Full Report
Massive Multiplayer Online video games are still huge. One of them, made in South Korea, is AION, which is the focus of this post. In the game, a player can purchase and customize a house. The Butler, who manages your house, lets users write custom scripts to play sounds and automate actions. Neat! The scripting engine under the hood is some version of Lua. It runs in a sandbox with many functions stripped out. After some debugging, the researchers were able to enumerate all of the functions defined in _G. After reviewing the list, they found several that were useful for code execution. load() and loadstring() are two easy ones. Using these functions, it's possible to load Lua bytecode that bypasses the bytecode verifier and causes memory corruption. Luckily enough, io wasn't disabled, which makes it very easy to spawn arbitrary processes: io.popen("calc.exe") is enough to do this, for instance. There are several mechanisms to make this "no-click" besides entering the house. OnInit() runs whenever somebody enters the house. Interestingly enough, this gives you code execution on the user's client and not the game server. Still pretty neat!
Analysis Summary
# Vulnerability: Arbitrary Code Execution in AION Client via Housing Scripting Engine
## CVE Details
- CVE ID: Not specified in the provided context.
- CVSS Score: Not specified in the provided context.
- CWE: CWE-94 (Improper Control of Generation of Code ('Code Injection')), and potentially CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) for the memory corruption reachable by loading unverified Lua bytecode.
## Affected Systems
- Products: AION MMO Client (Housing System scripting engine)
- Versions: From 3.0 up to at least 4.8 (private servers are confirmed vulnerable); whether the Retail version is effectively patched is uncertain.
- Configurations: Any standard AION client configuration utilizing the in-game Housing System and its Butler scripting functionality.
## Vulnerability Description
The vulnerability resides in the AION client's in-game scripting engine used within the player housing system, which is based on a sandboxed version of Lua. Researchers discovered that several functions, including `load()` and `loadstring()`, were available within the global execution scope (`_G`). These functions can be used to load untrusted Lua bytecode, potentially bypassing the system's bytecode verifier and leading to memory corruption. Furthermore, the `io` library, specifically `io.popen`, was not disabled, allowing an attacker to execute arbitrary operating system commands (e.g., `io.popen("calc.exe")`). Execution is triggered client-side when a player enters a house containing a malicious script, specifically via the `OnInit()` function, which executes automatically upon script initialization/entry into the house.
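The sandbox weaknesses described in the Full Report and in the description above (`load`/`loadstring` and `io` reachable from `_G`, bytecode accepted by the loader) come down to how the environment handed to user scripts is built. The following is an added example of a hardened sandbox written for this page; it is not AION's engine or the researchers' code. It assumes a host running stock Lua 5.1 or a later version; the host API table (`PlaySound`) and the three script strings are constructed. The script sees only an allowlisted environment with no `load`, `loadstring`, `dofile`, `require`, `io`, `os` or `debug`; precompiled chunks are refused before the bytecode verifier is ever involved; and an instruction budget stops a runaway loop from hanging the client.

```lua
-- Hardened Lua sandbox for user-supplied housing scripts (added example;
-- not AION's actual engine). Assumes plain Lua 5.1 or 5.2+ on the host.

local LUA_SIGNATURE = "\27Lua"   -- header of every precompiled Lua chunk

-- Allowlist: only pure, side-effect-free functions reach the script.
-- load/loadstring/dofile/require/io/os/debug are deliberately absent.
local function make_env(host_api)
  local env = {
    pairs = pairs, ipairs = ipairs, next = next, select = select,
    type = type, tostring = tostring, tonumber = tonumber,
    pcall = pcall, error = error, assert = assert,
    string = { format = string.format, sub = string.sub, len = string.len,
               upper = string.upper, lower = string.lower, find = string.find,
               rep = string.rep, byte = string.byte, char = string.char },
    table = { insert = table.insert, remove = table.remove,
              concat = table.concat, sort = table.sort },
    math = { floor = math.floor, max = math.max, min = math.min,
             abs = math.abs, random = math.random },
  }
  -- Host-provided game API (e.g. PlaySound), copied in one entry at a time.
  for name, fn in pairs(host_api or {}) do env[name] = fn end
  return env
end

-- Compile source text only: a bytecode chunk is refused outright, so the
-- sandbox never relies on the bytecode verifier being correct.
local function compile_source(src, env)
  if type(src) ~= "string" then return nil, "script must be a string" end
  if src:sub(1, #LUA_SIGNATURE) == LUA_SIGNATURE then
    return nil, "precompiled chunks are not accepted"
  end
  local chunk, err
  if setfenv then                      -- Lua 5.1: loadstring + setfenv
    chunk, err = loadstring(src, "=housing")
    if chunk then setfenv(chunk, env) end
  else                                 -- Lua 5.2+: mode "t" means text only
    chunk, err = load(src, "=housing", "t", env)
  end
  return chunk, err
end

-- Run the script in its own coroutine with an instruction budget; the count
-- hook raises an error that surfaces as a failed resume instead of a hang.
local function run_sandboxed(src, host_api, budget)
  local env = make_env(host_api)
  local chunk, err = compile_source(src, env)
  if not chunk then return false, err end
  local co = coroutine.create(chunk)
  debug.sethook(co, function() error("instruction budget exceeded", 2) end,
                "", budget or 100000)
  local ok, res = coroutine.resume(co)
  debug.sethook(co)                    -- clear the hook on that thread
  return ok, res
end

-- Constructed scripts: the snippet from the write-up, a benign script, and a
-- runaway loop. Only the benign one succeeds.
local host = { PlaySound = function(name) return "played " .. name end }
print(run_sandboxed('io.popen("calc.exe")', host))
print(run_sandboxed('return PlaySound("door_open")', host))
print(run_sandboxed('while true do end', host, 1000))
```

The first call fails because `io` is simply `nil` inside the sandbox, the second returns the host API's result, and the third is cut off by the hook. One caveat worth checking in any Lua sandbox of this shape: string values share a metatable whose `__index` is the real `string` library, so `("x").dump` remains reachable even though only a subset of `string` is in the allowlist. That matters less here because bytecode is refused at load time, but a host that wants to hide `string.dump` entirely must also replace that metatable's `__index` on its side.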
## Exploitation
- Status: PoC available (demonstrated via `io.popen("calc.exe")`).
- Complexity: Low (Requires placing a malicious script in a house that the target user visits; execution is automatic via `OnInit()`).
- Attack Vector: Adjacent (The victim must enter the compromised player housing area).
## Impact
- Confidentiality: High (Arbitrary code execution can lead to data theft from the compromised client).
- Integrity: High (Arbitrary code execution allows complete client manipulation).
- Availability: Medium (Can lead to client crashes/denial of service for the affected user).
## Remediation
### Patches
- No specific CVE-related patch version numbers are provided in the context. The vulnerability is noted to potentially be fixed in the latest Retail version, but private/older servers remain vulnerable.
### Workarounds
- Players should avoid visiting houses controlled by untrusted users, especially on older or private server versions (3.0 - 4.8).
## Detection
- Indicators of Compromise: Unexpected execution of arbitrary OS commands from the game client process (e.g., `calc.exe` launching).
- Detection methods and tools: Monitoring outbound network connections or process creation initiated by the AION client process that deviate from expected game activity. Analyzing loaded Lua scripts within the game environment might reveal anomalous bytecode loading attempts.
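As an added example of the two detection approaches listed above (not tooling from the write-up or from AION), the block below does a static scan of housing script text for constructs a sound/automation script never needs, and a process-creation check that flags any child process whose parent is the game client. The script strings, the process-creation records and the client image name `aion.bin` are all constructed for the example; substitute the real client executable name when wiring this to Sysmon or EDR telemetry.

```lua
-- Static vetting of housing scripts plus a process-creation check
-- (added example for this page; not AION's tooling or the researchers' code).
local LUA_SIGNATURE = "\27Lua"   -- header every precompiled Lua chunk starts with

-- Constructs a benign sound/automation script should never need.
local SUSPICIOUS = {
  { "^" .. LUA_SIGNATURE,         "precompiled bytecode chunk" },
  { "\\27",                       "escaped bytecode header inside a string literal" },
  { "%f[%w_]loadstring%s*%(",     "loadstring() call" },
  { "%f[%w_]load%s*%(",           "load() call" },
  { "%f[%w_]dofile%s*%(",         "dofile() call" },
  { "%f[%w_]require%s*%(",        "require() call" },
  { "%f[%w_]io%s*[%.%[]",         "io library access" },
  { "%f[%w_]os%s*[%.%[]",         "os library access" },
  { "%f[%w_]debug%s*[%.%[]",      "debug library access" },
  { "%f[%w_]string%s*%.%s*dump",  "string.dump (bytecode generation)" },
  { "%f[%w_]_G%f[^%w_]",          "reference to _G" },
}

-- Returns the list of labels whose pattern matched; empty means nothing flagged.
local function scan_script(src)
  local findings = {}
  for _, rule in ipairs(SUSPICIOUS) do
    if src:find(rule[1]) then findings[#findings + 1] = rule[2] end
  end
  return findings
end

-- Endpoint side: the game client has no business spawning child processes,
-- so any record whose parent image is the client is worth an alert.
-- `events` mimics Sysmon/EDR process-creation records; `client_image` is the
-- client's executable name ("aion.bin" below is an assumed placeholder).
local function flag_child_processes(events, client_image)
  local hits = {}
  for _, ev in ipairs(events) do
    if ev.parent_image:lower() == client_image:lower() then
      hits[#hits + 1] = ev.image .. " spawned by " .. ev.parent_image
    end
  end
  return hits
end

-- Constructed inputs: the snippet from the write-up, a benign script,
-- a global-enumeration script, and two process-creation records.
local scripts = {
  ['io.popen("calc.exe")']        = "write-up snippet",
  ['PlaySound("door_open")']      = "benign script",
  ['for k in pairs(_G) do end']   = "global enumeration",
}
for src, label in pairs(scripts) do
  print(label .. ": " .. table.concat(scan_script(src), ", "))
end

local events = {
  { parent_image = "aion.bin",     image = "calc.exe" },  -- should be flagged
  { parent_image = "explorer.exe", image = "aion.bin"  },  -- normal launch
}
for _, hit in ipairs(flag_child_processes(events, "aion.bin")) do
  print("ALERT: " .. hit)
end
```

The scanner uses Lua's `%f` frontier pattern so that `io.` is matched only as a whole word (not inside `audio.` or `radio.`), and it deliberately errs toward flagging for human review, since a script author who wants to hide a call can still assemble it from pieces; the process-creation check is the control that does not depend on reading the script at all.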
## References
- Vendor advisories: None provided.
- Relevant links - defanged: `appsec.space/posts/aion-housing-exploit/`