BeyondUnreal Forums
Old 3rd Aug 2012, 12:42 AM   #21
Big-Al
amateur de bière
 
 
Join Date: Jun. 14th, 2003
Location: Under a black flag.
Posts: 8,035
https://addons.mozilla.org/en-US/firefox/blocked/p113
__________________


I drink moosepiss
Old 5th Aug 2012, 05:51 PM   #22
FireSlash
Whats a FireSlash?
 
 
Join Date: Feb. 3rd, 2001
Location: Central Ohio
Posts: 4,300
I feel I should probably point out that what Ubisoft has installed here isn't a backdoor. The bug isn't even related to DRM beyond the fact that the addon itself is packaged with their DRM.

It's really just a common programmer mistake on a piece of code that probably should have been reviewed a few more times before shipping.

Uplay installs a browser addon that allows them to produce clickable links to launch Uplay. The idea here was probably to help aid support and integrate better with their website by allowing you to click a link that might, for example, connect you to a server, or launch a game. Similar to how the steam:// URL scheme works but implemented as a browser addon instead.

The problem is that the programmer who wrote this little bit of code forgot to scrub the input for malicious input. As a result, someone figured out how to embed other launch commands into the scheme that will fire off raw. Basically it allows a website to run a program. This obviously becomes problematic when you start command chaining to produce solutions like "download this file, then run it, then i just pwnd you".

So while you may hate Ubisoft, Uplay, or whatever for introducing this security flaw, it's kind of annoying to see people crucifying them for installing a backdoor when they didn't. It should also be pointed out that Ubi had a fix out the same day the story broke.
__________________
Theory is when you know everything and nothing works.
Practice is when things work, and no one knows why.
Here we combine theory and practice.
Nothing works and no one knows why.
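
The bug class described in post #22, as an added example that is not part of the thread and is not Ubisoft's code: a hypothetical `launcher://` link handler that first pastes link text into a command string, then a hardened version that accepts only a strict link grammar and emits an argv array. The scheme name, `launcher.exe`, the flag names and the sample links are all constructed for illustration.

```javascript
// Hypothetical launcher:// handler (assumed names throughout, not Uplay's real interface).
const ALLOWED_ACTIONS = new Set(["launch", "connect"]);

// Unsafe pattern: whatever follows the scheme is decoded and pasted into a
// command string, so the web page controls everything after the exe name.
function buildCommandUnsafe(link) {
  const rest = decodeURIComponent(link.replace(/^launcher:\/\//, ""));
  return `launcher.exe ${rest}`;
}

// Hardened pattern: the whole link must match a strict grammar, the action is
// allowlisted, and the result is an argv array for a no-shell process API
// (in Node, child_process.execFile(exePath, argv)), never a command string.
function buildArgvSafe(link) {
  const grammar =
    /^launcher:\/\/([a-z]+)\/([0-9]{1,10})(?:\?server=([0-9.]{7,15}):([0-9]{1,5}))?$/;
  const m = grammar.exec(link);
  if (!m) return null; // quotes, spaces, %-escapes, extra segments: rejected
  const [, action, gameId, host, port] = m;
  if (!ALLOWED_ACTIONS.has(action)) return null;
  const argv = ["--action", action, "--game", gameId];
  if (host !== undefined) {
    if (action !== "connect") return null; // server only makes sense for connect
    const octets = host.split(".");
    const badOctet = (o) => o === "" || Number(o) > 255;
    if (octets.length !== 4 || octets.some(badOctet)) return null;
    if (Number(port) < 1 || Number(port) > 65535) return null;
    argv.push("--server", `${host}:${port}`);
  }
  return argv;
}

// Constructed sample links: two legitimate ones and one carrying extra text.
const SAMPLES = [
  "launcher://launch/4201",
  "launcher://connect/4201?server=203.0.113.7:7777",
  "launcher://launch/4201%22%20%26%20other-command",
];

for (const link of SAMPLES) {
  console.log(link);
  console.log("  unsafe command:", buildCommandUnsafe(link));
  console.log("  safe argv:     ", JSON.stringify(buildArgvSafe(link)));
}
```
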
Old 5th Aug 2012, 06:52 PM   #23
Sir_Brizz
More Than Just Mad Skill
 
 
Join Date: Feb. 3rd, 2000
Location: >:3
Posts: 25,485
Quote:
Originally Posted by FireSlash View Post
It should also be pointed out that Ubi had a fix out the same day the story broke.
Within 6 hours, actually, which is rather quick for them.
__________________
64 65 61 74 68 62 6f 6f 67 65 72 73 20 6d 6f 74 68 65 72 20 6f 66 20 63 6f 75 72 73 65

Liandri Archives - A veritable smorgasbord of information about the Unreal series
If Titanic taught me anything, it's to never let go until you're a frozen corpse staring hopelessly into a barren horizon.
Old 9th Aug 2012, 11:01 AM   #24
rejecht
Attention Micronians
 
 
Join Date: Jun. 15th, 2009
Location: .no
Posts: 473
Quote:
Originally Posted by FireSlash View Post
The problem is that the programmer who wrote this little bit of code forgot to scrub the input for malicious input.
Was it you? :>


It wasn't a backdoor by design, but by function. "Backdoor" would probably be more correctly used in a context where we're talking about malicious software, but it's just a quickpost as a heads up. Add to that I don't own any Ubisoft titles because I don't own any Ubisoft titles. In retrospect I'd change the subject to something like "PC vs Console (Was: Ubisoft uPlay bug opens computer to interwebs)."
__________________
When all else fails, post on forums with fellow zombies.
Old 10th Aug 2012, 12:57 AM   #25
FireSlash
Whats a FireSlash?
 
 
Join Date: Feb. 3rd, 2001
Location: Central Ohio
Posts: 4,300
Quote:
Originally Posted by rejecht View Post
Was it you? :>
No, this is my claim to bug fame.
Old 10th Aug 2012, 10:23 AM   #26
Sir_Brizz
More Than Just Mad Skill
 
 
Join Date: Feb. 3rd, 2000
Location: >:3
Posts: 25,485
Quote:
Originally Posted by FireSlash View Post
No, this is my claim to bug fame.
Wait... you work for Valve on Steam?
Old 10th Aug 2012, 12:35 PM   #27
Capt.Toilet
Good news everyone!
 
 
Join Date: Feb. 16th, 2004
Location: Ottawa, KS
Posts: 5,794
If Fireslash does then I shall say this. Brizz gets games for free so I want games for free. Free games for me = yay. Get on it.
Old 10th Aug 2012, 09:55 PM   #28
FireSlash
Whats a FireSlash?
 
 
Join Date: Feb. 3rd, 2001
Location: Central Ohio
Posts: 4,300
Quote:
Originally Posted by Capt.Toilet View Post
If Fireslash does then I shall say this. Brizz gets games for free so I want games for free. Free games for me = yay. Get on it.
No.
Old 11th Aug 2012, 06:27 AM   #29
rejecht
Attention Micronians
 
 
Join Date: Jun. 15th, 2009
Location: .no
Posts: 473
I could hear Sir Brizz's eyes salivating all the way from Norway.


Programming is still a multi-contextual experience. Logical glitches are simply not avoidable. Add to that, some logical glitches come with a higher public multiplication factor than others. (I still remember Service Pack 6 (SP6) for Windows NT 4.0--after a reboot, the TCP/IP stack would stop working, thus was born SP6a.)

Tags
security vulnerability

All times are GMT -5.