Owning Virtual Worlds For Fun and Profit
Trailrunner7 writes "Threatpost has a guest column by security researcher Charlie Miller on the ways in which attackers can easily take advantage of vulnerabilities in virtual worlds and perhaps online games to get control of other players' characters and avatars and even cash out their real-world bank accounts. From the article: 'It turns out that Second Life uses QuickTime Player to process its multimedia. When I started looking into virtual world exploits, with the help of Dino Dai Zovi, there was a stack buffer overflow in QuickTime Player that had been discovered by Krystian Kloskowski but had not yet been patched. In Second Life it is possible to embed images and video onto objects. We embedded a vulnerable file onto a small pink cube and placed it onto a [tract] of land we owned. No matter where the cube was, if a victim walked onto the land and had multimedia enabled (recommended but not required), they would be exploited. The cube could be inside a building, hovering in the air, or even under the ground, and the result was the same.'"
Heh... (Score:1, Interesting)
You're thinking too small and short term...
The sky's the limit once you gain a foothold on the user's machine.
You can do a lot if you don't do anything too noticeable or damaging or too much at once.
And many people play games from their work machines. Or from the inside of their 'secure network'.
what about the IRS and profit? IP rights are one t (Score:3, Interesting)
what about the IRS and profit? IP rights are one thing but you still own the tax on them.
Re:So... (Score:5, Interesting)
I once coded for a free MMO and discovered a vulnerability in how they handled web autolinking -- you know, when you say something and it turns the text into a clickable link that will open in your web browser. At least for the unix client, they were handling it with popen (I forget how they did it for windows). Just the straight, raw, unmodified string. Talk about a huge freaking command injection target. :P But the people who ran the game were so hesitant to allow any security fixes out of fear that they might break something (yeah, I know... it drove me crazy). They just wanted me to keep coding the special effects system and not say a word of the flaw. It took me writing an exploit for it that would remove all of the files in the user's home directory (or the whole system if they ran the game as root) before they reluctantly agreed to let me patch it. And the exploit was so simple -- all you had to do was to say a particular malformed URL, it'd appear as an innocent link, and anyone who clicked it would be wiped.
They *wouldn't* let me patch lesser security issues, such as those that would actually verify that data being sent back and forth was from who it said it was, to avoid a man-in-the-middle attack. They were purely reliant on the TCP stream; that was their only "security". And they did nothing to maintain a secure channel to prevent sniffing.
Be careful with what you run on your system. :P
Much more innocently, the first thing I ever did along these lines was back in the mid/late '90s and had to do with the MUD client zMud. It had an obscure feature that would let MUDs embed sound effects; if the MUD output a particular string, it'd interpret part of it as a path to a sound file. So I had fun SHOUTing those commands with the path to Windows system sounds included and making the computer of everyone who used zMud start making noise ;) That was, until I got scolded by a wizard...
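The two bugs described in this post (chat text handed raw to popen() for autolinking, and a MUD client treating a server-supplied string as a sound-file path) are the same mistake: untrusted game traffic becomes an argument to something that interprets it. The following is an added example, not code from the game in question or from zMud, that contrasts the shell-string approach with an argv-based one and shows an allowlisted lookup for the sound case. The chat lines, the xdg-open launcher and the sound directory are all constructed assumptions.

```python
"""Untrusted chat text turned into links and sound paths: unsafe vs. hardened handling."""
import re
import subprocess
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample chat lines (not from the original game). Lines 2 and 4 contain
# characters a shell would interpret; line 3 uses a scheme a browser launcher should refuse.
SAMPLE_CHAT = [
    "check out http://example.com/guide",
    "free gold here http://example.com/x;echo injected",
    "read this file:///etc/passwd",
    "and this http://evil.example/$(whoami)",
]

URL_RE = re.compile(r"\b(?:https?|file)://\S+")
SHELL_META = set(";&|`$<>(){}\n'\"\\")


def extract_links(line):
    """Autolinker: pull anything that looks like a URL out of a chat line."""
    return URL_RE.findall(line)


def vulnerable_command(url):
    """What a popen()-style handler ends up running: the raw URL pasted into a shell
    command string. Anything in SHELL_META inside the URL is live syntax here."""
    return "xdg-open " + url  # assumed launcher; shown only to make the defect concrete


def has_shell_metachars(text):
    return any(c in SHELL_META for c in text)


def safe_open_argv(url):
    """Return an argv list for the launcher, or None if the URL is rejected.
    Safety comes from argv (no shell ever parses the string), plus a scheme and
    host allowlist so the client cannot be pointed at local files."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if not parts.hostname or not re.fullmatch(r"[A-Za-z0-9.-]+", parts.hostname):
        return None
    # RFC 3986 characters only; rejects whitespace and control bytes.
    if not re.fullmatch(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+", url):
        return None
    return ["xdg-open", url]


def open_link(url, launcher=subprocess.run):
    """Launch the browser without shell=True. Returns True if the URL was accepted."""
    argv = safe_open_argv(url)
    if argv is None:
        return False
    launcher(argv, check=False)  # metacharacters are just bytes inside argv[1]
    return True


# The sound-effect case: never treat the server's string as a path. Map a short
# name onto a fixed directory of shipped sounds instead.
SOUND_DIR = Path("/usr/share/mud-client/sounds")  # assumed location


def resolve_sound(name):
    """Return the file for a server-supplied sound name, or None if it is not a plain name."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", name):
        return None
    return SOUND_DIR / f"{name}.wav"


if __name__ == "__main__":
    for line in SAMPLE_CHAT:
        for url in extract_links(line):
            print(f"{url!r}: shell-risky={has_shell_metachars(url)} argv={safe_open_argv(url)}")
    print(resolve_sound("ding"), resolve_sound("../../Windows/Media/chord"))
```

Note that `safe_open_argv` deliberately does not strip `;` or `$` from the URL: those are legal URL characters, and the fix is that the string never reaches a shell, not that it is scrubbed of characters. The scheme check is what keeps `file://` links from being opened at all.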
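The post also mentions that the game relied on the bare TCP stream and did nothing to verify that a message came from the party it claimed. The smallest fix for that specific gap is a keyed MAC over each message plus a sequence number, so a man-in-the-middle can neither alter nor replay traffic. This is an added illustration, not the game's protocol; the shared key and message bodies are constructed, and it does nothing against sniffing, which needs an encrypted channel such as TLS on top.

```python
"""Per-message authentication for a game protocol: HMAC tag plus sequence number."""
import hashlib
import hmac
import struct

TAG_LEN = 32  # SHA-256 output
HEADER = struct.Struct("!I")  # 4-byte big-endian sequence number


def seal(key, seq, payload):
    """Wire format: seq || payload || HMAC(key, seq || payload)."""
    header = HEADER.pack(seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies the tag before looking at anything else, then enforces strict ordering."""

    def __init__(self, key):
        self.key = key
        self.next_seq = 0

    def accept(self, blob):
        """Return the payload of a genuine, in-order message, or None to drop it."""
        if len(blob) < HEADER.size + TAG_LEN:
            return None
        header, body, tag = blob[:HEADER.size], blob[HEADER.size:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return None
        (seq,) = HEADER.unpack(header)
        if seq != self.next_seq:  # replayed or reordered message
            return None
        self.next_seq += 1
        return body


if __name__ == "__main__":
    key = b"constructed-shared-key"  # in practice derived per session, never hard-coded
    rx = Receiver(key)
    msg = seal(key, 0, b"move north")
    print(rx.accept(msg))        # b'move north'
    print(rx.accept(msg))        # None: replay
    forged = seal(b"wrong-key", 1, b"give 100 gold")
    print(rx.accept(forged))     # None: bad tag
```

Authenticating the stream this way answers "is this really from the other side?"; it says nothing about who can read it, so the sniffing concern in the post still stands until the channel is encrypted.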
Another Solution to This Problem?? (Score:3, Interesting)
Re:Another Solution to This Problem?? (Score:1, Interesting)
A clone of IDA Pro (as in interactive disassembly) with a somewhat intuitive interface would be a good start, although I'm not really sure one would ever say any interactive disassembler could be intuitive :D. As far as HIEW or any other hex editor goes, I'll just say that you can only go "so far" with a hex editor or something like Olly. We'd need something that could auto-disassemble known text and data segments (such as code generated via Visual Studio and known link libraries), leaving us with unknown areas to tackle. We also need to be able to save the file and possibly re-assemble the code, with this ability mainly being used to make sure that we have a correct disassembly of the code and haven't overlooked something. This would also allow us to share disassemblies and work as a collective and group via forums, etc.
The main problem I have with IDA Pro and the like is that the program isn't cheap, and that means that not a whole heck of a lot of otherwise knowledgeable folks are going to be using the program. That is, we need numbers here to turn the tide, and a free, open-source project with incentives might just get enough people interested so that patches can be generated in a quick, timely fashion. In other words, with numbers and good social interaction, we'll locate and "fix" threats quickly, or at least we'll be able to help manufacturers with detailed disassemblies that will help them to zoom in on the problem in a timely fashion. With expensive, closed-source solutions, there just isn't "enough of 'em" out there to make a difference, so zero-day attacks will be destined to rule the roost for the foreseeable future.
Best Regards....
Shades of Neil Stephenson's Snow Crash... (Score:2, Interesting)
[Victim] Oh! Shiny!
*Victim is now a drooling idiot*
Second Life is irrelevant (Score:3, Interesting)
A small, insignificant niche game that practically nobody plays. For some reason, the press loves it though.
Very easy to crash windows quicktime with images (Score:2, Interesting)
Re:Malicious file embedded inside a virtual world? (Score:1, Interesting)
Keep in mind that Obi-Wan said "you will never find a more wretched hive of scum and villainy." That implies that there is more than one such hive.
The GP called Second Life the Mos Eisley of Gaming. You will never find a game world that is a more wretched hive yada yada. That doesn't preclude 4chan being the Mos Eisley of the Whole Damned Internet.