While we have been developing Unity 3.4, we have ported the Unity runtime to the x86_64 architecture on Windows. You may have noticed that the Unity 3.4 editor allows "Windows 64-bit" as a new build option in the Standalone build. We have also ported the Unity Web Player to Windows 64-bit. This allows you to play Unity content in Microsoft Internet Explorer 64-bit or in 64-bit builds of Mozilla Firefox. Any Unity web content built with Unity 3.x should play in the 64-bit plugin. Content built with Unity 2.x will not work, as the 2.x runtime has not been ported to x86_64!

Since 64-bit browsers are not yet very widespread on Windows, the 64-bit web plugin has received limited testing coverage during our 3.4 beta. For that reason, we have decided to make this plugin available on an experimental basis for anyone who wishes to test or run Unity content in a 64-bit Windows browser. It is not yet available on our main Web Player download page, and the default JavaScript we supply for embedding Unity content will not link to it, so you have to download the installer manually. If 64-bit browsers become more common on Windows in the future, we will change this and release it as a fully supported product.

4 2012: The unsupported 64-bit Windows web player is not currently in a working state in Unity 4.0.

Update 05 June, 2015: added some details and an online vulnerability test.
Update 09 June, 2015: There is a new version of the Unity Web Player fixing the issue.

Unity is a game development platform. One of its target platforms is Unity Web Player, a web browser plugin for Windows and OS X.

The Unity Web Player plugin has a vulnerability which allows a malicious Unity application to bypass the normal cross-domain policies and access any website with the credentials of the current user. For example, the application could download the target user's private messages from Gmail or Facebook and quietly pass them to the attacker. When running on Internet Explorer, it is also possible to read local files from the target user's hard disk. The attack can be carried out when the target user views a web page containing the attacker-crafted Unity app. Depending on the web browser and its version, the plugin may or may not start directly without confirmation.

Unity Web Player is a fairly popular plugin. In 2013 the company estimated the number of installs as over 200 million. Facebook "endorses" the plugin and has an API for embedding Facebook features in games:

"One of the initial barriers to entry when using Unity is the installation of the browser Unity Web Player plug-in. We've constructed a Facebook branded Unity Web Player installation flow, showing potential players that Unity Web Player is endorsed by Facebook, a brand they know and trust."

As an NPAPI plugin, Unity Web Player has been available for all major browsers. However, on Chrome NPAPI plugins have been disabled by default since version 42 (April 2015).

The Unity Web Player plugin implements the normal cross-domain policies: an application running on a website can only access resources (URLs) on the same website, not other websites nor the local file system. These policies can be extended with crossdomain.xml files. A specially formatted URL in an HTTP redirection can be used to bypass these restrictions. A malicious app loaded from the attacker's site could access a URL on that site which returns an HTTP redirect status code (301, 302 or 307) and a Location: header pointing at a different domain, with both the requested URL and the Location URL carrying the same user:password part. The redirect should be denied, as it points to a different domain. However, Unity Web Player allows it because it erroneously bases its evaluation on the user:password part of the URL, which is identical in both URLs ("x:y"), rather than on the host. If the app is loaded from a URL containing the user:password part, the dotless decimal trick is not required.

The screencap below shows Firefox's Network Monitor when running our demo exploit. After the application is loaded and the plugin has checked for updates, it accesses a URL on the "attacker site" and gets a 301 redirection to the target site. The browser loads the target user's email list (about 12 kB) and posts it back to the attacker.
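The redirect check described in the advisory above, as an added example that is not code from the advisory, from Unity, or from the Unity Web Player. It models the bug class in a deliberately naive host parser (the plugin's real parsing is not shown on the page, so this is an illustration only), puts the hardened origin comparison beside it, and walks a constructed redirect chain that mirrors the demo: an app loaded with a user:password part asks for a URL on its own site, which answers 301 with a Location: pointing at another host carrying the same "x:y@". The host names, the crossdomain.xml-style allow-set and the function names are assumptions made for the example.

```javascript
// Added example, not code from the advisory or from Unity. Models the
// redirect check a plugin must make when an app loaded from one site
// requests a URL that answers with 301/302/307 and a Location header.
//
// naiveHostOf() is a simplified model of the bug class the advisory
// describes, not the plugin's real parser: it expects
// "scheme://host[:port]/..." and reads the authority up to the first ':'
// as the host, so for "http://x:y@mail.example/" it returns "x". Two URLs
// that share a "x:y@" user:password part therefore compare as the same
// site whatever their real hosts are.
function naiveHostOf(urlString) {
  const afterScheme = urlString.slice(urlString.indexOf("://") + 3);
  const authority = afterScheme.split("/")[0];   // "x:y@mail.example" or "host:8080"
  return authority.split(":")[0].toLowerCase();  // intended to strip a port
}

// Hardened form: take the origin (scheme + host + port) from a WHATWG URL
// parser. The userinfo is not part of the origin, so "x:y@" cannot
// influence the comparison.
function originOf(urlString) {
  return new URL(urlString).origin;               // e.g. "http://mail.example"
}

const buggyCompare  = (a, b) => naiveHostOf(a) === naiveHostOf(b);
const strictCompare = (a, b) => originOf(a) === originOf(b);

// Walk a redirect chain and decide whether every hop is allowed.
//   appUrl      where the Unity app was loaded from
//   hops        [requestUrl, location1, location2, ...]: the URL the app
//               asked for, followed by each Location header in turn
//   policyHosts hosts granted by a crossdomain.xml-style policy (modelled
//               here as a plain Set of host names; the file itself is not parsed)
//   compare     same-site predicate (buggyCompare or strictCompare)
// Each hop is re-checked: a chain that starts on the app's own site is
// exactly how the bypass smuggles in a foreign target.
function mayFollowChain(appUrl, hops, policyHosts, compare) {
  for (const hop of hops) {
    if (compare(appUrl, hop)) continue;
    if (policyHosts.has(new URL(hop).hostname)) continue;
    return false;   // first cross-site hop outside the policy denies the whole chain
  }
  return true;
}

// Constructed scenario mirroring the advisory's demo; host names are
// placeholders, not the sites used in the real exploit.
const APP_URL  = "http://x:y@attacker.example/exploit.unity3d";
const REDIRECT = "http://x:y@attacker.example/redir";   // answers 301
const TARGET   = "http://x:y@mail.example/inbox";        // Location: header
const POLICY   = new Set(["cdn.example"]);               // granted by crossdomain.xml

function runDemo() {
  return {
    // The bug: every URL parses to host "x", so the foreign target is followed.
    buggyFollows:  mayFollowChain(APP_URL, [REDIRECT, TARGET], POLICY, buggyCompare),
    // The fix: origins differ at the Location hop, so the chain is refused.
    strictFollows: mayFollowChain(APP_URL, [REDIRECT, TARGET], POLICY, strictCompare),
    // Legitimate cases still work: a same-origin redirect, or a host the policy grants.
    sameSite:   mayFollowChain(APP_URL, [REDIRECT, "http://attacker.example/data.bin"], POLICY, strictCompare),
    policyHost: mayFollowChain(APP_URL, [REDIRECT, "http://cdn.example/data.bin"], POLICY, strictCompare),
  };
}

console.log(runDemo());
```

Run with node; runDemo() returns buggyFollows true and strictFollows false, while the same-origin and policy-granted chains stay allowed under the strict check. The scenario loads the app from a URL that itself carries the x:y@ part, matching the advisory's note that in that case no further trick is needed; the "dotless decimal trick" the advisory mentions for the other case is not described on the page and is not modelled here.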