FORMAL NOTIFICATION OF SECURITY FLAWS (Round 1)


FORMAL NOTIFICATION OF SECURITY FLAWS (Round 1)

Maxwell, Douglas CIV USARMY RDECOM ARL (US)
This email serves as a formal notification of high priority security flaws found in the Open Simulator code by the MOSES team to the Open Simulator Developer. We are allowing 90 days for a response to the list outlined in the paragraphs that follow before we publish technical specifics of these vulnerabilities in a public venue. These vulnerabilities apply to both core Open Simulator architecture and Hypergrid technology.

1. UUIDs of assets and session IDs are transmitted in plain text between server and client.
2. Any HTTP call made from a script can be traced to the host machine it is calling from. A script can serve as a crude HTTP proxy, allowing a grid to participate in DDoS attacks, botnets, or even a poor man's Tor. Grid owners would not even know their servers were being used in this way.
3. A misconfigured grid allows commands to be called from a client. Since the session IDs of an administrator are transmitted in the clear, anyone can execute operating-system-level commands without knowing the credentials of the administrator.
4. C# and other languages supported by Open Simulator scripting are not API restricted. A C# script can read/write the local file system of the server, open arbitrary network sockets, and make primary networking calls. In other words, a user without credentials on your server can own it.

We are calling for the Developer community to examine these vulnerabilities and join us in the design and execution of a workable solution.

Douglas Maxwell, Ph.D.
Science and Technology Manager
Virtual World Strategic Applications
U.S. Army Research Lab
Human Research & Engineering Directorate
(c) (407) 242-0209
_______________________________________________
Opensim-dev mailing list
[hidden email]
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
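A defensive configuration check, added here as an example and not part of the original post or of OpenSimulator's own code: it parses an OpenSim.ini-style file and flags the settings that bear on flaws 2 and 4 above (scripted HTTP requests reaching internal address space, and non-LSL compilers giving scripts full .NET access). The section and key names (`[XEngine] AllowedCompilers`, `AllowOSFunctions`, `OSFunctionThreatLevel`, `[Network] OutboundDisallowForUserScripts`) are assumed from memory of OpenSim.ini and should be verified against the release in use; the sample configuration is constructed.

```python
import configparser
import ipaddress

# Constructed sample config (deliberately weak) for demonstration only.
SAMPLE_INI = """
[XEngine]
AllowedCompilers = lsl,cs
AllowOSFunctions = true
OSFunctionThreatLevel = VeryHigh
[Network]
OutboundDisallowForUserScripts = 0.0.0.0/8|10.0.0.0/8
"""

# Address ranges that scripted HTTP requests should never be able to reach.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# OSSL threat levels that expose server-side capabilities (assumed level names).
RISKY_LEVELS = {"high", "veryhigh", "severe"}

def parse_config(text):
    """Parse OpenSim.ini-style text; option names are case-insensitive here."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def audit(cp):
    """Return a list of findings; an empty list means no weak setting was seen."""
    findings = []
    # Flaw 4: any compiler other than lsl gives scripts unrestricted .NET access.
    raw_compilers = cp.get("XEngine", "AllowedCompilers", fallback="lsl")
    compilers = [c.strip().lower() for c in raw_compilers.split(",")]
    extra = sorted(c for c in compilers if c and c != "lsl")
    if extra:
        findings.append(f"XEngine.AllowedCompilers permits non-LSL compilers: {extra}")
    level = cp.get("XEngine", "OSFunctionThreatLevel", fallback="VeryLow").strip().lower()
    if cp.getboolean("XEngine", "AllowOSFunctions", fallback=False) and level in RISKY_LEVELS:
        findings.append(f"XEngine.OSFunctionThreatLevel is {level} with OSSL enabled")
    # Flaw 2: scripted HTTP requests must be blocked from internal address space.
    raw = cp.get("Network", "OutboundDisallowForUserScripts", fallback="")
    blocked = []
    for entry in raw.split("|"):
        try:
            blocked.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue  # hostnames or host:port entries are not ranges; skip them
    for rng in PRIVATE_RANGES:
        if not any(rng.subnet_of(b) for b in blocked if b.version == rng.version):
            findings.append(f"Network.OutboundDisallowForUserScripts does not cover {rng}")
    return findings
```

Run `audit(parse_config(open("OpenSim.ini").read()))` against a real file to get the list of weak settings; the constructed sample yields six findings.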

Re: FORMAL NOTIFICATION OF SECURITY FLAWS (Round 1)

AJLDuarte
Hi,
Thanks for this notification.
But this is a public mailing list, so you have already made this notification public.
Please use Mantis to report security flaws:
http://opensimulator.org/mantis/bug_report_page.php
You have there an option to set the report private. Please activate it.
Luckily all of this set of flaws is already known to this list's subscribers, so no harm done.

Maybe you should also report flaw 1 to Linden Labs.

We do thank you for this notification, and you are always welcome to join us with the design and execution of a workable solution.
Regards,
Leal Duarte ( Ubit )


-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Maxwell, Douglas
CIV USARMY RDECOM ARL (US)
Sent: Friday, September 30, 2016 13:28
To: [hidden email]
Subject: [Opensim-dev] FORMAL NOTIFICATION OF SECURITY FLAWS (Round 1)