I have concerns about the plugin architecture and the power given to all the devs out there. I am writing the FastTrack plugin for eDonkey/Overnet and during this process have realized that this is by far the worst and most insecure plugin architecture I have ever seen in my life: the client does no validity check on them at all, nor does MetaMachine (the company). Here is a short list of what they have given 1.14 million users (currently online) to have done on their machine if they download a "bad" plugin:

1. Local code execution
2. Unlimited disk access
3. Unlimited socket access
4. Code propagation through the client over the networks
5. Basically anything you can imagine in the world that can be done to a Windows OS machine.

Why? Good question. I have been working on plugin systems such as giFT and Windows Media for quite a while, and while they can do some neat things, this kind of behavior cannot happen because of the way they were architected. When I think of "plugins" I think of:

1. An SDK.
2. Methods that you create that the "client" listens for.
3. All code in the plugin is sent to the "client", not the OS level.
4. Mainly COM (this plugin makes full use of C++/MFC in a DLL).

Where did MetaMachine (eDonkey/Overnet) mess up? All code in the plugins CAN route to the "client", but they mainly pipe to the Windows subsystem, thus enabling anything to be written, which can then pipe back into the application on a low-level code basis and take control. Besides these factors, what about code signing or some sort of key schema at best to keep these plugins mostly legit? Why not some sort of CRC checking or any way to verify the authenticity of the plugin?

What could happen if a malicious plugin is made available? I leave it up to your imagination. ;) What is the worst thing that could possibly happen? Someone could write a legit plugin like "Gnutella", for example. It could work for months to come, and on a set date they could dump their virus code from an embedded resource and let it take control of what could be at that point 2 million "clients"; it could be one of the largest DDoS we could ever see, or even worse, it could spout out like MSBlast or worse... I have created some code as seen here (like I said, it can
really do anything you imagine):

/* This would be the main call done by the "client",
 * so the best place for our test. */
#include <afxwin.h>   // MFC: CString, CFile; also pulls in windows.h for MessageBox/ShellExecute

void CProtocolplugin::start()
{
    MessageBox(NULL, "Your machine could now be infected, press ok to see proof.",
               "OPPS!", MB_OK | MB_ICONWARNING);

    // Write a harmless text file into the client's Plugins directory.
    CString szFileName = "Plugins//virus.exe.txt";
    CFile file(szFileName, CFile::modeCreate | CFile::modeWrite);
    CString str = _T("This could have been a virus! - ashton");
    file.Write(str, str.GetLength() * sizeof(TCHAR));   // text only, no trailing NUL
    file.Close();

    // Open Explorer on the Plugins directory, then the new file in Notepad.
    ShellExecute(NULL, "explore", "Plugins", NULL, NULL, SW_MAXIMIZE);
    ShellExecute(NULL, "open", "notepad.exe", "Plugins//virus.exe.txt", "", SW_SHOW);

    MessageBox(NULL, "I just wrote a text file to your plugins dir, opened explorer to it and\n"
               "opened the .txt file, imagine if I was a virus writer. :-)",
               "OPPS!", MB_OK | MB_ICONWARNING);
}

I have created a real/fake plugin that shows you in a non
harmful manner what can be done in less than 5 minutes of writing a plugin for this massively popular file-sharing client. You may get it here: http://64.78.56.209/Fake_FastTrack.zip Just unzip it into the Plugins folder and run eDonkey/Overnet to see it in action, then just quit and delete it when done. Please note that my intentions are to make end users aware of this mainly at this point, as well as MetaMachine for a fix. This vulnerability goes back numerous versions and still stands in version 52, although the SDK just recently became available. The best message I have for eDonkey/Overnet users is "do NOT install any plugins until you have heard otherwise from MetaMachine that they are safe".

-Julian Ashton
ashton (at) joltmedia (dot) com
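As an added example (not from the post above and not MetaMachine's code), this is the kind of gate the CRC-checking paragraph asks for: before LoadLibrary(), the loader compares the plugin file's CRC-32 against a manifest entry and refuses anything unknown or mismatched. A CRC only catches accidental corruption, so the manifest must come from a trusted channel (signed by the vendor), and a production loader would check an Authenticode signature instead. The manifest contents, the plugin names and the plugin bytes are constructed placeholders.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320).
// Standard check value: crc32("123456789") == 0xCBF43926.
uint32_t crc32(const std::vector<uint8_t>& data) {
    uint32_t crc = 0xFFFFFFFFu;
    for (uint8_t byte : data) {
        crc ^= byte;
        for (int i = 0; i < 8; ++i)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

// Manifest the client would ship (or fetch over an authenticated channel):
// plugin file name -> expected CRC-32 of its bytes. Constructed sample entry.
const std::map<std::string, uint32_t> kManifest = {
    {"gnutella.dll", 0xCBF43926u},
};

// Gate to run before LoadLibrary(): default deny for anything not listed, and deny
// anything whose bytes differ from the recorded value. True only if loadable.
bool plugin_allowed(const std::map<std::string, uint32_t>& manifest,
                    const std::string& name, const std::vector<uint8_t>& bytes) {
    auto it = manifest.find(name);
    if (it == manifest.end()) return false;
    return crc32(bytes) == it->second;
}

// Helper: the byte vector a file read of this content would yield.
std::vector<uint8_t> bytes_of(const std::string& s) {
    return std::vector<uint8_t>(s.begin(), s.end());
}

int main() {
    // Constructed stand-ins for files on disk: the listed build, a tampered copy, and an unvetted plugin.
    std::vector<uint8_t> good = bytes_of("123456789");
    std::vector<uint8_t> tampered = bytes_of("123456789X");
    std::cout << "gnutella.dll (listed):    " << plugin_allowed(kManifest, "gnutella.dll", good) << "\n";     // 1
    std::cout << "gnutella.dll (tampered):  " << plugin_allowed(kManifest, "gnutella.dll", tampered) << "\n"; // 0
    std::cout << "fasttrack.dll (unlisted): " << plugin_allowed(kManifest, "fasttrack.dll", good) << "\n";    // 0
    return 0;
}
```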
