OpenUru.org

The fan updates probably won't make it by Monday - mostly because Mark says he should have had a build by now and hasn't had the opportunity yet to pull the changes, let alone start any integration.

Mark likes the idea of giving Skoader the time to finish the physics changes. He added that we certainly don't have to time the update with one of the restarts. It is just more convenient.

About resource.dat, Mark says there is probably no reason it needs to be built on Cyan's build system, so an already generated file would be good. It could even be in the plasma tree somewhere.

I've just realized that there is a pretty major vulnerability H'uru fixed that should be ported for the next update, if it's not too late: https://github.com/H-uru/Plasma/pull/218
From what I understand, it allows internal clients to send any Python command they wish to other clients with a netpropagated (or even targeted) Python.RunFile, thus allowing for remote attack upon other computers. I've talked about this with a few people in the Cavern, and they seem quite concerned about getting this fix in. If it's not too late, I could do some work on porting it, it's not a particularly difficult fix.

Sounds like something that should go in regardless of which update window it can fit in. Go ahead and submit a pull request on Bitbucket.

Thanks!
_R

Let me ask a question.

If let say I have 2 avatars: Annabelle and La belle Anna. La belle Anna is inside her Kadish and she is high up a collision wall. Annabelle is in her Relto. If I pull Annabelle to La belle Anna's Kadish with scripts that are within the client, is that a "remote attack upon another computer" ? I always pulled my avatars from ages to ages saving time with the linking process which is a real pain.

No, the exploit is related to Python.RunFile, and would consist of sending things like (really simple attack): "shutil; shutil.rmtree('dat')" (which, I think, would delete the dat directory in Uru). A more severe attack could destroy everything on the user's hard drive, launch unwanted programs, shutdown the computer, download a virus, etc..

ah LOL ok I see... hmm that's out of my poor technical range (my scripts are: ARBITRARY CENSORED ON JAN 10TH 2013 TO AVOID USAGE for instance ) And anyway that would implied a nasty attack on my own PC in a way which would be counter-productive.

That's a serious issue though and I'm glad you are taking care of that business. ... And I thought URU was made for exploration and social gathering! I never thought of a backdoor script pushing utility!

JWPlatt wrote:About resource.dat, Mark says there is probably no reason it needs to be built on Cyan's build system, so an already generated file would be good. It could even be in the plasma tree somewhere.

Which it already is: http://foundry.openuru.org/hg/CWE-ou/rev/54aa180243ae

Lyrositor wrote:I've just realized that there is a pretty major vulnerability H'uru fixed that should be ported for the next update, if it's not too late: https://github.com/H-uru/Plasma/pull/218

Thanks for the reminder, Lyrositor. I meant to examine and port that a long time ago, but never got around to it, and eventually forgot about it. If you have time, that would be very welcome.

Annabelle wrote:If I pull Annabelle to La belle Anna's Kadish with scripts that are within the client, is that a "remote attack upon another computer" ?

In a way it is, but fortunately those who know how to use it usually behave themselves so far. But as Lyrositor explained, what we’re talking about here is a different, much more severe vulnerability.

Lyrositor wrote:No, the exploit is related to Python.RunFile, and would consist of sending things like (really simple attack): "shutil; shutil.rmtree('dat')" (which, I think, would delete the dat directory in Uru). A more severe attack could destroy everything on the user's hard drive, launch unwanted programs, shutdown the computer, download a virus, etc..

But what is the point? Would that work with an external client? I thought running Python files directly was only possible with internal clients. And if you can compile your own internal client you can revert the "fix". Or implement other exploits for that matter.

From what I've seen, it should work with external clients, since, while Python.Cheat IS defined out, Python.RunFile isn't on Externals, so it can be netpropagated.

well... some like me for instance cannot compile their own internal client. We are using already built client like the "Fun House Client". I think Lyrositor is more talking about them. Someone might not be able to compile a client but is enough savvy to run a malicious script to a remote party.

EDIT:

@ Christian Walther: thx for clarifying this point about using scripts that can be seen like "an attack upon a remote computer". Usually, I do ask beforehand if the person is willing before using a script that will take control over their avatar unless it's implicit: I'm doing a magic event for instance. If someone can do it themselves, I ask to be informed prior to the linking to my own age unless I stated to them explicitly: "link where I am". That's to prevent Age GUID steal while they are inside them to be able to come back at will while I'm offline.