Slashdot Mirror


Owning Virtual Worlds For Fun and Profit

Trailrunner7 writes "Threatpost has a guest column by security researcher Charlie Miller on the ways in which attackers can easily take advantage of vulnerabilities in virtual worlds and perhaps online games to get control of other players' characters and avatars and even cash out their real-world bank accounts. From the article: 'It turns out that Second Life uses QuickTime Player to process its multimedia. When I started looking into virtual world exploits, with the help of Dino Dai Zovi, there was a stack buffer overflow in QuickTime Player that had been discovered by Krystian Kloskowski but had not yet been patched. In Second Life it is possible to embed images and video onto objects. We embedded a vulnerable file onto a small pink cube and placed it onto a [tract] of land we owned. No matter where the cube was, if a victim walked onto the land and had multimedia enabled (recommended but not required), they would be exploited. The cube could be inside a building, hovering in the air, or even under the ground, and the result was the same.'"

20 of 82 comments

  1. So... by Jorl17 · · Score: 2, Informative

    So...we were just told that with every new application comes a new series of security flaws?

    That's what keeps the industry running!

    --
    Have you heard about SoylentNews?
    1. Re:So... by Securityemo · · Score: 4, Funny

      Shhh! Don't tell anyone!

      --
      Emotions! In your brain!
    2. Re:So... by Rei · · Score: 5, Interesting

      I once coded for a free MMO and discovered a vulnerability in how they handled web autolinking -- you know, when you say something and it turns the text into a clickable link that will open in your web browser. At least for the Unix client, they were handling it with popen (I forget how they did it for Windows). Just the straight, raw, unmodified string. Talk about a huge freaking command injection target. :P But the people who ran the game were so hesitant to allow any security fixes out of fear that they might break something (yeah, I know... it drove me crazy). They just wanted me to keep coding the special effects system and not say a word of the flaw. It took me writing an exploit for it that would remove all of the files in the user's home directory (or the whole system if they ran the game as root) before they reluctantly agreed to let me patch it. And the exploit was so simple -- all you had to do was to say a particular malformed URL, it'd appear as an innocent link, and anyone who clicked it would be wiped.

      They *wouldn't* let me patch lesser security issues, such as those that would actually verify that data being sent back and forth was from who it said it was, to avoid a man-in-the-middle attack. They were purely reliant on the TCP stream; that was their only "security". And they did nothing to maintain a secure channel to prevent sniffing.

      Be careful with what you run on your system. :P

      Much more innocently, the first thing I ever did along these lines was back in the mid/late '90s and had to do with the MUD client zMud. It had an obscure feature that would let muds embed sound effects; if the mud output a particular string, it'd interpret part of it as a path to a sound file. So I had fun SHOUTing those commands with the path to Windows system sounds included and making everyone's computer who used zMud start making noise ;) That was, until I got scolded by a wizard...

      --
      If you can't connect the dots at this point, it's because the dots are too f***ing close together.
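The pattern Rei describes above, as an added example that is not the game's own code (the page does not show it) and not part of the original thread: chat text is pasted into a command line that a shell will parse, so a "URL" can carry a second command. The example also shows why a character filter is not enough: every byte in the payload below is legal in a URL under RFC 3986, yet the shell still splits it into `rm -rf $HOME` via `$IFS`. The fix is to exec the handler directly with the URL as one argv element, never through a shell. The handler name `xdg-open`, the `launch_url` function and the payload string are assumptions for illustration; `/bin/echo` stands in for a browser so the demo is harmless.

```c
/* Added example, not the MMO client's code Rei describes: shell-built URL
 * handoff versus a direct exec.  Handler name and payload are illustrative. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The vulnerable approach: splice chat text into a command string that will be
 * handed to popen()/system().  Whatever the chatter typed becomes shell syntax.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_shell_command(char *out, size_t outlen, const char *url)
{
    int n = snprintf(out, outlen, "xdg-open %s", url);   /* assumed handler */
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Syntactic check: http(s) scheme and only characters RFC 3986 permits.
 * Note that the permitted set includes ';', '$', '&', '(' and ')', so this
 * filter cannot stop shell injection; it only rejects whitespace and junk. */
int url_is_plausible(const char *url)
{
    static const char *allowed = "-._~:/?#[]@!$&'()*+,;=%";
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (const char *p = url; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && !strchr(allowed, c))
            return 0;
    }
    return 1;
}

/* The fix: never hand chat text to a shell.  fork() and execvp() the handler
 * with the URL as a single argv element, so it is never re-parsed as syntax.
 * Returns the child's exit status, or -1 on rejection or fork/exec failure. */
int launch_url(const char *handler, const char *url)
{
    if (!url_is_plausible(url))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)handler, (char *)url, NULL };
        execvp(handler, argv);
        _exit(127);            /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed payload: passes the character filter, still injects via sh. */
    const char *payload = "http://evil.example/;rm$IFS-rf$IFS$HOME";
    char cmd[256];

    build_shell_command(cmd, sizeof cmd, payload);
    printf("a shell would see:      %s\n", cmd);
    printf("passes character filter: %d\n", url_is_plausible(payload));

    /* /bin/echo stands in for the browser: the payload arrives as one literal
     * argument and is printed back verbatim, nothing is executed from it. */
    return launch_url("/bin/echo", payload) == 0 ? 0 : 1;
}
```

Running it prints the command string the shell would have parsed into two commands, then `/bin/echo` prints the payload back as one argument. The point for a client author is that sanitising the link text is the wrong layer; the shell must never see it.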
    3. Re:So... by Sockatume · · Score: 2, Funny

      I love technology. You made people's computers burst into noise thousands of miles away, and were reprimanded by a sorcerer. What a great time to be alive.

      --
      No kidding!!! What do you say at this point?
  2. It's a content browser. by Securityemo · · Score: 3, Insightful

    A program that interacts with a virtual world in this manner is no different from a browser or other client. And clients have historically been a huge source of attack vectors. Now, what would be useful and unique - stealing the user's stuff by infecting the client or MITMing the connection at the client machine (between the client software and the network card.) The admins could easily pick up on this and trace the trail the simoleons/swords/whatever takes - but by then, they could already have been sold for real money to some poor guy who thought he got a great deal. Especially in Second Life, where it seems like transactions like that can take place very rapidly.

    --
    Emotions! In your brain!
  3. Malicious file embedded inside a virtual world? by clone53421 · · Score: 2, Insightful

    Second Life didn't balk when they embedded a malformed QuickTime media file on their pink cube?

    Even 4chan scans .jpeg files for embedded RAR archives... how hard is it to figure out that a QuickTime file’s structure is invalid?

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    1. Re:Malicious file embedded inside a virtual world? by Jarik+C-Bol · · Score: 3, Insightful

      It's Second Life; do you really expect anything positive from it? It's the Mos Eisley spaceport of gaming.

      --
      I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
  4. Can we shut up about SL please? by Sycraft-fu · · Score: 5, Insightful

    Seriously, the media seems to have a massive hard-on for Second Life because they think it is the way the Internet ought to go. In reality Second Life is a pretty substandard MMO with very few players. Why the hell do the fluff stories about it make Slashdot front page news?

    Goes double since it sounds like this problem is fairly unique to SL. If you start seeing this in WoW and Aeon and EVE and so on then that's a story. However this is just a case of a poor excuse for an MMO having poor security. This would be the same as posting "Hey, Cadence SBP 16.3 has a security vulnerability and you need to upgrade to 16.3.014!" Nobody gives a shit, at least not enough people for it to be worth front page Slashdot. I understand if there's a security issue in a major OS, or an app that is widely used, but in SL? Who cares? Not enough people to make it /. worthy I'd think.

  5. Re:Hello 911!!!!! by shadowfaxcrx · · Score: 2, Informative

    Funny, but unlike a normal MMO, Second Life's virtual money is purchased with real money by design. And there have already been property-rights lawsuits over virtual land and items within Second Life.

    --
    "I disagree with you" does not equal "flamebait."
  6. Once again Linux not vulnerable by seeker_1us · · Score: 3, Funny

    No quicktime for Linux :p

    1. Re:Once again Linux not vulnerable by Anonymous Coward · · Score: 5, Funny

      The safest airplane is the one that never leaves the ground.

  7. small pink cubes are always problematic by pedantic+bore · · Score: 4, Funny

    I thought we already knew that.

    --
    Am I part of the core demographic for Swedish Fish?
  8. what about the IRS and profit? IP rights are one t by Joe+The+Dragon · · Score: 2, Interesting

    What about the IRS and profit? IP rights are one thing, but you still owe the tax on them.

  9. Because that's not how it works. by sstamps · · Score: 4, Informative

    It is just a URL that you enter into a field in the in-world parcel data. The simulator hands it to the viewer (client/browser) and tells it to play that and put it onto a texture that is drawn on a 3D surface. The viewer hands the URL to Quickslime, which then plays it. SL's backend never sees the video file/data, as it is directly downloaded from the target host specified in the URL.

    I suppose you could argue why don't they run some kind of scanner on the URL before allowing it to be posted. Of course, that is pointless for any number of reasons, including:

    1) There is no scanner to check all possible video formats that Quickslime plays, nor one which is foolproof in terms of detecting vulnerabilities.
    2) Since the file/data is not hosted by Linden Lab, a single scan would be useless, as an attacker could put up a valid file, run the scan, then replace the file with a malicious one anytime afterwards.

    --
    -SS "Teach the ignorant, care for the dumb, and punish the stupid."
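clone53421 asks above how hard it is to tell that a QuickTime file's structure is invalid, and sstamps answers that a scan would be pointless anyway. The following is an added example, not code from Linden Lab or from the original thread, of what the cheap part of such a check looks like: a walker over the QuickTime/MP4 atom skeleton (4-byte big-endian size, 4-byte type, size 1 meaning a 64-bit extended size follows, size 0 meaning "to the end of the enclosing atom"). It catches atoms that claim to be shorter than their own header or that run past their container. The caveat is sstamps's point: this says nothing about the codec payload inside a leaf atom, which is where a parser overflow such as the one Miller used would actually be triggered, and it runs once at posting time while the attacker controls the host that serves the bytes. The four sample byte strings are constructed for the example; the container list is a subset of the standard one.

```c
/* Added example, not Second Life or Linden Lab code: validate the atom
 * container skeleton of a QuickTime/MP4 file.  Sample inputs are constructed. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

enum {
    ATOM_OK = 0,
    ATOM_ERR_TRUNCATED_HEADER, /* fewer than 8 (or 16) bytes left for a header   */
    ATOM_ERR_SIZE_TOO_SMALL,   /* declared size smaller than its own header       */
    ATOM_ERR_OVERRUN,          /* declared size runs past the enclosing atom      */
    ATOM_ERR_DEPTH             /* nested deeper than any real file                */
};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t be64(const unsigned char *p)
{
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Atom types whose payload is itself a sequence of atoms (partial list). */
static int is_container(const unsigned char *type)
{
    static const char *containers[] = {
        "moov", "trak", "mdia", "minf", "stbl", "dinf", "edts", NULL
    };
    for (int i = 0; containers[i]; i++)
        if (memcmp(type, containers[i], 4) == 0)
            return 1;
    return 0;
}

/* Walk buf[0..len) as a sequence of atoms, recursing into containers.
 * Returns ATOM_OK or the first structural error found. */
int validate_atoms(const unsigned char *buf, size_t len, int depth)
{
    if (depth > 16)
        return ATOM_ERR_DEPTH;
    size_t off = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < 8)
            return ATOM_ERR_TRUNCATED_HEADER;
        uint64_t size = be32(buf + off);
        size_t header = 8;
        if (size == 1) {                       /* 64-bit extended size follows */
            if (remaining < 16)
                return ATOM_ERR_TRUNCATED_HEADER;
            size = be64(buf + off + 8);
            header = 16;
        } else if (size == 0) {                /* atom extends to end of parent */
            size = remaining;
        }
        if (size < header)
            return ATOM_ERR_SIZE_TOO_SMALL;
        if (size > remaining)
            return ATOM_ERR_OVERRUN;           /* the classic length-lie */
        if (is_container(buf + off + 4)) {
            int rc = validate_atoms(buf + off + header, (size_t)(size - header), depth + 1);
            if (rc != ATOM_OK)
                return rc;
        }
        off += (size_t)size;
    }
    return ATOM_OK;
}

/* Constructed samples.  GOOD_MOV: ftyp(20 bytes) + moov(20) containing mvhd(12). */
const unsigned char GOOD_MOV[] = {
    0x00,0x00,0x00,0x14, 'f','t','y','p', 'q','t',' ',' ', 0,0,0,0, 'q','t',' ',' ',
    0x00,0x00,0x00,0x14, 'm','o','o','v',
    0x00,0x00,0x00,0x0c, 'm','v','h','d', 0,0,0,0
};
/* Same file, but mvhd claims 0x7fffffff bytes inside a 12-byte moov payload. */
const unsigned char OVERRUN_MOV[] = {
    0x00,0x00,0x00,0x14, 'f','t','y','p', 'q','t',' ',' ', 0,0,0,0, 'q','t',' ',' ',
    0x00,0x00,0x00,0x14, 'm','o','o','v',
    0x7f,0xff,0xff,0xff, 'm','v','h','d', 0,0,0,0
};
/* A top-level atom claiming 4 bytes: smaller than its own 8-byte header. */
const unsigned char TINY_MOV[] = { 0x00,0x00,0x00,0x04, 'f','r','e','e' };
/* Size 0 = "to end of file", which is legal for a trailing atom. */
const unsigned char OPEN_ENDED_MOV[] = { 0x00,0x00,0x00,0x00, 'f','r','e','e', 1,2,3 };

int main(void)
{
    static const char *names[] = { "ok", "truncated header", "size too small", "overrun", "too deep" };
    printf("good:       %s\n", names[validate_atoms(GOOD_MOV, sizeof GOOD_MOV, 0)]);
    printf("overrun:    %s\n", names[validate_atoms(OVERRUN_MOV, sizeof OVERRUN_MOV, 0)]);
    printf("tiny:       %s\n", names[validate_atoms(TINY_MOV, sizeof TINY_MOV, 0)]);
    printf("open-ended: %s\n", names[validate_atoms(OPEN_ENDED_MOV, sizeof OPEN_ENDED_MOV, 0)]);
    return 0;
}
```

A check like this is what a media-aware gateway can do cheaply, and it is exactly the kind of thing that rejects the crude "size field points past the file" case; a well-formed skeleton wrapping a malformed codec sample passes it untouched, and a file swapped on the attacker's server after posting is never seen by it at all.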
  10. Re:what about the IRS and profit? IP rights are on by blair1q · · Score: 2, Insightful

    They don't care what you bought and sold, they want to know you did it and how much you made from it.

    Then they want you to add that to your AGI and pay tax on it.

    If you buy a virtual item for real money, then sell it for more real money, you are legally required to report the difference as income to the IRS.

    Bartering virtual items (gold, swords, etc.) for each other is no different. You take the value you got for it, subtract the value you originally paid for it, and that's your income from the trade, which you have to report (in dollars, not quatloos) on a 1099-B for the year you made the trade. The tricky part is defining the value of something you've never seen traded for real items.

  11. Today's internal Linden Lab discussion... by Anonymous Coward · · Score: 5, Informative

    Here's what happened in one of Linden Lab's internal IRC channel today...

    [16:42] [Linden001] hey, we made slashdot: http://it.slashdot.org/story/10/08/18/2154207/Owning-Virtual-Worlds-For-Fun-and-Profit
    [16:45] [Linden002] fascinating.
    [17:11] [Linden003] besides, we enforced the patched version of QuickTime to close this exploit.
    [17:12] [Linden003] there is no mention of that in the article either.
    [17:14] [Linden003] he's writing about ancient history here (2007) -- it must be slow in the internet security guru business.

  12. Another Solution to This Problem?? by NOPerative · · Score: 3, Interesting

    Personally, I think a heck of a lot more vulnerabilities like this could be found and/or located if there were a decent, free (as in beer) disassembler out there. You would think that the industry giants would be more than willing to donate funds to such a project, yet I have yet to see anything such as this out there. Now, some of you might say, "Well, just jump on the IDA Pro bandwagon." My answer: "Easier said than done." The IDA folks _require_ you to be associated with a business when purchasing the program, where they can track your every move, mainly because they are paranoid that they might "accidentally" sell their software to a software cracker. The funny thing about this is that most crackers wouldn't even bother purchasing the program and just bittorrent the thing to begin with for free. Anywho, my solution is this: start an open-source-disassembler project, which will hopefully attract industry donations, and then offer users of the software incentives for locating vulnerabilities, such as cash rewards (based on severity), free commercial software/hardware, etc., and maybe we might just be instrumental in creating more security experts in the not-too-distant future.

    --
    I eat spaghetti code out of a bit-bucket while sitting at a hash table, and I pay for the meal with cache!
  13. Shades of Neal Stephenson's Snow Crash... by pidge-nz · · Score: 2, Interesting

    [Victim] Oh! Shiny!

    *Victim is now a drooling idiot*

  14. Second Life is irrelevant by gweihir · · Score: 2, Interesting

    A small, insignificant niche game that practically nobody plays. For some reason, the press loves it though.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. Very easy to crash windows quicktime with images by braddeicide · · Score: 2, Interesting

    We get this a lot; there are many images out there that'll make QuickTime crash. We have an image board for showing things we're talking about, and when we hit a "bad" image all the Windows users disappear (crash) at the same time. A responsible Linux or Mac user then removes the image so they can return ;)