Warning Will Roger!!!


In Second Life we have a minor crisis today. There is an exploit that someone figured out. They are griefing the grid with it now. It is unclear how long this exploit has been around. You need to take action now.

The Problem

A Red Hat Security Advisory is out (see https://rhn.redhat.com/errata/RHSA-2009-1561.html). This is an old issue, as it was first found in 2009. I suppose it just recently came to the Linden’s attention when someone figured out how to implement the exploit in SL.

If you are not a Linux user, you may not know that Red Hat is a flavor of Linux. They broke the news on the exploit.

The problem is in libvorbis, a library that is part of the viewer code. It provides the runtime libraries for programs that support Ogg Vorbis, a type of sound file compression that SL uses. Presumably Windows users are the primary risk, but the exploit door is in a library that Windows, Mac, and Linux use.

Multiple flaws were found in the libvorbis library. A specially-crafted Ogg Vorbis media format file (Ogg) could cause an application using libvorbis to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3379)

Viewer Developers were alerted by Linden Lab and asked to recompile their copies of the library to close the exploit.

We have also seen an upset in the usual rollout schedule, as server-side code was shuffled due to high crash rates. Whether this crashing was just a recent fix gone wrong or included any aspect of this exploit is unknown.

I am assuming new SL Viewers have the new library compile. I suppose anything made in the last week.

The KirstenLee S21(7a) has the fixed library. If you downloaded S21(7), get a new download.

I am uncertain if one can turn off sounds in the viewer and be safe. I suppose it is worth a try.

If you are using a viewer dated before today, you are probably at risk. Check with your viewer’s developer.

Some are rating this a risk factor of 9 on a scale of 1 to 10, with 10 being a supernova. However, you should not be drowning in a river of bad ogg files. The problem is you can’t know when someone around you will release one.


11 thoughts on “Warning Will Roger!!!”

  1. If I remember correctly, this vulnerability requires the attacker convince you to play a specially crafted .OGG file. While it is concerning this vulnerability exists, it wasn’t categorized as critical because of the perceived difficulty of an adversary being able to upload a malicious .OGG file.

    The SL main grid currently only allows the upload of .WAV files which are converted to .OGG files before being stuffed in the asset server. It is “difficult” at best to convert an attack payload file in a .WAV file into an attack file in a .OGG file.

    Of course, your mileage may vary with custom viewers and grids that regurgitate assets without some form of filtering or format conversion.

    -meadhbh oh (formerly infinity linden)

    • Thanks for the additional information.

      I’m not going to explain how, but a couple of SL features I can think of would allow me to get the viewer to play an ogg file that would not have to be uploaded to SL. Nor would any action be necessary on the resident’s part. So, from my perspective it remains a serious problem. It may be that LL did not think of these possibilities because the wav upload filters out most of the problems and is why the problem is still around.

      • I would guess at the family of dirty tricks that you can do with HTML as a cause for concern, but the nasty stuff you can do with that is one reason I don’t use the built-in browser.

    • >it wasn’t categorized as critical because of the perceived difficulty of an adversary being able to upload a malicious .OGG file.

      It should have been, because it’s trivial for a malicious agent to upload an arbitrary OGG file and the fix practically came on a silver platter. I don’t think it’s acceptable to ignore such a critical and easy to fix issue for so long just because the attack can’t be launched with an unmodified viewer.

      Due to the nature of how sound uploads in SL are handled (the wav->ogg/vorbis conversion is done client-side,) it used to be possible to upload these specially crafted OGG files to LL’s asset servers.

      Indeed, there are already assets on LL’s asset servers that abuse this vulnerability and they’ve been there for over a year. I don’t know of any instances of assets using this exploit to remotely execute code, but the exploit has been used to crash viewers. LL changed the verification method for uploaded OGG files a while back, so I don’t believe it’s possible to upload this specific kind of malicious OGG file anymore.

      Phoenix users shouldn’t need to worry about this, I mentioned the issue to LGG and their prebuilt libvorbis was upgraded to a version that wasn’t vulnerable to this attack about half a year ago. I might have mentioned it to other TPV devs, but I don’t remember which. If you’re not sure whether the viewer you’re using uses a vulnerable version of libvorbis, look in their source tree for the install.xml file and check the timestamp on their libvorbis package.

      I’m kind of surprised that it’s just being mentioned now. I created a JIRA issue about this quite a while ago and included links to the CVE advisories along with a patch for the new version of libvorbis to allow it to link to the viewer and the asset ids of sounds that exploited the vulnerability (I don’t remember exactly when, but probably around August.) It was made a major priority, then left untouched. I’m almost certain they knew about it even before I mentioned it, as well.

      User experience is important and all, but LL really needs to start spending more money and resources on securing their platform before something on the scale of what happened in 2006 happens again.

  2. Yes, there’s a vulnerability. The simple way to deal with it is to use the media filter to simply not play any .ogg file. (The ones from Second Life aren’t media, anyway.)

    • I don’t think specially crafted ogg files in media streams should be an issue in most 1.x viewers, because most of them don’t use a prebuilt gstreamer package that might link with libvorbis (and the Windows versions usually use quicktime, which doesn’t use the packaged libvorbis libs.)

      Imprudence and Co. on Windows, Kokua on any platform, along with any of the 2.X viewers without the updated libvorbis on linux may be affected.

      Don’t quote me on any of this, though, I’m just going by what’s in their install.xml files.

      • Not to mention that a .ogg file doesn’t need to have a .ogg extension, the server just needs to serve it with the proper mimetype.
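A content-based check for the point raised in this thread, that a filter keyed on the .ogg extension misses Ogg data served under another name. This is an added example, not code from the post, its commenters or any viewer; the URLs and sample bytes are constructed, the page CRC is not verified, and the check only identifies an Ogg Vorbis stream, it does not validate it.

```python
import struct

OGG_MAGIC = b"OggS"
VORBIS_ID = b"\x01vorbis"  # packet type 1 (identification header) + codec name

def sniff_ogg(data: bytes) -> str:
    """Classify a buffer by its first Ogg page: ogg-vorbis, ogg-other or not-ogg."""
    # Fixed page header is 27 bytes: magic(4) version(1) flags(1) granule(8)
    # serial(4) sequence(4) crc(4) segment_count(1), then the segment table.
    if len(data) < 27 or data[:4] != OGG_MAGIC:
        return "not-ogg"
    version, flags, _gran, _serial, _seq, _crc, nsegs = struct.unpack_from(
        "<BBqIIIB", data, 4)
    if version != 0 or not flags & 0x02:  # 0x02 marks a beginning-of-stream page
        return "not-ogg"
    seg_table = data[27:27 + nsegs]
    if len(seg_table) < nsegs:  # header cut short
        return "not-ogg"
    payload = data[27 + nsegs:27 + nsegs + sum(seg_table)]
    return "ogg-vorbis" if payload.startswith(VORBIS_ID) else "ogg-other"

def name_rule_blocks(url: str) -> bool:
    """Extension-based filter: only looks at the URL path."""
    return url.split("?", 1)[0].lower().endswith(".ogg")

def content_rule_blocks(body: bytes) -> bool:
    """Content-based filter: ignores URL and declared MIME type."""
    return sniff_ogg(body) == "ogg-vorbis"

def make_page(packet: bytes) -> bytes:
    """Constructed sample: one beginning-of-stream page, CRC left at 0."""
    head = OGG_MAGIC + struct.pack("<BBqIIIB", 0, 0x02, 0, 0x1234, 0, 0, 1)
    return head + bytes([len(packet)]) + packet

# Constructed 30-byte Vorbis identification header (2 channels, 44100 Hz).
VORBIS_PAGE = make_page(
    VORBIS_ID + struct.pack("<IBIiiiB", 0, 2, 44100, 0, 128000, 0, 0xB8) + b"\x01")
SAMPLES = [  # (url, declared type, body) -- all constructed
    ("http://media.example/a.ogg", "audio/ogg", VORBIS_PAGE),
    ("http://media.example/track?id=7", "audio/ogg", VORBIS_PAGE),
    ("http://media.example/b.ogg", "audio/x-wav", b"RIFF\x24\x00\x00\x00WAVEfmt "),
]

if __name__ == "__main__":
    for url, ctype, body in SAMPLES:
        print(url, ctype, name_rule_blocks(url), content_rule_blocks(body))
```

The second sample is the case the extension rule misses; the third is a WAV file named .ogg that the extension rule blocks needlessly.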

  3. Pingback: Linden Lab alerts third-party viewer developers to active exploit

  4. I’m afraid that Kirsten’s report, not giving any details at all, was a bit scary. Looking at what has been said here, the worst that a file from Linden Lab could do is crash the Viewer. I can’t see an arbitrary code execution payload getting through an automatic conversion.

    Well, big deal. As for streaming media, I don’t listen to much.

    The exploit was apparently identified in 2009, and while it hardly looks a threat for SL users, it seems a little careless that the code in Viewer 2 (first released in 2010) didn’t get patched until now.

  5. Pingback: Säkerhetsproblem i viewers! « opensweden

  6. Pingback: Viewer security exploit revealed | Living in the Modem World
