Thread: Censorship
07/31/17, 07:51 AM   #10
Sordrak
Join Date: May 2017
Posts: 52
Originally Posted by Dolby
You did; however, I missed that comment. I have reached out to cyxui for more details on this matter. Thanks for pointing that out.

I agree this is a bit concerning. I am also going over all the posts that were deleted.

Correct, what is in the exe is the most important, and you are correct that we don't decompile every release; we spot check. We do, however, always scan via VirusTotal, but that will only catch known signatures.

I don't see it being able to download and execute an exe; it writes lua. When I look at an exe I look more at how it could remote execute something like installing a key logger, etc. You're saying the author could re-write his AddOn and do something to users in game via said AddOn. That is also bad since we are not able to review the lua that is sent down. I think maybe he needs to change it so lua isn't written, it writes to some txt file and the AddOn reads the data from it?
-A lot of things are very concerning. That is exactly my point. It might be legit, it might not. But simply ignoring the risks is wrong. And it should be mentioned at the addon's download page or at least in the comments (as mentioned earlier, it would be buried after too many comments and no one would read it). Yet, that won't happen as the other will delete such posts.

-Which means he just needs to be lucky to get some arbitrary binary (not built from the source) running on esoui users' PCs. I know that the effort to check all of this is high, too high indeed. But I still consider this a security risk. And as you've said, AV software looks for a signature. It is easy to bypass an AV signature. (I won't repeat myself here, you should find more regarding this issue in at least the official ESO forum thread)

-It only writes lua as far as I can tell (I actually only took a short peek at one of the .cs files, so no guarantees here from my side). I'm saying that currently the author is capable of running arbitrary lua code on the clients, yes. And yes, this is bad. He could run different code on different clients (e.g. depending on IP or account name) and he could overwrite the same lua code afterwards and you wouldn't notice. In my opinion this is nothing an addon should be capable of. Your suggestion likely won't work. He uses the manipulated lua files as a "proxy" between the game and the exe. The game itself wouldn't be capable of reading .txt files, therefore he uses the lua files (incl. /reloadui) to transfer the data back from the exe to the client. Yet, he has full control over all the lua code. I currently do not see a solution to this issue.

edit: typos

Last edited by Sordrak : 07/31/17 at 07:53 AM.
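Added example, not part of the original post and not code from the addon or ESOUI: if the lua files the exe rewrites are only meant to carry data back to the game, a reviewer or user can audit a written file to confirm it holds nothing but literal table assignments. The global name `ExchangeData` and both samples are constructed assumptions, and the checker is a conservative whitelist rather than a full Lua parser, so it may reject some harmless files.

```python
import re

# Whitelist tokenizer: anything outside these forms (parentheses, ':', '.',
# operators, '==', long brackets '[[ ]]', block comments) fails to match.
TOKEN = re.compile(r"""
    (?P<skip>\s+|--(?!\[)[^\r\n]*)
  | (?P<str>"(?:[^"\\\r\n]|\\.)*"|'(?:[^'\\\r\n]|\\.)*')
  | (?P<num>-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)
  | (?P<name>[A-Za-z_]\w*)
  | (?P<punct>=(?!=)|[{}\[\],;])
""", re.VERBOSE | re.ASCII)
LITERAL_NAMES = {"true", "false", "nil"}

def audit_lua_data(text, allowed_globals):
    """Return a list of findings; an empty list means the text is data-only."""
    tokens, pos = [], 0
    while pos < len(text):
        line = text.count("\n", 0, pos) + 1
        m = TOKEN.match(text, pos)
        if not m:
            return [f"line {line}: disallowed syntax at {text[pos:pos + 20]!r}"]
        if m.lastgroup != "skip":
            tokens.append((m.lastgroup, m.group(), line))
        pos = m.end()
    findings, depth = [], 0
    for i, (kind, value, line) in enumerate(tokens):
        if kind == "punct" and value in "{}":
            depth += 1 if value == "{" else -1
            if depth < 0:
                return findings + [f"line {line}: unbalanced '}}'"]
        elif kind == "name" and value not in LITERAL_NAMES:
            # A name may only be an assignment target or a table key, never a
            # value or a call such as f"..." or f{...}.
            nxt = tokens[i + 1][1] if i + 1 < len(tokens) else None
            if nxt != "=":
                findings.append(f"line {line}: name {value!r} used as value or call")
            elif depth == 0 and value not in allowed_globals:
                findings.append(f"line {line}: unexpected global {value!r}")
    if depth != 0:
        findings.append("unbalanced '{' at end of file")
    return findings

# Constructed samples (hypothetical file contents, not taken from the addon).
GOOD = '''-- data written by the helper exe
ExchangeData = { ["prices"] = { [45061] = 12.5, [45062] = -3 }, ok = true }
'''
BAD = '''-- same table, followed by code
ExchangeData = { updated = "2017-07-31" }
EVENT_MANAGER:RegisterForEvent("x", EVENT_PLAYER_ACTIVATED, function() end)
'''
if __name__ == "__main__":
    print(audit_lua_data(GOOD, {"ExchangeData"}), audit_lua_data(BAD, {"ExchangeData"}))
```

This is a point-in-time audit of one file: it does not address the concern above that the file can be overwritten again later, and it says nothing about what the exe itself does.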