[sldev] Anarchy online in-game web page exploit...
Argent Stonecutter
secret.argent at gmail.com
Sat Sep 6 05:30:49 PDT 2008
On 2008-09-05, at 09:35, Gareth Nelson wrote:
> http://securityevaluators.com//content/secondlife.jsp
One of many reasons I don't run streaming video in SL. But you don't
need streaming video in SL... there's no essential functionality in
streaming video, and just using it opens you up to a known privacy
exploit that SL finally provided mitigation for only recently.
My point in bringing this up is to reinforce the warning that complex
subsystems like this (and Gecko is a much more complex subsystem than
Quicktime) bring a risk with them. There are three flaws in Anarchy
Online's HTML wrapper exposed by this attack.
(1) A buffer overflow attack using pre-positioned data.
(2) Their wrapping around the HTML control does not stop parent
directory traversal attacks. That means that the buffer overflow
attack isn't even necessary... if you can direct the HTML control to
any location in the system you can get it to run ActiveX controls in
the local computer security zone, which bypasses all restrictions in
the HTML control.
(3) They are using the Internet Explorer browser component rather
than an open source one, which means that there are fewer eyes on the
source code (it's interesting to note that Quicktime is also a closed
source component), and they're exposed (as noted in point 2) to all
the deep and unfixable vulnerabilities in the "security zones" model.
For Second Life, the third flaw doesn't exist, but the first is
still a possibility, and while it's easier to close down attacks by
modifying Gecko than filtering the HTML code fed to the Microsoft
HTML control, it's still a very large, complex, and (from my own
examination of the code when tracking down a proxy bug in it a few
years back) poorly documented and poorly factored package.