
Tequila and CreamSoda Security Issue? Launchers compromised? [Mod Edit: They aren't.]


Recommended Posts

Posted

So wondering if the leaders of Homecoming have any comment on the security issues posted elsewhere about the launchers we all use.

From Reddit: https://www.reddit.com/r/Cityofheroes/comments/debb98/sweettea_new_launcher_due_to_major_security_issues/


 Tequila and Cream Soda allow manifests to have absolute paths in them. An absolute path is different from a relative path, because it is the full path to a file from the drive letter (C:) to the file name. This means a bad manifest could put files anywhere on someone's computer, and overwrite any file.

Another big issue is that files in a manifest can have a size of zero. I've found that these zero sized files tell Cream Soda and Tequila to DELETE a file instead of download the file. That means, with an absolute path to a system file or important documents, you could delete or overwrite those files.

 

Posted

There's been a lot of talk (most of it vile, as usual) over at the Cox/g Discord about this.  They are slinging a lot of accusations, which is nothing new.  But, when it's pointed at Homecoming, I take notice.

What was no more, is REBORN!

Posted

Thank you for the response, it was really my main reason for posting. I have had a couple of people asking about it since it was posted elsewhere.

 

It seems to me to be a simple question of trusting the manifest file, 

  • City Council
Posted
1 minute ago, SuperPlyx said:

Thank you for the response, it was really my main reason for posting. I have had a couple of people asking about it since it was posted elsewhere.

 

It seems to me to be a simple question of trusting the manifest file, 

Yep, that is exactly correct.

 

When you add a manifest to any of the launchers (including Sweet Tea), you are trusting the author of that manifest. The author of the manifest can, at any point in time, upload a virus to the manifest and let it run that instead of the client. That virus could then do whatever it wants, unconfined to the rules of the launcher that executed it. In either case and with any of the launchers, you are still required to have full trust in the author of any manifests you add to it, because at the end of the day if they want to exploit your system, they're going to be able to do so.


If you need help, please submit a support request here or use /petition in-game.

 

Got time to spare? Want to see Homecoming thrive? Consider volunteering as a Game Master!

Posted

There are perfectly valid reasons for a game patcher to be able to access files outside of their primary game install path, and to be able to delete files.  Game patchers are not consumer-level utilities that accept input from end users, and therefore don't have any obligation to protect end users from their own mistakes.  They are designed particularly to be used with manifests that are verified to be safe and serve a very specific purpose - making City of Heroes work.

 

For Island Rum, I have tested and verified that the official manifests for Homecoming (http://patch.savecoh.com/manifest.xml) and Closed Beta function as intended, and are not harmful to your computer.  I do not recommend using any other manifests with Island Rum.  If security of unverified third party manifests becomes an issue, I am prepared to take measures to make sure they cannot be used with Island Rum.

Posted
1 hour ago, Manga said:

There are perfectly valid reasons for a game patcher to be able to access files outside of their primary game install path, and to be able to delete files.

I am wondering if there are perfectly valid reasons for _our_ launcher to be able to access such files.

 

Of course the supposed security issue is complete nonsense - as noted above, a malicious manifest can do whatever it likes - but a simple error in the manifest like the catastrophic EVE boot.ini issue could occur and would be extremely unfortunate not least because it would add credibility to the conspiracy theories being flung around by the usual suspects.

 

I submit if Tequila and Island Rum don't need to be able to do this, they shouldn't be able to.

Homecoming Wiki  - please use it (because it reflects the game in 2020 not 2012) and edit it (because there is lots to do)

Things to do in City of Heroes, sorted by level.   Things to do in City of Villains, sorted by level.   Things only Incarnates can do in City of X.

Why were you kicked from your cross-alignment team? A guide.   A starting alignment flowchart  Travel power opinions

Get rid of the sidekick level malus and the 5-level exemplar power grace.

  • City Council
Posted
1 minute ago, thunderforce said:

I submit if Tequila and Island Rum don't need to be able to do this, they shouldn't be able to.

The draft spec I've been working on for the next-generation manifest does not include the capability to touch files outside of the base directory of the package in question.

 

I believe Island Rum has some legitimate use for that as it also handles installing wine and some other housekeeping necessary for the Mac version. For that it may require creating some extra packages with a more expansive scope to handle it, but we're not to the point of looking at it just yet.

Posted (edited)
46 minutes ago, thunderforce said:

I am wondering if there are perfectly valid reasons for _our_ launcher to be able to access such files.

 

Of course the supposed security issue is complete nonsense - as noted above, a malicious manifest can do whatever it likes - but a simple error in the manifest like the catastrophic EVE boot.ini issue could occur and would be extremely unfortunate not least because it would add credibility to the conspiracy theories being flung around by the usual suspects.

 

I submit if Tequila and Island Rum don't need to be able to do this, they shouldn't be able to.

 

What happens if you set the install path in Sweet Tea to "C:\" and then connect it to a manifest that puts files in "\Windows\System"?  It's no more secure than Tequila or Island Rum then, is it?  Securing an application against one particular case creates a false sense of security.

 

The only way to have a patcher that's 100% safe in every situation would be to give it a locked-down sandbox to play in, which would require two things:  1.  Having the patcher offer a list of verified manifests only;  and 2. Having the patcher set a standard install path, and refuse to allow installs anywhere else.  It's possible to do both, however, we would then see a lot of complaints from people who want to do odd things like install CoH on another hard drive.  

 

So far we haven't had a need to do either, because our manifests are carefully made and tested.  That's the real path to keeping the playerbase safe, keeping all of the software paths clean - making sure that players use the correct manifest, and that we know exactly what it does.

 

By the way, Island Rum runs in user space by default.  It does not even have a way of authenticating as an administrator.  So if there are any rogue files in a manifest trying to write over system files, it would normally get an access violation error - unless the user went out of their way to launch it in administrator mode first.

Edited by Manga
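As an added illustration of the two points made above (not code from Tequila, Island Rum or Homecoming): the confinement Number Six describes, where every manifest entry must resolve inside the install root, and Manga's observation that an install root of "C:\" makes such a check moot. The manifest element and attribute names are assumptions, the sample manifest is constructed, and a zero-size entry is treated as a delete because that is what the quoted Reddit post says the launchers do.

```python
import ntpath
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample manifest; the <file name= size=> layout is assumed,
# not the real launcher schema. Backslashes are doubled for Python only.
SAMPLE_MANIFEST = """<manifest>
  <file name="cityofheroes.exe" size="12345"/>
  <file name="piggs/bin.pigg" size="777"/>
  <file name="..\\..\\Windows\\System32\\drivers\\etc\\hosts" size="10"/>
  <file name="C:\\Windows\\System\\boot.ini" size="0"/>
  <file name="Windows\\System\\boot.ini" size="0"/>
  <file name="\\\\server\\share\\evil.dll" size="5"/>
</manifest>"""


def is_confined(install_root: str, name: str) -> bool:
    """True only if `name`, joined to install_root, stays inside install_root.
    Windows path rules (ntpath) are used regardless of host OS."""
    # Absolute, rooted (\Windows), drive-qualified (C:...) and UNC (\\srv\...)
    # names are rejected outright rather than joined.
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0] or name.startswith(("\\", "/")):
        return False
    root = ntpath.normcase(ntpath.normpath(install_root))
    # normpath collapses "..", so a traversal resolves to its real target.
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, name)))
    # Require a separator after the root so C:\Games\CoH-evil is not "inside" C:\Games\CoH.
    return target.startswith(root.rstrip("\\") + "\\")


def plan(install_root: str, manifest_xml: str) -> List[Tuple[str, str]]:
    """Classify each entry: reject anything escaping the install root, otherwise
    delete for size 0 (as the thread describes) or download for anything else."""
    actions = []
    for entry in ET.fromstring(manifest_xml).iter("file"):
        name, size = entry.get("name", ""), int(entry.get("size", "0"))
        if not is_confined(install_root, name):
            actions.append(("reject", name))
        elif size == 0:
            actions.append(("delete", name))
        else:
            actions.append(("download", name))
    return actions


if __name__ == "__main__":
    # With a normal install root the traversal and absolute entries are rejected;
    # with root C:\ the relative "Windows\System\boot.ini" entry becomes a delete.
    for root in ("C:\\Games\\CoH", "C:\\"):
        print(root, plan(root, SAMPLE_MANIFEST))
```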
Posted (edited)
On 10/7/2019 at 4:53 AM, Manga said:

What happens if you set the install path in Sweet Tea to "C:\" and then connect it to a manifest that puts files in "\Windows\System"?  It's no more secure than Tequila or Island Rum then, is it?  Securing an application against one particular case creates a false sense of security.

I've already said the supposed security issue is complete nonsense. I'm just proposing to guard against human error when constructing the manifest, giving an example of how that sort of human error can happen and have catastrophic consequences. Of course if (as Number Six says) Island Rum does have some legitimate need to work outside its tree, then this can't be helped; but if Tequila doesn't, it might as well not be able to.

 

ETA: In the light of Manga's explanation below, I can see why it's not remotely a high priority, because the risk of error is low.

Edited by thunderforce


Posted (edited)
7 hours ago, thunderforce said:

I've already said the supposed security issue is complete nonsense. I'm just proposing to guard against human error when constructing the manifest, giving an example of how that sort of human error can happen and have catastrophic consequences. Of course if (as Number Six says) Island Rum does have some legitimate need to work outside its tree, then this can't be helped; but if Tequila doesn't, it might as well not be able to.

 

That would be more of an issue if the manifest would require full paths - it does not.  If someone forgets to enter a path, the file would simply be dropped into the CoH install folder.  If the incorrect relative path were entered, a new folder would be created inside the CoH install folder.  It takes extra effort to enter a path into the manifest that could cause problems, so it's very unlikely to happen by accident.  

 

I don't want to do things like Sweet Tea that lure players into a false sense of security.  I don't want them to feel bullet-proof because of such claims when there are too many other exploits possible.  If we (myself and whoever is working on Tequila) have to implement more security, I want it to be fully comprehensive so players can feel bullet-proof.

 

Edited by Manga
  • Jimmy changed the title to Tequila and CreamSoda Security Issue? Launchers compromised? [Mod Edit: They aren't.]
  • City Council
Posted
6 hours ago, thunderforce said:

I've already said the supposed security issue is complete nonsense. I'm just proposing to guard against human error when constructing the manifest, giving an example of how that sort of human error can happen and have catastrophic consequences. Of course if (as Number Six says) Island Rum does have some legitimate need to work outside its tree, then this can't be helped; but if Tequila doesn't, it might as well not be able to.

Tequila doesn't need to, and if someone wants to put together a band-aid for that particular issue and submit it as a PR on GitHub, it would likely be accepted. Tequila isn't something we developed, it's just something we happen to be using at the moment.

 

As for whether or not we should redirect any of Homecoming's resources to fixing that particular issue, that's an open question. It's certainly doable and may end up being a quick fix, but given the number of other issues with Tequila and the fact that we'd like to dump it in favor of something more robust anyway, it's a question whether dealing with the logistics of rolling out a new version is worth spending time on.
