
Owning Virtual Worlds For Fun and Profit

Posted by samzenpus
from the cash-for-gold dept.
Trailrunner7 writes "Threatpost has a guest column by security researcher Charlie Miller on the ways in which attackers can easily take advantage of vulnerabilities in virtual worlds and perhaps online games to get control of other players' characters and avatars and even cash out their real-world bank accounts. From the article: 'It turns out that Second Life uses QuickTime Player to process its multimedia. When I started looking into virtual world exploits, with the help of Dino Dai Zovi, there was a stack buffer overflow in QuickTime Player that had been discovered by Krystian Kloskowski but had not yet been patched. In Second Life it is possible to embed images and video onto objects. We embedded a vulnerable file onto a small pink cube and placed it onto a [tract] of land we owned. No matter where the cube was, if a victim walked onto the land and had multimedia enabled (recommended but not required), they would be exploited. The cube could be inside a building, hovering in the air, or even under the ground, and the result was the same.'"
  • So... (Score:3, Informative)

    by Jorl17 (1716772) on Wednesday August 18, 2010 @06:31PM (#33295468)
    So...we were just told that with every new application comes a new series of security flaws?

    That's what keeps the industry running!
    • by TarMil (1623915)

      So...we were just told that with every new application comes a new series of security flaws? That's what keeps the industry running!

      Yup, and that's what keeps /. talking.

    • Re:So... (Score:5, Funny)

      by Securityemo (1407943) on Wednesday August 18, 2010 @06:37PM (#33295524) Journal
      Shhh! Don't tell anyone!
      • by Ihmhi (1206036)

        Aw crap guys, you got the Security Emo all depressed. Now he's gonna try to cut his wrists with a rusty Zip Disk.

        Bad Internet! Bad!

    • Re:So... (Score:5, Interesting)

      by Rei (128717) on Wednesday August 18, 2010 @07:17PM (#33295846) Homepage

      I once coded for a free MMO and discovered a vulnerability in how they handled web autolinking -- you know, when you say something and it turns the text into a clickable link that will open in your web browser. At least for the Unix client, they were handling it with popen (I forget how they did it for Windows). Just the straight, raw, unmodified string. Talk about a huge freaking command injection target. :P But the people who ran the game were so hesitant to allow any security fixes out of fear that they might break something (yeah, I know... it drove me crazy). They just wanted me to keep coding the special effects system and not say a word of the flaw. It took me writing an exploit for it that would remove all of the files in the user's home directory (or the whole system if they ran the game as root) before they reluctantly agreed to let me patch it. And the exploit was so simple -- all you had to do was to say a particular malformed URL, it'd appear as an innocent link, and anyone who clicked it would be wiped.

      They *wouldn't* let me patch lesser security issues, such as those that would actually verify that data being sent back and forth was from who it said it was, to avoid a man-in-the-middle attack. They were purely reliant on the TCP stream; that was their only "security". And they did nothing to maintain a secure channel to prevent sniffing.

      Be careful with what you run on your system. :P

      Much more innocently, the first thing I ever did along these lines was back in the mid/late '90s and had to do with the MUD client zMud. It had an obscure feature that would let muds embed sound effects; if the mud output a particular string, it'd interpret part of it as a path to a sound file. So I had fun SHOUTing those commands with the path to windows system sounds included and making everyone's computer who used zMud start making noise ;) That was, until I got scolded by a wizard...

      • Re: (Score:3, Funny)

        by Sockatume (732728)

        I love technology. You made people's computers burst into noise thousands of miles away, and were reprimanded by a sorcerer. What a great time to be alive.

      • by Vegar (1181915)

        I once coded for a free MMO

        This wouldn't happen to be the MMO wherein there is a lot of Entropy, if you know what I mean?

        • by Rei (128717)

          Bingo. ;)

          P.S. -- Some of the best special effects I coded were never used. :P But they're still sitting around in the code base, supported by the client -- they just never got added to any maps. For example, blowing 3d leaves that accumulate around objects, then swirl away.

  • by Securityemo (1407943) on Wednesday August 18, 2010 @06:32PM (#33295472) Journal
    A program that interacts with a virtual world in this manner is no different from a browser or other client. And clients have historically been a huge source of attack vectors. Now, what would be useful and unique - stealing the user's stuff by infecting the client or MITMing the connection at the client machine (between the client software and the network card.) The admins could easily pick up on this and trace the trail the simoleons/swords/whatever takes - but by then, they could already have been sold for real money to some poor guy who thought he got a great deal. Especially in Second Life, where it seems like transactions like that can take place very rapidly.
    • I'm an idiot who doesn't read articles - he did construct shellcode to puppeteer the client's avatar from inside the client program. And it's goddamn awesome.
      • by quanticle (843097)

        He doesn't really explain, but he says that he used the shell access that the QuickTime exploit gave him to inject code into the main event loop of the Second Life client. I too would be really interested in knowing how he managed to patch the binary on the fly.

        • You "just" intercept function calls using DLL injection; it's a very useful and basic technique. Another thing you can do with that is process migration from the shellcode, allowing you to hold a system until it's rebooted without creating a separate process, and without touching disk. Take a look at the meterpreter payload from the metasploit project if you want to see a nice example.
    • by makomk (752139)

      Now, what would be useful and unique - stealing the user's stuff by infecting the client or MITMing the connection at the client machine (between the client software and the network card.)

      Was doable once upon a time, if you had the ability to fake source IP addresses on packets and a bit of patience (or alternatively knew a clever trick to make the server treat you as a trusted part of the Second Life grid). Both issues have now been fixed, but there may be others. Didn't even need to compromise the client.

  • by clone53421 (1310749) on Wednesday August 18, 2010 @06:32PM (#33295476) Journal

    SecondLife didn’t balk when they embedded a malformed QuickTime media file on their pink cube?

    Even 4chan scans .jpeg files for embedded RAR archives... how hard is it to figure out that a QuickTime file’s structure is invalid?

    • by Jarik C-Bol (894741) on Wednesday August 18, 2010 @06:35PM (#33295506)
      It's Second Life, do you really expect anything positive from it? It's the Mos Eisley spaceport of gaming.
      • Yeah. I almost self-replied to that effect, but I figured somebody else would. Thanks...

      • A wretched hive of scum and villainy!

      • Wait... did you just reply to a post about 4chan by saying that something *else* is a hive of scum and villainy?
        • Re: (Score:1, Interesting)

          by Anonymous Coward

          Keep in mind that Obi-Wan said "you will never find a more wretched hive of scum and villainy." That implies that there is more than one such hive.

          The GP called Second Life the Mos Eisley of Gaming. You will never find a game world that is a more wretched hive yada yada. That doesn't preclude 4chan being the Mos Eisley of the Whole Damned Internet.

        • Yes, but to put the credit where the credit belongs, I directly implied it before he explicitly stated it.

    • Because that's not how it works. Why would you verify an entire file structure instead of just checking that the header looks right? In some cases, this might not be enough as the vulnerable code might be parsing a very odd condition of the file format's contents that didn't show up in testing - in that case, the file will look completely valid, or at least can be made to using poly/metamorphic shellcode that's been split up to cram it inside structures that can fit it. But we're talking a few hundred bytes
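The distinction drawn above, between "the header looks right" and verifying the whole structure, can be made concrete for QuickTime's atom layout (4-byte big-endian size, 4-byte type, containers nesting further atoms). This is an added example, not code from Second Life or the article: a hypothetical `qt_atoms_consistent` walker that rejects atoms whose declared size is smaller than their header or overruns the enclosing bounds. As the comment says, a file that passes such a check can still trigger a parser bug, so this is a sanity filter, not a vulnerability scanner.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Container atom types whose payload is itself a sequence of atoms. */
static const char *containers[] = { "moov", "trak", "mdia", "minf", "stbl",
                                    "dinf", "edts", "udta", NULL };

static int is_container(const unsigned char *type) {
    for (int i = 0; containers[i]; i++)
        if (memcmp(type, containers[i], 4) == 0) return 1;
    return 0;
}

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk atoms in buf[0..len). Returns 1 if every atom is structurally
   consistent, 0 on the first truncated header, undersized atom, size claim
   that overruns the bounds, or pathological nesting depth. */
int qt_atoms_consistent(const unsigned char *buf, size_t len, int depth) {
    size_t off = 0;
    if (depth > 16) return 0;
    while (off < len) {
        if (len - off < 8) return 0;               /* truncated header */
        uint64_t size = be32(buf + off);
        size_t hdr = 8;
        if (size == 0) {                           /* atom extends to end */
            size = len - off;
        } else if (size == 1) {                    /* 64-bit extended size */
            if (len - off < 16) return 0;
            size = ((uint64_t)be32(buf + off + 8) << 32) | be32(buf + off + 12);
            hdr = 16;
        }
        if (size < hdr || size > len - off) return 0;   /* claim out of bounds */
        if (is_container(buf + off + 4) &&
            !qt_atoms_consistent(buf + off + hdr, (size_t)size - hdr, depth + 1))
            return 0;
        off += (size_t)size;
    }
    return 1;
}

/* Constructed sample: ftyp, then moov{udta{free}}; every size is exact. */
static const unsigned char good[] = {
    0,0,0,16, 'f','t','y','p', 'q','t',' ',' ', 0,0,0,0,
    0,0,0,32, 'm','o','o','v',
      0,0,0,24, 'u','d','t','a',
        0,0,0,16, 'f','r','e','e', 0,0,0,0, 0,0,0,0
};

int check_good_sample(void) { return qt_atoms_consistent(good, sizeof good, 0); }

/* Same bytes, but the inner 'free' atom now claims ~4 GB: header still
   "looks right", structure does not. */
int check_bad_sample(void) {
    unsigned char bad[sizeof good];
    memcpy(bad, good, sizeof good);
    bad[32] = 0xFF;                                /* size field of 'free' */
    return qt_atoms_consistent(bad, sizeof bad, 0);
}

int main(void) {
    printf("good sample: %d, oversized atom: %d\n",
           check_good_sample(), check_bad_sample());
    return 0;
}
```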
      • Why would you verify an entire file structure instead of just checking that the header looks right?

        Transcoding perhaps? Every video site I’ve ever uploaded to transcoded the video...

        • Yeah, but in such a case the discussion would be moot; it would probably be extremely unlikely to be able to create a file that, when transcoded, turns into a file that triggers the exploitable condition.
    • Even 4chan scans .jpeg files for embedded RAR archives... how hard is it to figure out that a QuickTime file’s structure is invalid?

      Well fine, but that is a specific check for a known attack. How do you scan for all the unknown attacks?

    • by sstamps (39313) on Wednesday August 18, 2010 @07:25PM (#33295916) Homepage

      It is just a URL that you enter into a field in the in-world parcel data. The simulator hands it to the viewer (client/browser) and tells it to play that and put it onto a texture that is drawn on a 3D surface. The viewer hands the URL to Quickslime, which then plays it. SL's backend never sees the video file/data, as it is directly downloaded from the target host specified in the URL.

      I suppose you could argue why don't they run some kind of scanner on the URL before allowing it to be posted. Of course, that is pointless for any number of reasons, including:

      1) There is no scanner to check all possible video formats that Quickslime plays, nor one which is foolproof in terms of detecting vulnerabilities.
      2) Since the file/data is not hosted by Linden Lab, a single scan would be useless, as an attacker could put up a valid file, run the scan, then replace the file with a malicious one anytime afterwards.

      • by quanticle (843097)

        As long as the data is being transferred from one client to another without any intermediation on the part of Linden Labs, vulnerabilities like this will continue to exist. The solution is to have all data exchange pass through Linden Labs' servers. Of course, whether this is feasible in terms of bandwidth is an entirely different matter.

        • by sstamps (39313)

          It isn't feasible, and it isn't the direction or intention of Linden Lab to host such content going forward.

          For many years now, they have been approaching their viewer design as a "browser", potentially adding the ability to pull assets (textures, sounds, animations, etc) via http from any source. That's sort of what their newest feature "html-on-a-prim" or "media-on-a-prim" is all about; the beginning of a move towards that. It is a good idea, as it allows for the same decentralization of asset services wh

  • Heh... (Score:1, Interesting)

    by Anonymous Coward

    You're thinking too small and short term...

    The sky's the limit once you gain a foothold on the user's machine.

    You can do A LOT if you don't do anything too noticeable or damaging or too much at once.

    And many people play games from their work machines. Or from the inside of their 'secure network'.

  • by Sycraft-fu (314770) on Wednesday August 18, 2010 @06:47PM (#33295584)

    Seriously, the media seems to have a massive hard on for Second Life because they think it is the way the Internet ought to go. In reality Second Life is a pretty sub standard MMO with very few players. Why the hell do the fluff stories about it make Slashdot front page news?

    Goes double since it sounds like this problem is fairly unique to SL. If you start seeing this in WoW and Aeon and EVE and so on then that's a story. However this is just a case of a poor excuse for an MMO having poor security. This would be the same as posting "Hey, Cadence SBP 16.3 has a security vulnerability and you need to upgrade to 16.3.014!" Nobody gives a shit, at least not enough people for it to be worth front page Slashdot. I understand if there's a security issue in a major OS, or an app that is widely used but in SL? Who cares? Not enough people to make it /. worthy I'd think.

    • Not only that, the exploit is 2 years old.. There is no mention of anything that's recent in the article.. Quite the pointless article.

    • You must have been in jail or on a space mission the past few years. Welcome back to Slashdot! Second Life is widely regarded as no longer relevant nowadays.
    • by Issarlk (1429361)
      Secondlife is not an MMO. That's why you see it as sub standard.

      Think of SL as an awesome 3D chatroom with complete creative power given to its user.
    • by elrous0 (869638) *
      Second Life has put a *lot* of effort and resources into PR over the years (many developers could learn a thing or two from them in this regard). As a result, their place in pop culture and the media is massively exaggerated. Too many developers neglect promotion in the same way that they neglect good documentation, good design/UI, etc. And that's why Second Life is on "The Office" and no one in the mainstream media has even heard of Linux.
    • by kilanash (1114181)

      Seriously, the media seems to have a massive hard on for Second Life...

      So does the entire populace of Second Life as well, from what I am told.

    • by tlhIngan (30335)

      Seriously, the media seems to have a massive hard on for Second Life because they think it is the way the Internet ought to go. In reality Second Life is a pretty sub standard MMO with very few players. Why the hell do the fluff stories about it make Slashdot front page news?

      Uh... Second Life is mostly dead these days. Everyone's moved to Facebook. Even companies which were racing to setup SL storefronts are abandoning them in droves after it turns out ROI isn't there and it's just costing money. When the r

    • by RJFerret (1279530)

      Who would care about the games you mentioned? (Although you can play games in SL, the majority of the worldwide users are not "players".) I generate hundreds of dollars annually from my activities in SL, I know others who earn their entire salaries there.

      I've never even seen the games you listed, and if there were similar problems with them, I bet a fraction of the people would be affected compared to Second Life.

      That being said, I don't presume that similar information shouldn't be shared--in an informat

  • by seeker_1us (1203072) on Wednesday August 18, 2010 @06:51PM (#33295634)
    No quicktime for Linux :p
  • by pedantic bore (740196) on Wednesday August 18, 2010 @07:03PM (#33295740)

    I thought we already knew that.

  • by Anonymous Coward on Wednesday August 18, 2010 @08:21PM (#33296264)

    Here's what happened in one of Linden Lab's internal IRC channel today...

    [16:42] [Linden001] hey, we made slashdot: http://it.slashdot.org/story/10/08/18/2154207/Owning-Virtual-Worlds-For-Fun-and-Profit [slashdot.org]
    [16:45] [Linden002] fascinating.
    [17:11] [Linden003] besides, we enforced the patched version of QuickTime to close this exploit.
    [17:12] [Linden003] there is no mention of that in the article either.
    [17:14] [Linden003] he's writing about ancient history here (2007) -- it must be slow in the internet security guru business.

    • Of course, thanks to the new SL 2.0 feature of Media On A Prim there can be a huge new set of exploits
      (unless they lock down the built-in browser (WebKit based))

    • by makomk (752139)

      Of course, the QuickTime exploit was one of the few Second Life exploits that was actually made public. For example, I had a T-Shirt that would open a remotely-accessible command shell on the wearer's PC in older Second Life client versions (that are no longer in use anywhere). Quietly patched in a new release that was made mandatory a few days later.

    • [17:14] [Linden003] he's writing about ancient history here (2007) -- it must be slow in the internet security guru business.

      Windows users can easily be crashed using this still, but I don't know if it can be used to execute code etc.

    • by Joe Snipe (224958)

      You know, had the author of TFA used an unpatched exploit as an example there would have been all sorts of clamor about not giving Linden Labs time to patch it. The article itself was on the subject of this attack vector, not this specific vulnerability. Let's not turn Slashdot into a bashing competition, shall we?

  • by NOPerative (1011343) on Wednesday August 18, 2010 @08:25PM (#33296284) Journal
    Personally, I think a heck of a lot more vulnerabilities like this could be found and/or located if there were a decent, free (as in beer) disassembler out there. You would think that the industry giants would be more than willing to donate funds to such a project, yet I have yet to see anything such as this out there. Now, some of you might say, "Well, just jump on the IDA Pro bandwagon." My answer: "Easier said than done." The IDA folks _require_ you to be associated with a business when purchasing the program, where they can track your every move, mainly because they are paranoid that they might "accidentally" sell their software to a software cracker. The funny thing about this is that most crackers wouldn't even bother purchasing the program and just bittorrent the thing to begin with for free. Anywho, my solution is this: start an open-source-disassembler project, which will hopefully attract industry donations, and then offer users of the software incentives for locating vulnerabilities, such as cash rewards (based on severity), free commercial software/hardware, etc., and maybe we might just be instrumental in creating more security experts in the not-too-distant future.
    • > if there were a decent, free (as in beer) disassembler out there.

      Define decent? :-) You mean interactive?

      Hiew or something here doesn't fit the bill ?
      http://www.thefreecountry.com/programming/disassemblers.shtml [thefreecountry.com]

      (Granted, hiew isn't open-source, and technically a hex editor, but it is good.)

      Why not clone IDA Pro and OllyDbg ?

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        A clone of IDA Pro (as in interactive disassembly) with a somewhat intuitive interface would be a good start, although I'm not really sure one would ever say any interactive-disassembler could be intuitive :D. As far as HIEW or any other hex editor goes, I'll just say that you can only go "so far" with a hex editor or something like Olly. We'd need something that could auto-disassemble known text and data segments (such as code generated via Visual Studio and known link libraries), leaving us with unknown are

    • Just out of curiosity, what does IDA Pro do that free disassemblers don't do, and why would it make any difference at all if software crackers can already get IDA Pro from bittorrent?
  • [Victim] Oh! Shiny!

    *Victim is now a drooling idiot*

    • First Snow Crash reference is waaaay down the page. This is bloody shameful, Slashdot! >:(

      I think the exact same attack could work in SL, except you're pwning the client machine instead of the user's brain.

      Well I guess you could try to crash the user's brain once you have control of their machine, by running a high-speed horror slideshow of shock images in fullscreen.

  • by gweihir (88907) on Thursday August 19, 2010 @05:08AM (#33299136)

    A small, insignificant niche game that practically nobody plays. For some reason, the press loves it though.

  • We get this a lot, there are many images out there that'll make QuickTime crash. We have an image board for showing things we're talking about, when we hit a "bad" image all the Windows users disappear (crash) at the same time. A responsible Linux or Mac user then removes the image so they can return ;)
  • This exploit they are talking about has been in this game and known about for nearly 5 years.
