
Owning Virtual Worlds For Fun and Profit

samzenpus posted more than 3 years ago | from the cash-for-gold dept.

Security 82

Trailrunner7 writes "Threatpost has a guest column by security researcher Charlie Miller on the ways in which attackers can easily take advantage of vulnerabilities in virtual worlds and perhaps online games to get control of other players' characters and avatars and even cash out their real-world bank accounts. From the article: 'It turns out that Second Life uses QuickTime Player to process its multimedia. When I started looking into virtual world exploits, with the help of Dino Dai Zovi, there was a stack buffer overflow in QuickTime Player that had been discovered by Krystian Kloskowski but had not yet been patched. In Second Life it is possible to embed images and video onto objects. We embedded a vulnerable file onto a small pink cube and placed it onto a [tract] of land we owned. No matter where the cube was, if a victim walked onto the land and had multimedia enabled (recommended but not required), they would be exploited. The cube could be inside a building, hovering in the air, or even under the ground, and the result was the same.'"


82 comments

Radio Freq Fingerprinting (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33295432)

forums.qrz.com
Google: XMIT "fm fingerprinting" software
Google: "specific emitter identification"

first post? maybe not, but better than this story!


Hello 911!!!!! (0)

Anonymous Coward | more than 3 years ago | (#33295452)

Someone virtually stole all my virtual money!

  "Yes sir, we'll send someone right over. They will be wearing the white suits."

Re:Hello 911!!!!! (2, Informative)

shadowfaxcrx (1736978) | more than 3 years ago | (#33295606)

Funny, but unlike a normal MMO, Second Life's virtual money is purchased with real money by design. And there have already been property-rights lawsuits over virtual land and items within Second Life.

what about the IRS and profit? IP rights are one t (2, Interesting)

Joe The Dragon (967727) | more than 3 years ago | (#33295778)

what about the IRS and profit? IP rights are one thing but you still owe the tax on them.

Re:what about the IRS and profit? IP rights are on (2, Insightful)

blair1q (305137) | more than 3 years ago | (#33296040)

They don't care what you bought and sold, they want to know you did it and how much you made from it.

Then they want you to add that to your AGI and pay tax on it.

If you buy a virtual item for real money, then sell it for more real money, you are legally required to report the difference as income to the IRS.

Bartering virtual items (gold, swords, etc.) for each other is no different. You take the value you got for it, subtract the value you originally paid for it, and that's your income from the trade, which you have to report (in dollars, not quatloos) on a 1099-B for the year you made the trade. The tricky part is defining the value of something you've never seen traded for real items.

Re:what about the IRS and profit? (0)

Anonymous Coward | more than 3 years ago | (#33296060)

I think the IRS or other relevant tax collection agencies (depending on the country) have yet to pounce on the players of SL's virtual revenues, or we'd have read about it in the conventional dead tree tabloids as a scandalous tax dodge or money laundering scheme by now. Going to be interesting to see what happens if or when they do.

Re:what about the IRS and profit? (1)

shadowfaxcrx (1736978) | more than 3 years ago | (#33296196)

to expand on what I said above, I don't think that's going to happen. What is the point of going after taxes on purchases which most likely average a couple bucks or less? The government would spend much more tracking and prosecuting people "evading" taxes than they would take in.

Re:what about the IRS and profit? (1)

g0bshiTe (596213) | more than 3 years ago | (#33301686)

Just 2 short years ago, I knew several players that were generating some decent income from a game. 1 guy was pulling in $1000 USD per month. 2 women I knew built hair; between them they were pulling in nearly $4000 USD a month, and they ended up pulling in enough per month to lease their own entire sim.

Re:what about the IRS and profit? (1)

shadowfaxcrx (1736978) | more than 3 years ago | (#33305512)

Just two short years ago, "the fundamentals of the economy" were "strong," the housing market was on the rise and, according to bankers, would never stop rising, and people actually had money to spend (even if it was borrowed from Visa). I'd be surprised if the 2 women you're talking about are still selling $4,000 worth of hair drawings per month.

Re:what about the IRS and profit? IP rights are on (1)

shadowfaxcrx (1736978) | more than 3 years ago | (#33296176)

As far as I know (disclaimer: I am not on second life) the tax is rolled into the currency exchange.

If you then buy stuff in game with it, you've already paid sales tax on it by buying the virtual currency, just as you don't have to pay some sort of value-acquisition tax when you get a new sword in WoW because that's part of the game that you paid (and were taxed) for with the monthly subscription fee.

My guess is that the few people making a profit off of selling things in second life (and I doubt there are very many at all, especially in this economy, and especially since if I recall, anything over $100 game dollars is considered crazy expensive, and the exchange rate is something like 1 real dollar to 1,000 game dollars) do owe taxes, and they probably haven't paid because the law is always very slow to adapt to new technology. That's why you can still buy stuff on the internet without paying taxes on it. You're supposed to, but the government hasn't implemented a system to track when you buy something online.

Re:what about the IRS and profit? IP rights are on (0)

Anonymous Coward | more than 3 years ago | (#33303338)

As far as I know (disclaimer: I am not on second life) the tax is rolled into the currency exchange.

...... anything over $100 game dollars is considered crazy expensive, .....

erm.. wrong... i am on second life and 100 lindens don't get you much. a lot of the stores/vendors, even in this economy do very very well indeed.....

i DJ on second life so i don't have to buy any linden dollars and the average tip from each person who wants to tip you is 100 lindens but it has been known to go as high as a thousand on a single tip... doesn't sound much? well i get maybe 5-6000 lindens over a 2 (sometimes 3) hour DJ slot.

multiply that by the 6 slots i do per week in two different clubs and it's not bad at all.

i occasionally buy stuff to wear but generally i save it and cash it in at First Meta Exchange [firstmetaexchange.com] for real world cash and it goes to my paypal account
i do this every 3 months which works out at sometimes around $360 USDs a quarter. i would be MOST put out if someone used an exploit to remove my lindens from my SL account however even at that, every time it goes over 20,000 lindens i transfer the 20,000 to the FMX account to await my quarterly "cashing in".

it buys me geek toys and has come in handy on a few occasions when it has helped pay part of a larger purchase

however 100 lindens, which you reckon is expensive really.. REALLY isn't at all, it's just one step up from the freebie store stuff and mostly , but not all the time, are not the best of items.

Re:what about the IRS and profit? IP rights are on (1)

shadowfaxcrx (1736978) | more than 3 years ago | (#33305488)

That was a typo - I meant $1,000 lindens.

Regarding what you make, that's great, but if the exchange rate is still roughly 4 bucks to $1,000 lindens, then you're making 8-12 bucks an hour. Decent for playing a video game, yes, but hardly a living wage, especially since I doubt the virtual clubs provide employee health insurance ;)

At any rate, $360USD a quarter is nice for an individual who wants to buy a toy at Newegg, but from the government's perspective, they'd probably spend that just in employee wages if they went after people for it. There's a lot of tax violators out there who are violating to the tune of tens if not hundreds of thousands of dollars. It makes a lot more sense to go after the larger dollars than to waste time (and money) chasing chump change.

So... (2, Informative)

Jorl17 (1716772) | more than 3 years ago | (#33295468)

So...we were just told that with every new application comes a new series of security flaws?

That's what keeps the industry running!

Re:So... (1)

TarMil (1623915) | more than 3 years ago | (#33295504)

So...we were just told that with every new application comes a new series of security flaws? That's what keeps the industry running!

Yup, and that's what keeps /. talking.

Re:So... (5, Interesting)

Rei (128717) | more than 3 years ago | (#33295846)

I once coded for a free MMO and discovered a vulnerability in how they handled web autolinking -- you know, when you say something and it turns the text into a clickable link that will open in your web browser. At least for the unix client, they were handling it with popen (I forget how they did it for windows). Just the straight, raw, unmodified string. Talk about a huge freaking command injection target. :P But the people who ran the game were so hesitant to allow any security fixes out of fear that they might break something (yeah, I know... it drove me crazy). They just wanted me to keep coding the special effects system and not say a word of the flaw. It took me writing an exploit for it that would remove all of the files in the user's home directory (or the whole system if they ran the game as root) before they reluctantly agreed to let me patch it. And the exploit was so simple -- all you had to do was to say a particular malformed URL, it'd appear as an innocent link, and anyone who clicked it would be wiped.

They *wouldn't* let me patch lesser security issues, such as those that would actually verify that data being sent back and forth was from who it said it was, to avoid a man-in-the-middle attack. They were purely reliant on the TCP stream; that was their only "security". And they did nothing to maintain a secure channel to prevent sniffing.

Be careful with what you run on your system. :P

Much more innocently, the first thing I ever did along these lines was back in the mid/late '90s and had to do with the MUD client zMud. It had an obscure feature that would let muds embed sound effects; if the mud output a particular string, it'd interpret part of it as a path to a sound file. So I had fun SHOUTing those commands with the path to windows system sounds included and making everyone's computer who used zMud start making noise ;) That was, until I got scolded by a wizard...
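As an added illustration of the bug Rei describes (this is not the MMO's code), here is the flawed popen() pattern next to a launcher that never consults a shell. The launcher name "xdg-open" and the allow-list are the example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not the MMO's code. Rei's client handed the autolinked chat
 * text to popen(), i.e. to /bin/sh. This function only builds that command
 * line so the effect is visible: whatever follows a ';' in the "URL" is a
 * second command as far as the shell is concerned. It is never executed. */
int build_popen_command(const char *link_text, char *out, size_t outlen) {
    /* "xdg-open" is an assumed stand-in for whatever launcher the client used. */
    int n = snprintf(out, outlen, "xdg-open %s", link_text);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Defence in depth: a conservative allow-list for links taken from chat.
 * Only absolute http(s) URLs, a sane length, and a character set without
 * whitespace, control bytes or the usual shell metacharacters
 * (; | ` $ ( ) ' " < > \ [ ] { } * !). '&' stays allowed because query
 * strings need it; the no-shell exec below makes it inert anyway. */
int link_is_acceptable(const char *link) {
    static const char allowed_punct[] = "-._~:/?#@+,=%&";
    size_t i, len = strlen(link);
    if (len == 0 || len > 2048) return 0;
    if (strncmp(link, "http://", 7) != 0 && strncmp(link, "https://", 8) != 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)link[i];
        if (isalnum(c) || strchr(allowed_punct, c)) continue;
        return 0;
    }
    return 1;
}

/* The actual fix: never route the string through a shell. The link is one
 * argv element of a direct exec, so shell syntax inside it has no meaning.
 * Returns 0 if the launcher ran and exited cleanly, -1 on rejection/failure. */
int open_link_without_shell(const char *link) {
    pid_t pid;
    int status;
    if (!link_is_acceptable(link)) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "xdg-open", (char *)link, NULL };
        execvp(argv[0], argv);
        _exit(127);              /* exec failed; never fall back to a shell */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```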

Re:So... (2, Funny)

Sockatume (732728) | more than 3 years ago | (#33299678)

I love technology. You made people's computers burst into noise thousands of miles away, and were reprimanded by a sorcerer. What a great time to be alive.

Re:So... (1)

Vegar (1181915) | more than 3 years ago | (#33300264)

I once coded for a free MMO

This wouldn't happen to be the MMO wherein there is a lot of Entropy, if you know what I mean?

Re:So... (1)

Rei (128717) | more than 3 years ago | (#33304784)

Bingo. ;)

P.S. -- Some of the best special effects I coded were never used. :P But they're still sitting around in the code base, supported by the client -- they just never got added to any maps. For example, blowing 3d leaves that accumulate around objects, then swirl away.

It's a content browser. (3, Insightful)

Securityemo (1407943) | more than 3 years ago | (#33295472)

A program that interacts with a virtual world in this manner is no different from a browser or other client. And clients have historically been a huge source of attack vectors. Now, what would be useful and unique - stealing the user's stuff by infecting the client or MITMing the connection at the client machine (between the client software and the network card.) The admins could easily pick up on this and trace the trail the simoleons/swords/whatever takes - but by then, they could already have been sold for real money to some poor guy who though he got a great deal. Especially in Second Life, where it seems like transactions like that can take place very rapidly.

Re:It's a content browser. (1)

Securityemo (1407943) | more than 3 years ago | (#33296266)

I'm an idiot who doesn't read articles - he did construct shellcode to puppeteer the client's avatar from inside the client program. And it's goddamn awesome.

Re:It's a content browser. (1)

quanticle (843097) | more than 3 years ago | (#33302248)

He doesn't really explain, but he says that he used the shell access that the QuickTime exploit gave him to inject code into the main event loop of the Second Life client. I too would be really interested in knowing how he managed to patch the binary on the fly.

Re:It's a content browser. (1)

Securityemo (1407943) | more than 3 years ago | (#33302526)

You "just" intercept function calls using DLL injection; it's a very useful and basic technique. Another thing you can do with that is process migration from the shellcode, allowing you to hold a system until it's rebooted without creating a separate process, and without touching disk. Take a look at the meterpreter payload from the metasploit project if you want to see a nice example.

Re:It's a content browser. (1)

makomk (752139) | more than 3 years ago | (#33298906)

Now, what would be useful and unique - stealing the user's stuff by infecting the client or MITMing the connection at the client machine (between the client software and the network card.)

Was doable once upon a time, if you had the ability to fake source IP addresses on packets and a bit of patience (or alternatively knew a clever trick to make the server treat you as a trusted part of the Second Life grid). Both issues have now been fixed, but there may be others. Didn't even need to compromise the client.

Malicious file embedded inside a virtual world? (2, Insightful)

clone53421 (1310749) | more than 3 years ago | (#33295476)

SecondLife didn’t balk when they embedded a malformed QuickTime media file on their pink cube?

Even 4chan scans .jpeg files for embedded RAR archives... how hard is it to figure out that a QuickTime file’s structure is invalid?

Re:Malicious file embedded inside a virtual world? (3, Insightful)

Jarik C-Bol (894741) | more than 3 years ago | (#33295506)

It's Second Life, do you really expect anything positive from it? It's the Mos Eisley spaceport of gaming.

Re:Malicious file embedded inside a virtual world? (1)

clone53421 (1310749) | more than 3 years ago | (#33295522)

Yeah. I almost self-replied to that effect, but I figured somebody else would. Thanks...

Re:Malicious file embedded inside a virtual world? (1)

Arancaytar (966377) | more than 3 years ago | (#33299122)

A wretched hive of scum and villainy!

Re:Malicious file embedded inside a virtual world? (0)

Anonymous Coward | more than 3 years ago | (#33305916)

A wretched hive of scum and villainy!

Or, to put it another way [youtube.com]...

Re:Malicious file embedded inside a virtual world? (1)

NekoHunter (794689) | more than 3 years ago | (#33300140)

Wait... did you just reply to a post about 4chan by saying that something *else* is a hive of scum and villainy?

Re:Malicious file embedded inside a virtual world? (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33301492)

Keep in mind that Obi-Wan said "you will never find a more wretched hive of scum and villainy." That implies that there is more than one such hive.

The GP called Second Life the Mos Eisley of Gaming. You will never find a game world that is a more wretched hive yada yada. That doesn't preclude 4chan being the Mos Eisley of the Whole Damned Internet.

Re:Malicious file embedded inside a virtual world? (1)

clone53421 (1310749) | more than 2 years ago | (#33312376)

Yes, but to put the credit where the credit belongs, I directly implied it before he explicitly stated it.

Re:Malicious file embedded inside a virtual world? (1)

Securityemo (1407943) | more than 3 years ago | (#33295566)

Because that's not how it works. Why would you verify an entire file structure instead of just checking that the header looks right? In some cases, this might not be enough as the vulnerable code might be parsing a very odd condition of the file format's contents that didn't show up in testing - in that case, the file will look completely valid, or at least can be made to using poly/metamorphic shellcode that's been split up to cram it inside structures that can fit it. But we're talking a few hundred bytes at most, and in the case of a movie format, you could just put it in the video data.

Granted, I have never done this myself, specifically, but I know it's possible.

Re:Malicious file embedded inside a virtual world? (1)

clone53421 (1310749) | more than 3 years ago | (#33295774)

Why would you verify an entire file structure instead of just checking that the header looks right?

Transcoding perhaps? Every video site I’ve ever uploaded to transcoded the video...

Re:Malicious file embedded inside a virtual world? (1)

Securityemo (1407943) | more than 3 years ago | (#33295832)

Yeah, but in such a case the discussion would be moot; it would probably be extremely unlikely to be able to create a file that, when transcoded, turns into a file that triggers the exploitable condition.

Re:Malicious file embedded inside a virtual world? (1)

MichaelSmith (789609) | more than 3 years ago | (#33295784)

Even 4chan scans .jpeg files for embedded RAR archives... how hard is it to figure out that a QuickTime file’s structure is invalid?

Well fine, but that is a specific check for a known attack. How do you scan for all the unknown attacks?
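The structural check clone53421 asks about, and Securityemo says is not sufficient, as an added example (not Second Life, QuickTime or Linden Lab code): it walks the atom tree and rejects any size field that overruns its container, beside the header-only check. It catches a malformed file but not a well-formed one whose content hits a parser bug, and per sstamps it would have to run wherever the file is actually fetched; the sample files are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example; not Second Life, QuickTime or Linden Lab code. Atom layout
 * (QuickTime / ISO base media): big-endian uint32 size, 4-byte type, and an
 * 8-byte "largesize" after the type when size == 1; size == 0 means the atom
 * extends to the end of its container. */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | (uint64_t)be32(p + 4);
}

/* Atoms whose payload is itself a sequence of atoms. */
static int is_container(const uint8_t *type) {
    static const char *const containers[] = {
        "moov", "trak", "mdia", "minf", "stbl", "dinf", "edts", "udta", NULL };
    for (int i = 0; containers[i] != NULL; i++)
        if (memcmp(type, containers[i], 4) == 0) return 1;
    return 0;
}

/* Returns 1 if buf[0..len) is a well-formed atom sequence, 0 on any
 * structural fault: a header that does not fit, a size smaller than the
 * header itself, or a size that overruns the enclosing container. */
int validate_atoms(const uint8_t *buf, size_t len, int depth) {
    size_t pos = 0;
    if (depth > 16) return 0;                 /* reject absurd nesting */
    while (pos < len) {
        size_t remaining = len - pos;
        size_t hdr = 8;
        uint64_t size;
        if (remaining < 8) return 0;          /* truncated header */
        size = be32(buf + pos);
        if (size == 1) {                      /* 64-bit size follows the type */
            if (remaining < 16) return 0;
            size = be64(buf + pos + 8);
            hdr = 16;
        } else if (size == 0) {               /* runs to end of container */
            size = remaining;
        }
        /* A size the buffer cannot honour is the classic overflow setup. */
        if (size < hdr || size > remaining) return 0;
        if (is_container(buf + pos + 4) &&
            !validate_atoms(buf + pos + hdr, (size_t)size - hdr, depth + 1))
            return 0;
        pos += (size_t)size;
    }
    return 1;
}

/* The cheap check: does the file start with a plausible top-level atom? */
int header_looks_right(const uint8_t *buf, size_t len) {
    return len >= 8 && (memcmp(buf + 4, "ftyp", 4) == 0 ||
                        memcmp(buf + 4, "moov", 4) == 0 ||
                        memcmp(buf + 4, "mdat", 4) == 0);
}

/* Constructed sample (not a real file): ftyp + moov{trak} + mdat. */
const uint8_t GOOD_MOV[] = {
    0,0,0,20, 'f','t','y','p', 'q','t',' ',' ', 0,0,0,0, 'q','t',' ',' ',
    0,0,0,16, 'm','o','o','v', 0,0,0,8, 't','r','a','k',
    0,0,0,12, 'm','d','a','t', 0xde,0xad,0xbe,0xef };

/* Constructed sample with the same header, but trak claims 0x7fffffff bytes. */
const uint8_t BAD_MOV[] = {
    0,0,0,20, 'f','t','y','p', 'q','t',' ',' ', 0,0,0,0, 'q','t',' ',' ',
    0,0,0,16, 'm','o','o','v', 0x7f,0xff,0xff,0xff, 't','r','a','k',
    0,0,0,12, 'm','d','a','t', 0xde,0xad,0xbe,0xef };
```

Both samples pass the header check; only the full walk rejects the second one.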

Because that's not how it works. (4, Informative)

sstamps (39313) | more than 3 years ago | (#33295916)

It is just a URL that you enter into a field in the in-world parcel data. The simulator hands it to the viewer (client/browser) and tells it to play that and put it onto a texture that is drawn on a 3D surface. The viewer hands the URL to Quickslime, which then plays it. SL's backend never sees the video file/data, as it is directly downloaded from the target host specified in the URL.

I suppose you could argue why don't they run some kind of scanner on the URL before allowing it to be posted. Of course, that is pointless for any number of reasons, including:

1) There is no scanner to check all possible video formats that Quickslime plays, nor one which is foolproof in terms of detecting vulnerabilities.
2) Since the file/data is not hosted by Linden Lab, a single scan would be useless, as an attacker could put up a valid file, run the scan, then replace the file with a malicious one anytime afterwards.

Re:Because that's not how it works. (1)

quanticle (843097) | more than 3 years ago | (#33302298)

As long as the data is being transferred from one client to another without any intermediation on the part of Linden Labs, vulnerabilities like this will continue to exist. The solution is to have all data exchange pass through Linden Labs' servers. Of course, whether this is feasible in terms of bandwidth is an entirely different matter.

Re:Because that's not how it works. (1)

sstamps (39313) | more than 3 years ago | (#33302698)

It isn't feasible, and it isn't the direction or intention of Linden Lab to host such content going forward.

For many years now, they have been approaching their viewer design as a "browser", potentially adding the ability to pull assets (textures, sounds, animations, etc) via http from any source. That's sort of what their newest feature "html-on-a-prim" or "media-on-a-prim" is all about; the beginning of a move towards that. It is a good idea, as it allows for the same decentralization of asset services which allows for a more robust set of capabilities for content creation and sharing, as well as taking some of the load off of their backs.

The vulnerability isn't theirs (and it also has been fixed for a long time now), so there really isn't a whole lot they can do about it.

A small pink cube? (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33295478)

Why not just a billboard that says "HOT CHESTY GAY FOX VIXEN YIFF VIDEO HERE!!!"

That would be 7211% more effective considering the outrageously perverse gullibility of the furry fandom.

Captcha: inject. How relevant!

Heh... (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33295528)

You're thinking too small and short term...

The sky's the limit once you gain a foothold on the user's machine.

You can do A LOT if you don't do anything too noticeable or damaging or too much at once.

And many people play games from their work machines. Or from the inside of their 'secure network'.

Can we shut up about SL please? (5, Insightful)

Sycraft-fu (314770) | more than 3 years ago | (#33295584)

Seriously, the media seems to have a massive hard on for Second Life because they think it is the way the Internet ought to go. In reality Second Life is a pretty sub standard MMO with very few players. Why the hell do the fluff stories about it make Slashdot front page news?

Goes double since it sounds like this problem is fairly unique to SL. If you start seeing this in WoW and Aeon and EVE and so on then that's a story. However this is just a case of a poor excuse for an MMO having poor security. This would be the same as posting "Hey, Cadence SBP 16.3 have a security vulnerability and you need to upgrade to 16.3.014!" Nobody gives a shit, at least not enough people for it to be worth front page Slashdot. I understand if there's a security issue in a major OS, or an app that is widely used but in SL? Who cares? Not enough people to make it /. worthy I'd think.

Re:Can we shut up about SL please? (1)

BuckaBooBob (635108) | more than 3 years ago | (#33295668)

Not only that, the exploit is 2 years old.. There is no mention of anything that's recent in the article.. Quite the pointless article.

Re:Can we shut up about SL please? (1)

PietjeJantje (917584) | more than 3 years ago | (#33295714)

You must have been in jail or on a space mission the past few years. Welcome back to Slashdot! Second Life is widely regarded as no longer relevant nowadays.

Re:Can we shut up about SL please? (0)

Anonymous Coward | more than 3 years ago | (#33296214)

"Hey, Cadence SBP 16.3 have a security vulnerability and you need to upgrade to 16.3.141!"

FTFY

--
The cake is a Pi!

Re:Can we shut up about SL please? (1)

Issarlk (1429361) | more than 3 years ago | (#33298908)

Secondlife is not a MMO. That's why you see it as sub standard.

Think of SL as an awesome 3D chatroom with complete creative power given to its user.

Re:Can we shut up about SL please? (1)

elrous0 (869638) | more than 3 years ago | (#33300382)

Second Life has put a *lot* of effort and resources into PR over the years (many developers could learn a thing or two from them in this regard). As a result, their place in pop culture and the media is massively exaggerated. Too many developers neglect promotion in the same way that they neglect good documentation, good design/UI, etc. And that's why Second Life is on "The Office" and no one in the mainstream media has even heard of Linux.

Obviously you don't know what you're talking about (0)

Anonymous Coward | more than 3 years ago | (#33300500)

Second Life isn't a traditional MMO, it's a virtual world with no real point other than exploration and socializing, or crafting and building. The things SL is good at, it is UNEQUALED at. A huge fantasy world where you can create almost anything you can imagine, or do anything you can desire, with little or no supervision. The most wide-open game ever, maybe that ever will be. But hey, feel free to sneer at it as "not an MMO" between pork rinds and sips of Mt. Dew... it's just more interesting to read comments from people who actually know what the hell they are talking about.

Re:Can we shut up about SL please? (1)

kilanash (1114181) | more than 3 years ago | (#33300552)

Seriously, the media seems to have a massive hard on for Second Life...

So does the entire populace of Second Life as well, from what I am told.

Re:Can we shut up about SL please? (1)

tlhIngan (30335) | more than 3 years ago | (#33301752)

Seriously, the media seems to have a massive hard on for Second Life because they think it is the way the Internet ought to go. In reality Second Life is a pretty sub standard MMO with very few players. Why the hell do the fluff stories about it make Slashdot front page news?

Uh... Second Life is mostly dead these days. Everyone's moved to Facebook. Even companies which were racing to set up SL storefronts are abandoning them in droves after it turns out ROI isn't there and it's just costing money. When the recession hit, they basically stopped supporting it. No one's cared about SL for years.

SL maybe was relevant 3 or 4 years ago. It's effectively "dead" now, replaced with the new hotness, Facebook. (These things come and go - remember when everyone was storming on about MySpace?). Facebook's on a slow decline, though, while Twitter seems up and up (for now). The only reason Facebook's not totally dead is people do need their farmville fix. Though even that has iPhone and Android apps these days. Maybe the post-Facebook world is that of gaming hubs like Xbox Live, PSN, OpenFeint and whatever Apple has.

The only reason this is news is it's an interesting way to pwn a machine by having the user willingly do things. It's like doing a raid in WoW, only that killing that monster ends up infecting your PC. Or talking to a supposed NPC loads your PC up with spyware. Effectively, game MMO clients are similar to where web browsers were several years ago, and they're a new line of attack since security is usually only concentrated only on the server side.

Re:Can we shut up about SL please? (1)

RJFerret (1279530) | more than 3 years ago | (#33302722)

Who would care about the games you mentioned? (Although you can play games in SL, the majority of the worldwide users are not "players".) I generate hundreds of dollars annually from my activities in SL, I know others who earn their entire salaries there.

I've never even seen the games you listed, and if there were similar problems with them, I bet a fraction of the people would be affected compared to Second Life.

That being said, I don't presume that similar information shouldn't be shared--in an information sharing medium!

There were a bunch of media stories about SL years ago, before Twitter came along. The media has generally been quiet about SL since. If you don't care, read a story you DO care about instead silly!

Once again Linux not vulnerable (3, Funny)

seeker_1us (1203072) | more than 3 years ago | (#33295634)

No quicktime for Linux :p

Re:Once again Linux not vulnerable (5, Funny)

Anonymous Coward | more than 3 years ago | (#33295734)

The safest airplane is the one that never leaves the ground.

Re:Once again Linux not vulnerable (1)

Securityemo (1407943) | more than 3 years ago | (#33295936)

No. See, that's because it's not an airplane, it's a Jawa Sandcrawler/nuclear submarine hybrid. People try to use it as a plane, and some well-meaning souls have tried to glue wings to it in an effort to at least keep up appearances, but it really works much better without those.

Re:Once again Linux not vulnerable (0)

Anonymous Coward | more than 3 years ago | (#33295944)

Just because there isn't the Apple QuickTime player doesn't mean a Linux user playing Second Life can't play multimedia files.

seeker's point was still reasonable in terms of the idea of a varied ecosystem.

In fact, the vulnerability might not have impacted OSX users of QuickTime either. Who knows.

Re:Once again Linux not vulnerable (1)

Securityemo (1407943) | more than 3 years ago | (#33296292)

It's not about the exploit, it's about using shellcode injected into the client to do fun and profitable stuff. The exploitation vector is just an example.


Today's internal Linden Lab discussion... (5, Informative)

Anonymous Coward | more than 3 years ago | (#33296264)

Here's what happened in one of Linden Lab's internal IRC channel today...

[16:42] [Linden001] hey, we made slashdot: http://it.slashdot.org/story/10/08/18/2154207/Owning-Virtual-Worlds-For-Fun-and-Profit [slashdot.org]
[16:45] [Linden002] fascinating.
[17:11] [Linden003] besides, we enforced the patched version of QuickTime to close this exploit.
[17:12] [Linden003] there is no mention of that in the article either.
[17:14] [Linden003] he's writing about ancient history here (2007) -- it must be slow in the internet security guru business.

Re:Today's internal Linden Lab discussion... (1)

RobertLTux (260313) | more than 3 years ago | (#33296372)

of course thanks to the new SL 2.0 feature of Media On A Prim there can be a huge new set of exploits
(unless they lock down the builtin browser (webkit based))

Re:Today's internal Linden Lab discussion... (1)

makomk (752139) | more than 3 years ago | (#33298920)

Of course, the QuickTime exploit was one of the few Second Life exploits that was actually made public. For example, I had a T-Shirt that would open a remotely-accessible command shell on the wearer's PC in older Second Life client versions (that are no longer in use anywhere). Quietly patched in a new release that was made mandatory a few days later.

Re:Today's internal Linden Lab discussion... (1)

braddeicide (570889) | more than 3 years ago | (#33299980)

[17:14] [Linden003] he's writing about ancient history here (2007) -- it must be slow in the internet security guru business.

Windows users can easily be crashed using this still, but I don't know if it can be used to execute code etc.

Re:Today's internal Linden Lab discussion... (1)

Joe Snipe (224958) | more than 3 years ago | (#33303038)

You know, had the author of TFA used an unpatched exploit as an example there would have been all sorts of clamor about not giving Linden Labs time to patch it. The article itself was on the subject of this attack vector, not this specific vulnerability. Let's not turn Slashdot into a bashing competition, shall we?

Another Solution to This Problem?? (3, Interesting)

NOPerative (1011343) | more than 3 years ago | (#33296284)

Personally, I think a heck of a lot more vulnerabilities like this could be found and/or located if there were a decent, free (as in beer) disassembler out there. You would think that the industry giants would be more than willing to donate funds to such a project, yet I have yet to see anything such as this out there. Now, some of you might say, "Well, just jump on the IDA Pro bandwagon." My answer: "Easier said than done." The IDA folks _require_ you to be associated with a business when purchasing the program, where they can track your every move, mainly because they are paranoid that they might "accidentally" sell their software to a software cracker. The funny thing about this is that most crackers wouldn't even bother purchasing the program and just bittorrent the thing to begin with for free. Anywho, my solution is this: start an open-source-disassembler project, which will hopefully attract industry donations, and then offer users of the software incentives for locating vulnerabilities, such as cash rewards (based on severity), free commercial software/hardware, etc., and maybe we might just be instrumental in creating more security experts in the not-too-distant future.

Re:Another Solution to This Problem?? (1)

UnknownSoldier (67820) | more than 3 years ago | (#33296390)

> if there were a decent, free (as in beer) disassembler out there.

Define decent? :-) You mean interactive?

Hiew or something here doesn't fit the bill?
http://www.thefreecountry.com/programming/disassemblers.shtml [thefreecountry.com]

(Granted, hiew isn't open-source, and technically a hex editor, but it is good.)

Why not clone IDA Pro and OllyDbg?

Re:Another Solution to This Problem?? (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33296684)

A clone of IDA Pro (as in interactive disassembly) with a somewhat intuitive interface would be a good start, although I'm not really sure one would ever say any interactive disassembler could be intuitive :D. As far as HIEW or any other hex editor goes, I'll just say that you can only go "so far" with a hex editor or something like Olly. We'd need something that could auto-disassemble known text and data segments (such as code generated via Visual Studio and known link libraries), leaving us with unknown areas to tackle. We also need to be able to save the file and possibly re-assemble the code, with this ability mainly being used to make sure that we have a correct disassembly of the code and haven't overlooked something. This would also allow us to share disassemblies and work as a collective and group via forums, etc.

The main problem I have with IDA Pro and the like is that the program isn't cheap, and that means that not a whole heck of a lot of otherwise knowledgeable folks are going to be using the program. That is, we need numbers here to turn the tide, and a free, open-source project with incentives might just get enough people interested so that patches can be generated in a quick, timely fashion. In other words, with numbers and good social interaction, we'll locate and "fix" threats quickly, or at least we'll be able to help manufacturers with detailed disassemblies that will help them to zoom in on the problem in a timely fashion. With expensive, closed-source solutions, there just aren't "enough of 'em" out there to make a difference, so zero-day attacks will be destined to rule the roost for the foreseeable future.

Best Regards....

Re:Another Solution to This Problem?? (1)

phantomfive (622387) | more than 3 years ago | (#33297452)

Just out of curiosity, what does IDA Pro do that free disassemblers don't do, and why would it make any difference at all if software crackers can already get IDA Pro from bittorrent?

Not New and this guy is an idiot (0)

Anonymous Coward | more than 3 years ago | (#33297602)

> The bad news was that due to a quirk in the way the virtual world was architected, the malicious file was downloaded straight from the attacker to the victim without going through the Second Life servers.

I'm a security researcher too and I use the Second Life platform all the time; how am I supposed to take this guy seriously after he says that? It was purposely designed this way; it's just a normal HTTP client-to-server relationship.

> No matter where the cube was, if a victim walked onto the land and had multimedia enabled (recommended but not required), they would be exploited.

You're an idiot; the entire exploit requires the multimedia vector to be open, and by disabling media you close the vector. This is true whether it be Media-On-A-Prim or Streaming Media via QuickTime.

> The good news about this exploit was that you couldn't take the "exploit" to other parts of the virtual world. The multimedia is associated with the piece of land and not the object itself. So you couldn't just litter Second Life with little exploit cubes.

I'm assuming you are not talking about Media-On-A-Prim, because that's exactly what you can do; in fact, I've developed a PoC attachment which harvests IP addresses of everyone you walk past who has Media-On-A-Prim enabled.

> The exploit may be something that another avatar whispers to you or an object they hand you or it may be a particular place in the virtual world. Unlike most typical computer attacks, your avatar will be able to see and interact with the "exploit".

Ideally, if you were exploiting people in-world via the Media-On-A-Prim vector or Streaming Media, you'd want the victim to not interact with it at all, let alone see it, else you increase the risk of discovery.

Shades of Neil Stephenson's Snow Crash... (2, Interesting)

pidge-nz (603614) | more than 3 years ago | (#33297714)

[Victim] Oh! Shiny!

*Victim is now a drooling idiot*

Re:Shades of Neil Stephenson's Snow Crash... (1)

GameboyRMH (1153867) | more than 3 years ago | (#33301036)

First Snow Crash reference is waaaay down the page. This is bloody shameful, Slashdot! >:(

I think the exact same attack could work in SL, except you're pwning the client machine instead of the user's brain.

Well I guess you could try to crash the user's brain once you have control of their machine, by running a high-speed horror slideshow of shock images in fullscreen.

Second Life is irrelevant (2, Interesting)

gweihir (88907) | more than 3 years ago | (#33299136)

A small, insignificant niche game that practically nobody plays. For some reason, the press loves it though.

Very easy to crash windows quicktime with images (2, Interesting)

braddeicide (570889) | more than 3 years ago | (#33299960)

We get this a lot; there are many images out there that'll make QuickTime crash. We have an image board for showing things we're talking about, and when we hit a "bad" image all the Windows users disappear (crash) at the same time. A responsible Linux or Mac user then removes the image so they can return ;)