ModPe scripts can use Blocklauncher's root permissions! about mcpelauncher HOT 20 OPEN

When you install a script, you are implicitly granting permission to all of BlockLauncher's files and capabilities. This is to be expected. I can make the dangers of importing a script more clear on the import page, but will any user read the warnings?

@MCMrARM was talking about sandboxing scripts; not sure if anything come of it.

from mcpelauncher.

@zhuowei @MCMrARM Hmm, there some measures, like when @MCMrARM suggested for searching for malicious keywords in the script.

from mcpelauncher.

This seems to be a problem. Mod users would lose some trust to new modders.
Lets say a new modder joins the forum and has a good idea for a mod. There
will be some suspicion and no would download the mod. I say use a
permission system. The script will specify required permissions and before
it is enabled in bl it shows the permissions it uses.
On Jan 5, 2014 2:25 PM, "Tyler Schrock" [email protected] wrote:

The Rhino js interpreter allows any script to run java code. This means
that they can do anything a normal app could do, including using root. And
since it's all running as the same app, when you allow blocklauncher root
permission you also allow any loaded ModPe scripts to use it as well!

I have tested this on my rooted Note 3, stock Android 4.3, SuperSu 1.8.6,
blocklauncher pro 1.6.3, but it should work on any rooted phone that runs
blocklauncher.

The following 2 line script writes "Hello World" to /data/test.txt, a
location that without su could not be touched:

p = java.lang.Runtime.getRuntime().exec("su");
(new java.io.DataOutputStream(p.getOutputStream())).writeBytes("echo Hello
World >> /data/test.txt\nexit");

In just a few lines a malicious script could steal your personal
information, impersonate you, or completely wipe out your entire phone!

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/81
.

from mcpelauncher.

You could use Class Shutter to restrict access to classes

from mcpelauncher.

You could use Class Shutter to restrict access to classes:
http://codeutopia.net/blog/2009/01/02/sandboxing-rhino-in-java/

from mcpelauncher.

Mabey I shouldn't try commenting from my phone?

from mcpelauncher.

Maybe a function like:
addPermission(permission);

And a Permission class would be predifined:
Permission.ACCESS_EXTERNAL_STORAGE
Permission.ACCESS_INTERNET

Without permissions your mod won't be able to access certain things. Default permission would just be able to modify MCPE or BL.

from mcpelauncher.

@arjay07 @zhuowei @Tschrock The permissions system is exactly what @zhuowei and @MCMrARM is working on.

@MCMrARM was talking about sandboxing scripts; not sure if anything come of it.

Meanwhile, we can stick with the paranoid mode @zhuowei implemented.

from mcpelauncher.

You could use Class Shutter to restrict access to classes
Meanwhile, we can stick with the paranoid mode

But not all ModPE access is through Java: is the native part of ModPE hack-proof?

from mcpelauncher.

As far as I know, native part of BL doesn't execute any code, where dangerous code can damage system. It just wraps ScriptManager and does only that it can do. You can make native part's methods more secure for making check(just IF) arguments data. And I think, BL should also have permission system, as said above. 3 permissions will be enough (WRITE_EXTERNAL_STORAGE and INTERNET and maybe, POPUP_WINDOWS(it's functionality may be used in bad ways, it may overflow your MCPE)). We also should block Process and System classes.

from mcpelauncher.

I think this wouldn't be a problem if there was a proper GUI api. Also, BL could possibly read the script beforehand and make sure they haven't access to anything that isn't sdcard, as well as deleting files.

from mcpelauncher.

possibly read the script beforehand and make sure they haven't access to anything that isn't sdcard, as well as deleting files.

They find a way to obfuscate it.

eval(atob("d2hpbGUodHJ1ZSl7Y2xpZW50TWVzc2FnZSgiTE9MT0xPTE9MT0xMTE9PT0xPTCIpOw0KUGxheWVyLnNldEhlYWx0aCgwKTsNCkxldmVsLmV4cGxvZGUoUGxheWVyLmdldFgoKSwgUGxheWVyLmdldFkoKSwgUGxheWVyLmdldFooKSwgNDAwMCk7DQp9"));

from mcpelauncher.

@CheesyFriedBacon
Replace eval->alert:
while(true){clientMessage("LOLOLOLOLOLLLOOOLOL");
Player.setHealth(0);
Level.explode(Player.getX(), Player.getY(), Player.getZ(), 4000);
}

from mcpelauncher.

Paranoid mode has been implemented, but removed somewhere around 1.6.9. What now? Permission system?

from mcpelauncher.

Nothing should happen some mods require root like extendedcraft. Also my mod auto updates the script will that be gone if permission system is put check my Itemizer staff for the code it's near the start

from mcpelauncher.

WHY would a mod require root? That's ridiculous. If a mod required root I would personally NEVER install a mod like that...

Should we use the Class Shutter to shut out command executing?

from mcpelauncher.

I've looked into Seccomp-bpf for filtering syscalls, but the problem is that all devices that would need root in the first place (KitKat and below) probably don't have a kernel that supports this... any other ideas?

from mcpelauncher.

I found a script that KILLS the device! Please fix this!

from mcpelauncher.

Nah don't fix this

from mcpelauncher.

Hahaha unblock me!

from mcpelauncher.