[sldev] Anarchy online in-game web page exploit...

Argent Stonecutter secret.argent at gmail.com
Sat Sep 6 05:30:49 PDT 2008


On 2008-09-05, at 09:35, Gareth Nelson wrote:
> http://securityevaluators.com//content/secondlife.jsp

One of many reasons I don't run streaming video in SL. But you don't  
need streaming video in SL... there's no essential functionality in  
streaming video, and just using it opens you up to a known privacy  
exploit that SL finally provided mitigation for only recently.

My point in bringing this up is to reinforce the warning that complex  
subsystems like this (and Gecko is a much more complex subsystem than  
Quicktime) bring a risk with them. There are three flaws in Anarchy  
Online's HTML wrapper exposed by this attack.

(1) A buffer overflow attack using pre-positioned data.

(2) Their wrapping around the HTML control does not stop parent  
directory traversal attacks. That means that the buffer overflow  
attack isn't even necessary... if you can direct the HTML control to  
any location in the system you can get it to run ActiveX controls in  
the local computer security zone, which bypasses all restrictions in  
the HTML control.

(3) They are using the Internet Explorer browser component rather  
than an open source one, which means that there are fewer eyes on the  
source code (it's interesting to note that Quicktime is also a closed  
source component), and they're exposed (as noted in point 2) to all  
the deep and unfixable vulnerabilities in the "security zones" model.

For Second Life, the third flaw doesn't exist, but the first is  
still a possibility, and while it's easier to close down attacks by  
modifying Gecko than filtering the HTML code fed to the Microsoft  
HTML control it's still a very large, complex, and (from my own  
examination of the code when tracking down a proxy bug in it a few  
years back) poorly documented and poorly factored package.
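The second flaw above is a missing check on what the wrapper lets the embedded browser control load. As an added example (not code from the original post, and not Anarchy Online's or Second Life's own wrapper code), here is the kind of canonicalize-then-allowlist check a wrapper would apply before handing a URL to the control; the allowed host and path prefix are assumed placeholders.

```python
from urllib.parse import urlsplit, unquote
import posixpath

# Constructed policy for a hypothetical in-game HTML wrapper: only this host
# may be loaded, and only pages under this path prefix on it.
ALLOWED_HOSTS = {"www.example.com"}
ALLOWED_PREFIX = "/ingame/"


def canonical_path(raw_path: str) -> str:
    """Return the path the browser would actually resolve.

    Percent-decoding is done twice to catch double-encoded '..' (%252e),
    backslashes are folded to slashes (IE treats them as separators), and
    '.' / '..' segments are collapsed with a single leading slash so that
    '..' can never climb above the root.
    """
    p = unquote(unquote(raw_path)).replace("\\", "/")
    return posixpath.normpath("/" + p.lstrip("/"))


def is_allowed_navigation(url: str) -> bool:
    """True only for http(s) URLs on an allowed host whose canonical path
    stays under ALLOWED_PREFIX.

    file:, res: and similar schemes are refused outright because they would
    render in the local computer zone; traversal attempts are refused because
    they are canonicalized before the prefix comparison, not after.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname            # already lowercased, strips user@ and :port
    if host is None or host not in ALLOWED_HOSTS:
        return False
    path = canonical_path(parts.path or "/")
    root = ALLOWED_PREFIX.rstrip("/")
    return path == root or path.startswith(root + "/")
```

The check happens on the canonical form, so a URL that only looks like it is under the prefix before decoding is refused.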
