but it never crashes, which is something I'd like to highlight. The fact that it never crashes by itself is IMO a contributing factor to why this issue was neglected by Blizzard (they don't receive automated reports about it).
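As an added example (not part of the original post, nor code from sc2arcade.com), here is a small Python scanner for the pattern described above: it finds <img> tags in map or lobby names whose path is a UNC-like //host/... reference, collects the hostnames a DNS or hosts-file blocklist would need to cover, and strips the tags for display. The sample names are constructed, and the regexes are my assumption about the tag syntax, not SC2's actual parser.

```python
import re

# Constructed sample map/lobby names (not data from the article). The first two
# are benign: a colour tag and an <img> pointing at a local asset. The last two
# imitate the pattern described above: <img> tags whose path is a UNC-like
# //host/... reference, the last one repeated to prolong the stall.
SAMPLE_NAMES = [
    'Desert Strike <c val="ff0000">HotS</c>',
    'Nexus Wars <img path="Assets/Textures/ui_icon.dds"/>',
    'totally normal map <img path="//example.org/resource>',
    'spam ' + '<img path="//e.io/_">' * 40,
]

# Any <img ...> tag; PATH_RE tolerates a missing closing quote, as in the tag
# quoted in the article above (assumed syntax, not SC2's real grammar).
IMG_TAG_RE = re.compile(r'<\s*img\b[^>]*>', re.IGNORECASE)
PATH_RE = re.compile(r'\bpath\s*=\s*"?([^">\s]+)', re.IGNORECASE)


def remote_img_paths(name: str) -> list[str]:
    """Every <img> path in `name` that points off the local machine.

    A path beginning with // or \\ is a UNC-like reference that the Windows
    redirector resolves over the network (DNS, ICMP, then WebDAV), which is
    what stalls the render thread. Local asset paths are ignored."""
    paths = []
    for tag in IMG_TAG_RE.findall(name):
        m = PATH_RE.search(tag)
        if m is not None:
            path = m.group(1).replace("\\", "/")
            if path.startswith("//"):
                paths.append(path)
    return paths


def hostnames(paths: list[str]) -> list[str]:
    """Distinct hostnames from UNC-like paths (lower-cased, first-seen order);
    this is the list a hosts-file or DNS blocklist would have to cover."""
    hosts: list[str] = []
    for p in paths:
        host = p.lstrip("/").split("/", 1)[0].lower()
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def sanitize(name: str) -> str:
    """Strip every <img> tag before the name reaches a UI that renders format
    tags (the blunt approach the 5.0.13 patch took, per the comments)."""
    return IMG_TAG_RE.sub("", name)


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        paths = remote_img_paths(name)
        print(f"{len(paths):3d} remote img tag(s) {hostnames(paths)} {sanitize(name)[:40]!r}")
```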

https://sc2arcade.com/profile/1/1/20809909/maps

The "attacker" claims they're compromising machines, is it true?

No, it's FUD. They're only able to collect IP addresses. By abusing EICAR test files for AV software, they're able to trigger some false positives in AV software.

About EICAR test file: https://en.wikipedia.org/wiki/EICAR_test_file

curl -s https://web.archive.org/web/20240317095648id_/https://smithparasite.ddns.net/eicar.com | hexyl
┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐
│00000000│ 58 35 4f 21 50 25 40 41 ┊ 50 5b 34 5c 50 5a 58 35 │X5O!P%@A┊P[4\PZX5│
│00000010│ 34 28 50 5e 29 37 43 43 ┊ 29 37 7d 24 45 49 43 41 │4(P^)7CC┊)7}$EICA│
│00000020│ 52 2d 53 54 41 4e 44 41 ┊ 52 44 2d 41 4e 54 49 56 │R-STANDA┊RD-ANTIV│
│00000030│ 49 52 55 53 2d 54 45 53 ┊ 54 2d 46 49 4c 45 21 24 │IRUS-TES┊T-FILE!$│
│00000040│ 48 2b 48 2a             ┊                         │H+H*    ┊        │
└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘

Btw, I've not actually confirmed whether it triggers some AV (as I'm more of a Linux guy, and use Windows only in a VM). But by design it should trigger some proactive AV, as they monitor background activity.

Can I get hacked with this?

Technically, maybe, but no known exploit exists, and the actor behind these "attacks" is more of a script-kiddie. So while technically this vulnerability might have some RCE potential, no known exploit exists, and the person behind this lacks the technical expertise to push it to something

Most importantly: keep your Windows updated. This bug could be exploited from 2 angles:

  1. By finding a vulnerability in the native WebDAV client of Windows, which is highly unlikely given how core it is to the system. The last one reported that I was able to find is from 2005 (https://learn.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-028#workarounds-for-web-client-vulnerability---can-2005-1207). Obviously there might be undisclosed 0-days, but that is not something one should be concerned about, because it's a whole different level: something you can expect from government agencies, not a random script-kiddie.
  2. By finding a vulnerability in SC2 in how it handles a resource received from a remote device. To my knowledge, SC2 will first check the magic header of the file, and will only deal with the DDS, TGA, JPEG and PNG image formats. Thus in order to exploit it further, an "attacker" would have to find a flaw in how SC2 parses these, then actually find a way to turn it into an RCE, and then get through protections like ASLR, DEP, etc. Basically not an easy task; something even a professional security researcher would need to spend many days on.

Thus while technically it's maybe possible to turn it into RCE, it's just highly unlikely. It's something I'd expect from government agencies with many 0-days on hand, and the groups who work for them, not a script-kiddie.

How to protect myself further

Disable WebDav Client Redirector Driver

Launch Windows Terminal with admin privileges, then use the following commands. Call sc.exe explicitly (in PowerShell, plain sc is an alias for Set-Content), and keep the space after start=, which sc.exe requires:

sc.exe config MRxDAV start= disabled
sc.exe stop MRxDAV

Further technical information: https://revertservice.com/10/mrxdav/

Disable WebClient service

sc.exe config WebClient start= disabled
sc.exe stop WebClient

Further technical information: https://revertservice.com/10/webclient/


The above will prevent Windows from establishing a connection with a remote machine. However, from the quick tests I've done, it'll still attempt to resolve the hostname and possibly trigger an ICMP ping, so unfortunately it won't help with game stalls.

Is it safe to disable these Windows features?

Yes, completely, unless you're using WebDAV (if you don't know the word, you're not using it).

These features are deprecated anyway, and are planned to be removed from future versions of Windows 11 and 10 (AFAIK).

For official info see: https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features

The Webclient (WebDAV) service is deprecated. The Webclient service isn't started by default in Windows. For more information on WebDAV, see WebDAV - Win32 apps. November 2023


Appendix

I'm working on a .SC2Layout patch that can sanitize and suppress these format tags within the GlueUI (that's how the Blizzard/SC2 teams refer to the in-game menus), which I intend to submit to Harstem / Ahli / whoever else is in contact with the "intern".

However, I'd urge Blizzard to raise the priority of this ticket and get someone to actually fix it in the code. I'm not sure if the "intern" will accept my patch, and ultimately it won't really fix the root issue, which will still be present in the game client and possible to abuse within custom mods/arcade maps etc.


I might later add more info to this thread; I just wanted to get the information out there relatively quickly.

@MadProbe

That means that it is a Windows-only bug, or at least SC2's MacOS version is unaffected.

@IIEleven11

IIEleven11 commented Mar 17, 2024

I was attempting to dig a bit on this. I was running WPA and trying to trace/scan/log the crash. I found during this that I was able to then go to Customs after adjusting to windowed mode.

Steps to reproduce:
Start WPA, also check the "Network" box. Then hit Start.
Log in to SC2.
Change into windowed mode.
Click on "Customs".
You should not crash here.
Note: clicking on lobbies from this point does trigger the crash.

This tells us a few things:

  • Resource Allocation and Priority Changes: When WPR is running, it may have altered the way system resources are allocated or changed the priorities of certain processes. This could've possibly resolved the deadlock.

  • Heisenbug Phenomenon: Quite possibly the steps taken to route around the crash were complete luck.

  • Differences in System Load: the extra load from WPR could alter timings enough to avoid the crash condition.

I don't have much experience with such low-level analysis and concepts. So I am just hoping this info can help. I am attempting to read the .etl, but every time I make one they end up corrupted somehow.

@ybw0014

ybw0014 commented Mar 18, 2024

Here is the hosts file, which blocks all domains used by the attacker. Made on March 17, by djrvywfbjr.
https://pastebin.com/FKKf2Wt2

Usage:
Open any text file editor (no Word) in admin mode, then use it to open C:\Windows\System32\drivers\etc\hosts.
Append the content to your hosts file, and save.
Then these suspicious lobbies will not freeze your game, unless the attacker adds a new domain that the list does not include.

UPDATE on March 21: updated the list to include new domains from attack maps on Asia server (only affects Chinese clients though).
UPDATE on March 24: updated the list for new domains on NA server.

@ansonl

ansonl commented Mar 18, 2024

Nice write up! To the point and easy to understand. The other guy's hosts file patch works well for now.

@VladP00

VladP00 commented Mar 18, 2024

"Can I get hacked with this?

Technically, maybe, but no known exploit exists, and the actor behind these "attacks" is more of a script-kiddie"

Don't you think it's a bit premature to call this person a script kiddie when they came up with a method that specifically did not crash the game (hence it not getting picked up by Blizzard's automated thing)?

@Talv
Author

Talv commented Mar 19, 2024

@VladP00

Don't you think it's a bit premature to call this person a script kiddie when they came up with a method that specifically did not crash the game (hence it not getting picked up by Blizzard's automated thing)?

No, I do not. It's merely a coincidence, don't you see that? If it was an actual attack, then the effort at making it look dumb is quite admirable. I've been monitoring this guy's activities (a bit of an overstatement: I kept an eye on it from time to time, due to the work that maintaining the sc2arcade.com site involves; I'm the owner). So I've seen some of their past attempts, and based on that I did build an idea of what they're capable of.

The SC2 arcade community generally knows who's behind it, and it's not this guy's first rodeo when it comes to SC2 and the way they're abusing certain bugs. I just try to keep the article strictly technical.

That said, if someone with actual expertise tried to exploit it, I'd take it more seriously. But currently it's just a DoS with the potential to collect IP addresses... the effort of doing that is laughable, and what will they do with these IP addresses even, lol? Nowadays CGNAT is common, and any competent ISP ships a router with a built-in firewall etc.; not to mention dynamic IP addresses, which are as common as CGNAT.

@Talv
Author

Talv commented Mar 19, 2024

FWIW, when it comes to workarounds I do recommend following @ybw0014's comment, as it'll help to avoid game stalls if this incident repeats in the following days.

@IIEleven11

IIEleven11 commented Mar 19, 2024

I put the hosts file edits into a .ps1 script if anyone wants to disperse it. I had to upload it: LINK TO SCRIPT HERE. No zips or .ps1 files are allowed to be shared here. Once downloaded, double-click it and it will edit their hosts file for them, then pause to allow them to read what's going on.

@Talv
Author

Talv commented Mar 20, 2024

I'm working on a .SC2Layout patch that can sanitize and suppress these format tags within the GlueUI (that's how the Blizzard/SC2 teams refer to the in-game menus), which I intend to submit to Harstem / Ahli / whoever else is in contact with the "intern".

@Ahli
Here it goes: SC2Mapster/SC2GameData#1

@OrnateBaggage45

While I appreciate the community's efforts to address this issue, I believe a more permanent solution is necessary to ensure the security of Starcraft 2 players. Specifically, I urge Blizzard to block remote connections from img tags altogether. This unintended feature creates an unnecessary attack surface subject to vulnerabilities associated with the now-deprecated WebDAV protocol and is not present in Mac clients.

Furthermore, patching the client code (also known as "glue" code) does not fully resolve the root cause of this issue. Any arcade map developer could potentially craft a map that silently connects to a remote server and downloads remote resources unbeknownst to the user, thereby exposing users to the same security risks associated with this vulnerability.

@IIEleven11

Right, but we're working with what we've got here. We are limited, and ultimately the most ideal fix would have to come from Blizzard. That fact doesn't negate our attempts. We're all aware these are just band-aid fixes with clear holes.

@oldsharkface

It appears that Blizzard has implemented a fix with today's patch. There are a handful of bugged lobbies open per SC2arcade, but the client is working fine over here.

Can someone else confirm whether this is the case for everyone?

@ybw0014

ybw0014 commented Mar 26, 2024

The img tag is disabled entirely in the patch.
Those lobbies will not stall the game any more.

@Talv
Author

Talv commented Mar 29, 2024

UPDATE 29-03-2024: The bug described in the original post was addressed in 5.0.13.92028, released on 26th March. However, not long after, a new exploit is being used in a similar manner: publishing a malformed map and then hosting it publicly triggers a game client crash.

This new variant is harmless: it cannot be exploited to distribute malware or anything of that sort. More info about it is on the SC2 Forum.

The sad part is that it requires an engine-level fix, or server-side validation of published maps. This is not something we, as a community without access to the code, can help with in any way; it's up to Blizzard now.

@Talv
Author

Talv commented Mar 29, 2024

For research purposes, below is an example of a malformed map file document that has been published on the Battle.net server (US region) and used to trigger game crashes.

{
  "authorToonHandle": {
    "app": "S2",
    "profileId": 13289903,
    "realmId": 1,
    "regionId": 1
  },
  "authorToonName": {
    "app": "S2",
    "battleTag": "Smith#1619",
    "realmId": 1,
    "regionId": 1
  },
  "clusterChildren": [],
  "clusterParent": 0,
  "createdTime": 0,
  "firstPublicPublishTime": 1711661504,
  "header": {
    "id": 357932,
    "version": 65536
  },
  "headerCacheHandle": {
    "hash": "8033fe0c63f73ff09fac885c1bba40fce2d191145541fa32eea62015b710e800",
    "region": "us",
    "type": "s2mh"
  },
  "isCluster": false,
  "isExtensionMod": false,
  "isHiddenLobby": false,
  "isLatestVersion": true,
  "isLinked": true,
  "isLocked": false,
  "isMelee": false,
  "isMod": false,
  "isPrivate": false,
  "isSkipInitialDownload": false,
  "labels": [],
  "lastPublishTime": 1711661504,
  "mainLocale": "enUS",
  "mapSize": 403629,
  "name": "nnnnnnnnnasfas",
  "transitionId": 0,
  "uploadTime": 1711661504
}

@jaraco

jaraco commented Mar 29, 2024

It appears that Blizzard has implemented a fix with today's patch. There are a handful of bugged lobbies open per SC2arcade, but the client is working fine over here.

Can someone else confirm whether this is the case for everyone?

As of today, clicking Custom in Starcraft II crashes the app on my Apple Silicon Mac.

@macdaddy69

I want to dispel the myth that this problem doesn't affect MacOS clients. It absolutely does. I've been crashing for the last 2-3 weeks every time I click Custom and the lobbies start populating. Occasionally, like last night, I was able to load the lobby list and click over into Melee which is where I spend 99% of my time anyway.

@Talv
Author

Talv commented Mar 30, 2024

The current exploit (which was used for the first time on 27th March 2024) definitely does affect all platforms, including the Wine compatibility layer for Linux.

That wasn't the case for the original bug described in the article, which wouldn't affect Wine, because Wine doesn't implement the functionality the exploit relied on. As far as MacOS goes, I don't really know, but people who use that platform didn't report any issues before and started now, which seems to indicate that MacOS originally wasn't affected, so I'm not sure how true this statement is:

I've been crashing for the last 2-3 weeks

It shouldn't be the case prior to 27th March. But it is definitely the case now.

@macdaddy69

It's been affecting me for a couple of weeks now. Only occasionally at first, though I didn't realize what the issue was at the time. Obviously, it only affected me when a jacked entry was in the lobby. The more popular the bug has gotten, the more prevalent the people taking advantage of it. Personally, I would perma-ban anyone found in the lobby using the bug. No exceptions.
