ISE and outside researchers discovered an exploit for Second Life that grants control
of one character to a malicious character. This allows the adversary to perform
actions that may have real-world consequences such as stealing the in-game currency
known as Linden dollars, or controlling the player's machine.
Update: This vulnerability was patched in QuickTime 7.3.1 on December 13th, 2007,
eliminating the vulnerability in fully patched Second Life Viewers and QuickTime
Players; unpatched Second Life Viewers and QuickTime Players are still vulnerable.
Our victim investigating the exploit.
Welcome
Two security researchers, Charlie Miller, a Principal Security Analyst at Independent Security Evaluators, and Dino Dai Zovi
decided to investigate the security of online games. This resulted in an exploit for
Second Life that makes any player effected give the attacker their Linden dollars
and yell "I got hacked!". In other words, it is possible to exploit a player to
steal Linden dollars, and then cash them out for real US dollars. All the victim has
to do is have video enabled and enter a piece of land owned by the attacker.
How the exploit works
The actual vulnerability lies in the third party QuickTime Player made by Apple. A vulnerability was announced on November 24th
2007 in the way QuickTime handles RTSP responses. Second Life allows players to
embed media files in Second Life objects, and uses QuickTime to handle all video
rendering. Furthermore, it is possible to have these media elements constantly
playing. If a Second Life avatar walks onto a piece of land that contains an
embedded malicious QuickTime File, they can be exploited.
What the exploit does
Once the malicious file has been viewed by the victim, the attacker has complete
control over the victim's computer - and Second Life avatar. At this point the
exploit could make the avatar do anything they like. This particular exploit freezes
the avatar and makes them send the attacker's avatar twelve Linden dollars and shout
"I got hacked". Please see the movie below. In this movie, the victim, Sussy McBride
is wandering along, minding her own business. She stumbles upon a piece of land with
a small purple box (the exploit). Remember, all she has to do is have video enabled
and get on the same piece of land as the object. Very shortly after, she freezes,
sends the attacker, Pwned Naglo, the twelve Linden dollars and yells that she was
hacked.
Virtual worlds are interesting, because unlike the real world where client-side
exploits are typically delivered via web browser links or emails, exploits in
virtual worlds can be delivered in many different ways. Ours is activated by viewing
a video on a purple box. One could imagine an exploit being delivered by looking at
a shirt that a character is wearing, or by a character whispering something to
another character. The possibilities are endless.
Mitigations
Perform a software update of your Second Life Viewer and QuickTime Player to
eliminate this vulnerability. To prevent any future QuickTime vulnerabilities in the
Second Life Viewer, users may discontinue the use of video. Specifically, users
should click on Edit->Preferences... and then "Audio & Video". Make sure the
box next to "Play Streaming Video When Available" is unchecked.
Please note that this will not be the last exploit of this kind written for Second
Life, and that all virtual worlds are susceptible. Just like in the real world, be
aware of your surroundings and play it safe.
