Security vulnerability brought by non-check inventory service

From OpenSimulator

(Difference between revisions)
Jump to: navigation, search
m (Robot: Cosmetic changes)
 
(31 intermediate revisions by 6 users not shown)
Line 1: Line 1:
[[User:Lulurun]]
+
__NOTOC__
 +
{{Quicklinks}}
 +
<br />
  
== Agenda ==
+
== Problem ==
  
To enable user avatar travel from a grid service to another grid service,
+
With the following conditions, one can simply take over the full control(CRUD) of other user's inventory.
There are 3 problems to be considered:
+
# InventoryServer is exposed to the public.
# How to enable foreign user login - [[OpenID for data portability in virtual world|Authentication]]
+
# user's UUID is given
# (If a foreign user can login)[[Avatar_portability_version_2|How to get a foreign user's belongings]](including appearance, inventory)
+
# '''Security'''
+
#* '''This is discussed in this page'''
+
  
To achieve the 1st, client side changes are needed. SO, so far, I have
+
Simply describe in the following figure:
only implemented the 2nd and the 3rd, and would like to explan my idea:
+
* InventoryServer is a normal http server, the normal way to use it is:
 +
** user get the authentication from UserServer
 +
** user control its inventory through RegionServer
 +
* But since the InventoryServer accepts any request without check if the user is authenticated, or, even it does not check if the request is from a RegionServer.
 +
* So, if you know other users' UUID, you can send CRUD http requests directly to the InventoryServer without login.
  
== Problem ==
+
[[Image:secure_inventory_1.PNG]]
 +
 
 +
And [[Avatar portability version 2|AvatarPortability]] needs a public inventory server,
 +
so we have to make a secure one.
 +
 
 +
== Solution ==
 +
 
 +
* every inventory operation packet contains a "session_id" field, but it is never used.
 +
* so, a secure inventory service could be like this
 +
[[Image:secure_inventory_2.PNG]]
 +
* "session_id" is a important information, that is(should be) only transfered in a login session.
 +
** "expect_user" transfer "session_id" from UserServer to RegionServer only when the authentication is OK, so "expect_user" is safe.
 +
** method, such like "get_agent_by_uuid" is very dangerous.
 +
 
 +
== Configuration ==
 +
 
 +
=== RegionServer side ===
 +
* in OpenSim.ini, [Network] section,
 +
inventory_server_url = http://127.0.0.1:8004
 +
'''secure_inventory_server''' = true / false
 +
* if the inventory server specified by "inventory_server_url" is a "secure" inventory server, set "secure_inventory_server = true". Then, inventory requests from the region server will have the user's session_id attached
 +
* else, set "secure_inventory_server = false". In this case, session_id is not attached to inventory requests.
 +
** Setting secure_inventory_server to false is only useful when you want your region server to connect to an '''old inventory server''' which does not expect a session_id.
  
== solution ==
+
=== InventoryServer side ===
 +
* in InventoryServer_Config.xml,
 +
'''session_lookup''' = true / false
 +
(* for session_lookup please also refer the picture above)
 +
* if you want the inventory server to validate each incoming inventory request by session_id, set session_lookup = true
 +
* else, set session_lookup = false
 +
** Setting session_lookup to false makes inventory server accept any request from any client.
  
== implementation ==
+
=== *NOTE* ===
 +
* Regardless of whether '''session_lookup''' is true or false, '''new inventory server''' requires a session_id in every inventory request. If you want your region server to connect to a '''new inventory server''', you should always set '''secure_inventory_server = true''' in OpenSim.ini.
 +
** Here '''new inventory server''' means inventory server after SVN revision 5600.

Latest revision as of 20:11, 3 March 2012


[edit] Problem

With the following conditions, one can simply take over the full control(CRUD) of other user's inventory.

  1. InventoryServer is exposed to the public.
  2. user's UUID is given

Simply describe in the following figure:

  • InventoryServer is a normal http server, the normal way to use it is:
    • user get the authentication from UserServer
    • user control its inventory through RegionServer
  • But since the InventoryServer accepts any request without check if the user is authenticated, or, even it does not check if the request is from a RegionServer.
  • So, if you know other users' UUID, you can send CRUD http requests directly to the InventoryServer without login.

Secure inventory 1.PNG

And AvatarPortability needs a public inventory server, so we have to make a secure one.

[edit] Solution

  • every inventory operation packet contains a "session_id" field, but it is never used.
  • so, a secure inventory service could be like this

Secure inventory 2.PNG

  • "session_id" is a important information, that is(should be) only transfered in a login session.
    • "expect_user" transfer "session_id" from UserServer to RegionServer only when the authentication is OK, so "expect_user" is safe.
    • method, such like "get_agent_by_uuid" is very dangerous.

[edit] Configuration

[edit] RegionServer side

  • in OpenSim.ini, [Network] section,
inventory_server_url = http://127.0.0.1:8004
secure_inventory_server = true / false
  • if the inventory server specified by "inventory_server_url" is a "secure" inventory server, set "secure_inventory_server = true". Then, inventory requests from the region server will have the user's session_id attached
  • else, set "secure_inventory_server = false". In this case, session_id is not attached to inventory requests.
    • Setting secure_inventory_server to false is only useful when you want your region server to connect to an old inventory server which does not expect a session_id.

[edit] InventoryServer side

  • in InventoryServer_Config.xml,
session_lookup = true / false
(* for session_lookup please also refer the picture above)
  • if you want the inventory server to validate each incoming inventory request by session_id, set session_lookup = true
  • else, set session_lookup = false
    • Setting session_lookup to false makes inventory server accept any request from any client.

[edit] *NOTE*

  • Regardless of whether session_lookup is true or false, new inventory server requires a session_id in every inventory request. If you want your region server to connect to a new inventory server, you should always set secure_inventory_server = true in OpenSim.ini.
    • Here new inventory server means inventory server after SVN revision 5600.
Personal tools
General
About This Wiki