Shoutbox

Whats up with this? - Printable Version

-Shoutbox (https://shoutbox.menthix.net)
+-- Forum: MsgHelp Archive (/forumdisplay.php?fid=58)
+--- Forum: Messenger Plus! for Live Messenger (/forumdisplay.php?fid=4)
+---- Forum: WLM Plus! General (/forumdisplay.php?fid=23)
+----- Thread: Whats up with this? (/showthread.php?tid=28348)

Whats up with this? by GiantSpider on 07-08-2004 at 03:09 PM

quote:
Originally posted by timothy on mess.be
A serious bug in all MsgPlus 2.x and 3.x versions could allow your buddies to execute commands remotely on your computer.

The most damage that can be done is a complete system failure and loss of critical data.

How to prevent this from happening:

Avoid the use of the (!N) and (!NP) commands, especially when people ask you to send these commands!

Eh?

RE: Whats up with this? by Mnjul on 07-08-2004 at 03:30 PM

Patchou hasn't spoken a word, to my knowledge, and timothy didn't give more detail either. But this is what I am going to say:

If there is really such a bug, please do NOT post about how to execute it. Such posts are indeed to be removed, and with the power of mod-banning, the ones who post are likely to be banned. ;)


RE: Whats up with this? by Anubis on 07-08-2004 at 03:36 PM

Yeah. I am aware of this bug, there was a thread about it yesterday... Surprisingly simple to do... I'm not going to say how because I want to keep this under wraps as well, but let's just say be careful about what's in people's screen names...


RE: Whats up with this? by GiantSpider on 07-08-2004 at 04:04 PM

Were you talking to me Mnjul?


RE: Whats up with this? by Jolo on 07-08-2004 at 04:06 PM

I'm very scared. This is serious. :S

I'm only using these commands in Wouter's openConvo plug-in, but in the "Events log", so I think this is internal and doesn't cause trouble.

Or yes? :S


RE: Whats up with this? by GiantSpider on 07-08-2004 at 04:08 PM

Well, I assume this problem is controlled via a remote user, so when you use internal commands I think you should be ok.


RE: RE: Whats up with this? by Sunshine on 07-08-2004 at 04:12 PM

quote:
Originally posted by Mnjul
Patchou hasn't spoken a word, to my knowledge, and timothy didn't give more detail either. But this is what I am going to say:

If there is really such a bug, please do NOT post about how to execute it. Such posts are indeed to be removed, and with the power of mod-banning, the ones who post are likely to be banned. ;)


I agree, info like that shouldn't be posted on here... it's encouraging people to abuse it (just like telling a person how to hack). Bugs like that should be reported to Patchou directly so he can take action.

Mnjul, did you tell Patchou what was in the posts, so he can do something about the exploit?

RE: Whats up with this? by Jolo on 07-08-2004 at 04:13 PM

As a preventive action, I have removed the (!N) tag from the openConvo plug-in. :)


RE: Whats up with this? by Mnjul on 07-08-2004 at 04:15 PM

I mailed Patchou about this.. but don't worry, I think Timothy had already done so when he posted on mess.be ;) And again, don't worry, Patchou is trustworthy enough, so just wait for an update very soon ;)


RE: RE: Whats up with this? by Sunshine on 07-08-2004 at 04:24 PM

quote:
Originally posted by Mnjul
I mailed Patchou about this.. but don't worry, I think Timothy had already done so when he posted on mess.be ;) And again, don't worry, Patchou is trustworthy enough, so just wait for an update very soon ;)


Thanks Mnjul, better e-mailed twice about it than not at all. :) I'll take good notice of people's nicks till then.

RE: Whats up with this? by timothy on 07-08-2004 at 04:31 PM

I already mailed him before, but since I have the idea it didn't get through I've posted it <somewhere> here. (mods please remove that topic).

It's too serious to leave in there, but since I didn't get a response to my mail I decided to give it a little push over here. The post on mess is merely to warn people; since I posted it a lot of people started using the trick (still harmless).

And no, it ain't a hoax, we've tried several things (on ourselves) and all could have ended up with disastrous results..


RE: Whats up with this? by Patchou on 07-08-2004 at 04:38 PM

What?!?!? What is the meaning of this joke? There is absolutely nothing to be worried about and there's nothing to fix. I never got any mail from Timothy about this; otherwise, I would have replied the same thing I'm going to reply now. Here is what they seem to be talking about:

Let's say your contact's name is a link to a file on the internet.
Now let's say that for some extraordinarily dumb reason you decide to try to execute the "/run (!N)" command.
Now that you've done that, let's say that you accept the security warning displayed by Internet Explorer.
... damn, you just downloaded a file from the internet that could be dangerous *-).

This "security alert" posted on mess.be should simply be deleted. If you use the /run command, you're aware that you're executing something, I think, and if for some reason you're using it with some tags, I would tend to think that you know what you're doing, don't you think?


RE: Whats up with this? by timothy on 07-08-2004 at 04:41 PM

quote:
I already mailed him before,

Read the post please, I already mailed you 2 days ago.

But the reason I'm concerned is that people use this to trick other people. I'll PM you with the full details Patchou, and I'll remove the post from mess.be.

RE: Whats up with this? by Patchou on 07-08-2004 at 04:48 PM

I never got any mail from you Tim, that's unfortunate :(. Well, if we're talking about the same thing, at least I'm sure that there's nothing to worry about. As I said in my previous post, even if the user did some kind of copy-paste, he would still have to select Open and accept the security warning displayed by Internet Explorer. I see no problem here. Any program allows you to run something, at least from an Explorer file selection window. That's not a security problem, that's just a fact :).

Note: if I'm missing something, please let me know. I still see no difference with sending a link to a user and asking him to click on it. I can't be held responsible if a user follows instructions given by someone; anything could be done by any software in that case. A security problem would be that Plus! automatically downloads and executes the program, which it doesn't do.


RE: Whats up with this? by timothy on 07-08-2004 at 04:53 PM

I PM-ed you; it has nothing to do with downloading files, it's about executing remote commands on someone else's computer. All posts and messages about it are removed ;)

And sorry about the big media attention, but when the message doesn't get through I use the "hard" way to bring it to attention.


RE: Whats up with this? by Patchou on 07-08-2004 at 04:58 PM

If you PMed me you should have gotten a message from the forum saying that I rarely reply to PMs as I receive too many, sorry about that :p. As for executing remote commands, I see what you mean, but there's nothing harmful that could be done this way. If a user types (!N) alone after being asked by someone that has "/nick Sadam" as name and wonders why his name became Sadam, it's not the end of the world :). Again, the same user could ask the same guy to download a file and execute it, which would be far more dangerous.


RE: Whats up with this? by timothy on 07-08-2004 at 05:04 PM

yeah, but the /run command also executes from a nick....

And people are "dumb" enough to type (!N) if you ask them, without questioning why,


RE: Whats up with this? by KeyStorm on 07-08-2004 at 05:14 PM

Hm, I'm starting to see the point. It is rather social engineering, if I'm not wrong. But it's very likely to happen to many people who don't know what dangerous files they may accept or what certain commands can do.

Maybe the /run command should prompt before running .exe, .com, .bat, .scr or .pif files.

quote:
Originally posted by timothy
And people are "dumb" enough to type (!N) if you ask them, without questioning why,
Sadly true...

RE: Whats up with this? by timothy on 07-08-2004 at 05:22 PM

The problem is, those programs are already on the other user's computer, system tools etc. And now it just executes without a warning this way,


RE: Whats up with this? by Zero1 on 07-08-2004 at 05:27 PM

Patchou, I agree that changing someone else's nick isn't exactly 'dangerous', but all of the Messenger Plus! commands are available to these people to use - people wanted to find a way of getting an IP over Messenger, now they have it.
However, as timothy stated before: if someone has "/run application" in their name, typing (!N) will execute the run command (without the end user needing to type /run), and some people really are stupid enough to do this - believe me.
For example, if someone sets their name as "/nick ~~~(!IP)~~~~" it's not so likely that the user (remember - not all Messenger users are as smart as the people here) will recognise it as being malicious.

Is there not a way that you can filter out the (!N) command from executing any other commands? This would solve the problem.

Just my .02, you can choose what you want to do with Plus!, it is your extension after all. I just thought that you may want to keep your users more secure from a potentially large security hole.


RE: Whats up with this? by KeyStorm on 07-08-2004 at 05:29 PM

If we prevented tags from being able to run inner commands, we would stop some plugins and home-made aliases from working, so I don't see any other solution than warning when system files or executables are going to be run.
Optionally: "Don't warn me again for this file"


RE: Whats up with this? by timothy on 07-08-2004 at 05:32 PM

The execution by short codes isn't the problem; the execution with (!N) should be prohibited. This one should only be intended to display someone's nickname...


RE: Whats up with this? by Zero1 on 07-08-2004 at 05:33 PM

Why not sterilise the (!N) command? This is the only one that would need modifying, as it's the only one that a remote attacker could use. For example, in PHP there is a command that lets you stop variables being executed as variables and just shown as they are. Couldn't this be possible with MP3?


RE: Whats up with this? by KeyStorm on 07-08-2004 at 05:45 PM

<?php
$a = "blah";
echo "$a";   // double quotes: $a is interpolated
echo "\n";
echo '$a';   // single quotes: $a is printed literally
?>

would return:

blah
$a

----

Anyway, not parsing (!N) content would be a good solution to avoid contacts running random commands remotely.

Zero1: tell the contact to write (!IP) instead ;) much easier.

Anyway, I know that if I told someone to write '/run [whatever]' they'd do it... so the problem would be solved but not completely. The social engineering would still exist (and newbies, too).

Not sure if that would help a lot :-/


RE: Whats up with this? by Zero1 on 07-08-2004 at 05:48 PM

Yes, the addslashes command was what I was using as an example.
You could tell someone to execute that command on its own, but it could look a little suspicious. I don't want to post anything that could actually be used - but there are more dangerous things that can be done than the IP command. The point is most people would probably not look at that name twice, and then it would be too late.


RE: Whats up with this? by KeyStorm on 07-08-2004 at 05:57 PM

or worse: after they tell you to type (!N) they could change their nicknames so it looks less suspicious.

quote:
Originally posted by Zero1
but there are more dangerous things that can be done than the ip command
lol, obviously. ;)

I still think the warning method would be the best and easiest way around it.

But I can't see a use for parsing nicknames, so killing that would also be a solution :)

RE: Whats up with this? by timothy on 07-08-2004 at 06:04 PM

Personally, the only reason why the /run command would be left in there is because you want a quick way to execute something without using your mouse.... (Windows key + R is a great alternative).

Other use is that you have scripted some commands, or launching programs with msgplus vars.

But I don't see why plugin creators would rely on the /run command, because if you know how to program you also know how to launch a program.


RE: Whats up with this? by KeyStorm on 07-08-2004 at 06:44 PM

quote:
Originally posted by timothy
But I don't see why plugin creators would rely on the /run command, because if you know how to program you also know how to launch a program.

I rather meant aliases ;)

Some plugins would need to parse anything inside a tag. If we disabled that, some would not work. I guess,

RE: Whats up with this? by lopardo on 07-08-2004 at 07:06 PM

I would suggest this:

  • Disable (!N) parsing.
  • Show a warning before using /run for the first time (or with a "don't show me this again" checkbox).

But it's up to Patchou whether or not to do it :)

RE: Whats up with this? by GiantSpider on 07-08-2004 at 07:06 PM

So the threat is actually there? That's some damn business. So in layman's (simple) terms, what is the problem?


RE: Whats up with this? by lopardo on 07-08-2004 at 07:12 PM

The problem is that the contents of (!N) are parsed... Imagine that you have a contact whose name is "/run notepad"; if you write (!N), instead of showing "/run notepad", Plus! will parse that and run notepad.
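Editor's added example (not from the thread and not Messenger Plus! code): a toy model of the expand-then-parse behaviour lopardo describes above, next to the fix Zero1 and KeyStorm argue for earlier (treat the output of a tag like (!N) as plain text, never re-parse it as a command). The command set, the `Session` type and the tag values are assumptions; the contact nicks and the IP address are constructed. The `needs_run_warning` check models KeyStorm's separate suggestion of prompting before /run on executable file types.

```python
"""Toy model of chat /commands and (!N)/(!IP) tags (constructed for illustration)."""
import re
from dataclasses import dataclass, field

TAG_RE = re.compile(r"\(!(N|IP)\)")
RUN_WARN_EXTS = (".exe", ".com", ".bat", ".scr", ".pif")  # KeyStorm's list


@dataclass
class Session:
    my_nick: str
    my_ip: str            # constructed value; what (!IP) would reveal
    contact_nick: str     # what (!N) expands to; chosen by the *contact*
    log: list = field(default_factory=list)  # side effects the client performed


def expand_tags(text: str, s: Session) -> str:
    """Single-pass tag substitution. The result is data to display, not input."""
    values = {"N": s.contact_nick, "IP": s.my_ip}
    return TAG_RE.sub(lambda m: values[m.group(1)], text)


def needs_run_warning(target: str) -> bool:
    """Assumed guard: prompt before /run on executable file types."""
    return target.lower().endswith(RUN_WARN_EXTS)


def dispatch(line: str, s: Session) -> bool:
    """Run a /command typed by the user. Tags in arguments still expand,
    so aliases and plugins that rely on them keep working."""
    if not line.startswith("/"):
        return False
    cmd, _, arg = line[1:].partition(" ")
    arg = expand_tags(arg, s)
    if cmd == "nick":
        s.my_nick = arg
        s.log.append(("nick", arg))
    elif cmd == "run":
        s.log.append(("run", arg, needs_run_warning(arg)))  # stands in for launching it
    else:
        s.log.append(("unknown", cmd))
    return True


def send_vulnerable(typed: str, s: Session):
    """Pre-fix behaviour: expand first, then decide whether the result is a
    command. Whatever the contact put in their nick becomes the victim's input."""
    expanded = expand_tags(typed, s)
    if dispatch(expanded, s):
        return None
    return expanded


def send_fixed(typed: str, s: Session):
    """Post-fix behaviour: only what the user actually typed can be a command;
    tag output is shown as text and never re-parsed."""
    if dispatch(typed, s):
        return None
    return expand_tags(typed, s)


if __name__ == "__main__":
    for nick in ("/run notepad", "/nick ~~~(!IP)~~~~"):
        for sender in (send_vulnerable, send_fixed):
            s = Session("me", "192.0.2.10", nick)
            shown = sender("(!N)", s)
            print(f"{sender.__name__:16} contact={nick!r:24} shown={shown!r} log={s.log} my_nick={s.my_nick!r}")
```

With the vulnerable path, typing (!N) against a contact named "/run notepad" launches notepad and displays nothing, and against "/nick ~~~(!IP)~~~~" it silently rewrites the victim's own nick to contain their IP, which the contact can then read. With the fixed path the same keystrokes just display the contact's name as text; a user who deliberately types "/run (!N)" still runs whatever the nick says, which is the case Patchou describes as the user's own responsibility.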


RE: Whats up with this? by Patchou on 07-08-2004 at 07:59 PM

lol... bhaa.... as this subject seems to be very important for you, I'll comply. No commands will be executable from tags like (!N) in the next version of Plus!.


RE: Whats up with this? by GiantSpider on 07-08-2004 at 08:03 PM

Seems important to who?


RE: Whats up with this? by (CyBeRDuDe) on 07-08-2004 at 09:18 PM

NOOOOOO!!!!

This is so fun to play with.. Yes I know you might be able to do some serious damage but it is really funny to play around with my mates... :D....


RE: Whats up with this? by lopardo on 07-08-2004 at 10:33 PM

quote:
Originally posted by Patchou
lol... bhaa.... as this subject seems to be very important for you, I'll comply. No commands will be executable from tags like (!N) in the next version of Plus!.
It's not that important for me, but I think it is for newbies (and then there will be people saying Plus! is insecure and blah blah blah, you know what I mean).

RE: Whats up with this? by Mnjul on 07-09-2004 at 02:53 AM

Err...now that this will be fixed in the next version, let's stop discussing, OK? :)