The Amazing World of Terraria!

Terraria is one of those games that's SUPER hard not to love — with a steady 35-40k active players on Steam and a massive, passionate modding community :3 I've personally spent wayyy too many hours building cool bases and fighting bosses (the Empress of Light is still my fav!). At the heart of the modding community is tModLoader, this super powerful and actively maintained framework that makes customising Terraria a total breeze!

I've used it myself for AGES and, honestly, it works really well. The UI is clean, installing mods is stupid easy, and I've never had issues with crashes or anything serious. But there's one major security issue with it that I think everyone should be aware of... and it's kinda scary when you think about it?!

Terraria's Awesome Multiplayer

Let's first acknowledge the fact that Terraria has amazing multiplayer, and I believe it works great :3 You're able to host your own server, join others easily via Steam, and sooo much more. My friends and I have spent countless nights building massive bases together & it's always been a blast!

Plus, playing modded Terraria in multiplayer works just fine! The community has done a fantastic job making sure mods don't break the multiplayer experience. Like, you can have Calamity, Thorium, and a bunch of QOL mods all running together without everything exploding, which is pretty impressive tbh.

The Modding Experience

When using tModLoader, you're able to install mods locally from the Steam Workshop etc, and writing mods isn't exactly difficult. Like Terraria & tModLoader, they're written in C#, and you aren't really limited in what you're able to do using mods, which I believe is pretty cool :P

I've even written a few simple mods myself (nothing fancy, just some new items & a boss or 2 :3). The documentation is pretty good & there's a ton of examples to learn from!

The DANGEROUS Vulnerability!!

Here's where things get scary... When joining someone's Terraria world, usually via Steam or a Server, as long as it's modded, if you do not have the provided mods installed, they will be automatically downloaded from the client/server onto your computer!!!

Which I believe is extremely dangerous or even stupid, as it's not like it retrieves mod IDs and attempts to find them on the Steam Workshop (which would be at least a bit safer). Instead, it downloads ANY type of mod, including ones that are stored locally on the host's computer!

Realistically, anyone can create a mod, meaning a malicious person could technically place dangerous code within a mod, ask you to join their Terraria server/world, and as you're joining the world, the mods from their world are downloaded onto your computer then loaded, no matter the source of the mods, no matter what they contain! :O

Like, imagine if someone you barely know from Discord was like "hey wanna join my modded world?" and suddenly you're downloading potentially harmful code without even knowing it? It's kinda terrifying when you think about it! I believe this is also SUPER common primarily because of Terraria's Discord L2P channel :P

Have you ever thought about what might be in those mods you're auto-downloading? Probably not, cuz most of us just wanna play the game with our friends!

Staying Safe While Playing Modded?

Apart from them providing a setting to disallow mods from being downloaded from servers (which is on by default??) you can't really do too much, and I don't believe this setting even applies when joining others via Steam 😭

tModLoader Setting

On a UNIX-based system you're likely able to sandbox it via Flatpaks & more, although apart from that on Windows you're quite limited..

Overall, best advice is just not to join random people on Terraria, best to play it within your friend groups :3
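
One check you can run yourself, as an added example (not code from tModLoader or from this post): snapshot your mods folder before a session and compare afterwards, so any mod file that a server or host pushed onto your machine shows up by name. It assumes mods are stored as `.tmod` files in a single folder; the folder path and baseline file are arguments you supply, and the script itself is hypothetical tooling.

```python
"""Snapshot a mods folder and report what changed after a multiplayer session."""
import hashlib
import json
import sys
from pathlib import Path

MOD_EXT = ".tmod"  # assumption: mods are stored as .tmod files


def snapshot(mods_dir):
    """Map each mod file name to the SHA-256 of its contents."""
    result = {}
    for path in sorted(Path(mods_dir).iterdir()):
        if path.is_file() and path.suffix.lower() == MOD_EXT:
            result[path.name] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff(before, after):
    """Return mod files that are new, modified or gone since the baseline."""
    return {
        "added": sorted(set(after) - set(before)),
        "changed": sorted(n for n in set(before) & set(after) if before[n] != after[n]),
        "removed": sorted(set(before) - set(after)),
    }


def main(argv):
    # usage: script.py baseline|check <mods_dir> <baseline.json>
    mode, mods_dir, baseline_file = argv[1], argv[2], Path(argv[3])
    current = snapshot(mods_dir)
    if mode == "baseline":
        baseline_file.write_text(json.dumps(current, indent=2))
        print(f"recorded {len(current)} mod(s)")
        return 0
    report = diff(json.loads(baseline_file.read_text()), current)
    for kind in ("added", "changed", "removed"):
        for name in report[kind]:
            print(f"{kind.upper():8} {name}")
    # Non-zero exit when something new or modified appeared, so a launcher script can react.
    return 1 if report["added"] or report["changed"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This only tells you after the fact that something new arrived, since a mod downloaded while joining is loaded as part of joining; it doesn't block anything.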

Proof of Concept

Let's say this is our mod; all it does is run "calc.exe" once it's loaded.

using System.Diagnostics;
using Terraria.ModLoader;

namespace owo
{
    public class owo : Mod
    {
        public override void Load()
        {
            Process.Start("calc.exe");
        }
    }
}

When, let's say, a friend of mine joins my Terraria world via Steam,

https://youtu.be/fw1H7NqMKuw

Their calculator will be opened, as shown in this video here.

:3

Thank you for reading, I'm not trying to fearmonger or anything, I just think it should be talked about more, as it doesn't really seem to be known about at all?
