Assembly Hall
In Game Browser Vulnerable to High Risk Remote Code Execution Exploits

Author
xarjin
Galactic Deep Space Industries
Brave Collective
#1 - 2013-06-07 20:47:04 UTC  |  Edited by: xarjin
I hope I'm posting this in the right forum and that the CSM council will take this seriously, given the potential gravity of the situation.

The problem is as stated in the topic, and CCP appears to be completely ignoring the issue. Major antivirus software vendors have started flagging the in-game browser as an identity theft risk because it's based on a highly vulnerable version of Google Chrome from 2009.

There's been a thread on Reddit about it, a months-old thread and similar years-old threads on the EVE Issues and Bug Reporting forum, as well as posts I've contributed to.

https://forums.eveonline.com/default.aspx?g=posts&t=205388

http://www.reddit.com/r/Eve/comments/18osz9/i_was_not_successful_just_posting_on_the_forums/


1) How am I even qualified to assert that the facts stated are plausible?

I'm a trained and certified IT Business Systems Analyst and Network Engineer with over 15 years' experience and a long list of completed security-related projects, and I have administered global network infrastructure projects.

I also served as a volunteer member of the network infrastructure management and development team for the Gentoo Linux Project, one of the most widely used and respected Linux distributions available today.

My oDesk profile

2) Are these "security" issues really that bad?

Remote code execution exploits are as bad as a security vulnerability in human-designed software can possibly be for the end user. This class of software exploit allows anyone knowledgeable enough to design malicious websites that target those exploits, with the intention of using the vulnerable software to remotely compromise the host computers the software is installed on.

For malicious websites to succeed in compromising vulnerable web browsers requires the vulnerable software to have its own memory footprint on the computer it's installed on, as well as at least one running process. The in-game browser can be launched multiple times by opening tabs, as it's based on Google Chrome.

Within the EVE Online game, when anyone starts the in-game web browser it launches in its own process, completely isolated from the EVE Online game process.

TL;DR: anyone could hack the IGB using a combination of social media and social engineering to raise the public profile of a malicious website and make every last EVE Online subscriber install a remote keylogger or trojan viruses by browsing the theoretical website.

I do not want to see this happen to our beloved eve subscriber community as the fallout from an incident such as this would be catastrophic.

CSM8, please, for the benefit of every last person that plays EVE: get this fixed yesterday.



Quote:
This really needs to be addressed by the devs, given that antivirus vendors have started flagging CCP's IGB exe file as a security risk.

https://forums.eveonline.com/default.aspx?g=posts&t=239089

Also, this should serve as an eye-opening concern. The denial of service exploit previously used as an example is far less of an issue than remote code execution exploits. Since the IGB runs in its own process, anyone using the IGB who potentially visits a malicious website is vulnerable to remotely having their computer hijacked by a trojan.


http://msisac.cisecurity.org/advisories/2013/2013-053.cfm

MS-ISAC ADVISORY NUMBER:
2013-053

DATE(S) ISSUED:
05/21/2013

SUBJECT:
Multiple Google Chrome Vulnerabilities Could Allow for Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome that could allow remote code execution, bypass of security restrictions, or cause denial-of-service conditions. Google Chrome is a web browser used to access the Internet. Details are not currently available that depict accurate attack scenarios, but it is believed that some of the vulnerabilities can be exploited if a user visits, or is redirected to a specially crafted web page.

Successful exploitation of these vulnerabilities may result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

Google Chrome for Windows, Mac and Linux versions prior to 27.0.1453.93

RISK:

Government:

Large and medium government entities: High
Small government entities: High

Businesses:

Large and medium business entities: High
Small business entities: High

Home users: High
Tarunik Raqalth'Qui
Native Freshfood
Minmatar Republic
#2 - 2013-06-07 23:22:24 UTC
Considering that malicious advertisements (malads?) inside legit pages/sites are a thing, this should be a higher priority. Furthermore, considering that DDoS attacks seem to be a part of the shady side of the Eve metagame already (to go with RMT + botting), it is not a far leap to more insidious attack methods.
Alona Gene
Doomheim
#3 - 2013-06-08 00:39:36 UTC
I agree, this needs to be given a much higher priority by CCP. By CCP knowing of this vulnerability, they are morally and professionally obligated to fix it.

In my opinion, keeping the IGB secure and patched is much more important than content, even.

CSM, please bring this to light to CCP and support our safety.

-Signed-
xarjin
Galactic Deep Space Industries
Brave Collective
#4 - 2013-07-11 01:14:34 UTC
Bumping for visibility, given the serious nature of the topic.

Please, CSMs, look into this.
Omega Flames
Caldari Provisions
Caldari State
#5 - 2013-07-11 01:48:55 UTC
It's been over a month; has any dev taken the time to verify whether or not this is true?
xarjin
Galactic Deep Space Industries
Brave Collective
#6 - 2013-07-11 03:06:21 UTC  |  Edited by: xarjin
Omega Flames wrote:
It's been over a month; has any dev taken the time to verify whether or not this is true?



It's already been confirmed that the IGB is vulnerable to exploits that were patched in Chrome 4.x, but no dev has commented on this, which from an assurance perspective is troubling.

Enta Ozuwara wrote:
People on Reddit were asking for some sort of proof. Since a Remote Code Execution would need to be carefully planned, I have instead run a DoS exploit fixed in Chrome 4.1.

Result: Awesomium.exe crashes


The linked quote above is only a denial of service vulnerability that makes the browser crash, which is fairly harmless, but if a vulnerability that exists in Chromium 4.x still works, then every other exploit newer than this will also succeed.

Many of them are serious sandbox violations.

If you browse this website with the IGB it clearly displays the browser version as Chromium/Chrome 3.x and also shows that the IGB possesses the ability to use the host system's Java binary, which alone is a known high security risk if left outdated.

http://www.whatismybrowser.com

Gives you this

http://i.imgur.com/qehUbKA.png

Chrome with no secure sandbox, outdated Java and Flash Player leaves the host system completely vulnerable to remote compromise.
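A defender-side way to act on the two facts this thread establishes (the whatismybrowser result showing the IGB as Chromium 3.x, and the MS-ISAC 2013-053 advisory quoted in the first post, which lists Chrome versions prior to 27.0.1453.93 as affected) is to scan web server logs for User-Agent strings that advertise an engine below that threshold. The script below is an added example, not code from the thread or from CCP; the log lines it scans are constructed for illustration, and the regular expressions and function names are this example's own.

```python
"""Flag outdated Chrome/Chromium engines in web server logs by User-Agent.

Added example, not from the forum thread. The threshold is the fixed version
named in MS-ISAC advisory 2013-053 (quoted in the thread): Chrome versions
prior to 27.0.1453.93 are affected. The sample log lines are constructed.
"""
import re
from typing import List, Optional, Tuple

# Versions below this were listed as affected in MS-ISAC advisory 2013-053.
MIN_SAFE_CHROME: Tuple[int, ...] = (27, 0, 1453, 93)

# Matches "Chrome/3.0.195.33" or "Chromium/3.0.195.33" inside a UA string.
_CHROME_RE = re.compile(r"\b(?:Chrome|Chromium)/(\d+(?:\.\d+)*)")

# The User-Agent is the last double-quoted field of a combined-format log line.
_UA_FIELD_RE = re.compile(r'"([^"]*)"\s*$')


def parse_chrome_version(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Return the Chrome/Chromium version as a tuple of ints, or None if absent."""
    m = _CHROME_RE.search(user_agent)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_outdated(version: Tuple[int, ...], minimum: Tuple[int, ...] = MIN_SAFE_CHROME) -> bool:
    """True if version sorts below minimum; missing trailing components count as 0."""
    width = max(len(version), len(minimum))
    padded_version = tuple(version) + (0,) * (width - len(version))
    padded_minimum = tuple(minimum) + (0,) * (width - len(minimum))
    return padded_version < padded_minimum


def user_agent_from_log_line(line: str) -> str:
    """Extract the final quoted field (the User-Agent) from a combined-format log line."""
    m = _UA_FIELD_RE.search(line)
    return m.group(1) if m else ""


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, version) for every request made by an outdated Chrome engine."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client_ip = line.split(" ", 1)[0]
        version = parse_chrome_version(user_agent_from_log_line(line))
        if version is not None and is_outdated(version):
            hits.append((client_ip, ".".join(map(str, version))))
    return hits


# Constructed sample log lines (combined log format): one 2009-era Chromium 3.x
# engine, one current Chrome, one Firefox, which the scan should ignore.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2013:03:06:21 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.33 Safari/532.0"
10.0.0.6 - - [11/Jul/2013:03:07:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36"
10.0.0.7 - - [11/Jul/2013:03:07:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0"
"""


if __name__ == "__main__":
    threshold = ".".join(map(str, MIN_SAFE_CHROME))
    for ip, ver in scan_log(SAMPLE_LOG):
        print(f"{ip}: Chrome/Chromium {ver} is below {threshold}")
```

The version comparison pads short version strings with zeros so that a bare "Chrome/27" is treated as 27.0.0.0 and still flagged; a User-Agent is self-reported and can be spoofed, so a hit is a lead for follow-up, not proof of a vulnerable client.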
Omega Flames
Caldari Provisions
Caldari State
#7 - 2013-07-11 03:18:26 UTC
xarjin wrote:
Omega Flames wrote:
It's been over a month; has any dev taken the time to verify whether or not this is true?



It's already been confirmed that the IGB is vulnerable to exploits that were patched in Chrome 4.x, but no dev has commented on this, which from an assurance perspective is troubling.

You posting stuff does not a confirmation make, especially not in something of this technical a nature.
xarjin
Galactic Deep Space Industries
Brave Collective
#8 - 2013-07-11 03:20:10 UTC  |  Edited by: xarjin
Omega Flames wrote:
You posting stuff does not a confirmation make, especially not in something of this technical a nature.


Noted. I am both experienced and qualified to diagnose issues of such a technical nature. It only remains to be seen if the devs will actually do anything about it. So far they have done nothing for several years.
Manhim
Garoun Investment Bank
Gallente Federation
#9 - 2013-07-11 08:09:47 UTC
Weird, I ran the same website as you did, it doesn't detect Flash nor Java. Probably because the IGB doesn't even have Flash or Java plug-ins to begin with so it cannot bridge to the executables on the computer (And I really don't know how you got this result on your IGB).
Mag's
Azn Empire
#10 - 2013-07-11 10:11:23 UTC
I've never used the in game browser, because I have no control over it. I either alt tab out or had my laptop on next to me.

This thread comes as no surprise tbh, but thanks all the same.

Destination SkillQueue:- It's like assuming the Lions will ignore you in the Savannah, if you're small, fat and look helpless.

xarjin
Galactic Deep Space Industries
Brave Collective
#11 - 2013-07-11 14:44:21 UTC  |  Edited by: xarjin
Manhim wrote:
Weird, I ran the same website as you did, it doesn't detect Flash nor Java. Probably because the IGB doesn't even have Flash or Java plug-ins to begin with so it cannot bridge to the executables on the computer (And I really don't know how you got this result on your IGB).


If you only use Internet Explorer, which fewer people do now than Firefox or Chrome, you wouldn't have the correct Flash plugin installed in your system.

It's been an urban myth within the EVE community for years that the IGB had "disabled features" for added security, such as not having Flash Player, Java and such, but I submit that the added security, if it ever existed, is more or less nonexistent with an ancient, insecure web browser version.

Also, if the browser runs in its own process and can detect the host system's Flash and Java binaries, it can potentially use them, or they can potentially be used.

Also, if you're using a Mac, that may be another reason why it wasn't detected. The Mac client runs in an emulator.

My EVE client also is NOT installed in the default location...

I don't know if anyone else will get a different result from that web page. It's entirely possible, but if being installed in C:\Program Files is what the EVE client relies on to provide security to the insecure software installed with it, that's a poor security policy.

Above all else, there are some hard questions for CCP to answer. The CSM needs to seriously consider asking them.
Manhim
Garoun Investment Bank
Gallente Federation
#12 - 2013-07-12 03:49:11 UTC
I'm using Windows 8, and I'm pretty sure that you need a working plug-in to support the binaries for the browser, which I'm pretty sure doesn't support plug-ins.

It is indeed something that needs to be looked at, and this had been discussed at Fanfest: CCP didn't know what they wanted to do with it, since players were using it they couldn't really scrap it, and updating it would be a hard thing to do (my first guess is that they might be using WebKit libraries for more than just the browser, but I could be wrong).