[IMPORTANT] REAL virus! Please fix!


23 replies to this topic

#1 knowingYou

  • New Members
  • 7 posts

Posted 17 March 2012 - 07:03 PM

I just want to point to some security vulnerabilities opened by ComputerCraft.
The main point is the file system with full, unlimited write access. Okay, you are not able to write outside of the computer directory, but there are other problems.

First: See this script as an example for disk exhaustion. Workaround: Add an option to limit space used by single computers/disks.

Second: Another (not obvious) hole is the possibility to create files / folders. There are several options to destroy/damage the real computer's file system.
  • Create many files: By creating really many files (could be possible for multiple computers) you can make your file system unstable. I had an HDD with a folder containing some sub-folders (IDK how many, guess something greater than 2,000,000,000) and was not able to delete the folder! I tried for hours. Once I opened (or tried to open) the folder with Windows Explorer it crashed. Finally I had to format the whole thing.
  • Create deep structures. I managed to create pure Java code that generated a folder structure in just a few moments. This folder pointed me to a big problem: Once names get longer than 256 characters almost every OS and piece of software will be unable to handle it! I needed hours to find a trick to remove the folder. And YES: This is possible in Java so I guess it is using the fs API, too.

Maybe I am wrong but please have a look at these facts.

#2 knowingYou

  • New Members
  • 7 posts

Posted 17 March 2012 - 08:59 PM

Workaround for my second point: Check paths for illegal characters and length (parse path to include host's file system).
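Added example, not part of this post and not ComputerCraft's code: the host-side path check the workaround above describes, written in Python so it can be run anywhere. It rejects paths that would leave the computer directory, over-long components and paths, excessive nesting, characters the host OS cannot store, and Windows reserved device names. The three limits (MAX_COMPONENT, MAX_PATH, MAX_DEPTH) and the function names are assumptions made for this illustration.

```python
"""Host-side validation of guest-supplied paths for a sandboxed per-computer
directory.  Added illustration in Python, not ComputerCraft's code; the three
limits are assumed values kept under common host limits (NAME_MAX 255 on most
Unix filesystems, MAX_PATH 260 on classic Windows APIs)."""
import posixpath
import re

MAX_COMPONENT = 255  # longest single file or folder name accepted
MAX_PATH = 200       # longest sandbox-relative path; leaves headroom for the host prefix
MAX_DEPTH = 16       # nesting levels allowed below the computer root

# Characters Windows refuses in names, plus ASCII control characters.
_ILLEGAL = re.compile(r'[<>:"|?*\x00-\x1f]')
# Windows device names; "CON.txt" still resolves to the CON device.
_RESERVED = {"CON", "PRN", "AUX", "NUL",
             *(f"COM{i}" for i in range(1, 10)),
             *(f"LPT{i}" for i in range(1, 10))}


class PathRejected(ValueError):
    """Raised when a guest-supplied path fails validation."""


def validate_path(guest_path: str) -> str:
    """Return the canonical sandbox-relative form of guest_path or raise PathRejected.

    The result uses forward slashes and has no '.', '..' or empty components, so
    joining it onto the computer's root cannot leave that directory (the caller
    must still refuse to follow symlinks inside the sandbox).
    """
    if not isinstance(guest_path, str):
        raise PathRejected("path must be a string")
    if _ILLEGAL.search(guest_path):
        raise PathRejected("illegal character in path")
    # Treat backslashes as separators so 'a\..\..\x' cannot slip past normpath.
    stripped = guest_path.replace("\\", "/").strip("/")
    norm = posixpath.normpath(stripped) if stripped else "."
    if norm == ".":
        return ""  # the computer root itself
    if norm == ".." or norm.startswith("../"):
        raise PathRejected("path escapes the computer directory")
    if len(norm) > MAX_PATH:
        raise PathRejected(f"path longer than {MAX_PATH} characters")
    parts = norm.split("/")
    if len(parts) > MAX_DEPTH:
        raise PathRejected(f"path nested deeper than {MAX_DEPTH} levels")
    for comp in parts:
        if len(comp) > MAX_COMPONENT:
            raise PathRejected("path component too long")
        if comp != comp.rstrip(". "):
            # Windows silently strips trailing dots and spaces, so 'foo. ' would
            # alias 'foo'; an all-dots name like '...' is also caught here.
            raise PathRejected("component ends in a dot or space")
        if comp.split(".")[0].upper() in _RESERVED:
            raise PathRejected(f"reserved device name: {comp}")
    return norm


def is_allowed(guest_path: str) -> bool:
    """Boolean form for callers that only need a yes/no answer."""
    try:
        validate_path(guest_path)
        return True
    except PathRejected:
        return False
```

The check runs on the guest's string before it is ever joined to a host path, so traversal, reserved names and over-long paths are refused without touching the disk. Any real deployment has to apply it on every fs entry point (open, makeDir, move, copy, delete), since one unchecked path is enough.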

#3 Casper7526

    OG of CC

  • Members
  • 362 posts

Posted 17 March 2012 - 10:03 PM

This is why CC should not be on public servers where griefing can occur. You can always make security measures against something, but it's just as easy to find a new way to bypass those said features.

#4 ironsmith123

  • New Members
  • 69 posts

Posted 18 March 2012 - 07:06 AM

Casper7526, on 17 March 2012 - 10:03 PM, said:

This is why CC should not be on public servers where griefing can occur. You can always make security measures against something, but it's just as easy to find a new way to bypass those said features.
My server was having some lag issues due to tons of computer directories with few computers in actual existence. I just deleted the directories that weren't in use by any computer/turtle I had in game and the lag pretty much went away! Just be careful with who you let on your server, I definitely think you should whitelist it! If you plan on having lots of people on your server chances are your server will get tons of these directories made. Instead of placing programs or files in individual computers, just put them in the programs section of the actual computercraft mod in your server mods folder. Then you can delete the directories on a daily basis without worrying about getting rid of programs and having to put them back in! Have fun!

-Iron

#5 knowingYou

  • New Members
  • 7 posts

Posted 18 March 2012 - 09:43 AM

I did not understand multi-tasking so far but how about fork bombs?

#6 Sebra

  • Members
  • 726 posts

Posted 18 March 2012 - 10:39 AM

Each CC comp runs only one task at any time.
Lua multitasking only switches between different tasks one by one.

#7 knowingYou

  • New Members
  • 7 posts

Posted 19 March 2012 - 07:29 PM

How about memory? For example dynamic array indexing?

#8 knowingYou

  • New Members
  • 7 posts

Posted 20 March 2012 - 04:51 PM

bump

#9 knowingYou

  • New Members
  • 7 posts

Posted 22 March 2012 - 02:44 PM

bump

#10 Cloudy

    Ex-Developer

  • Members
  • 2,543 posts

Posted 22 March 2012 - 09:12 PM

And bumping helps how? This isn't actually a "virus" - just the fact there are no limits.

#11 bbqroast

  • Members
  • 124 posts

Posted 25 March 2012 - 01:30 AM

Dear Dan.

Please add the ability to limit the space per computer. Now.

#12 Casper7526

    OG of CC

  • Members
  • 362 posts

Posted 25 March 2012 - 02:37 AM

Dear user, please know that using CC will never be completely safe for a server and that the server should be for trusted individuals only.

#13 Cloudy

    Ex-Developer

  • Members
  • 2,543 posts

Posted 25 March 2012 - 04:36 PM

Also, where do you get off demanding it "now"? This software is provided for free. As such you have no right to demand anything and especially not in an immediate time frame.

#14 Alex_

  • Members
  • 63 posts
  • LocationPontefract, West Yorkshire, England

Posted 25 March 2012 - 07:45 PM

Casper7526, on 17 March 2012 - 10:03 PM, said:

This is why CC should not be on public servers where griefing can occur. You can always make security measures against something, but it's just as easy to find a new way to bypass those said features.
If someone had the CC source code they could make permissions for it.

#15 Cloudy

    Ex-Developer

  • Members
  • 2,543 posts

Posted 25 March 2012 - 09:37 PM

Alex_, on 25 March 2012 - 07:45 PM, said:

Casper7526, on 17 March 2012 - 10:03 PM, said:

This is why CC should not be on public servers where griefing can occur. You can always make security measures against something, but it's just as easy to find a new way to bypass those said features.
If someone had the CC source code they could make permissions for it.

But this isn't going to happen, so I don't see the relevance in your statement.

#16 rockymc

  • Members
  • 103 posts

Posted 25 March 2012 - 09:39 PM

The only way to fix this "virus" is by adding a program that manipulates and adds a fake HD space.

#17 Advert

    Custom Title

  • Moderators
  • 459 posts
  • LocationLondon

Posted 26 March 2012 - 01:56 AM

rockymc, on 25 March 2012 - 09:39 PM, said:

The only way to fix this "virus" is by adding a program that manipulates and adds a fake HD space.
This is incorrect.

You can limit the number of files and their size by wrapping the fs/io API.
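Added example, not the mod's code and not ComputerCraft's fs API: a Python model of the wrapper suggested in this post, exercised against the disk-exhaustion and many-files attacks from the first post. Every create and write goes through one object that checks a file-count quota and a byte quota before touching the host, refuses paths that leave the computer directory (including via a symlink), and re-counts what is already on disk at start-up so a server restart does not reset the quota. QuotaFS, its method names and the default limits are choices made for this illustration.

```python
"""Quota-enforcing wrapper over a per-computer directory: an added example, not
ComputerCraft's fs API or the mod's code.  QuotaFS and its method names are
choices made for this illustration; reads are not wrapped because they cost nothing."""
import os
import posixpath
import shutil
import tempfile


class QuotaExceeded(OSError):
    """A create or write would push the computer over its quota."""


class QuotaFS:
    """Filesystem confined to root, holding at most max_files entries and max_bytes."""

    def __init__(self, root: str, max_files: int, max_bytes: int):
        self.root = os.path.realpath(root)
        self.max_files, self.max_bytes = max_files, max_bytes
        self.used_files = self.used_bytes = 0
        for dirpath, dirnames, filenames in os.walk(self.root):  # survive restarts
            self.used_files += len(dirnames) + len(filenames)
            self.used_bytes += sum(os.path.getsize(os.path.join(dirpath, f)) for f in filenames)

    def _host(self, guest_path: str) -> str:
        """Map a guest path onto the host, refusing anything that leaves root."""
        norm = posixpath.normpath(guest_path.replace("\\", "/").strip("/") or ".")
        if norm == ".." or norm.startswith("../"):
            raise PermissionError("path escapes the computer directory")
        host = os.path.realpath(os.path.join(self.root, norm))
        if host != self.root and not host.startswith(self.root + os.sep):
            raise PermissionError("symlink leads outside the computer directory")
        return host

    def _check_new_entry(self) -> None:
        if self.used_files >= self.max_files:
            raise QuotaExceeded(f"file-count quota of {self.max_files} exceeded")

    def makeDir(self, guest_path: str) -> None:
        host = self._host(guest_path)
        if not os.path.isdir(host):
            self._check_new_entry()
            os.mkdir(host)  # one entry per call; the parent must already exist
            self.used_files += 1

    def write(self, guest_path: str, data: str, append: bool = True) -> int:
        """Append (or overwrite) data; both quotas are checked before any host I/O."""
        host, payload = self._host(guest_path), data.encode("utf-8")
        is_new = not os.path.isfile(host)
        delta = len(payload) - (0 if is_new or append else os.path.getsize(host))
        if is_new:
            self._check_new_entry()
        if self.used_bytes + delta > self.max_bytes:
            raise QuotaExceeded(f"byte quota of {self.max_bytes} exceeded")
        with open(host, "ab" if append else "wb") as f:
            f.write(payload)
        self.used_files += is_new  # charged only once the write has happened
        self.used_bytes += delta
        return len(payload)

    def getFreeSpace(self) -> int:
        return self.max_bytes - self.used_bytes


def _runs_until(exc, step) -> int:
    """Call step() until it raises exc; return how many calls succeeded."""
    n = 0
    try:
        while True:
            step()
            n += 1
    except exc:
        return n


def simulate_griefer(max_files: int = 8, max_bytes: int = 1000) -> dict:
    """Run the thread's attacks against a fresh sandbox and report where each stopped."""
    root = tempfile.mkdtemp(prefix="cc-computer-")
    try:
        fs = QuotaFS(root, max_files, max_bytes)
        # Disk exhaustion: append 100-byte chunks until the byte quota refuses.
        chunks = _runs_until(QuotaExceeded, lambda: fs.write("fill.txt", "x" * 100))
        # "Really many" entries: the file-count quota stops it, not the host filesystem
        # (fill.txt already holds one of the max_files slots).
        names = iter(f"d{i}" for i in range(2 * max_files))
        dirs = _runs_until(QuotaExceeded, lambda: fs.makeDir(next(names)))
        try:  # leaving the computer directory is refused before any host I/O
            fs.write("../../server.properties", "x")
            escape_blocked = False
        except PermissionError:
            escape_blocked = True
        return {"chunks_before_full": chunks, "free_when_full": fs.getFreeSpace(),
                "dirs_before_limit": dirs, "escape_blocked": escape_blocked}
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

simulate_griefer() builds a throwaway computer directory and reports where each attack stopped: with the defaults the fill loop gets ten chunks in before the byte quota refuses, seven directories fit beside fill.txt before the file-count quota refuses, and the escape attempt never reaches the host. Deletion would need a matching refund of both counters, and path-length and depth limits are a separate check not shown here. A wrapper like this only holds if scripts cannot reach the unwrapped API underneath it, which is the bypass concern raised earlier in the thread.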

#18 1139

  • New Members
  • 2 posts

Posted 06 April 2012 - 05:43 AM

Cloudy, on 25 March 2012 - 09:37 PM, said:

Alex_, on 25 March 2012 - 07:45 PM, said:

Casper7526, on 17 March 2012 - 10:03 PM, said:

This is why CC should not be on public servers where griefing can occur. You can always make security measures against something, but it's just as easy to find a new way to bypass those said features.
If someone had the CC source code they could make permissions for it.

But this isn't going to happen, so I don't see the relevance in your statement.

Couldn't you just decompile the classes?

#19 Hawk777

  • Members
  • 162 posts

Posted 06 April 2012 - 09:19 AM

rockymc, on 25 March 2012 - 09:39 PM, said:

The only way to fix this "virus" is by adding a program that manipulates and adds a fake HD space.

Most knowledgeable system administrators would call such a program a disk quota. If anyone runs a server that's likely to be abused, I can't believe they don't already have this set up.

#20 djblocksaway

    Epic Coderz

  • New Members
  • 397 posts
  • LocationAustralia

Posted 06 April 2012 - 11:25 AM

Hmm, it's not really a virus if you think about it... :)
