Sloppy software willingly accepts rogue queries - BanLink passwords compromised?
by Pixeleen Mistral, National Affairs desk
BanLink is a resident-created Second Life "service" allowing land owners to easily share lists of players to ban from their virtual land. Given the potential for abuse of such a system, you might expect a certain level of care would have been exercised to protect the database that houses the ban lists. You would be wrong.
supposedly private information revealed: Philip Linden banned for unauthorized return of content
A reliable source contacted the Herald earlier this week with evidence showing the BanLink site can easily be exploited by an SQL injection attack to reveal information that the site's developers presumably wish to keep private - such as account information and passwords. While it was amusing to see details of Philip Linden's ban and some would agree with a complaint against the Mullah of Ravenglass, I was saddened to see erroneous information tied to my identity.
After the initial amusement wore off, I asked the source - who refers to himself as "a man with a lion face" - how simple URLs could reveal so much information. He replied, "poor coding, seems like. they don't even take the quotes out of input or escape them. basically, you can inject your own queries into the database calls and have it return whatever data you want. a more malicious person might use it to get passwords, emails, or IPs of banlink administrators". Even worse, the man with a lion face said that attempts to contact BanLink developers Travis Lambert and Mera Pixel had been in vain. The Herald has tried to contact the developers as well, without success.
a notorious griefer's entry in BanLink - trolling and harassing residents in Indigo
To verify the original source's claims, the Herald turned to two independent technical experts, who both agreed that the site suffers from significant security issues that may allow uncontrolled access to sensitive information.
One expert pointed out that all the tables in the BanLink database are an open book at this point, and it is unclear how well user passwords have been encrypted. This suggests that anyone who has a BanLink account will want to avoid using the same password on any other system.
Banlink says "To protect privacy, you may only view records for your own avatar". Maybe not.
It is possible that BanLink is an orphaned project. A July 10th posting on Mera Pixel's blog says that Ms. Pixel was planning to step aside but then picked up work on the project again this summer; the blog has been very quiet of late.
Orphaned or not, BanLink users should assume their account information may have been released into the wilds of teh interwebs and that BanLink's ban lists could have been tampered with - the entry for Pixeleen Mistral looks particularly suspect.
BanLink is not entirely reliable - an example of erroneous information in the database
Anyone that has been around the world of web programming long enough to be respectable in the business knows you have to use stored procedures to isolate the database. Better yet, use a middle tier and the middle tier uses stored procedure calls, further isolating the db. Anyway, such discussions could go on forever. Fact is they should have paid a professional (or at least convinced one to help free) to design and code the system. So now every entry in that system is suspect. When they fix it they need to run a truncate table sql statement against the ban_list table and start over from scratch.
Posted by: All Seeing Eye | September 19, 2009 at 05:39 PM
I want this Ban Link information now. How do I get in there and get it? Anybody who is in Ban Link should now sue the shit out of Intlibber for making the flimsy SL allegations that are Ban Link available to the real life public where they can do real harm and injury far beyond any idiotic circumstances in SL. I want to know the names of people putting avatars into Ban Link. I want to get those names NOW. Ban Link is an illegal conspiracy and its time for the names to come out and heads to roll.
It may be time to confront Linden Labs with this as well since they allow Ban Link to continue apparently with their blessings.
Posted by: sue | September 19, 2009 at 06:00 PM
is sl coming to an end or just BAN LINK? i'm on the ban list because i told arkady yost his wife bella had a fat ass! (well she DOES!) and because i cussed out some random chump i don't even know or recall. the system is flawed!
Posted by: Jumpman Lane | September 19, 2009 at 10:45 PM
I ended up on banlink once due to someone abusing the system. I was just part of some "spy"'s blanket report on random users claiming they were PN. Regardless of facts, or anything of the like.
People abuse banlink all the time, it isn't even really used to get rid of griefers, since most people who actively grief have accounts that rarely last beyond a day or two. People just abuse the AR system and get people age banned (usually on false pretenses). It's really a system of "Here's someone I don't like, you shouldn't like either, if you disagree, you're someone not to be trusted!"
It just helps groupthink along, is all. Sadly, a virtual world originally dedicated to creativity and self-expression, locked down by little napoleons and power mongers who can only sleep at night if they have imposed themselves upon others and forced their will on them.
Posted by: At0m0 Beerbaum | September 20, 2009 at 04:35 AM
You do realize that to save credibility, they will have to redo EVERYTHING, databases, etc. Who knows if it has been breached several times before or not and never reported. It's no longer trustworthy.
This is quite excellent :)
Posted by: At0m0 Beerbaum | September 20, 2009 at 05:10 AM
And just who gets to say whose name appears on this database? Where is the appeals procedure so that we can correct mistakes? Where is the accountability in all this?
This smells like a system for allowing private citizens to inflict punishment on those they believe have done wrong even without proof and sometimes purely as personal vendetta. Ultimately it's nothing more than a lynch mob database and Linden Lab need to do something about it.
Posted by: Ban banlink! | September 20, 2009 at 06:04 AM
Whoever posted under Ban banlink, this is not a new system. It has been around for years and LL doesn't give a shit about it. As for it being exploited, about damn time. Maybe this will be the nail in the coffin for them.
Posted by: Nidol | September 20, 2009 at 08:58 AM
In my opinion, this situation warrants a trashing of Ban Link in its current form, data and all. Especially since a SQL Injection vulnerability on a service like Ban Link where data integrity is key can mean pretty much all data should be considered invalid. Even a name change wouldn't be an unreasonable decision to make.
Posted by: JESUS CHRIST IT'S A LION! GET IN THE CAR! | September 20, 2009 at 09:05 AM
Ah, Herald? Before blaming "sloppy software", perhaps you could try doing one of those silly things that real newspapers do .. SPELL CHECK your headline ... "revals" ????
Posted by: JustMe | September 20, 2009 at 09:26 AM
@Nidol
Thanks for the information
Someone commented just a few days ago on one of these threads (I forget which now) about how people who post anonymously should have the courage of their convictions and post under their actual names. Words to that effect anyway. But it's crap like this Banlink and the way it can be abused arbitrarily that prevents people from using their actual names. Imagine as an example, someone makes a fair comment about how someone's new product is actually really sucky in their opinion. Fine, that person gets the hump and bans you from their land. No big problem. But Banlink seems to then have you banned from a bunch of other places, just because you expressed an opinion that someone didn't like.
And people wonder why Second Life is on its last legs.....
Posted by: Ban Banlink | September 20, 2009 at 09:54 AM
Every group on BanLink has to decide what other groups it trusts. There isn't a global ban list. Every ban has to have an explanation. Some groups have admins that ban for petty reasons and personal vendettas - this is usually pretty obvious and those groups aren't generally trusted by many other groups.
If you are banned somewhere because of BanLink, it notifies you of that fact and what you can do to dispute it. Even if the person who entered the ban refuses to listen to you, any group that imported that ban can locally override it. So you are not magically banned from fifty million places with no options just because one person won't talk to you.
BanLink has its flaws, but it's a definite step up from passing around notecards full of names to ban with no reason, and bans with no explanation or recourse whatsoever. This used to happen all the time before BanLink. Someone from a group like "Gay For Philip" would annoy the wrong furry, and every single person in that group would wind up seeing ban lines everywhere.
Also, BanLink is self-correcting: if there are a bunch of bogus bans, they can be disputed and overridden as necessary. It's really just business as usual.
The bigger problem with BanLink's future is that both of the developers have been missing for months and it seems unlikely that either of them have time or inclination to secure the site and get it back online.
Posted by: masa | September 20, 2009 at 11:43 AM
I posted a note on this article in my blog at http://www.troymcconaghy.com/blog/2009/9/20/a-note-on-the-alphaville-herald.html
Posted by: Troy | September 20, 2009 at 12:52 PM
I love how people jump to conclusions and don't wait for statements or anything from Mera, the joke here is all the people complaining. You probably are not part of the system so you have no clue in hell how it works and just assume that because you think it works a certain way that you are right.
Posted by: Red | September 20, 2009 at 02:48 PM
@JESUS CHRIST IT'S A LION! GET IN THE CAR!
Got some news for you. "Data integrity" doesn't exist. 99% of vulnerabilities are due to improper input sanitization. This includes RFI, LFI, SQLi, heap and stack overflows, format strings, etc. Hell, you can escalate to a shell with LFI pretty trivially on linux by injecting environment variables using the proc/pid/environ method. And you can bypass most stack protections such as NX/DEP (non executable stack or data execution prevention as it's called in vista) and Address Space Layout Randomization (randomizes memory addresses to make it difficult for attackers to redirect EIP to injected shellcode, though on Intel processors which most pcs use partial overwrites are effective due to little-endian-ness). You can bypass NX by simply using ret2libc and calling functions from standard c libraries. SQLi and most web exploitation is largely unimpressive because it's so trivial. Kiddies can get scanners that will find these for them with relative ease.
And input sanitization doesn't really cover things like race conditions, poor passwords, and social engineering aka abuse of trust-based communications. Or configuration errors. You should check out MITRE.
Security holes like the above as well as business logic errors are present just about everywhere. More than 90 percent of your computers are likely using software that contains at least one of these vulnerabilities, even if the vuln hasn't been discovered yet.
This is why being a hacker is so awesome. If I am the one finding the 0dayz, then who is going to exploit me? If I have already audited every software package I am running, then what's left? I'm sure there'll be new classes of bugs to make things interesting. I mean, have you seen the ipv6 specs? They're going to be implementing syscalls over the network lol.
Posted by: A guy | September 20, 2009 at 03:11 PM
dear "A guy",
By your logic, it sounds like just because I can never be 100% secure that nobody will rape or murder me, I should just go walking around dangerous neighborhoods with a blindfold and my pants down?
Sure, I could lock the door to my house, but a determined burglar could get around that so I'll just leave the door open so everyone can see the heaps of gold I have lying around.
Posted by: Judiciary | September 20, 2009 at 05:17 PM
@red I am on ban link BECAUSE I told a guy ARKADY YOST his wife had a sexy, fat ass. he was a turdy land manager NOT EVEN AN ESTATE MANAGER. he fell out with the sim owner and is banned at that sim still. I appealed and am still on the ban list for it. Only other reason is cursing out a complete stranger who remains a stranger and I can't even recall where the sim was the cursing occurred. been many dumps I can't go to because of ban link since 07 but I don't know where they are and don't miss em so I say tell that fool who invented ban link to turn his keyboard sideways and stuff it up his ass. it might fit!
Posted by: Jumpman Lane | September 20, 2009 at 11:16 PM
hmm, my grandparents were put on a list during WWII. banlink is no diff, it's a great tool to discriminate with =(
Posted by: Ener Hax | September 21, 2009 at 12:54 AM
Seems like most people that posted on this thread are suspects then. Common people forget that Land owners are entitled to ban people that act in disagreement with them. They pay tiers, they choose who gets to be there. After all we are only guests at those servers and we haven't the right to be there, we have the privilege to be there if we follow the rules of our host. If you decide not to, you brought it onto yourself and will suffer the consequences… as a ban or a multiple ban if they use BanLink or a similar system to point out trouble makers. Think before you type, respect the Server or Parcel owner's rules. If you disagree with them go somewhere else where your way of thinking is welcome.
Posted by: Jarlston Hammerer | September 21, 2009 at 11:30 AM
@ Jarlston Hammerer
Way to not read the thread, let alone being able to tell the tree from the forest.
Posted by: lol kids | September 21, 2009 at 09:10 PM
Wow... just wow...
An SQL injection attack in your code, in 2009, no less... serious amateur work. Seriously. This is not something found in professionally developed code anymore. Not unless the "professionals" are cut-rate idiots from Rent-A-Coder or something.
Posted by: Julia Banshee | September 22, 2009 at 03:47 AM
@Julia Banshee
Oh really? I'm guessing your info is from a second hand source, since I see a steady stream of SQLi vulns on milw0rm on a regular basis. I find holes in professionally developed code. They just aren't the obvious strcpy, strncpy, memcpy, gets, etc. bofs. Get some talent and then analyze code. Also static analysis with Flawfinder (for c/c++) does not constitute thorough code analysis lol. The biggest security holes are pretty subtle nowadays. If there weren't still flaws in professionally developed code then MITRE's CVE db wouldn't even exist. As long as programmers have to sanitize input like this, the vulns will keep coming. The security industry is evolving but that's all. It's survival of the fittest and those who can't adapt are being rooted (no pun intended) out.
Posted by: Security Consultant | September 22, 2009 at 08:36 PM
erroneous information?
Sorry if I got this wrong but you do work for the Herald don't you? And I do recall the Herald having some hand in some 'lulz' that were had at the expense of others, there's a couple of articles about this in this very blog.
I don't think the ban on Banlink is justified at all, but the information is (at least partially) correct :)
About BL itself... Sure people will try to (and sometimes succeed) abuse the system for their own personal gain and vendettas. But to prevent such things there's a few buts and ifs to Banlink:
Bans do not automatically apply to every sim that uses banlink, each user chooses which other users they trust and want to share banlists with. Thus if someone abuses the system over and over again, no-one will want to trust him and any of his bans will end up being only valid for his own place.
Each ban has to have a good reason and has to state that, if a ban is not really valid, it can be appealed to and be removed from the shared lists.
The only very short experience I have had with Banlink has mostly shown advantages, especially against larger griefer attacks in multiple locations. Sure, if one alt gets banned from most of their targets, you can easily make another one, but for every one place they start to grief and get banned from, there's dozens that they cannot use that alt for anymore...
They'll end up wasting more time creating new accounts than they are having teh lulz at the expense of 'bawwwwing' SLfags. That gets boring pretty quickly I bet :3
Banlink is not perfect by far, and (especially now) just begging to be abused. But it works for what it's supposed to do. Some commenters see it very black and white, like the references to walking pants down through dark alleys and lists in WW2... Newsflash, there's many shades of grey.
(PS Godwin's law)
Posted by: Studebaker Williamson | September 25, 2009 at 09:23 AM
When I first got into SL, I didn't have a lot of L$. So I wound up buying a small parcel of land. Well, apparently small parcels of land run afoul of some group of virtual treehuggers called 'The Arbor Group'. I was insulted by someone called Nobody Fugazi, who claimed I was an ad farmer, when really I just wanted a little spot to call home. So, in response, I put up a sign that said, plainly, "I think Nobody Fugazi is dumb.". Later on, in numerous locations, I began to get repeated messages that something was attempting to 'teleport me home'. It didn't function properly, but I got the message. This particular virtual tree hugger likes to use their system and their land to terrorize anyone who disagrees with them. I think these little systems are fantastic for proving who among us has a power trip. IRC operators or moderators that work to try to censor what people say really just wind up with egg on their face later. I still think Nobody Fugazi is dumb.
Posted by: FWord Utorid | September 26, 2009 at 12:18 AM
This is why I have little to do with SL anymore. I've said it for years, there are far too many children in SL. Either that, or SL harbors the most seriously mentally retarded people I've ever witnessed. Just read the posts in this thread. And I have news for you, either Linden continues to love to play games, or they are seriously hacked as well. My guess is both.
Posted by: Sinden Lucks | September 27, 2009 at 05:22 PM
Well, looks like http://slbanlink.com/ is down, which is unfortunate, but the BanLink boxes are still sending avatars home despite this. If they have taken their site down for maintenance, shouldn't they also deactivate the banning system? As it is now, one has no appeals process - hardly democratic.
Posted by: Bell Clanger | September 29, 2009 at 12:47 AM
"To protect privacy, you may only view records for your own avatar"
To protect privacy my ass. This feature of banlink was added in to stop griefing groups sharing their banlink records to prove to each other how many landowners they'd pissed off before the lindens caught them. It's not to protect privacy at all - it's to try and deprive griefers of using banlink as a scoreboard.
Posted by: Alyx Stoklitsky | September 29, 2009 at 03:58 AM
Well it's been almost 2 years for me since I was banned from NCI beach, which was managed or owned by Carl Metropolitan. Well I was banned for using a swear word as I was defending a newbie from an attack by one of that place's inner circle of kiss asses, so I was banned by Mr. Metropolitan. As of last week he is not associated with NCI anymore and told me he can't help me..and I am still banned from certain sims that used SLBanlink. How is this if their servers are down?? SLBanlink appears to have met its long overdue fate...so why doesn't Linden free all us political prisoners? and break the trusts manually themselves?
Posted by: Up4 Dawes | October 05, 2009 at 04:41 AM
I was put on banlinks and not notified. I TP'd to a sandbox and was sent home. I IM'd the Sandbox's owner who gave me access. Haven't been able to view why I was banned. That is wrong in my book.
Posted by: Isabel Wulluf | October 24, 2009 at 02:10 AM
Interesting related information
http://secondthoughts.typepad.com/second_thoughts/2010/01/woodbury-and-justice-league-goons-develop-new-larp-ar-vw-rp.html#more
Posted by: Varspet Taka | January 11, 2010 at 07:23 AM
"After the initial amusement wore off, I asked the source - who refers to himself as "a man with a lion face" - how simple URLs could reveal so much information. He replied, "poor coding, seems like. they don't even take the quotes out of input or escape them. basically, you can inject your own queries into the database calls and have it return whatever data you want. a more malicious person might use it to get passwords, emails, or IPs of banlink administrators"."
Just wanted to point out that it's a common myth that all you have to do to mitigate SQL injection attacks is filter out single quotes, or escape them. Coldfusion 8 automatically escapes single quotes and I could still perform SQL injection by using the CHAR() function. There are other ways to get past weak filtering that relies only on removing single quotes too. And SQL injection vulnerabilities are still among the most common - and devastating - on the web. They're going to be even more common with the advent of PHP 6, since programmers will now have to sanitize input on their own. No more magic quotes xD
Posted by: deadlycodec | January 16, 2010 at 11:53 AM
@All Seeing Eye
Guess you should read this:
"Another solution commonly proposed for dealing with SQL injection attacks is to use stored procedures. Although stored procedures prevent some types of SQL injection attacks, they fail to protect against many others. For example, the following PL/SQL procedure is vulnerable to the same SQL injection attack shown in the first example.
procedure get_item (
    itm_cv IN OUT ItmCurTyp,
    usr in varchar2,
    itm in varchar2)
is
begin
    -- Dynamic SQL assembled by concatenating usr and itm: a quote in either
    -- input rewrites the statement, which is the flaw OWASP is illustrating.
    open itm_cv for ' SELECT * FROM items WHERE ' ||
        'owner = ''' || usr ||
        ' AND itemname = ''' || itm || '''';
end get_item;
Stored procedures typically help prevent SQL injection attacks by limiting the types of statements that can be passed to their parameters. However, there are many ways around the limitations and many interesting statements that can still be passed to stored procedures. Again, stored procedures can prevent some exploits, but they will not make your application secure against SQL injection attacks. "
-Quoted from OWASP @ http://www.owasp.org/index.php/SQL_Injection
Posted by: deadlycodec | January 16, 2010 at 12:07 PM
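An added example, not from the Herald article, the BanLink site or OWASP: the get_item procedure quoted above rebuilt in Python on an in-memory sqlite3 table, first as string concatenation and then with bind parameters, which is the fix both of the preceding comments point at. The items table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a BanLink-style table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [("alice", "sword", "alice-private"),
         ("bob", "shield", "bob-private"),
         ("carol", "cloak", "carol-private")],
    )
    return conn


def get_item_concat(conn, usr, itm):
    # Mirrors the PL/SQL procedure: the SQL text is built from the inputs,
    # so any quote in usr or itm changes the structure of the statement.
    sql = ("SELECT owner, itemname, secret FROM items WHERE owner = '"
           + usr + "' AND itemname = '" + itm + "'")
    return conn.execute(sql).fetchall()


def get_item_bound(conn, usr, itm):
    # Same query with bind parameters: the inputs travel as data, never as
    # SQL text, so quotes, CHAR() tricks or quote-stripping are irrelevant.
    sql = ("SELECT owner, itemname, secret FROM items "
           "WHERE owner = ? AND itemname = ?")
    return conn.execute(sql, (usr, itm)).fetchall()


def demo():
    conn = make_db()
    # Ordinary input: both versions return exactly Alice's row.
    benign = (get_item_concat(conn, "alice", "sword"),
              get_item_bound(conn, "alice", "sword"))
    # Input containing a quote, as the article's source describes. With
    # concatenation the WHERE clause is rewritten and every row leaks; with
    # binding the same text is compared literally and matches nothing.
    hostile = "' OR '1'='1"
    leaked = get_item_concat(conn, hostile, hostile)
    contained = get_item_bound(conn, hostile, hostile)
    return benign, leaked, contained


if __name__ == "__main__":
    benign, leaked, contained = demo()
    print("benign:", benign)
    print("concatenated query rows:", len(leaked))
    print("bound query rows:", len(contained))
```

The point is the one jj makes below in reverse: neither stored procedures nor quote filtering is the control, binding the values is.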
*** Anyone that has been around the world of web programming long enough to be respectable in the business knows you have to use stored procedures to isolate the database. Better yet use a middle tier and the middle tier uses stored procedure calls further isolating the db. ***
Ugh, no actually you most certainly don't. And I've been doing web apps since 1995. No reason to do that whatsoever. Just properly escape user-entered text.
Posted by: jj | January 28, 2010 at 05:24 PM