
Owning Virtual Worlds For Fun and Profit

Trailrunner7 writes "Threatpost has a guest column by security researcher Charlie Miller on the ways in which attackers can easily take advantage of vulnerabilities in virtual worlds and perhaps online games to get control of other players' characters and avatars and even cash out their real-world bank accounts. From the article: 'It turns out that Second Life uses QuickTime Player to process its multimedia. When I started looking into virtual world exploits, with the help of Dino Dai Zovi, there was a stack buffer overflow in QuickTime Player that had been discovered by Krystian Kloskowski but had not yet been patched. In Second Life it is possible to embed images and video onto objects. We embedded a vulnerable file onto a small pink cube and placed it onto a [tract] of land we owned. No matter where the cube was, if a victim walked onto the land and had multimedia enabled (recommended but not required), they would be exploited. The cube could be inside a building, hovering in the air, or even under the ground, and the result was the same.'"

  • Heh... (Score:1, Interesting)

    by Anonymous Coward on Wednesday August 18, 2010 @07:37PM (#33295528)

    You're thinking too small and short term...

    The sky's the limit once you gain a foothold on the user's machine.

    You can do A LOT if you don't do anything too noticeable or damaging or too much at once.

    And many people play games from their work machines. Or from the inside of their 'secure network'.

  • by Joe The Dragon ( 967727 ) on Wednesday August 18, 2010 @08:08PM (#33295778)

    What about the IRS and profit? IP rights are one thing but you still owe the tax on them.

  • Re:So... (Score:5, Interesting)

    by Rei ( 128717 ) on Wednesday August 18, 2010 @08:17PM (#33295846) Homepage

    I once coded for a free MMO and discovered a vulnerability in how they handled web autolinking -- you know, when you say something and it turns the text into a clickable link that will open in your web browser. At least for the Unix client, they were handling it with popen (I forget how they did it for Windows). Just the straight, raw, unmodified string. Talk about a huge freaking command injection target. :P But the people who ran the game were so hesitant to allow any security fixes out of fear that they might break something (yeah, I know... it drove me crazy). They just wanted me to keep coding the special effects system and not say a word of the flaw. It took me writing an exploit for it that would remove all of the files in the user's home directory (or the whole system if they ran the game as root) before they reluctantly agreed to let me patch it. And the exploit was so simple -- all you had to do was to say a particular malformed URL, it'd appear as an innocent link, and anyone who clicked it would be wiped.

    They *wouldn't* let me patch lesser security issues, such as those that would actually verify that data being sent back and forth was from who it said it was, to avoid a man-in-the-middle attack. They were purely reliant on the TCP stream; that was their only "security". And they did nothing to maintain a secure channel to prevent sniffing.

    Be careful with what you run on your system. :P

    Much more innocently, the first thing I ever did along these lines was back in the mid/late '90s and had to do with the MUD client zMud. It had an obscure feature that would let muds embed sound effects; if the mud output a particular string, it'd interpret part of it as a path to a sound file. So I had fun SHOUTing those commands with the path to Windows system sounds included and making everyone's computer who used zMud start making noise ;) That was, until I got scolded by a wizard...
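
The autolink flaw described in the comment above, shown next to a hardened launcher. This is an added example, not part of the original post and not the game's code; the opener command `xdg-open` and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern the comment describes, kept for contrast and never called here:
 * chat text is pasted into a command line that popen() hands to /bin/sh,
 * so shell metacharacters in the "URL" are interpreted as shell syntax. */
FILE *open_link_unsafe(const char *chat_text) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "xdg-open %s", chat_text); /* assumed opener */
    return popen(cmd, "r");
}

/* Allowlist check: http(s) scheme only, bounded length, and a deliberately
 * narrow character set (stricter than RFC 3986) for everything after it. */
int url_is_safe(const char *url) {
    size_t n = strlen(url), skip;
    if (strncmp(url, "https://", 8) == 0) skip = 8;
    else if (strncmp(url, "http://", 7) == 0) skip = 7;
    else return 0;
    if (n == skip || n > 2048) return 0;
    for (size_t i = skip; i < n; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && !strchr("-._~:/?#@%&=+,", c)) return 0;
    }
    return 1;
}

/* Hardened launch: no shell at all. The URL travels as one argv element,
 * so nothing in it is parsed as a command. Returns the opener's exit
 * status, or -1 if the URL is rejected or the launch fails. */
int open_link(const char *opener, const char *url) {
    if (!url_is_safe(url)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp(opener, opener, url, (char *)NULL);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The scheme check also keeps a chat string from starting with `-` and being read by the opener as an option. A real client would not block in `waitpid` on the browser; that is done here only so the result can be checked.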

  • by NOPerative ( 1011343 ) on Wednesday August 18, 2010 @09:25PM (#33296284) Journal
    Personally, I think a heck of a lot more vulnerabilities like this could be found and/or located if there were a decent, free (as in beer) disassembler out there. You would think that the industry giants would be more than willing to donate funds to such a project, yet I have yet to see anything such as this out there. Now, some of you might say, "Well, just jump on the IDA Pro bandwagon." My answer: "Easier said than done." The IDA folks _require_ you to be associated with a business when purchasing the program, where they can track your every move, mainly because they are paranoid that they might "accidentally" sell their software to a software cracker. The funny thing about this is that most crackers wouldn't even bother purchasing the program and just bittorrent the thing to begin with for free. Anywho, my solution is this: start an open-source-disassembler project, which will hopefully attract industry donations, and then offer users of the software incentives for locating vulnerabilities, such as cash rewards (based on severity), free commercial software/hardware, etc., and maybe we might just be instrumental in creating more security experts in the not-too-distant future.
  • by Anonymous Coward on Wednesday August 18, 2010 @10:17PM (#33296684)

    A clone of IDA Pro (as in interactive disassembly) with a somewhat intuitive interface would be a good start, although I'm not really sure one would ever say any interactive-disassembler could be intuitive :D. As far as HIEW or any other hex editor goes, I'll just say that u can only go "so far" with a hex editor or something like Olly. We'd need something that could auto-disassemble known text and data segments (such as code generated via Visual Studio and known link libraries), leaving us with unknown areas to tackle. We also need to be able to save the file and possibly re-assemble the code, with this ability mainly being used to make sure that we have a correct disassembly of the code and haven't overlooked something. This would also allow us to share dis-assemblies and work as a collective and group via forums, etc.

    The main problem I have with IDA Pro and the like is that the program isn't cheap, and that means that not a whole heck of a lot of otherwise knowledgeable folks are going to be using the program. That is, we need numbers here to turn the tide, and a free, open-source project with incentives might just get enough people interested so that patches can be generated in a quick, timely fashion. In other words, with numbers and good social interaction, we'll locate and "fix" threats quickly, or at least we'll be able to help manufacturers with detailed dis-assemblies that will help them to zoom in on the problem in a timely fashion. With expensive, closed-source solutions, there just isn't "enough of em" out there to make a difference, so zero-day attacks will be destined to rule the roost for the foreseeable future.

    Best Regards....

  • by pidge-nz ( 603614 ) on Thursday August 19, 2010 @01:02AM (#33297714)

    [Victim] Oh! Shiny!

    *Victim is now a drooling idiot*

  • by gweihir ( 88907 ) on Thursday August 19, 2010 @06:08AM (#33299136)

    A small, insignificant niche game that practically nobody plays. For some reason, the press loves it though.

  • by braddeicide ( 570889 ) on Thursday August 19, 2010 @08:39AM (#33299960)
    We get this a lot; there are many images out there that'll make QuickTime crash. We have an image board for showing things we're talking about, when we hit a "bad" image all the Windows users disappear (crash) at the same time. A responsible Linux or Mac user then removes the image so they can return ;)
  • by Anonymous Coward on Thursday August 19, 2010 @10:33AM (#33301492)

    Keep in mind that Obi-Wan said "you will never find a more wretched hive of scum and villainy." That implies that there is more than one such hive.

    The GP called Second Life the Mos Eisley of Gaming. You will never find a game world that is a more wretched hive yada yada. That doesn't preclude 4chan being the Mos Eisley of the Whole Damned Internet.
