[Opensim-dev] FORMAL NOTIFICATION OF SECURITY FLAWS (Round 1)

Maxwell, Douglas CIV USARMY RDECOM ARL (US) douglas.maxwell3.civ at mail.mil
Fri Sep 30 12:27:58 UTC 2016


This email serves as a formal notification of high priority security flaws found in the Open Simulator code by the MOSES team to the Open Simulator Developer.  We are allowing 90 days for a response to the list outlined in the paragraphs that follow before we publish technical specifics of these vulnerabilities in a public venue.  These vulnerabilities apply to both core open simulator architecture and Hypergrid technology.  

1.  UUID of assets and session IDs are transmitted in plain text between server and client.
2.  Any HTTP call made from a script can be traceable to the host machine it is calling from.  A script can serve as a crude HTTP proxy, allowing a grid to participate in DDoS attacks, botnets, or even a poor-man's Tor.  Grid owners would not even know their servers were being used in this way.
3.  A mis-configured grid allows for commands to be called from a client.  Since the session IDs of an administrator are transmitted in the clear, anyone can execute operating system level commands without knowing the credentials of the administrator.
4.  C# and other languages supported by Open Simulator scripting are not API restricted.  A C# script can read/write the local file system of the server, open arbitrary network sockets, and make primary networking calls.  In other words, a user without credentials on your server can own it.

We are calling for the Developer community to examine these vulnerabilities and join us with the design and execution of a workable solution.  

Douglas Maxwell, Ph.D.
Science and Technology Manager
Virtual World Strategic Applications
U.S. Army Research Lab
Human Research & Engineering Directorate
(c) (407) 242-0209
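As an added illustration, not part of Dr. Maxwell's message and not an official OpenSimulator hardening guide, the two OpenSim.ini settings a grid operator would check against items 2 and 4 above, with the permissive value beside the restrictive one. The key names (AllowedCompilers, OutboundDisallowForUserScripts, OutboundDisallowForUserScriptsExcept) are quoted from memory of OpenSim.ini.example and are assumptions to verify against the file shipped with your version.

```ini
; Constructed fragment of a grid's OpenSim.ini (not a real deployment).
; Shows the weak setting commented out beside the hardened one.

[XEngine]
    ; Weak: lets users compile C# / VB scripts, which are not API-restricted
    ; and can reach System.IO and System.Net from inside the simulator process
    ; (item 4 of the notification).
    ;AllowedCompilers = "lsl,cs,vb"

    ; Hardened: LSL only; its functions go through the script API layer.
    AllowedCompilers = "lsl"

[Network]
    ; Weak (effective default if the key is absent): llHTTPRequest from user
    ; scripts may reach any address, including loopback and private ranges
    ; where the grid's own services listen, so the simulator acts as a
    ; proxy (item 2 of the notification).
    ;OutboundDisallowForUserScripts =

    ; Hardened: deny loopback, link-local, RFC 1918, CGNAT, multicast and
    ; reserved ranges for user scripts. Pipe-separated CIDR blocks (assumed syntax).
    OutboundDisallowForUserScripts = 0.0.0.0/8|10.0.0.0/8|100.64.0.0/10|127.0.0.0/8|169.254.0.0/16|172.16.0.0/12|192.168.0.0/16|224.0.0.0/4|240.0.0.0/4

    ; Optional allow-list for an internal service scripts legitimately call.
    ; Host and port below are a constructed placeholder.
    ;OutboundDisallowForUserScriptsExcept = 10.0.5.20:8004
```

The deny list only controls which destinations a script may reach from the simulator; it does not by itself stop a script from flooding public hosts, which needs request rate limiting in the script engine or egress filtering on the host.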
