Talv/NOTES.md

## NOTES.md

      
    Raw
  

              NOTES.md
            
          
    UPDATE 29-03-2024: Bug described below was addressed in 5.0.13.92028 released on 26th March. However not long since this event, a new exploit is now being used in similar manner - publishing malformed map, then hosting such map publicly, will trigger a game client crash.
This new variant is harmless - cannot be exploited to distribute malware or anything of this sort. More info about it on the SC2 Forum.
The sad part is that it requires an engine-level fix, or a server-side validation of published maps. Not something we - as a community without access to the code - can help in anyway, it's up to Blizzard now.

StarCraft 2 Custom Games list freeze - technical explanation [2024/03]

I'm making this post in response to recently discovered bug in the SC2 that has been actively used within the last week(s). There's a lot of miss-information surrounding it, some failed assumptions etc. I'll attempt to shred some light - for users and Blizzard.
About the bug

It abuses a flaw in the Text Tags / Format Tags (something ala bbcode/mini-html but specific to SC2 engine). By embedding the <img path="//example.org/resource> within the name of published map file they trigger a remote request.
//example.org/resource is an UNC-like path to a remote resource. Under default settings Windows will attempt to resolve the hostname - which will involve local resolver, DNS request, ICMP ping, and ultimately a HTTP request using WebDav.
Due to the fact that all of this takes places in the rendering thread of SC2 it results in complete stall of the game, until all resources are retrieved or timeout is reached.
All of that generally invisible in the game client, thus it's hard to understand what's happening when navigating to the custom games list in SC2 (it's not the only view that's affected by this, but the one that's being most actively ab-used by the "attacker".
This is how it looks like when viewed from the https://sc2arcade.com/open-lobbies

Every <img> is being resolved synchronously (while the rendering is stalled), all this spam with //e.io/_ etc. is simply there to prolong it. Where it can even take up to 10 minutes for SC2 to unfreeze - but it never crashes, which is something I'd like to highlight. The fact that it never crashes by itself, is IMO a contributing factor why this issue was neglected by Blizzard (they don't receive automated reports about it).
https://sc2arcade.com/profile/1/1/20809909/maps

The "attacker" claims they're compromising machines, is it true?

No, it's FUD. They're only able to collect IP addresses. By abusing EICAR test files for AV software they're able to trigger some false-positives in AV software.
About EICAR test file: https://en.wikipedia.org/wiki/EICAR_test_file

❯ curl -s https://web.archive.org/web/20240317095648id_/https://smithparasite.ddns.net/eicar.com | hexyl
┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐
│00000000│ 58 35 4f 21 50 25 40 41 ┊ 50 5b 34 5c 50 5a 58 35 │X5O!P%@A┊P[4\PZX5│
│00000010│ 34 28 50 5e 29 37 43 43 ┊ 29 37 7d 24 45 49 43 41 │4(P^)7CC┊)7}$EICA│
│00000020│ 52 2d 53 54 41 4e 44 41 ┊ 52 44 2d 41 4e 54 49 56 │R-STANDA┊RD-ANTIV│
│00000030│ 49 52 55 53 2d 54 45 53 ┊ 54 2d 46 49 4c 45 21 24 │IRUS-TES┊T-FILE!$│
│00000040│ 48 2b 48 2a             ┊                         │H+H*    ┊        │
└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘
btw. I've not actually confirmed whether it triggers some AV (as I'm more of a Linux guy, and use the Windows only in VM). But by design it should trigger some proactive AV, as they monitor background activity.
Can I get hacked with this?

Technically, maybe, but no known exploit exists, and the actor behind these "attacks" is more a of script-kiddie. So while technically this vulnerability might have some RCE potential, no known exploit exists, and the person behind this lacks technical expertise to push it to something
Most importantly: keep your Windows updated. This bug could be exploited from 2 angles:

By finding a vulnerability in the native WebDav Client of Windows which is highly unlikely given how core it is to the system. Last one reported I was able to find is from 2005 (https://learn.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-028#workarounds-for-web-client-vulnerability---can-2005-1207). Obviously there might be not disclosed 0-days, but that is not something one should be concerned about it, because it's a whole different level - something you can expect from government agencies not a random script-kiddie.
By finding a vulnerability in the SC2 in regards to how it handles received resource from a remote device.. to my knowledge, SC2 will first check the magic header of a file, and will only deal with DDS, TGA, JPEG, PNG image formats. Thus in order to exploit it further, an "attacker" would have to find a flaw in how SC2 parses these, and then actuall find a way to turn it into an RCE.. and then get through the protections like ASLR, DEP, etc. Basically not an easy task. Something even a profoessional security researcher would need to spent many days on.

Thus while technically it's maybe possible to turn it into RCE, it's just highly unlikely. It's something I'd expect from goverment agencies with many 0-days on their hand, and groups who work for them - not a script-kiddie.
How to protect myself further

Disable WebDav Client Redirector Driver

Launch Windows Terminal with admin privileges, then use following commands:
sc config MRxDAV start=disabled
sc stop MRxDAV
Further technical information: https://revertservice.com/10/mrxdav/
Disable WebClient service

sc config WebClient start=disabled
sc stop WebClient
Further technical information: https://revertservice.com/10/webclient/

Above will prevent Windows from establishing connection with a remote machine. However, from the quick tests I've done it'll still attempt to resolve the hostname and possibly trigger ICMP ping - so unfortunately won't help with game stalls.
Is it safe to disable these Windows features?

Yes, completely. Unless you're using WebDAV (if you don't know the word, it means you're not using it).
These features are deprecated anyway, and are planned to be removed from future versions of Windows 11 and 10 (AFAIK).
For official info see: https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features

The Webclient (WebDAV) service is deprecated. The Webclient service isn't started by default in Windows. For more information on WebDAV, see WebDAV - Win32 apps.
November 2023


Appendix

I'm working on a .SC2Layout patch that can sanitize and supress these format tags within the GlueUI (that's how Blizzard/SC2 teams refers to in-game menus), that I intend to submit to Harstem / Ahli / whoever else is in contact with the "intern".
However I'd urge Blizzard to raise priority on this ticket, and get someone to actually fix in the code. Because I'm not sure if "intern" will accept my path, and ultimately it won't really fix the root issue, which will still be present in the game client and possible to abuse within custom-mods/arcade maps etc.

I might later add more info to this thread, just wanted get the information outhere relatively quickly.