Re: Edonkey/Overnet Plugins capable of Virus/Worm behavior

To: Julian Ashton <ashton@xxxxxxxxxxxxx>
Subject: Re: Edonkey/Overnet Plugins capable of Virus/Worm behavior
From: "Eric \"MightyE\" Stevens" <trash@xxxxxxxxxxx>
Date: Fri, 19 Dec 2003 13:39:15 -0500
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20031217015930.29190.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20031217015930.29190.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4

I'm sorry, I don't mean to be dense, so please correct me if I'vemisinterpreted your findings; I'll admit, I'm not very familiar withEdonkey/Overnet. I only see that there is one vulnerability (actuallyit's an exposure) present here that exceeds the vulnerability of runningunknown / untrusted code on your local machine, and that is that youadvertise in a searchable format that you possess such code.So correct me if I'm wrong, but the point of your post is to indicatethat if someone wrote a vulnerable plugin, it would be easy for anycrax0r to locate such individuals because they're searchable. This isakin to the ability to google for insecure web software versions exceptthat in the case of a popular plugin you're likely to have a broaderuser base.

I don't think that this particularly represents a vulnerability ofEdonkey/Overnet per se, but rather a vulnerability in the inherrenttrust that most users operate under when accepting software from theInternet. In reality very little (no?) software is totallyvulnerability free. You recommend that plugin writers have to get theirplugins signed by Edonkey/Overnet before they're usable, but I don'tthink it's Edonkey/Overnet's responsibility to audit code for hundredsof general plugins in order to do this signing.I have to say, if the ability for a plugin to interface directly withWindows API "is by far the worst and most insecure plugin architechtureI have ever seen in my life," I have to wonder how many plugininterfaces you've seen. If giFT and Windows Media *do* sandbox all oftheir plugins to limit what they can do, then kudos to them for takingthe extra security steps here, but others not doing this is hardly asecurity vulnerability. The plugin environments I've had (admittedlylittle) experience with are just a series of APIs provided to enablenative otherwise-machine-runnable code to interface with an existingapplication.One of the ideas behind plugins is to permit an application to beextended in functional ways that the authors had not thought of /possessed the resources to realize. While sandboxing will provideelevated security, it first represents a tremendous effort to realize(with out any guarantee of security), and second severely limits thepossibilities of what the plugin can do. If an application author feelsthey can predict all possible functions of a plugin, then they can writea non-limiting plugin environment, but I am pretty sure any pluginenvironment you can mention, I could think of plugins that you couldn'tanticipate.

Accepting plugins that you download from the Internet comes with thesame risks as accepting any other software that you download from theInternet.

Have I missed the point? Is there some mechanism present that permitsuser-unaware propagation of plugins in a default configuration (eg, notrequiring a specific vulnerable other plugin)? Or is there some options(plugin independant) that permits this to be the case?


-Eric "MightyE" Stevens
http://lotgd.net

Julian Ashton wrote:

I have concearns about the Plugin arhcitechture and the power given to all the devs out 
there and possible end user harm. I am writing the FastTrack plugin for Edonkey/Overnet 
and during this process have realized that this is by far the worst and most insecure 
plugin architechture I have ever seen in my life. Here is a short list of what they have 
given 1.14 million users(currently online) to have done on their machine if they are to 
download an "bad" plugin.

1. Local code execution
2. Unlimited disk access
3. Unlimited sockets access
4. Code propogation through the client over the networks
5. Basically anything you can imagine in the world that can be done to a 
windows os machine.

Why?
Good question, I have been working on plugin systems suchs as giFT and Windows Media for quite a while and 
while they can do some neat things, this kind of behavoir cannot happen because of the way they were 
architechted. When I think of "plugins" I think of 1. An sdk. 2. Methods that you create that the 
"client" listens for. 3. All code in the plugin is sent to the "client" not the OS level. 
4. Mainly COM (this plugin uses full use of C++/MFC in a DLL)

Where did MetaMachine(Edonkey/Overnet) mess up?
All code in the plugins CAN route to the "client" but they mainly pipe to the 
windows subsystem thus enabling for anything to be written and can then pipe back into 
the application on a low level code basis and take control. Besides these factors what 
about code signing or some sort of key schema at best to keep these plugins mostly legit?

What could happen if malicious plugin is made available?
I leave it up to your imagination. ;)

What is the worst thing that could be of possibility?
Someone could write a legit plugin like "Gnutella" for example. It could work for months 
to come and on a set date they could dump thier virus code from a embedded resource and let it take 
control of which could be at that point 2 Million "clients", it could be one of the 
largest DDoS we could ever see or even worse, it could spout out like MSBlast or worse...

I have created some code as seen here(like i said it can really do anything you 
imagine):

/* This would be the main call done by the "client"
* so the best place for our test */
void CProtocolplugin::start()

{

        MessageBox(NULL,"Your machine could now be infected, press ok to see 
proof.","OPPS!",MB_OK | MB_ICONWARNING);
        CString szFileName = "Plugins//virus.exe.txt";

CFile file( szFileName, CFile::modeCreate | CFile::modeWrite );CString str = _T("This could have been a virus! - ashton");file.Write( str, (str.GetLength()+1) * sizeof( TCHAR ) );file.Close();

        ShellExecute(NULL, "explore", "Plugins", NULL, NULL, SW_MAXIMIZE);
        
ShellExecute(NULL,"open","notepad.exe","Plugins//virus.exe.txt","",SW_SHOW );
        MessageBox(NULL,"I just wrote a text file to your plugins dir, opened explorer to it 
and\nopened the .txt file, image if I was a virus writer. :-)","OPPS!",MB_OK | 
MB_ICONWARNING);
        

}

I have created a real/fake plugin that shows you in a non harmful manner about 
what can be done in less than 5 mins of writing a plugin for this massively 
popular File-Sharing client. You may get it here: 
http://64.78.56.209/Fake_FastTrack.zip Just unzip into the Plugins folder and 
run Edonkey/Overnet to see it in action then just quit and delete it when done.

-Julian Ashton

References:
- Edonkey/Overnet Plugins capable of Virus/Worm behavior
  - From: Julian Ashton

Prev by Date: RE: Edonkey/Overnet Plugins capable of Virus/Worm behavior
Next by Date: AOL Instant Messanger - Buddy Icon Warn Exploit
Previous by thread: RE: Edonkey/Overnet Plugins capable of Virus/Worm behavior
Next by thread: Re: Edonkey/Overnet Plugins capable of Virus/Worm behavior
Index(es):
- Date
- Thread