Originally Posted by SecondLife Herald

Second Life Herald: Slexchange ATM Script Cracked?
May 03, 2008
Slexchange ATM Script Cracked?

Secret requested when Secret is unknown

by Pixeleen Mistral, National Affairs desk

Friday, IntLibber Brautigan posted a warning of an exploit allowing technically savvy residents to “capture ATM scripts in bytecode format”. This is a significant development given the number of successful Second Life businesses that use LSL scripts to transfer goods and money -- an un-patched exploit could be a significant blow to the in-world economy.

Because the real wold dollar value of typical SL transactions is low, it is common to automate these transactions. However, automation generally means the scripted transactions are run with minimal of human supervision and depend on secrecy for security. This may present a problem. As Mr. Brautigan told the Herald, “with the code obtained, one can make an SLX terminal give you ANY product listed on SLX for free in any quantity or clean out the avatar owning the ATM - all their money - these capabilities have been tested I am told”.

Some observers are concerned that this sort of exploit could destabilize the in-world economy, and Mr. Brautigan reports that his source “has already notified Soft Linden about this vulnerability - he also tried to notify SLX but they said ‘our system is uncrackable’". There we no Linden Lab staff online friday evening willing to speak with the Herald on the record.

While the game gods remained silent, the Herald was able to interview Second Life resident Uildiar Kuhn to learn more about the exploit.


Uildiar Kuhn

Pixeleen Mistral: hi - are you busy?
Uildiar Kuhn: nah whats up

Pixeleen Mistral: rumors of getting script bytecode from objects by moving them back and forth across sim boundaries
Uildiar Kuhn: yeah ;p

Pixeleen Mistral: shouldn't the script code stay up on the server?
Uildiar Kuhn: I cant really discuss this with anyone.. its a very bad exploit if someone knows what too do with it

Pixeleen Mistral: this would explain the rumors of people copying scripts - did you report the exploit to LL?
Uildiar Kuhn: Yus too soft linden

Pixeleen Mistral: I was just talking to soft linden - who will not say anything on the record to a reporter. There are also a surprising number of Linden developers online this evening
Uildiar Kuhn nods

Pixeleen Mistral: do you think other people will be able to figure this one out?
Uildiar Kuhn: I only know a couple other people on the grid.. that can and they are responsible so we should be okay ;p

Pixeleen Mistral: so this is not an immediate crisis. Its more of a long term issue
Uildiar Kuhn: shouldn’t be long term i’m sure they will fix it

Pixeleen Mistral: will it take new client software - or can they just do a rolling restart on the servers?
Uildiar Kuhn: I'm not sure what there method of repair will be ^^

Pixeleen Mistral: you just told soft linden about this today?
Uildiar Kuhn: nah a couple months ago I’m sure they have been working on a fix for it

Pixeleen Mistral: wow. this is like that IM bug in jira that has been broken since february -- the one the griefers are using to flood people's mailboxes. Things get broken and don't get fixed
Uildiar Kuhn: They get fixed in time they can only work on so meny things at once hehe

Pixeleen Mistral: but the basic message here is only a couple other people could figure this out - so mostly residents should not worry
Uildiar Kuhn: yeah ^^
Uildiar Kuhn: And i’m sure they will hand out bans if people try it. Well those few ;p

Pixeleen Mistral: of course the griefers don't mind getting banned - but I guess the people who can figure it out are not griefers
Uildiar Kuhn nods

Pixeleen Mistral: at least we better hope so
Uildiar Kuhn: were fine hehe.. there far from griefers

Of course, wild claims are nothing new in the metaverse, and some readers may have difficulty believing that the Lab would leave a serious exploit un-patched for months.

I was also initially skeptical that a sim crossing could result in a script being quietly handed to the SL client software, but perhaps this accounts for the well known prim-hair-attached-to-the-butt-on-sim-crossing phenomena. While researching this story, a reliable source produced a portion of what is claimed to be the SLexchange ATM scripts and I began to wonder about the security of the Second Life Grid. Should resident trust their serious business secret bytecode to the Lab? Maybe not, if the bytecode below is real.


...

PUSHE
PUSHBP
PUSHARGI 3
PUSHARGS "I have not heard from the SL Exchange server for a very long time, so I am resetting myself. This does not always fix the problem, so you should check that I have in fact been reactivated on the SL Exchange website. If I have not been reactivated, you should replace me with a new copy."
PUSHARGE 16
PUSHSP
PUSHARGI 24
ADD Integer, Integer
POPBP
CALL 0

...

PUSHG 126
PUSHARGS "SLX Vendor Components"
PUSHARGS "00000000-0000-0000-0000-000000000000"
CAST String, Key
PUSHARGE 0
PUSHSP
PUSHARGI 16
ADD Integer, Integer
POPBP


...

PUSHBP
PUSHARGI 1
PUSHARGS "Got deliver item command"
PUSHARGE 16
PUSHSP
PUSHARGI 24

...

PUSHE
PUSHBP
PUSHARGI 1
PUSHARGS "Relaying deliver item command"
PUSHARGE 16
PUSHSP
PUSHARGI 24
ADD Integer, Integer
POPBP
...


CALLLIB_TWO_BYTE 139 //llGetLinkNumber()
PUSHG 186
PUSHARGS "normal"
PUSHARGS "00000000-0000-0000-0000-000000000000"
CAST String, Key
PUSHARGE 0
PUSHSP
PUSHARGI 16
ADD Integer, Integer
POPBP
CALLLIB_TWO_BYTE 164 //llMessageLinked()
JUMP 720
PUSHG 36
PUSH 4
EQ Integer, Integer
JUMPNIF Integer, 130
PUSHE
PUSHBP
PUSHARGI 1
PUSHARGS "Got XMLRPC channel."
PUSHARGE 16
PUSHSP
PUSHARGI 24

...

PUSHARGS ""
PUSHGS 386
EQ String, String
JUMPNIF Integer, 73
PUSHE
PUSHBP
PUSHARGI 2
PUSHARGS "Secret requested when Secret is unknown."
PUSHARGE 16
PUSHSP
PUSHARGI 24
ADD Integer, Integer

Originally Posted by A posted reply on SLH:

Yes SLX is completely compromised. The bytecode can be decompiled and by looking at those scripts one can do just about anything.

I have the code in its entirety.

Additionally:
We are attacking the grid again. Our weapons actually don't directly attack the asset servers. When an object replicates all copies are a reference to the same asset but when our weapons replicate so fast and we are getting over twenty thousand of them returned per minute due to autoreturn it creates an asset for each and every one of them. We are also currently experimenting with disrupting SLX communications in-world since the admins got smart and began filtering our DDoS attacks.
We're demanding that Montana be banned or she issue a public apology for being a french biggot and pedophile. Until Montana is banned SLX will continue to be the target of ongoing attacks. Montana doesn't make much money here anyways so the admins are just trying to be stubborn thinking that they can report us the the FBI and that will solve the problem. We aren't going anywhere, SLX. Comply or you will be dismantled.
If any of you are getting tired of the attacks you could simply move over to onrez and leave this shitfest behind. You could PM the admins and beg them to comply. They likely will not listen but it doesn't matter to me or my associates if they go out of business.

You can also expect a delay on responses from support emails since we have spammed their inbox and Apotheus Silverman's personal email which can be obtained from a simple WHOIS on the domain.
I think the best part is that we can attack Second Life while we attack SLX. It's very convenient.

-DiSSENT

Originally Posted by Joshua Nightshade

Boob boob boob. Boobs. Floppy funbags. Tittymagic. Jugs. Boob. That will be all.

Originally Posted by Shiva Shiskabob

vendettas over the internet...

Originally Posted by Shiva Shiskabob

patriotic nigras? what the hell are those?

also, again i say, vendettas over the internet! :-o

Originally Posted by Ten

Oh, wait, there was more:



Don't these kids ever go to the fucking movies?

Originally Posted by Ten

I'm pretty sure they're forwarded IMs, but then if they were they'd show destination "Fawn Fotherington", wouldn't they? Not "Montana Corleone". When you hit "reply" on the emails it shows a standard grid-based avatar response destination:

DiSSENTiON Linden <eab9b142-471b-45b2-45a8-777e63fbb91d@lsl.secondlife.com>

Originally Posted by Ten

Yeah, Fawn is registered to my regular SL email, but why would I get these in my gmail? And what scripted object is it targeting? Fawn doesn't have any weapons on her or anything.

Originally Posted by Ten

How strange... but I don't have anything rezzed by Fawn that's scripted... ?!?!

wtfz

Originally Posted by Ten

Latest email:


Object-Name: DiSSENTiON Linden
Region: Fujin (259840, 257024)
Local-Position: (104, 74, 257)

WE STILL HAVEN'T FORGOTTEN ABOUT YOU LITTLE FROGGY
Your avatar key is 89dc93a0-fa71-4337-b9a0-225cfcebb65a and we have now placed it in scripts on the PN wiki here: Lolibawls - Patriotic Nigras in the top areas of the script where griefers will forever grief you whenever they use this and two other weapons. This MEssage was sent while we were in the process of DDoSing SLX