BanLink Security Broken – Shocking SQL Reveals All!!!

by Alphaville Herald on 19/09/09 at 3:53 pm

Sloppy software willingly accepts rogue queries - BanLink passwords compromised?

by Pixeleen Mistral, National Affairs desk

BanLink is a resident-created Second Life "service" allowing land owners to easily share lists of players to ban from their virtual land. Given the potential for abuse of such a system, you might expect a certain level of care would have been exercised to protect the database that houses the ban lists. You would be wrong.

[image: supposedly private information revealed: Philip Linden banned for unauthorized return of content]

A reliable source contacted the Herald earlier this week with evidence showing the BanLink site can easily be exploited by an SQL injection attack to reveal information that the site's developers presumably wish to keep private – such as account information and passwords. While it was amusing to see details of Philip Linden's ban and some would agree with a complaint against the Mullah of Ravenglass, I was saddened to see erroneous information tied to my identity.

After the initial amusement wore off, I asked the source – who refers to himself as "a man with a lion face" – how simple URLs could reveal so much information. He replied, "poor coding, seems like. they don't even take the quotes out of input or escape them. basically, you can inject your own queries into the database calls and have it return whatever data you want. a more malicious person might use it to get passwords, emails, or IPs of banlink administrators". Even worse, the man with a lion face said that attempts to contact BanLink developers Travis Lambert and Mera Pixel had been in vain. The Herald has tried to contact the developers as well, without success.

[image: a notorious griefer's entry in BanLink – trolling and harassing residents in Indigo]

To verify the original source's claims, the Herald turned to two independent technical experts, who both agreed that the site suffers from significant security issues that may allow uncontrolled access to sensitive information.

One expert pointed out that all the tables in the BanLink database are an open book at this point, and it is unclear how well user passwords have been encrypted. This suggests that anyone who has a BanLink account will want to avoid using the same password on any other system.

[image: Banlink says "To protect privacy, you may only view records for your own avatar". Maybe not.]

It is possible that BanLink is an orphaned project. A July 10th posting on Mera Pixel's blog says that Ms. Pixel was planning to step aside, but then picked up work on the project again this summer – but the blog has been very quiet of late.

Orphaned or not, BanLink users should assume their account information may have been released into the wilds of teh interwebs and BanLink's ban lists could have been tampered with – the entry for Pixeleen Mistral looks particularly suspect.

[image: BanLink is not entirely reliable – an example of erroneous information in the database]

32 Responses to “BanLink Security Broken – Shocking SQL Reveals All!!!”

  1. All Seeing Eye

    Sep 19th, 2009

    Anyone that has been around the world of web programming long enough to be respectable in the business knows you have to use stored procedures to isolate the database. Better yet use a middle tier and the middle tier uses stored procedure calls further isolating the db. Anyway such discussions could go on forever. Fact is they should have paid a professional (or at least convinced one to help free) to design and code the system. So now every entry in that system is suspect. When they fix it they need to run a truncate table SQL statement against the ban_list table and start over from scratch.

  2. sue

    Sep 19th, 2009

    I want this Ban Link information now. How do I get in there and get it? Anybody who is in Ban Link should now sue the shit out of Intlibber for making the flimsy SL allegations that are Ban Link available to the real life public where they can do real harm and injury far beyond any idiotic circumstances in SL. I want to know the names of people putting avatars into Ban Link. I want to get those names NOW. Ban Link is an illegal conspiracy and it’s time for the names to come out and heads to roll.

    It may be time to confront Linden Labs with this as well since they allow Ban Link to continue apparently with their blessings.

  3. Jumpman Lane

    Sep 19th, 2009

    is sl coming to an end or just BAN LINK. i’m on ban list becaws i told arkady yost his wife bella had a fat ass! (well she DOES!) and because i cused out some random chump i dont even know or recall. the system is flawed!

  4. At0m0 Beerbaum

    Sep 20th, 2009

    I ended up on banlink once due to someone abusing the system. I was just part of some “spy”‘s blanket report on random users claiming they were PN. Regardless of facts, or anything of the like.

    People abuse banlink all the time, it isn’t even really used to get rid of griefers, since most people who actively grief have accounts that rarely last beyond a day or two. People just abuse the AR system and get people age banned (usually on false pretenses). It’s really a system of “Here’s someone I don’t like, you shouldn’t like either, if you disagree, you’re someone not to be trusted!”

    It just helps groupthink along, is all. Sadly, a virtual world originally dedicated to creativity and self-expression, locked down by little napoleons and power mongers who can only sleep at night if they have imposed themselves upon others and forced their will on them.

  5. At0m0 Beerbaum

    Sep 20th, 2009

    You do realize that to save credibility, they will have to redo EVERYTHING, databases, etc. Who knows if it has been breached several times before or not and never reported. It’s no longer trustworthy.

    This is quite excellent :)

  6. Ban banlink!

    Sep 20th, 2009

    And just who gets to say whose name appears on this database? Where is the appeals procedure so that we can correct mistakes? Where is the accountability in all this?

    This smells like a system for allowing private citizens to inflict punishment on those they believe have done wrong even without proof and sometimes purely as personal vendetta. Ultimately it’s nothing more than a lynch mob database and Linden Lab need to do something about it.

  7. Nidol

    Sep 20th, 2009

    Whoever posted under Ban banlink, this is not a new system. It has been around for years and LL doesn’t give a shit about it. As for it being exploited, about damn time. Maybe this will be the nail in the coffin for them.

  8. JESUS CHRIST IT'S A LION! GET IN THE CAR!

    Sep 20th, 2009

    In my opinion, this situation warrants a trashing of Ban Link in its current form, data and all. Especially since a SQL Injection vulnerability on a service like Ban Link where data integrity is key can mean pretty much all data should be considered invalid. Even a name change wouldn’t be an unreasonable decision to make.

  9. JustMe

    Sep 20th, 2009

    Ah, Herald? Before blaming “sloppy software”, perhaps you could try doing one of those silly things that real newspapers do .. SPELL CHECK your headline … “revals” ????

  10. Ban Banlink

    Sep 20th, 2009

    @Nidol

    Thanks for the information

    Someone commented just a few days ago on one of these threads (I forget which now) about how people who post anonymously should have the courage of their convictions and post under their actual names. Words to that effect anyway. But it’s crap like this Banlink and the way it can be abused arbitrarily that prevents people from using their actual names. Imagine as an example, someone makes a fair comment about how someone’s new product is actually really sucky in their opinion. Fine, that person gets the hump and bans you from their land. No big problem. But Banlink seems to then have you banned from a bunch of other places, just because you expressed an opinion that someone didn’t like.

    And people wonder why Second Life is on its last legs…..

  11. masa

    Sep 20th, 2009

    Every group on BanLink has to decide what other groups it trusts. There isn’t a global ban list. Every ban has to have an explanation. Some groups have admins that ban for petty reasons and personal vendettas – this is usually pretty obvious and those groups aren’t generally trusted by many other groups.

    If you are banned somewhere because of BanLink, it notifies you of that fact and what you can do to dispute it. Even if the person who entered the ban refuses to listen to you, any group that imported that ban can locally override it. So you are not magically banned from fifty million places with no options just because one person won’t talk to you.

    BanLink has its flaws, but it’s a definite step up from passing around notecards full of names to ban with no reason, and bans with no explanation or recourse whatsoever. This used to happen all the time before BanLink. Someone from a group like “Gay For Philip” would annoy the wrong furry, and every single person in that group would wind up seeing ban lines everywhere.

    Also, BanLink is self-correcting: if there are a bunch of bogus bans, they can be disputed and overridden as necessary. It’s really just business as usual.

    The bigger problem with BanLink’s future is that both of the developers have been missing for months and it seems unlikely that either of them have time or inclination to secure the site and get it back online.

  12. Troy McConaghy

    Sep 20th, 2009

  13. Red

    Sep 20th, 2009

    I love how people jump to conclusions and don’t wait for statements or anything from Mera, the joke here is all the people complaining. You probably are not part of the system so you have no clue in hell how it works and just assume that because you think it works a certain way that you are right.

  14. A guy

    Sep 20th, 2009

    @JESUS CHRIST IT’S A LION! GET IN THE CAR!

    Got some news for you. “Data integrity” doesn’t exist. 99% of vulnerabilities are due to improper input sanitization. This includes RFI, LFI, SQLi, heap and stack overflows, format strings, etc. Hell, you can escalate to a shell with LFI pretty trivially on Linux by injecting environment variables using the proc/pid/environ method. And you can bypass most stack protections such as NX/DEP (non executable stack or data execution prevention as it’s called in Vista) and Address Space Layout Randomization (randomizes memory addresses to make it difficult for attackers to redirect EIP to injected shellcode, though on Intel processors which most PCs use partial overwrites are effective due to little-endian-ness). You can bypass NX by simply using ret2libc and calling functions from standard C libraries. SQLi and most web exploitation is largely unimpressive because it’s so trivial. Kiddies can get scanners that will find these for them with relative ease.

    And input sanitization doesn’t really cover things like race conditions, poor passwords, and social engineering aka abuse of trust-based communications. Or configuration errors. You should check out MITRE.

    Security holes like the above as well as business logic errors are present just about everywhere. More than 90 percent of your computers are likely using software that contains at least one of these vulnerabilities, even if the vuln hasn’t been discovered yet.

    This is why being a hacker is so awesome. If I am the one finding the 0dayz, then who is going to exploit me? If I have already audited every software package I am running, then what’s left? I’m sure there’ll be new classes of bugs to make things interesting. I mean, have you seen the ipv6 specs? They’re going to be implementing syscalls over the network lol.


  15. Judiciary

    Sep 20th, 2009

    dear “A guy”,

    By your logic, it sounds like just because I can never be 100% secure that nobody will rape or murder me, I should just go walking around dangerous neighborhoods with a blindfold and my pants down?

    Sure, I could lock the door to my house, but a determined burglar could get around that so I’ll just leave the door open so everyone can see the heaps of gold I have lying around.

  16. Jumpman Lane

    Sep 20th, 2009

    @red I am on ban link BECAUSE i told a guy ARKADY YOST his wife had a sexy, fat ass. he was a turdy land manager NOT EVENAN ESTASTE MANAGER. he fell out with the siowner and is banned at that sim stil. I appealed andam stillon ban list for it. Only othe reason is cursin outa complete stranger who remains a stranger andd i cant even recall where the sim was the cursin occured. been many dumps i cant goto caws of ban link since 07 but i dont know where they are and dont miss em so i say tell that fool who invented ban link to turn his keyboard sideways andstuff it up his ass. it might fit!

  17. Ener Hax

    Sep 21st, 2009

    hmm, my grandparents were put on a list during WWII. banlink is no diff, it’s a great tool to discriminate with =(

  18. Jarlston Hammerer

    Sep 21st, 2009

    Seems like most people that posted on this thread are suspects then. Common people forget that Land owners are entitled to ban people that act in disagreement with them. They pay tiers, they choose who gets to be there. After all we are only guests at those servers and we haven’t the right to be there, we have the privilege to be there if we follow the rules of our host. If you decide not to, you brought it onto yourself and will suffer the consequences… as a ban or a multiple ban if they use BanLink or a similar system to point out trouble makers. Think before you type, respect the Server or Parcel owner’s rules. If you disagree with them go somewhere else where your way of thinking is welcome.

  19. lol kids

    Sep 21st, 2009

    @ Jarlston Hammerer

    Way to not read the thread, let alone being able to tell the tree from the forest.

  20. Julia Banshee

    Sep 22nd, 2009

    Wow… just wow…

    An SQL injection attack in your code, in 2009, no less… serious amateur work. Seriously. This is not something found in professionally developed code anymore. Not unless the “professionals” are cut-rate idiots from Rent-A-Coder or something.

  21. Security Consultant

    Sep 22nd, 2009

    @Julia Banshee

    Oh really? I’m guessing your info is from a second hand source, since I see a steady stream of SQLi vulns on milw0rm on a regular basis. I find holes in professionally developed code. They just aren’t the obvious strcpy, strncpy, memcpy, gets, etc. bofs. Get some talent and then analyze code. Also static analysis with Flawfinder (for C/C++) does not constitute thorough code analysis lol. The biggest security holes are pretty subtle nowadays. If there weren’t still flaws in professionally developed code then MITRE’s CVE db wouldn’t even exist. As long as programmers have to sanitize input like this, the vulns will keep coming. The security industry is evolving but that’s all. It’s survival of the fittest and those who can’t adapt are being rooted (no pun intended) out.

  22. Studebaker Williamson

    Sep 25th, 2009

    erroneous information?

    Sorry if I got this wrong but you do work for the Herald don’t you? And I do recall the Herald having some hand in some ‘lulz’ that were had at the expense of others, there’s a couple of articles about this in this very blog.
    I don’t think the ban on Banlink is justified at all, but the information is (at least partially) correct :)

    About BL itself… Sure people will try to (and sometimes succeed) abuse the system for their own personal gain and vendettas. But to prevent such things there’s a few buts and ifs to Banlink:

    Bans do not automatically apply to every sim that uses banlink, each user chooses which other users they trust and want to share banlists with. Thus if someone abuses the system over and over again, no-one will want to trust him and any of his bans will end up being only valid for his own place.

    Each ban has to have a good reason and has to state that, if a ban is not really valid, it can be appealed to and be removed from the shared lists.

    The only very short experience I have had with Banlink, has mostly shown advantages, especially against larger griefer attacks in multiple locations. Sure, if one alt gets banned from most of their targets, you can easily make another one, but for every one place they start to grief and get banned from, there’s dozens that they cannot use that alt for anymore…

    They’ll end up wasting more time creating new accounts than they are having teh lulz at the expense of ‘bawwwwing’ SLfags. That gets boring pretty quickly I bet :3

    Banlink is not perfect by far, and (especially now) just begging to be abused. But it works for what it’s supposed to do. Some commenters see it very black and white, like the references to walking pants down through dark alleys and lists in WW2… Newsflash, there’s many shades of grey.

    (PS Godwin’s law)

  23. FWord Utorid

    Sep 26th, 2009

    When I first got into SL, I didn’t have a lot of L$. So I wound up buying a small parcel of land. Well, apparently small parcels of land run afoul of some group of virtual treehuggers called ‘The Arbor Group’. I was insulted by someone called Nobody Fugazi, who claimed I was an ad farmer, when really I just wanted a little spot to call home. So, in response, I put up a sign that said, plainly, “I think Nobody Fugazi is dumb.”. Later on, in numerous locations, I began to get repeated messages that something was attempting to ‘teleport me home’. It didn’t function properly, but I got the message. This particular virtual tree hugger likes to use their system and their land to terrorize anyone who disagrees with them. I think these little systems are fantastic for proving who among us has a power trip. IRC operators or moderators that work to try to censor what people say really just wind up with egg on their face later. I still think Nobody Fugazi is dumb.

  24. Sinden Lucks

    Sep 27th, 2009

    This is why I have little to do with SL anymore. I’ve said it for years, there are far too many children in SL. Either that, or SL harbors the most seriously mentally retarded people I’ve ever witnessed. Just read the posts in this thread. And I have news for you, either Linden continues to love to play games, or they are seriously hacked as well. My guess is both.

  25. Bell Clanger

    Sep 29th, 2009

    Well, looks like http://slbanlink.com/ is down, which is unfortunate, but the BanLink boxes are still sending avatars home despite this. If they have taken their site down for maintenance, shouldn’t they also deactivate the banning system? As it is now, one has no appeals process – hardly democratic.

  26. Alyx Stoklitsky

    Sep 29th, 2009

    “To protect privacy, you may only view records for your own avatar”

    To protect privacy my ass. This feature of banlink was added in to stop griefing groups sharing their banlink records to prove to each other how many landowners they’d pissed off before the lindens caught them. It’s not to protect privacy at all – it’s to try and deprive griefers of using banlink as a scoreboard.

  27. Up4 Dawes

    Oct 5th, 2009

    Well it’s been almost 2 years for me since I was banned from NCI beach, which was managed or owned by Carl Metropolitan. Well I was banned for using a swear word as I was defending a newbie from an attack by one of that place’s inner circle of kiss asses, so I was banned by Mr. Metropolitan. As of last week he is not associated with NCI anymore and told me he can’t help me..and I’m still banned from certain sims that used SLBanlink. How is this if their servers are down?? SLBanlink appears to have met its long overdue fate…so why doesn’t Linden free all us political prisoners? and break the trusts manually themselves?

  28. Isabel Wulluf

    Oct 24th, 2009

    I was put on banlinks and not notified. I TP’d to a sandbox and was sent home. I IM’d the Sandbox’s owner who gave me access. Haven’t been able to view why I was banned. That is wrong in my book.

  29. deadlycodec

    Jan 16th, 2010

    “After the initial amusement wore off, I asked the source – who refers to himself as “a man with a lion face” – how simple URLs could reveal so much information. He replied, “poor coding, seems like. they don’t even take the quotes out of input or escape them. basically, you can inject your own queries into the database calls and have it return whatever data you want. a more malicious person might use it to get passwords, emails, or IPs of banlink administrators”.”

    Just wanted to point out that it’s a common myth that all you have to do to mitigate SQL injection attacks is filter out single quotes, or escape them. ColdFusion 8 automatically escapes single quotes and I could still perform SQL injection by using the CHAR() function. There are other ways to get past weak filtering that relies only on removing single quotes too. And SQL injection vulnerabilities are still among the most common – and devastating – on the web. They’re going to be even more common with the advent of PHP 6, since programmers will now have to sanitize input on their own. No more magic quotes xD

  30. deadlycodec

    Jan 16th, 2010

    @All Seeing Eye

    Guess you should read this:
    “Another solution commonly proposed for dealing with SQL injection attacks is to use stored procedures. Although stored procedures prevent some types of SQL injection attacks, they fail to protect against many others. For example, the following PL/SQL procedure is vulnerable to the same SQL injection attack shown in the first example.

    procedure get_item (
        itm_cv IN OUT ItmCurTyp,
        usr    IN varchar2,
        itm    IN varchar2)
    is
    begin
        -- vulnerable on purpose: the caller's strings are concatenated straight into the SQL text
        open itm_cv for ' SELECT * FROM items WHERE ' ||
            'owner = ''' || usr ||
            ' AND itemname = ''' || itm || '''';
    end get_item;

    Stored procedures typically help prevent SQL injection attacks by limiting the types of statements that can be passed to their parameters. However, there are many ways around the limitations and many interesting statements that can still be passed to stored procedures. Again, stored procedures can prevent some exploits, but they will not make your application secure against SQL injection attacks. ”

    -Quoted from OWASP @ http://www.owasp.org/index.php/SQL_Injection

  31. jj

    Jan 28th, 2010

    *** Anyone that has been around the world of web programming long enough to be respectable in the business knows you have to use stored procedures to isolate the database. Better yet use a middle tier and the middle tier uses stored procedure calls further isolating the db. ***

    Ugh, no actually you most certainly don’t. And I’ve been doing web apps since 1995. No reason to do that whatsoever. Just properly escape user-entered text.
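As an added illustration of the exchange in comments #29, #30 and #31 above (this is not code from the page, from BanLink, or from OWASP): the string concatenation of the PL/SQL get_item snippet ported to Python over an in-memory sqlite3 table with constructed rows, next to a quote-escaping version and a parameterised version. It also shows the numeric-context case where escaping quotes alone does nothing, which is the limitation #29 describes.

```python
import sqlite3

# Constructed sample rows: a tiny stand-in for a shared ban-list table.
ROWS = [
    (1, "alice", "parcel_a", "spamming"),
    (2, "bob", "parcel_b", "harassment"),
    (3, "carol", "parcel_c", "unauthorized return of content"),
]


def make_db():
    """Build the in-memory table the lookup functions below query."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE bans (id INTEGER, avatar TEXT, owner TEXT, reason TEXT)")
    con.executemany("INSERT INTO bans VALUES (?, ?, ?, ?)", ROWS)
    return con


def lookup_concat(con, owner, avatar):
    """Vulnerable: same pattern as get_item, caller input pasted into the SQL text."""
    sql = ("SELECT avatar, owner, reason FROM bans WHERE owner = '" + owner
           + "' AND avatar = '" + avatar + "'")
    return con.execute(sql).fetchall()


def escape_quotes(s):
    """Doubles single quotes, the 'just escape it' approach from comment #31."""
    return s.replace("'", "''")


def lookup_escaped(con, owner, avatar):
    """Quote escaping holds up inside a quoted string literal (see lookup_by_id_escaped)."""
    sql = ("SELECT avatar, owner, reason FROM bans WHERE owner = '" + escape_quotes(owner)
           + "' AND avatar = '" + escape_quotes(avatar) + "'")
    return con.execute(sql).fetchall()


def lookup_by_id_escaped(con, ban_id):
    """Still vulnerable: a numeric comparison has no quotes to break out of,
    so escaping quotes leaves the input free to extend the WHERE clause."""
    sql = "SELECT avatar, owner, reason FROM bans WHERE id = " + escape_quotes(str(ban_id))
    return con.execute(sql).fetchall()


def lookup_param(con, owner, avatar):
    """Hardened: bound parameters are passed as values, never parsed as SQL."""
    sql = "SELECT avatar, owner, reason FROM bans WHERE owner = ? AND avatar = ?"
    return con.execute(sql, (owner, avatar)).fetchall()


def lookup_by_id_param(con, ban_id):
    """Hardened numeric lookup: a non-numeric value simply matches nothing."""
    sql = "SELECT avatar, owner, reason FROM bans WHERE id = ?"
    return con.execute(sql, (ban_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"          # constructed test input
    print("concat   :", lookup_concat(db, "parcel_a", crafted))       # every row leaks
    print("escaped  :", lookup_escaped(db, "parcel_a", crafted))      # nothing
    print("id+escape:", lookup_by_id_escaped(db, "1 OR 1=1"))          # every row leaks
    print("param    :", lookup_param(db, "parcel_a", crafted))        # nothing
    print("id+param :", lookup_by_id_param(db, "1 OR 1=1"))            # nothing
```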
