Are LXF files insecure? Is LDD dangerous?
#1
Posted 03 January 2013 - 07:44 AM
Libpng 1.2.8 suffers from various issues like CVE-2006-3334, CVE-2006-5793, CVE-2007-2445, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269, CVE-2008-1382, CVE-2009-0040, CVE-2010-1205, CVE-2011-2690, CVE-2011-2692, CVE-2011-3026, CVE-2011-3048, CVE-2012-3386. These issues were fixed bit by bit between 2006 and 2012 (http://www.libpng.or...png/libpng.html).
For zlib 1.2.2 its website (http://www.zlib.net/) says: "Version 1.2.3 (July 2005) eliminates potential security vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of those versions should upgrade immediately."
I'm unfortunately no expert in evaluating the practical severity of such holes and I lack any criminal intent, but as LXF files are simply renamed ZIP files containing a PNG thumbnail of the model, I wonder how easily a malicious LXF file might be crafted to exploit one or more of these holes. Especially when http://www.kb.cert.org/vuls/id/680620 states "This vulnerability only affects zlib versions 1.2.1 and 1.2.2. [...] A remote attacker be able to exploit this vulnerability by supplying the inflate() routine with specially crafted compressed data. [...] According to public reports, this vulnerability can be exploited to execute arbitrary code [...]" I get slightly nervous.
Do I have to omit any LXF file from an untrusted online source like Eurobricks or Brickshelf for security reasons? How serious are those threats? Is this an attractive attack vector for malware currently used? Is there any official statement from TLG about this issue that Google doesn't find? Or do I panic with no cause?
I would, however, feel more secure if the next update of LDD incorporates the latest releases of the respective third party libraries used.
When I'm no longer addicted to Lego I maybe get some time to get a real signature. But when I'm no longer addicted to Lego I do not need a signature here as well.
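As an added example, not code from the original post and not anything from TLG or LDD: a Python pre-flight check that treats an LXF file as what the post says it is, a ZIP container holding a PNG thumbnail, and validates the container and the PNG chunk structure before LDD's bundled libpng/zlib ever parse it. The member names IMAGE100.PNG and IMAGE100.LXFML, the size limits, and the constructed sample files are assumptions made for illustration.

```python
"""Pre-flight check for an LXF file before handing it to LDD.

Added example; not from the original post or from TLG/LDD. The post states that an
LXF is a ZIP containing a PNG thumbnail; the member names and limits are assumptions.
"""
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_MAX_CHUNK = 2**31 - 1       # chunk length limit from the PNG specification
MAX_DIM = 8192                  # assumed: a thumbnail larger than this is suspicious
MAX_MEMBER = 32 * 1024 * 1024   # assumed: cap on decompressed bytes per ZIP member
MAX_RATIO = 100                 # assumed: ratios above this look like a zip bomb


def check_png(data):
    """Walk the PNG chunk list; return findings (empty list = structurally sane).

    Lengths and CRCs are validated here, before any image decoder sees the bytes,
    which is the class of malformed input the libpng CVEs in the post are about.
    """
    findings = []
    if not data.startswith(PNG_SIG):
        return ["bad PNG signature"]
    pos, first = len(PNG_SIG), True
    while pos < len(data):
        if len(data) - pos < 12:                     # length + type + CRC minimum
            findings.append("truncated chunk at offset %d" % pos)
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        if length > PNG_MAX_CHUNK:
            findings.append("%s length %d exceeds PNG limit" % (name, length))
            break
        if pos + 12 + length > len(data):            # length field overruns the file
            findings.append("%s length %d runs past end of file" % (name, length))
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            findings.append("%s CRC mismatch" % name)
        if first:                                    # IHDR must come first and be 13 bytes
            first = False
            if ctype != b"IHDR" or length != 13:
                findings.append("first chunk is not a 13-byte IHDR")
            else:
                width, height = struct.unpack(">II", body[:8])
                if not (0 < width <= MAX_DIM and 0 < height <= MAX_DIM):
                    findings.append("implausible dimensions %dx%d" % (width, height))
        pos += 12 + length
        if ctype == b"IEND":
            if pos != len(data):
                findings.append("%d trailing bytes after IEND" % (len(data) - pos))
            return findings
    findings.append("no IEND chunk")
    return findings


def check_lxf(blob):
    """Inspect an LXF blob as a ZIP; return findings across all members."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile as exc:
        return ["not a ZIP container: %s" % exc]
    findings = []
    with zf:
        for info in zf.infolist():
            # Central-directory sizes can be forged, so they are only a hint ...
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append("%s: declared ratio %.0f:1" % (info.filename, info.file_size / info.compress_size))
            # ... and the bytes actually inflated are capped instead of trusted.
            try:
                with zf.open(info) as fh:
                    data = fh.read(MAX_MEMBER + 1)
            except zipfile.BadZipFile as exc:
                findings.append("%s: %s" % (info.filename, exc))
                continue
            if len(data) > MAX_MEMBER:
                findings.append("%s: inflates past %d bytes" % (info.filename, MAX_MEMBER))
                continue
            if info.filename.lower().endswith(".png"):
                findings.extend("%s: %s" % (info.filename, f) for f in check_png(data))
    return findings


def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_png(width, height):
    """Constructed sample: a valid 8-bit RGB PNG with every pixel red."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = (b"\x00" + b"\xff\x00\x00" * width) * height   # filter byte 0 per row
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b"")


def make_lxf(png):
    """Constructed sample LXF: a ZIP with assumed thumbnail and model member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IMAGE100.PNG", png)
        zf.writestr("IMAGE100.LXFML", b"<LXFML/>")
    return buf.getvalue()


def corrupt_ihdr_length(png):
    """Constructed malformed sample: IHDR claims a length that overruns the file."""
    return png[:8] + struct.pack(">I", 0x7FFFFFF0) + png[12:]


def corrupt_idat_body(png):
    """Constructed malformed sample: flip the first IDAT data byte so its CRC fails."""
    idat_body = 8 + 25 + 8          # signature, whole IHDR chunk, IDAT length + type
    return png[:idat_body] + bytes([png[idat_body] ^ 0xFF]) + png[idat_body + 1:]


if __name__ == "__main__":
    print("clean:     ", check_lxf(make_lxf(make_png(4, 4))) or "no findings")
    print("bad length:", check_lxf(make_lxf(corrupt_ihdr_length(make_png(4, 4)))))
    print("bad CRC:   ", check_lxf(make_lxf(corrupt_idat_body(make_png(4, 4)))))
```

A file that produces findings is not proven malicious, and a clean result is not proof of safety (a crafted IDAT stream that is internally consistent will pass this check); the point is to reject the crude malformations, oversized chunk lengths, bad CRCs and decompression bombs, before an old libpng or zlib gets to see them.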
#2
Posted 03 January 2013 - 09:44 AM
I think LDD is a "niche" software, and it is very unlikely that someone will use it for malicious purposes.
Anyway the security of software is never a problem to be reckoned with, so you could add a request in the "LDD 5, what do YOU want?" topic.
#3
Posted 03 January 2013 - 07:41 PM
Calabar, on 03 January 2013 - 09:44 AM, said:
LDD itself might be niche software, but it relies on commonly used open source libraries. An attacker having already crafted exploits for these widely spread libraries might use LXF files as an additional attack vector with no extra effort. I'll betcha there are already tons of exploits for those libraries, so it won't be difficult at all to adjust them for LXF files as well. I mean, LXF files are nothing but ZIP files with the suffix '.LXF'; fixes for those zlib holes have existed for more than seven years. Just google for 'zlib exploit' or 'libpng exploit' and you'll see that it is not too difficult to use them for malicious purposes at all. 'Arbitrary Code Execution' means that an attacker can do everything with your computer that you are allowed to do, too: send spam on your behalf, install keyloggers and backdoors sniffing your online banking accounts, place bogus eBay offers with your account, control a botnet (with your IP address appearing in log files) and so on and so on.
I do not understand why a company which is dedicated to quality like TLG uses such insecure libraries for such a long time when bugfixed versions already exist. We are not talking about a week or a month, but about more than 3/4 of a decade.
How do I escalate this to TLG directly? The support center says they are crowded with Christmas emails and have half of their staff on vacation, so I don't think this is an appropriate channel. Can anyone cut through the red tape and contact the right people informally?
#4
Posted 03 January 2013 - 07:54 PM
Anyway you are surely right, TLG should fix this problem.
I think the best way to contact TLG is customer care. If they are busy now, wait some weeks: if LDD has survived until now (for years) without this fix, it should survive some weeks more.
Maybe someone in this forum who has privileged contacts with TLG could bring the message for you too.
#5
Posted 03 January 2013 - 08:06 PM
#6
Posted 03 January 2013 - 08:22 PM
Calabar, on 03 January 2013 - 07:54 PM, said:
Yep, I would appreciate that. As a newbie I'm not yet allowed to browse the member list for TLG representatives myself or send PMs to Superkalle or whoever is in charge.
Customer care is at the moment way too busy and must first care for the customers who actually paid something: I got LDD for free, so I shut up, queue up and wait until the others have been served. I guess I'll manage to avoid suspicious LXF files for a while and hope the next LDD update comes soon. By the way, will there be a January update this year too, or was 2012 an exception?
Anyway, for my part someone with the appropriate privileges may close this thread and may merge it with the "LDD 5, what do YOU want" or the "LDD 4.3.5 bugs" topic.
#7
Posted 03 January 2013 - 11:40 PM
About the update, LDD 4.3.5 came out a few months ago, but maybe Superkalle or some other user is better informed than me.
#8
Posted 06 January 2013 - 07:16 PM
#9
Posted 15 January 2013 - 09:56 PM
It's probably time to sound the all-clear.