[Bf-committers] Blender security: any Onload functions?

Roger Wickes rogerwickes at yahoo.com
Thu May 6 21:25:14 CEST 2010


Well, since it's open source, why not just change the source and compile?

Given the amount of Security! discussion, it must be relatively simple to 
somehow force Blender to execute a script. 

Perhaps you could create a DOS shortcut such as blender -b myfile.blend -p myvirus.py
and then override scripts at startup as if you were a trusting soul. It's what we do
when we make an RPC call to the cloud to make a render...so if that script was
malicious, it should work. How malicious depends on what Python allows you to do.
At a minimum, you could write garbage out to 50 files, demonstrating that in theory you
could keep going until the disk filled up, which would be a real pain in the butt for windoze.

In 2.5, in Python, you could create a panel and a button that, when clicked, 
runs a script. Call the button "Make Awesome Movie" in a Presets panel 
or "Make Awesome MMORPG" and everyone is sure to click it.

--Roger


Check out my website at www.rogerwickes.com for a good deal on my book and 
training course, as well as information about my latest activities. Use coupon
Papasmurf for $15 off!
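The thread asks whether a .blend can carry a script that runs when the file is opened. Whatever Blender does with it, the first check a defender wants before opening an untrusted .blend is whether it carries any embedded Text datablocks at all. The block below is an added example, not code from this thread or from the Blender project. It walks the .blend file block structure as I know it (12-byte header, then blocks of a 4-byte code, int32 size, pointer-sized old address, int32 SDNA index, int32 count, followed by the block data, ending with an ENDB block) and flags blocks whose code begins with TX, the two-letter ID code Blender uses for Text datablocks; it also inflates a gzip-compressed save first. The sample file is constructed inline and is not a real Blender save. Block contents are not decoded, so the scanner shows that a script-carrying datablock exists, not what it contains or whether anything would run it.

```python
"""
Added example, not code from the thread or from Blender: a read-only scanner
that lists the file blocks of a .blend and flags embedded Text datablocks,
the datablock type in which a Python script travels inside a .blend.

Assumed .blend on-disk layout (an assumption of this example):
  header : b"BLENDER" + pointer-size byte ('-' = 8, '_' = 4)
           + endianness byte ('v' = little, 'V' = big) + 3-digit version
  block  : code[4] | size int32 | old address (pointer-sized)
           | SDNA index int32 | count int32 | `size` bytes of data
  end    : a block whose code is b"ENDB"
Text datablocks carry the two-letter ID code "TX" in the 4-byte block code.
A .blend saved with "Compress file" is a gzip stream and is inflated first.
"""
import gzip
import struct

HEADER_LEN = 12


def _inflate(data):
    """Return raw .blend bytes, gunzipping a compressed save if needed."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    return data


def parse_header(data):
    """Return (pointer_size, struct endian prefix, version string)."""
    if len(data) < HEADER_LEN or data[:7] != b"BLENDER":
        raise ValueError("not a .blend file: missing BLENDER magic")
    ptr = {b"-": 8, b"_": 4}.get(data[7:8])
    endian = {b"v": "<", b"V": ">"}.get(data[8:9])
    if ptr is None or endian is None:
        raise ValueError("unrecognised pointer-size/endianness bytes in header")
    return ptr, endian, data[9:12].decode("ascii")


def iter_blocks(data):
    """Yield (code, size, count, offset) for every file block, ENDB last."""
    ptr, endian, _ = parse_header(data)
    # int32 size, pointer-sized old address, int32 SDNA index, int32 count
    fmt = endian + "i" + ("Q" if ptr == 8 else "I") + "ii"
    hdr_len = 4 + struct.calcsize(fmt)
    off = HEADER_LEN
    while True:
        if off + hdr_len > len(data):
            raise ValueError("truncated block header at offset %d (no ENDB)" % off)
        code = data[off:off + 4]
        size, _old_addr, _sdna, count = struct.unpack_from(fmt, data, off + 4)
        if size < 0 or off + hdr_len + size > len(data):
            raise ValueError("block %r at offset %d overruns the file" % (code, off))
        yield code, size, count, off
        if code == b"ENDB":
            return
        off += hdr_len + size


def scan_blend(data):
    """Summarise a .blend: version, block-code histogram, embedded Text datablocks."""
    data = _inflate(data)
    ptr, _, version = parse_header(data)
    histogram = {}
    texts = []
    for code, size, count, off in iter_blocks(data):
        key = code.rstrip(b"\0").decode("ascii", "replace")
        histogram[key] = histogram.get(key, 0) + 1
        if code[:2] == b"TX":  # Text datablock: where an embedded script lives
            texts.append({"offset": off, "size": size})
    return {"version": version, "pointer_size": ptr,
            "blocks": histogram, "text_datablocks": texts}


def _block(code, payload, ptr=8, endian="<", sdna=0, count=1):
    fmt = endian + "i" + ("Q" if ptr == 8 else "I") + "ii"
    return code + struct.pack(fmt, len(payload), 0xDEADBEEF, sdna, count) + payload


def build_sample_blend(with_script=True, compressed=False):
    """Constructed sample using the block layout above; not a real Blender save."""
    blocks = [_block(b"REND", b"\0" * 72), _block(b"GLOB", b"\0" * 256)]
    if with_script:
        blocks.append(_block(b"TX\0\0", b"\0" * 200))   # Text datablock header
        blocks.append(_block(b"DATA", b"import os\n"))    # its (constructed) line data
    blocks += [_block(b"DNA1", b"SDNA"), _block(b"ENDB", b"")]
    raw = b"BLENDER-v252" + b"".join(blocks)
    return gzip.compress(raw) if compressed else raw


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_blend()
    report = scan_blend(data)
    print("version %s, %d-byte pointers, blocks: %s"
          % (report["version"], report["pointer_size"], report["blocks"]))
    for tx in report["text_datablocks"]:
        print("embedded Text datablock at offset %d (%d bytes)"
              % (tx["offset"], tx["size"]))
```

Run it with a path to a .blend to list its blocks, or with no argument to scan the constructed sample. A TX block is a signal for triage, not a verdict: the script's lines live in the DATA blocks that follow it and need the file's SDNA to decode, and a truncated or unterminated file is reported as an error rather than silently treated as clean.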




________________________________
From: Shaul Kedem <shaul.kedem at gmail.com>
To: bf-blender developers <bf-committers at blender.org>
Sent: Thu, May 6, 2010 3:08:04 PM
Subject: Re: [Bf-committers] Blender security: any Onload functions?

Hi Taro,

A quick tip: do not show security flaws in software which has not been
released yet, even if it is an open source project.

Regarding your question, this is not possible unless the user
explicitly permits the script to run.

Regards,
shul

On Thu, May 6, 2010 at 12:04 PM, Taro Omiya <japtar10101 at gmail.com> wrote:
> Hello everyone.  I wanted to comment that Blender 2.5.2 is easily the
> best change on the project since...ever.
>
> In any case, I'm working on a presentation for a course in computer
> security, and I chose Blender 2.5.2 as "my victim."  To demonstrate an
> attack, I wanted to create a script that would load automatically on
> file open.  Is there a function to do that?  I found the "addScriptLink"
> in the old API, and wondered if there was an equivalent to it.
>
> Note that I personally am not a malicious person.  I don't consider
> myself that great of a programmer, let alone a hacker.  I merely do this
> because it is a major part of my grade.
>
> Thanks for the help!
>
> --
> Taro Omiya
> B.S. Computer Science '10
> Rensselaer Polytechnic Institute
>
> _______________________________________________
> Bf-committers mailing list
> Bf-committers at blender.org
> http://lists.blender.org/mailman/listinfo/bf-committers
>