Deadline For Next MOULa Update - Nov 5?

CyanWorlds.com Engine Project Management
JWPlatt
Member
Posts: 1137
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: Deadline For Next MOULa Update - Nov 5?

Post by JWPlatt »

The fan updates probably won't make it by Monday - mostly because Mark says he should have had a build by now and hasn't had the opportunity yet to pull the changes, let alone start any integration.

Mark likes the idea of giving Skoader the time to finish the physics changes. He added that we certainly don't have to time the update with one of the restarts. It is just more convenient.

About resource.dat, Mark says there is probably no reason it needs to be built on Cyan's build system, so an already generated file would be good. It could even be in the plasma tree somewhere.
Perfect speed is being there.
Lyrositor
Member
Posts: 156
Joined: Sun Feb 05, 2012 10:58 pm

Re: Deadline For Next MOULa Update - Nov 5?

Post by Lyrositor »

I've just realized that there is a pretty major vulnerability H'uru fixed that should be ported for the next update, if it's not too late: https://github.com/H-uru/Plasma/pull/218
From what I understand, it allows internal clients to send any Python command they wish to other clients with a netpropagated (or even targeted) Python.RunFile, thus allowing for remote attack upon other computers. I've talked about this with a few people in the Cavern, and they seem quite concerned about getting this fix in. If it's not too late, I could do some work on porting it; it's not a particularly difficult fix.
Lyrositor
Explorer #16601888
To D'ni, or not to D'ni. There is no question.
rarified
Member
Posts: 1061
Joined: Tue Dec 16, 2008 10:48 pm
Location: Colorado, US

Re: Deadline For Next MOULa Update - Nov 5?

Post by rarified »

Sounds like something that should go in regardless of which update window it can fit in. Go ahead and submit a pull request on Bitbucket.

Thanks!
_R
One of the OpenUru toolsmiths... a bookbinder.
Annabelle
Member
Posts: 118
Joined: Thu Dec 22, 2011 4:40 am

Re: Deadline For Next MOULa Update - Nov 5?

Post by Annabelle »

Let me ask a question.

If, let's say, I have 2 avatars: Annabelle and La belle Anna. La belle Anna is inside her Kadish and she is high up a collision wall. Annabelle is in her Relto. If I pull Annabelle to La belle Anna's Kadish with scripts that are within the client, is that a "remote attack upon another computer"? I always pulled my avatars from ages to ages, saving time with the linking process, which is a real pain.
Annabelle-Sophie KI 4247 & Annabelle KI 5152 both members of DRC (2) :) & the lovable Grr KI 106414 sole member of Grr's Hood
Lyrositor
Member
Posts: 156
Joined: Sun Feb 05, 2012 10:58 pm

Re: Deadline For Next MOULa Update - Nov 5?

Post by Lyrositor »

No, the exploit is related to Python.RunFile, and would consist of sending things like (really simple attack): "shutil; shutil.rmtree('dat')" (which, I think, would delete the dat directory in Uru). A more severe attack could destroy everything on the user's hard drive, launch unwanted programs, shut down the computer, download a virus, etc.
Lyrositor
Explorer #16601888
To D'ni, or not to D'ni. There is no question.
Annabelle
Member
Posts: 118
Joined: Thu Dec 22, 2011 4:40 am

Re: Deadline For Next MOULa Update - Nov 5?

Post by Annabelle »

ah LOL ok I see... hmm that's out of my poor technical range (my scripts are: ARBITRARY CENSORED ON JAN 10TH 2013 TO AVOID USAGE for instance ;) ) :lol: :lol: And anyway that would imply a nasty attack on my own PC in a way which would be counter-productive. :mrgreen:

That's a serious issue though and I'm glad you are taking care of that business. ... And I thought URU was made for exploration and social gathering! I never thought of a backdoor script pushing utility!
Last edited by Annabelle on Fri Jan 11, 2013 1:07 am, edited 1 time in total.
Annabelle-Sophie KI 4247 & Annabelle KI 5152 both members of DRC (2) :) & the lovable Grr KI 106414 sole member of Grr's Hood
Christian Walther
Member
Posts: 317
Joined: Sat Dec 13, 2008 10:54 am

Re: Deadline For Next MOULa Update - Nov 5?

Post by Christian Walther »

JWPlatt wrote: About resource.dat, Mark says there is probably no reason it needs to be built on Cyan's build system, so an already generated file would be good. It could even be in the plasma tree somewhere.
Which it already is: http://foundry.openuru.org/hg/CWE-ou/rev/54aa180243ae
Lyrositor wrote: I've just realized that there is a pretty major vulnerability H'uru fixed that should be ported for the next update, if it's not too late: https://github.com/H-uru/Plasma/pull/218
Thanks for the reminder, Lyrositor. I meant to examine and port that a long time ago, but never got around to it, and eventually forgot about it. If you have time, that would be very welcome.
Annabelle wrote: If I pull Annabelle to La belle Anna's Kadish with scripts that are within the client, is that a "remote attack upon another computer"?
In a way it is, but fortunately those who know how to use it usually behave themselves so far. But as Lyrositor explained, what we’re talking about here is a different, much more severe vulnerability.
D'Lanor
Member
Posts: 142
Joined: Tue Dec 23, 2008 11:23 pm

Re: Deadline For Next MOULa Update - Nov 5?

Post by D'Lanor »

Lyrositor wrote: No, the exploit is related to Python.RunFile, and would consist of sending things like (really simple attack): "shutil; shutil.rmtree('dat')" (which, I think, would delete the dat directory in Uru). A more severe attack could destroy everything on the user's hard drive, launch unwanted programs, shut down the computer, download a virus, etc.
But what is the point? Would that work with an external client? I thought running Python files directly was only possible with internal clients. And if you can compile your own internal client you can revert the "fix". Or implement other exploits for that matter.
Lyrositor
Member
Posts: 156
Joined: Sun Feb 05, 2012 10:58 pm

Re: Deadline For Next MOULa Update - Nov 5?

Post by Lyrositor »

From what I've seen, it should work with external clients, since, while Python.Cheat IS defined out, Python.RunFile isn't on Externals, so it can be netpropagated.
Lyrositor
Explorer #16601888
To D'ni, or not to D'ni. There is no question.
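
An added example, not part of any post above and not code from Plasma or H'uru: a minimal C++ model of a receiver-side gate that runs a console command arriving over the network only if it is explicitly marked safe for remote origin, so a propagated Python.RunFile is refused and logged. The Console type, the Origin flag and the Avatar.Wave command are hypothetical; only the name Python.RunFile comes from the thread.

```cpp
// Hypothetical model of a console dispatcher; not Plasma's actual code.
#include <functional>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <utility>
#include <vector>

enum class Origin { Local, Network };
using Handler = std::function<void(const std::string&)>;

struct Console {
    std::unordered_map<std::string, Handler> handlers;
    std::unordered_set<std::string> netSafe;  // commands a remote peer may trigger
    std::vector<std::string> rejected;        // refused remote lines, kept for audit
    void add(const std::string& name, bool allowFromNetwork, Handler fn) {
        handlers[name] = std::move(fn);
        if (allowFromNetwork) netSafe.insert(name);
    }
    // Returns true only if the command actually ran.
    bool dispatch(Origin origin, const std::string& line) {
        const std::size_t sp = line.find(' ');
        const std::string name = line.substr(0, sp);
        const std::string args = (sp == std::string::npos) ? std::string() : line.substr(sp + 1);
        const auto it = handlers.find(name);
        if (it == handlers.end()) return false;
        // Default deny: a remote command runs only when explicitly allowed.
        if (origin == Origin::Network && netSafe.count(name) == 0) {
            rejected.push_back(line);
            return false;
        }
        it->second(args);
        return true;
    }
};

struct DemoResult { int scriptsRun; int emotes; std::size_t rejected; };
// Constructed scenario: one local script run, then two messages from a peer.
DemoResult runDemo() {
    int scriptsRun = 0, emotes = 0;
    Console c;
    c.add("Python.RunFile", false, [&](const std::string&) { ++scriptsRun; });
    c.add("Avatar.Wave", true, [&](const std::string&) { ++emotes; });  // hypothetical
    c.dispatch(Origin::Local, "Python.RunFile localtool");
    c.dispatch(Origin::Network, "Python.RunFile fromPeer");
    c.dispatch(Origin::Network, "Avatar.Wave");
    return {scriptsRun, emotes, c.rejected.size()};
}
int main() { DemoResult r = runDemo(); return (r.scriptsRun == 1 && r.rejected == 1) ? 0 : 1; }
```

The gate sits on the receiving side because the sender's build is outside the receiver's control; the rejected list gives an operator something to alert on.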
Annabelle
Member
Posts: 118
Joined: Thu Dec 22, 2011 4:40 am

Re: Deadline For Next MOULa Update - Nov 5?

Post by Annabelle »

well... some like me for instance cannot compile their own internal client. We are using an already built client like the "Fun House Client". I think Lyrositor is talking more about them. Someone might not be able to compile a client but is savvy enough to run a malicious script to a remote party.

EDIT:

@ Christian Walther: thx for clarifying this point about using scripts that can be seen like "an attack upon a remote computer". Usually, I do ask beforehand if the person is willing before using a script that will take control over their avatar unless it's implicit: I'm doing a magic event for instance. If someone can do it themselves, I ask to be informed prior to the linking to my own age unless I stated to them explicitly: "link where I am". That's to prevent Age GUID steal while they are inside them to be able to come back at will while I'm offline.
Annabelle-Sophie KI 4247 & Annabelle KI 5152 both members of DRC (2) :) & the lovable Grr KI 106414 sole member of Grr's Hood