DoS attacks on SLX and the grid. (SLX) script byte code copyable? - SLUniverse Forums
Old 05-03-2008, 09:20 AM   #1 (permalink)
Senior Member

*SLU Supporter*
 
Psyke Phaeton's Avatar
 
Join Date: Sep 2007
Location: Australia
Posts: 9,349
SL Join Date: 12-Oct-2003
Client: Viewer 3
Blog Entries: 4
DoS attacks on SLX and the grid. (SLX) script byte code copyable?

Quote:
Originally Posted by SecondLife Herald
Second Life Herald: Slexchange ATM Script Cracked?
May 03, 2008
Slexchange ATM Script Cracked?

Secret requested when Secret is unknown

by Pixeleen Mistral, National Affairs desk

Friday, IntLibber Brautigan posted a warning of an exploit allowing technically savvy residents to “capture ATM scripts in bytecode format”. This is a significant development given the number of successful Second Life businesses that use LSL scripts to transfer goods and money -- an un-patched exploit could be a significant blow to the in-world economy.

Because the real world dollar value of typical SL transactions is low, it is common to automate these transactions. However, automation generally means the scripted transactions are run with minimal human supervision and depend on secrecy for security. This may present a problem. As Mr. Brautigan told the Herald, “with the code obtained, one can make an SLX terminal give you ANY product listed on SLX for free in any quantity or clean out the avatar owning the ATM - all their money - these capabilities have been tested I am told”.

Some observers are concerned that this sort of exploit could destabilize the in-world economy, and Mr. Brautigan reports that his source “has already notified Soft Linden about this vulnerability - he also tried to notify SLX but they said ‘our system is uncrackable’”. There were no Linden Lab staff online Friday evening willing to speak with the Herald on the record.

While the game gods remained silent, the Herald was able to interview Second Life resident Uildiar Kuhn to learn more about the exploit.


Uildiar Kuhn

Pixeleen Mistral: hi - are you busy?
Uildiar Kuhn: nah whats up

Pixeleen Mistral: rumors of getting script bytecode from objects by moving them back and forth across sim boundaries
Uildiar Kuhn: yeah ;p

Pixeleen Mistral: shouldn't the script code stay up on the server?
Uildiar Kuhn: I can't really discuss this with anyone.. it's a very bad exploit if someone knows what to do with it

Pixeleen Mistral: this would explain the rumors of people copying scripts - did you report the exploit to LL?
Uildiar Kuhn: Yus to soft linden

Pixeleen Mistral: I was just talking to soft linden - who will not say anything on the record to a reporter. There are also a surprising number of Linden developers online this evening
Uildiar Kuhn nods

Pixeleen Mistral: do you think other people will be able to figure this one out?
Uildiar Kuhn: I only know a couple other people on the grid.. that can and they are responsible so we should be okay ;p

Pixeleen Mistral: so this is not an immediate crisis. It's more of a long term issue
Uildiar Kuhn: shouldn’t be long term i’m sure they will fix it

Pixeleen Mistral: will it take new client software - or can they just do a rolling restart on the servers?
Uildiar Kuhn: I'm not sure what their method of repair will be ^^

Pixeleen Mistral: you just told soft linden about this today?
Uildiar Kuhn: nah a couple months ago I’m sure they have been working on a fix for it

Pixeleen Mistral: wow. this is like that IM bug in jira that has been broken since February -- the one the griefers are using to flood people's mailboxes. Things get broken and don't get fixed
Uildiar Kuhn: They get fixed in time they can only work on so many things at once hehe

Pixeleen Mistral: but the basic message here is only a couple other people could figure this out - so mostly residents should not worry
Uildiar Kuhn: yeah ^^
Uildiar Kuhn: And i’m sure they will hand out bans if people try it. Well those few ;p

Pixeleen Mistral: of course the griefers don't mind getting banned - but I guess the people who can figure it out are not griefers
Uildiar Kuhn nods

Pixeleen Mistral: at least we better hope so
Uildiar Kuhn: we're fine hehe.. they're far from griefers

Of course, wild claims are nothing new in the metaverse, and some readers may have difficulty believing that the Lab would leave a serious exploit un-patched for months.

I was also initially skeptical that a sim crossing could result in a script being quietly handed to the SL client software, but perhaps this accounts for the well known prim-hair-attached-to-the-butt-on-sim-crossing phenomenon. While researching this story, a reliable source produced a portion of what is claimed to be the SLexchange ATM scripts and I began to wonder about the security of the Second Life Grid. Should residents trust their serious business secret bytecode to the Lab? Maybe not, if the bytecode below is real.


...

PUSHE
PUSHBP
PUSHARGI 3
PUSHARGS "I have not heard from the SL Exchange server for a very long time, so I am resetting myself. This does not always fix the problem, so you should check that I have in fact been reactivated on the SL Exchange website. If I have not been reactivated, you should replace me with a new copy."
PUSHARGE 16
PUSHSP
PUSHARGI 24
ADD Integer, Integer
POPBP
CALL 0

...

PUSHG 126
PUSHARGS "SLX Vendor Components"
PUSHARGS "00000000-0000-0000-0000-000000000000"
CAST String, Key
PUSHARGE 0
PUSHSP
PUSHARGI 16
ADD Integer, Integer
POPBP


...

PUSHBP
PUSHARGI 1
PUSHARGS "Got deliver item command"
PUSHARGE 16
PUSHSP
PUSHARGI 24

...

PUSHE
PUSHBP
PUSHARGI 1
PUSHARGS "Relaying deliver item command"
PUSHARGE 16
PUSHSP
PUSHARGI 24
ADD Integer, Integer
POPBP
...


CALLLIB_TWO_BYTE 139 //llGetLinkNumber()
PUSHG 186
PUSHARGS "normal"
PUSHARGS "00000000-0000-0000-0000-000000000000"
CAST String, Key
PUSHARGE 0
PUSHSP
PUSHARGI 16
ADD Integer, Integer
POPBP
CALLLIB_TWO_BYTE 164 //llMessageLinked()
JUMP 720
PUSHG 36
PUSH 4
EQ Integer, Integer
JUMPNIF Integer, 130
PUSHE
PUSHBP
PUSHARGI 1
PUSHARGS "Got XMLRPC channel."
PUSHARGE 16
PUSHSP
PUSHARGI 24

...

PUSHARGS ""
PUSHGS 386
EQ String, String
JUMPNIF Integer, 73
PUSHE
PUSHBP
PUSHARGI 2
PUSHARGS "Secret requested when Secret is unknown."
PUSHARGE 16
PUSHSP
PUSHARGI 24
ADD Integer, Integer

Quote:
Originally Posted by A posted reply on SLH:

Yes SLX is completely compromised. The bytecode can be decompiled and by looking at those scripts one can do just about anything.

I have the code in its entirety.

Additionally:
We are attacking the grid again. Our weapons actually don't directly attack the asset servers. When an object replicates all copies are a reference to the same asset but when our weapons replicate so fast and we are getting over twenty thousand of them returned per minute due to autoreturn it creates an asset for each and every one of them. We are also currently experimenting with disrupting SLX communications in-world since the admins got smart and began filtering our DDoS attacks.
We're demanding that Montana be banned or she issue a public apology for being a french biggot and pedophile. Until Montana is banned SLX will continue to be the target of ongoing attacks. Montana doesn't make much money here anyways so the admins are just trying to be stubborn thinking that they can report us the the FBI and that will solve the problem. We aren't going anywhere, SLX. Comply or you will be dismantled.
If any of you are getting tired of the attacks you could simply move over to onrez and leave this shitfest behind. You could PM the admins and beg them to comply. They likely will not listen but it doesn't matter to me or my associates if they go out of business.

You can also expect a delay on responses from support emails since we have spammed their inbox and Apotheus Silverman's personal email which can be obtained from a simple WHOIS on the domain.
I think the best part is that we can attack Second Life while we attack SLX. It's very convenient.

-DiSSENT
SL Exchange post about it

If byte code is being captured of scripts I doubt it is simply the bytecode being sent to the client. It would involve someone with access to the data being transferred between Regions. Perhaps between co-locations.

Humans can never live and let live... the wars continue on....
__________________
Quote:
WARNING: A chaotic good character acts as his conscience directs him with little regard for what others expect of him. He makes his own way, but he's kind and benevolent. He believes in goodness and right but has little use for laws and regulations. He hates it when people try to intimidate others and tell them what to do. He follows his own moral compass, which, although good, may not agree with that of society.

Last edited by Psyke Phaeton; 05-03-2008 at 09:43 AM.
Psyke Phaeton is offline   Reply With Quote
Old 05-03-2008, 10:05 AM   #2 (permalink)
Semi-Demi God
 
Shiva Shiskabob's Avatar
Bluuuuuuuue
 
Join Date: Feb 2008
Posts: 998
My Mood:
SL Join Date: 03/08/08
vendettas over the internet...
__________________
Panic! Paaaanic!

Is Himushet Anatra inworld. Minus th'pickles.
Shiva Shiskabob is offline   Reply With Quote
Old 05-03-2008, 10:09 AM   #3 (permalink)
Formerly Quantum Destiny

*SLU Supporter*
 
Robert Daguerre's Avatar
 
Join Date: Apr 2008
Location: England
Posts: 4,123
My Mood:
SL Join Date: 25 July 2004
Quote:
Originally Posted by Shiva Shiskabob View Post
vendettas over the internet...
Robert Daguerre is offline   Reply With Quote
Old 05-03-2008, 10:31 AM   #4 (permalink)
Ten
Senior Member
 
Join Date: Jun 2007
Posts: 6,914
My Mood:
SL Join Date: 10/7/2006

Awards: 1
Thwarting a Potential Drama Attack 
I got this in my inbox this morning, on my alt, Fawn Fotherington:


Quote:
Object-Name: DiSSENTiON Linden
Region: Fujin (259840, 257024)
Local-Position: (30, 61, 393)

WE STILL HAVEN'T FORGOTTEN ABOUT YOU LITTLE FROGGY
Your avatar key is 89dc93a0-fa71-4337-b9a0-225cfcebb65a and we have now placed it in scripts on the PN wiki here: Lolibawls - Patriotic Nigras in the top areas of the script where griefers will forever grief you whenever they use this and two other weapons. This MEssage was sent while we were in the process of DDoSing SLX
I've never used Fawn for SLX :\ so wtf?
__________________

Shopping Cart Disco
http://www.shoppingcartdisco.com

THE BEATINGS WILL CONTINUE UNTIL MORALE IMPROVES.
Ten is offline   Reply With Quote
1 User Laughed:
1 User Said Thanks:
Old 05-03-2008, 10:34 AM   #5 (permalink)
Semi-Demi God
 
Shiva Shiskabob's Avatar
Bluuuuuuuue
 
Join Date: Feb 2008
Posts: 998
My Mood:
SL Join Date: 03/08/08
patriotic nigras? what the hell are those?

also, again i say, vendettas over the internet! :-o
Shiva Shiskabob is offline   Reply With Quote
Old 05-03-2008, 10:41 AM   #6 (permalink)
Senior Member

*SLU Supporter*
 
Psyke Phaeton's Avatar
 
Join Date: Sep 2007
Location: Australia
Posts: 9,349
SL Join Date: 12-Oct-2003
Client: Viewer 3
Blog Entries: 4
Quote:
Originally Posted by Shiva Shiskabob View Post
patriotic nigras? what the hell are those?

also, again i say, vendettas over the internet! :-o
Patriotic Nigras :: Wrecking SecondLife Since 2006
Literature
Psyke Phaeton is offline   Reply With Quote
2 Users Said Thanks :
Old 05-03-2008, 10:45 AM   #7 (permalink)
Ten
Senior Member
 
Join Date: Jun 2007
Posts: 6,914
My Mood:
SL Join Date: 10/7/2006

Awards: 1
Thwarting a Potential Drama Attack 
Oh, wait, there was more:

Quote:
Object-Name: DiSSENTiON Linden
Region: Exchange (268288, 252928)
Local-Position: (86, 240, 37)

WE STILL HAVEN'T FORGOTTEN ABOUT YOU LITTLE FROGGY
Your avatar key is 89dc93a0-fa71-4337-b9a0-225cfcebb65a and we have now placed it in scripts on the PN wiki here: Lolibawls - Patriotic Nigras in the top areas of the script where griefers will forever grief you whenever they use this and two other weapons. You fail at releasing dox, since TOny COstello is a fake name and Frizzlefry and Codec are not the same person, dumbass. Good for lolz though. Now stick this dick in your mouth frenchie.
Don't these kids ever go to the fucking movies?
Ten is offline   Reply With Quote
1 User Laughed:
1 User Agreed:
Old 05-03-2008, 10:57 AM   #8 (permalink)
Ten
Senior Member
 
Join Date: Jun 2007
Posts: 6,914
My Mood:
SL Join Date: 10/7/2006

Awards: 1
Thwarting a Potential Drama Attack 
Yeah, I'm still getting the messages.
Ten is offline   Reply With Quote
Old 05-03-2008, 10:57 AM   #9 (permalink)
Senior Member

*SLU Supporter*
 
Psyke Phaeton's Avatar
 
Join Date: Sep 2007
Location: Australia
Posts: 9,349
SL Join Date: 12-Oct-2003
Client: Viewer 3
Blog Entries: 4
Quote:
Originally Posted by Ten View Post
Oh, wait, there was more:



Don't these kids ever go to the fucking movies?
Frenchie is a reference to:

"Grandmaster" Montana Corleone of the SLX forums
Location: Provence, France

I also suspect that the key then is hers and not yours. Be interesting to find out.

Last edited by Psyke Phaeton; 05-03-2008 at 11:09 AM.
Psyke Phaeton is offline   Reply With Quote
Old 05-03-2008, 10:58 AM   #10 (permalink)
Ten
Senior Member
 
Join Date: Jun 2007
Posts: 6,914
My Mood:
SL Join Date: 10/7/2006

Awards: 1
Thwarting a Potential Drama Attack 
Those damn Corleones, always causing trouble.

Oh wow, you're right. I just noticed that all the messages have a destination of "Montana Corleone". montanacorleone@gmail
Ten is offline   Reply With Quote
Old 05-03-2008, 11:07 AM   #11 (permalink)
Senior Member

*SLU Supporter*
 
Psyke Phaeton's Avatar
 
Join Date: Sep 2007
Location: Australia
Posts: 9,349
SL Join Date: 12-Oct-2003
Client: Viewer 3
Blog Entries: 4
Confirmed the key is hers also. So why are you seeing emails for her?
Psyke Phaeton is offline   Reply With Quote
Old 05-03-2008, 11:08 AM   #12 (permalink)
Ten
Senior Member
 
Join Date: Jun 2007
Posts: 6,914
My Mood:
SL Join Date: 10/7/2006

Awards: 1
Thwarting a Potential Drama Attack 
I haven't a clue, really. And it's from my alt, who wasn't rezzed until about a month ago.

So wtf?


--update-- BTW, the emails are still coming. Not very quickly, but they're coming. I just got four more within the last 20 minutes.
Ten is offline   Reply With Quote
Old 05-03-2008, 11:09 AM   #13 (permalink)
the marginal
 
Atashi Yue's Avatar
My World, Their UI
 
Join Date: Oct 2007
Posts: 1,965
My Mood:
So...someone is pissed at Montana, and targeting everyone else?

Atashi Yue is offline   Reply With Quote
Old 05-03-2008, 11:17 AM   #14 (permalink)
Senior Member

*SLU Supporter*
 
Psyke Phaeton's Avatar
 
Join Date: Sep 2007
Location: Australia
Posts: 9,349
SL Join Date: 12-Oct-2003
Client: Viewer 3
Blog Entries: 4
Ten, those emails are going directly to your email acct or are you forwarding IMs sent to your alt to email?
Psyke Phaeton is offline   Reply With Quote
Old 05-03-2008, 11:21 AM   #15 (permalink)
Ten
Senior Member
 
Join Date: Jun 2007
Posts: 6,914
My Mood:
SL Join Date: 10/7/2006

Awards: 1
Thwarting a Potential Drama Attack 
I'm pretty sure they're forwarded IMs, but then if they were they'd show destination "Fawn Fotherington", wouldn't they? Not "Montana Corleone". When you hit "reply" on the emails it shows a standard grid-based avatar response destination:

DiSSENTiON Linden <eab9b142-471b-45b2-45a8-777e63fbb91d@lsl.secondlife.com>
Ten is offline   Reply With Quote
Old 05-03-2008, 11:24 AM   #16 (permalink)
Senior Member

*SLU Supporter*
 
Psyke Phaeton's Avatar
 
Join Date: Sep 2007
Location: Australia
Posts: 9,349
SL Join Date: 12-Oct-2003
Client: Viewer 3
Blog Entries: 4
Quote:
Originally Posted by Ten View Post
I'm pretty sure they're forwarded IMs, but then if they were they'd show destination "Fawn Fotherington", wouldn't they? Not "Montana Corleone". When you hit "reply" on the emails it shows a standard grid-based avatar response destination:

DiSSENTiON Linden <eab9b142-471b-45b2-45a8-777e63fbb91d@lsl.secondlife.com>
Actually that's a scripted object the email is coming from. Also the info on the object's location implies to me it's a direct script to your email address.

So why choose your gmail? Why do you think it's related to your alt?
Psyke Phaeton is offline   Reply With Quote
Old 05-03-2008, 11:30 AM   #17 (permalink)
Ten
Senior Member
 
Join Date: Jun 2007
Posts: 6,914
My Mood:
SL Join Date: 10/7/2006

Awards: 1
Thwarting a Potential Drama Attack 
Yeah, Fawn is registered to my regular SL email, but why would I get these in my gmail? And what scripted object is it targeting? Fawn doesn't have any weapons on her or anything.
Ten is offline   Reply With Quote
Old 05-03-2008, 11:31 AM   #18 (permalink)
the marginal
 
Atashi Yue's Avatar
My World, Their UI
 
Join Date: Oct 2007
Posts: 1,965
My Mood:
From SLX:

Quote:
If there was any danger to our customers and merchants, we'd disable item purchases and money transfers until the issue was resolved. I plan to post an announcement with a more complete explanation later today. Suffice to say this isn't the first time our LSL code has been compromised and attempted to use against us, I doubt it will be the last, and SLX was designed with that likely possibility in mind right from the start.
Atashi Yue is offline   Reply With Quote
Old 05-03-2008, 11:33 AM   #19 (permalink)
Senior Member

*SLU Supporter*
 
Psyke Phaeton's Avatar
 
Join Date: Sep 2007
Location: Australia
Posts: 9,349
SL Join Date: 12-Oct-2003
Client: Viewer 3
Blog Entries: 4
Quote:
Originally Posted by Ten View Post
Yeah, Fawn is registered to my regular SL email, but why would I get these in my gmail? And what scripted object is it targeting? Fawn doesn't have any weapons on her or anything.
I think you misunderstand. A scripted object made by someone else seems to be emailing your gmail account thinking it belongs to Montana Corleone.

I am unsure if it is emailing multiple people also or not. Might be time to go looking for the object
Psyke Phaeton is offline   Reply With Quote
Old 05-03-2008, 11:35 AM   #20 (permalink)
Ten
Senior Member
 
Join Date: Jun 2007
Posts: 6,914
My Mood:
SL Join Date: 10/7/2006

Awards: 1
Thwarting a Potential Drama Attack 
How strange... but I don't have anything rezzed by Fawn that's scripted... ?!?!

wtfz
Ten is offline   Reply With Quote
Old 05-03-2008, 11:39 AM   #21 (permalink)
Senior Member

*SLU Supporter*
 
Psyke Phaeton's Avatar
 
Join Date: Sep 2007
Location: Australia
Posts: 9,349
SL Join Date: 12-Oct-2003
Client: Viewer 3
Blog Entries: 4
Quote:
Originally Posted by Ten View Post
How strange... but I don't have anything rezzed by Fawn that's scripted... ?!?!

wtfz
It's not your scripted object nor do you own it. Anyone can make a script that sends emails to any email box. I can make a script that emails the President.

The object is no longer at that location. So I am guessing it keeps moving from place to place.

Paste the location info from the latest email maybe I can get to it in time.

Last edited by Psyke Phaeton; 05-03-2008 at 11:44 AM.
Psyke Phaeton is offline   Reply With Quote
Old 05-03-2008, 11:46 AM   #22 (permalink)
Ten
Senior Member
 
Join Date: Jun 2007
Posts: 6,914
My Mood:
SL Join Date: 10/7/2006

Awards: 1
Thwarting a Potential Drama Attack 
Latest email:


Object-Name: DiSSENTiON Linden
Region: Fujin (259840, 257024)
Local-Position: (104, 74, 257)

WE STILL HAVEN'T FORGOTTEN ABOUT YOU LITTLE FROGGY
Your avatar key is 89dc93a0-fa71-4337-b9a0-225cfcebb65a and we have now placed it in scripts on the PN wiki here: Lolibawls - Patriotic Nigras in the top areas of the script where griefers will forever grief you whenever they use this and two other weapons. This MEssage was sent while we were in the process of DDoSing SLX
Ten is offline   Reply With Quote
Old 05-03-2008, 11:52 AM   #23 (permalink)
Senior Member

*SLU Supporter*
 
Psyke Phaeton's Avatar
 
Join Date: Sep 2007
Location: Australia
Posts: 9,349
SL Join Date: 12-Oct-2003
Client: Viewer 3
Blog Entries: 4
Quote:
Originally Posted by Ten View Post
Latest email:


Object-Name: DiSSENTiON Linden
Region: Fujin (259840, 257024)
Local-Position: (104, 74, 257)

WE STILL HAVEN'T FORGOTTEN ABOUT YOU LITTLE FROGGY
Your avatar key is 89dc93a0-fa71-4337-b9a0-225cfcebb65a and we have now placed it in scripts on the PN wiki here: Lolibawls - Patriotic Nigras in the top areas of the script where griefers will forever grief you whenever they use this and two other weapons. This MEssage was sent while we were in the process of DDoSing SLX
Nope, it's gone. Which is hardly surprising. I think you should report it and give the Lindens the details from the emails. You can click "show details" in gmail when one is open to get more details to show the Lindens.

They can then simply delete the object.
Psyke Phaeton is offline   Reply With Quote
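The advice in post #23 is to report the object with the details from the emails. The sketch below is an added example, not code from any poster or from Linden Lab: it collects those details from a batch of object-sent mail, using the sender address form and the Object-Name / Region / Local-Position lines quoted in this thread. The sample messages are constructed from the locations posted above; the To and Subject headers and the omitted message text are placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Object mail comes from <object-key>@lsl.secondlife.com, as in the reply address quoted in post #15.
SENDER = re.compile(r"^([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})@lsl\.secondlife\.com$", re.I)
FIELD = re.compile(r"^(Object-Name|Region|Local-Position):\s*(.*)$")
REGION = re.compile(r"^(.+?)\s*\((\d+),\s*(\d+)\)$")
VECTOR = re.compile(r"^\((-?\d+),\s*(-?\d+),\s*(-?\d+)\)$")

def parse_object_email(raw):
    """Return object key, name, region and position, or None if this is not object mail."""
    msg = message_from_string(raw)
    sender = SENDER.match(parseaddr(msg.get("From", ""))[1])
    if not sender or msg.is_multipart():  # assumption: single-part plain-text mail
        return None
    fields = {}
    for line in msg.get_payload().splitlines():
        hit = FIELD.match(line.strip())
        if hit:
            fields[hit.group(1)] = hit.group(2).strip()
        elif fields:
            break  # the field block at the top of the body has ended
    region = REGION.match(fields.get("Region", ""))
    pos = VECTOR.match(fields.get("Local-Position", ""))
    if not (region and pos):
        return None
    return {
        "object_key": sender.group(1).lower(),
        "object_name": fields.get("Object-Name", ""),
        "region": region.group(1),
        "grid": (int(region.group(2)), int(region.group(3))),
        "position": tuple(int(v) for v in pos.groups()),
    }

def summarize(raw_messages):
    """Group object mail by sending object: message count and distinct sightings in arrival order."""
    report = {}
    for raw in raw_messages:
        rec = parse_object_email(raw)
        if rec is None:
            continue
        entry = report.setdefault(rec["object_key"], {"names": set(), "count": 0, "sightings": []})
        entry["names"].add(rec["object_name"])
        entry["count"] += 1
        sighting = (rec["region"], rec["position"])
        if sighting not in entry["sightings"]:
            entry["sightings"].append(sighting)
    return report

def _sample(region, position):
    # Constructed message: headers and field lines follow the thread, the text is omitted.
    return ("From: DiSSENTiON Linden <eab9b142-471b-45b2-45a8-777e63fbb91d@lsl.secondlife.com>\n"
            "To: recipient@example.invalid\nSubject: (constructed)\n\n"
            f"Object-Name: DiSSENTiON Linden\nRegion: {region}\nLocal-Position: {position}\n\n"
            "[message text omitted]\n")

SAMPLES = [
    _sample("Fujin (259840, 257024)", "(30, 61, 393)"),
    _sample("Exchange (268288, 252928)", "(86, 240, 37)"),
    _sample("Fujin (259840, 257024)", "(104, 74, 257)"),
    _sample("Fujin (259840, 257024)", "(18, 28, 337)"),
    "From: Friend <friend@example.invalid>\n\nOrdinary mail, not from an object.\n",
]

if __name__ == "__main__":
    for key, entry in summarize(SAMPLES).items():
        print(key, sorted(entry["names"]), entry["count"], "messages")
        for region, position in entry["sightings"]:
            print("  ", region, position)
```

The per-object sighting list makes the movement between regions and positions visible in one place, which is the detail a report needs when the object is no longer at any single quoted location.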
Old 05-03-2008, 12:15 PM   #24 (permalink)
Senior Member

*SLU Supporter*
 
Psyke Phaeton's Avatar
 
Join Date: Sep 2007
Location: Australia
Posts: 9,349
SL Join Date: 12-Oct-2003
Client: Viewer 3
Blog Entries: 4
Cris, I am going to keep hitting refresh until you ban Tenshi she is obviously mixed up in all of this
Psyke Phaeton is offline   Reply With Quote
2 Users Laughed:
Old 05-03-2008, 03:17 PM   #25 (permalink)
Ten
Senior Member
 
Join Date: Jun 2007
Posts: 6,914
My Mood:
SL Join Date: 10/7/2006

Awards: 1
Thwarting a Potential Drama Attack 
I went away for a couple of hours and I now have 144 new messages.


Here's the most recent:


Object-Name: DiSSENTiON Linden
Region: Fujin (259840, 257024)
Local-Position: (18, 28, 337)

WE STILL HAVEN'T FORGOTTEN ABOUT YOU LITTLE FROGGY
Your avatar key is 89dc93a0-fa71-4337-b9a0-225cfcebb65a and we have now placed it in scripts on the PN wiki here: Lolibawls - Patriotic Nigras in the top areas of the script where griefers will forever grief you whenever they use this and two other weapons. You fail at releasing dox, since TOny COstello is a fake name and Frizzlefry and Codec are not the same person, dumbass. Good for lolz though. Now stick this dick in your mouth frenchie.
Ten is offline   Reply With Quote