Exploiting SecondLife

ISE and outside researchers discovered an exploit for Second Life that grants control of one character to a malicious character. This allows the adversary to perform actions that may have real-world consequences such as stealing the in-game currency known as Linden dollars, or controlling the player's machine.

Update: This vulnerability was patched in QuickTime 7.3.1 on December 13th, 2007, eliminating the vulnerability in fully patched Second Life Viewers and QuickTime Players; unpatched Second Life Viewers and QuickTime Players are still vulnerable.

SecondLife
Our victim investigating the exploit.

Welcome

Two security researchers, Charlie Miller, a Principal Security Analyst at Independent Security Evaluators, and Dino Dai Zovi decided to investigate the security of online games. This resulted in an exploit for Second Life that makes any player effected give the attacker their Linden dollars and yell "I got hacked!". In other words, it is possible to exploit a player to steal Linden dollars, and then cash them out for real US dollars. All the victim has to do is have video enabled and enter a piece of land owned by the attacker.

How the exploit works

The actual vulnerability lies in the third party QuickTime Player made by Apple. A vulnerability was announced on November 24th 2007 in the way QuickTime handles RTSP responses. Second Life allows players to embed media files in Second Life objects, and uses QuickTime to handle all video rendering. Furthermore, it is possible to have these media elements constantly playing. If a Second Life avatar walks onto a piece of land that contains an embedded malicious QuickTime File, they can be exploited.

What the exploit does

Once the malicious file has been viewed by the victim, the attacker has complete control over the victim's computer - and Second Life avatar. At this point the exploit could make the avatar do anything they like. This particular exploit freezes the avatar and makes them send the attacker's avatar twelve Linden dollars and shout "I got hacked". Please see the movie below. In this movie, the victim, Sussy McBride is wandering along, minding her own business. She stumbles upon a piece of land with a small purple box (the exploit). Remember, all she has to do is have video enabled and get on the same piece of land as the object. Very shortly after, she freezes, sends the attacker, Pwned Naglo, the twelve Linden dollars and yells that she was hacked.

 

Virtual worlds are interesting, because unlike the real world where client-side exploits are typically delivered via web browser links or emails, exploits in virtual worlds can be delivered in many different ways. Ours is activated by viewing a video on a purple box. One could imagine an exploit being delivered by looking at a shirt that a character is wearing, or by a character whispering something to another character. The possibilities are endless.

Mitigations

Perform a software update of your Second Life Viewer and QuickTime Player to eliminate this vulnerability. To prevent any future QuickTime vulnerabilities in the Second Life Viewer, users may discontinue the use of video. Specifically, users should click on Edit->Preferences... and then "Audio & Video". Make sure the box next to "Play Streaming Video When Available" is unchecked.

Please note that this will not be the last exploit of this kind written for Second Life, and that all virtual worlds are susceptible. Just like in the real world, be aware of your surroundings and play it safe.

Media Contact

You can contact us by phone at 443-270-2296.