Tequila and CreamSoda Security Issue? Launchers compromised? [Mod Edit: They aren't.]

[SuperPlyx]

So wondering if the leaders of Homcoming have any comment on the security issues posted elsewhere about the launchers we all use.

From Reddit: https://www.reddit.com/r/Cityofheroes/comments/debb98/sweettea_new_launcher_due_to_major_security_issues/

 

"

Quote

 Tequila and Cream Soda allow manifests to have absolute paths in them. An absolute path is different from a relative path, because it is the full path to a file from the drive letter (C:) to the file name. This means a bad manifest could put files anywhere on someone's computer, and overwrite any file.

Another big issue is that files in a manifest can have a size of zero. I've found that these zero sized files tell Cream Soda and Tequila to DELETE a file instead of download the file. That means, with an absolute path to a system file or important documents, you could delete or overwrite those files.

 

[Abraxus]

There's been a lot of talk (most of it vile, as usual) over at the Cox/g Discord about this.  They are slinging a lot of accusations, which is nothing new.  But, when it's pointed at Homecoming, I take notice.

[Number Six]

The issue that was brought up isn't really a 'vulnerability' per se, it's simply the nature of automatic downloaders. If you are trusting a program to automatically download updated executables, those executables can do anything they want to your system, including downloading malware. There is an implicit trust in any manifest you add to something like Tequila, and users should be fully aware of just what they're signing up for.

 

tl;dr: if you're worried about somebody putting absolute paths in a manifest file to overwrite files in system32, you should also be worried about what the exes they're downloading and running can do.

 

We have always recommended running the various downloaders as non-privileged users (do not use "run as Administrator"). That mitigates the damage to the OS that can be done, but even non-privileged programs can access data files which are what most people care about.

 

It does not appear that this new patcher addresses the real weakness in all of the updaters available to date -- the possibility of man-in-the-middle attacks or DNS hijacking. That's something that we've been concerned about for some time. Due to that, as well as Tequila being generally lacking in other features that we would like to have, the team's consensus has been to consider it a temporary utility until the new community patcher (Sunrise) was finished.

 

Unfortunately Sunrise development seems to have stalled as far as I can tell. We had some plans for our own updater in the future that we had been holding back on to avoid duplicating effort, but those will likely move up in the priority list.

[SuperPlyx]

Thank you for the response,it was really my main reason for posting.I have had a couple of people asking about it since it was posted elsewhere.

 

It seems to me to be a simple question of trusting the manifest file, 

[Cipher]

1 minute ago, SuperPlyx said:

Thank you for the response,it was really my main reason for posting.I have had a couple of people asking about it since it was posted elsewhere.

 

It seems to me to be a simple question of trusting the manifest file, 

Yep, that is exactly correct.

 

When you add a manifest to any of the launchers (including Sweet Tea), you are trusting the author of that manifest. The author of the manifest can, at any point in time, upload a virus to the manifest and let it run that instead of the client. That virus could then do whatever it wants, unconfined to the rules of the launcher that executed it. In either case and with any of the launchers, you are still required to have full trust in the author of any manifests you add to it, because at the end of the day if they want to exploit your system, they're going to be able to do so.

[Manga]

There are perfectly valid reasons for a game patcher to be able to access files outside of their primary game install path, and to be able to delete files.  Game patchers are not consumer-level utilities that accept input from end users, and therefore don't have any obligation to protect end users from their own mistakes.  They are designed particularly to be used with manifests that are verified to be safe and serve a very specific purpose - making City of Heroes work.

 

For Island Rum, I have tested and verified that the official manifests for Homecoming (http://patch.savecoh.com/manifest.xml) and Closed Beta function as intended, and are not harmful to your computer.  I do not recommend using any other manifests with Island Rum.  If security of unverified third party manifests becomes an issue, I am prepared to take measures to make sure they cannot be used with Island Rum.

[thunderforce]

1 hour ago, Manga said:

There are perfectly valid reasons for a game patcher to be able to access files outside of their primary game install path, and to be able to delete files.

I am wondering if there are perfectly valid reasons for _our_ launcher to be able to access such files.

 

Of course the supposed security issue is complete nonsense - as noted above, a malicious manifest can do whatever it likes - but a simple error in the manifest like the catastrophic EVE boot.ini issue could occur and would be extremely unfortunate not least because it would add credibility to the conspiracy theories being flung around by the usual suspects.

 

I submit if Tequila and Island Rum don't need to be able to do this, they shouldn't be able to.

[Number Six]

1 minute ago, thunderforce said:

I submit if Tequila and Island Rum don't need to be able to do this, they shouldn't be able to.

The draft spec I've been working on for the next-generation manifest does not include the capability to touch files outside of the base directory of the package in question.

 

I believe Island Rum has some legitimate use for that as it also handles installing wine and some other housekeeping necessary for the Mac version. For that it may require creating some extra packages with a more expansive scope to handle it, but we're not to the point of looking at it just yet.

[Manga]

46 minutes ago, thunderforce said:

I am wondering if there are perfectly valid reasons for _our_ launcher to be able to access such files.

 

Of course the supposed security issue is complete nonsense - as noted above, a malicious manifest can do whatever it likes - but a simple error in the manifest like the catastrophic EVE boot.ini issue could occur and would be extremely unfortunate not least because it would add credibility to the conspiracy theories being flung around by the usual suspects.

 

I submit if Tequila and Island Rum don't need to be able to do this, they shouldn't be able to.

 

What happens if you set the install path in Sweet Tea to "C:\" and then connect it to a manifest that puts files in "\Windows\System"?  It's no more secure than Tequila or Island Rum then, is it?  Securing an application against one particular case creates a false sense of security.

 

The only way to have a patcher that's 100% safe in every situation would be to give it a locked-down sandbox to play in, which would require two things:  1.  Having the patcher offer a list of verified manifests only;  and 2. Having the patcher set a standard install path, and refuse to allow installs anywhere else.  It's possible to do both, however, we would then see a lot of complaints from people who want to do odd things like install CoH on another hard drive.  

 

So far we haven't had a need to do either, because our manifests are carefully made and tested.  That's the real path to keeping the playerbase safe keeping all of the software paths clean - making sure that players use the correct manifest, and that we know exactly what it does.

 

By the way, Island Rum runs in user space by default.  It does not even have a way of authenticating as an administrator.  So if there are any rogue files in a manifest trying to write over system files, it would normally get an access violation error - unless the user went out of their way to launch it in administrator mode first.

Edited October 7, 2019 by Manga

[thunderforce]

On 10/7/2019 at 4:53 AM, Manga said:

What happens if you set the install path in Sweet Tea to "C:\" and then connect it to a manifest that puts files in "\Windows\System"?  It's no more secure than Tequila or Island Rum then, is it?  Securing an application against one particular case creates a false sense of security.

I've already said the supposed security issue is complete nonsense. I'm just proposing to guard against human error when constructing the manifest, giving an example of how that sort of human error can happen and have catastrophic consequences. Of course if (as Number Six) says Island Rum does have some legitimate need to work outside its tree, then this can't be helped; but if Tequila doesn't, it might as well not be able to.

 

ETA: In the light of Manga's explanation below, I can see why it's not remotely a high priority, because the risk of error is low.

Edited October 10, 2019 by thunderforce

[Manga]

7 hours ago, thunderforce said:

I've already said the supposed security issue is complete nonsense. I'm just proposing to guard against human error when constructing the manifest, giving an example of how that sort of human error can happen and have catastrophic consequences. Of course if (as Number Six) says Island Rum does have some legitimate need to work outside its tree, then this can't be helped; but if Tequila doesn't, it might as well not be able to.

 

That would be more of an issue if the manifest would require full paths - it does not.  If someone forgets to enter a path, the file would simply be dropped into the CoH install folder.  If the incorrect relative path were entered, a new folder would be created inside the CoH install folder.  It takes extra effort to enter a path into the manifest that could cause problems, so it's very unlikely to happen by accident.  

 

I don't want to do things like Sweet Tea that lure players into a false sense of security.  I don't want them to feel bullet-proof because of such claims when there are too many other exploits possible.  If we (myself and whoever is working on Tequila) have to implement more security, I want it to be fully comprehensive so players can feel bullet-proof.

 

Edited October 7, 2019 by Manga

[Number Six]

6 hours ago, thunderforce said:

I've already said the supposed security issue is complete nonsense. I'm just proposing to guard against human error when constructing the manifest, giving an example of how that sort of human error can happen and have catastrophic consequences. Of course if (as Number Six) says Island Rum does have some legitimate need to work outside its tree, then this can't be helped; but if Tequila doesn't, it might as well not be able to.

Tequila doesn't need to, and if someone wants to put together a band-aid for that particular issue and submit it as a PR on GitHub, it would likely be accepted. Tequila isn't something we developed, it's just something we happen to be using at the moment.

 

As for whether or not we should redirect any of Homecoming's resources to fixing that particular issue, that's an open question. It's certainly doable and may end up being a quick fix, but given the number of other issues with Tequila and the fact that we'd like to dump it in favor of something more robust anyway, it's a question whether dealing with the logistics of rolling out a new version is worth spending time on.