Welcome to the Second Life Forums Archive

Possible to spoof channel messages from an avatar?

Seven Shikami
Registered User
Join date: 22 Sep 2006
Posts: 82
02-25-2009 21:20
I'm working on a gadget that verifies in the listen() event that it's actually hearing from the owner and not from a scripted gadget of any sort. (Obviously gestures would still work.) Yes, I know about filtering the llListen; it's complicated but for the sake of argument assume I can't use that.

My thinking is if (id != llGetOwner()) { return; } is enough. But someone's telling me he remembers a thing from a place at some point which said that won't do it, that it's possible to spoof the key/id that the communication is coming from, so that it looks like it's avatar originated when really it's a HUD or other object. Says that this was also used to bypass owner-control-only vehicles, etc.

I don't buy it, but since this is supposedly an age-old hack, I figured I should ask. Truth or fiction?
Faust Vollmar
llSetAgentSanity(FALSE);
Join date: 3 Feb 2007
Posts: 87
02-25-2009 21:27
It can't happen by "normal" means.

If Chat Source spoofing is possible, it should end up on the SEC section of the JIRA pretty quick when someone tries to abuse it.

To keep it short I haven't heard of that happening.
Innula Zenovka
Registered User
Join date: 20 Jun 2007
Posts: 1,825
02-26-2009 00:30
From: Seven Shikami

My thinking is if (id != llGetOwner()) { return; } is enough. But someone's telling me he remembers a thing from a place at some point which said that won't do it, that it's possible to spoof the key/id that the communication is coming from, so that it looks like it's avatar originated when really it's a HUD or other object. Says that this was also used to bypass owner-control-only vehicles, etc.
News to me, too.

I'm wondering if your friend hasn't half-remembered reading that you can't use if (id != llGetOwner()) if you *are* using a scripted HUD to control (e.g.) a vehicle -- because the HUD's key is not that of its owner -- so you have to check for if (llGetOwnerKey(id) == llGetOwner()) instead. This will return true for messages coming from the owner, too, since avatars (agents? I always get confused) own themselves.
Void Singer
Int vSelf = Sing(void);
Join date: 24 Sep 2005
Posts: 6,973
02-26-2009 04:47
it might be possible to spoof a message coming from a custom client as being from another client (not sure how/where the chat protocol generates its association tags) but there should be no feasible way for an object to spoof itself being ANY agent since its associations are generated by the server. at least not for simple script detection.

btw
if (id == llGetOwner()){
//--respond
}
works slightly faster as a test than the negation and return method IIRC
Hewee Zetkin
Registered User
Join date: 20 Jul 2006
Posts: 2,702
02-26-2009 09:25
A lot of scripts use a test more like 'if (llGetOwnerKey(id) != llGetOwner()) { return; }' which will ALLOW HUDs and other objects owned by the same resident as the object the script is in to issue commands. This makes scripts a little more "HUD-friendly". There isn't a way for a script in an object owned by someone else to spoof being owned by you, but:

1.) If someone gave you an object that happened to chat on the correct channel to issue false commands to the script, that could be a problem.

2.) If the HUD/object issuing the command is in a different sim from the object the script is in, it'll give a false negative because 'llGetOwnerKey(id)' will return the key of the object instead of the true owner. False negatives are usually an inconvenience rather than a security hole though. It's the false positives you definitely want to watch out for!
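
The two checks discussed in this thread, side by side in one listen() handler, as an added example that is not part of any poster's reply. The channel number, the STRICT flag and the isTrusted helper are assumptions made for illustration.

```lsl
// Added example, not code from the thread. CHANNEL, STRICT and isTrusted are
// hypothetical names and values chosen for illustration.
integer CHANNEL = -7245;   // constructed command channel
integer STRICT  = TRUE;    // TRUE: owner's avatar only; FALSE: also objects the owner owns
integer gHandle;

// Returns TRUE when the chat source passes the selected policy.
integer isTrusted(key id)
{
    key owner = llGetOwner();

    // Chat typed or gestured by the owner's avatar: id is the avatar's own key.
    if (id == owner) return TRUE;

    // Strict policy: reject every object, including the owner's own HUDs.
    if (STRICT) return FALSE;

    // HUD-friendly policy: accept objects whose owner is our owner.
    // Caveat 1: every object the owner owns passes, including one that
    //           somebody else handed over and that chats on this channel.
    // Caveat 2: llGetOwnerKey returns id itself when the source is not in
    //           this region, so a HUD in a neighbouring sim is rejected
    //           (a false negative, not a false positive).
    return (llGetOwnerKey(id) == owner);
}

default
{
    state_entry()
    {
        // No name or key filter in llListen, matching the question's premise:
        // all source checking happens inside listen().
        gHandle = llListen(CHANNEL, "", NULL_KEY, "");
    }

    listen(integer channel, string name, key id, string message)
    {
        if (!isTrusted(id))
        {
            return;   // drop chat from any source that fails the policy
        }
        llOwnerSay("Accepted command from " + name + ": " + message);
    }
}
```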