search

unitystation / unitystation

The original unitystation
https://unitystation.org
GNU Affero General Public License v3.0
711 stars 636 forks source link

malicious unity events/Visual scripting systems #7160

Open Bod9001 opened 3 years ago

Bod9001 commented 3 years ago

https://blog.includesecurity.com/2021/06/hacking-unity-games-malicious-unity-game-objects/

from what I've researched unity is not going to do anything about this at all... Since Unity doesn't seem to be fixing this in anyway,

the suggested solution inside of the post, seems like a good compromise tho however it will break UI components since they use Unity events, could be expanded to check the events and see if there bad or good

the same for the Visual scripting language, checking for bad components in the future we might want to implement a visual scripting language with the Unity addressables for basic client Modding

This function for cleaning up the spawned addressable content would be part of the clean Dlls

the real problem is these can be included in built clients, is built in prefabs, continues in #7158

Bod9001 commented 3 years ago 
private static void SanitizePrefab(GameObject prefab)
{
    System.Type[] badComponents = new System.Type[] {
        typeof(UnityEngine.EventSystems.EventTrigger),
        typeof(Bolt.FlowMachine),
        typeof(Bolt.StateMachine),
        typeof(UnityEngine.EventSystems.UIBehaviour)
    };
    foreach (var componentType in badComponents) {
        foreach (var component in prefab.GetComponentsInChildren(componentType, true)) {
            DestroyImmediate(component, true);
        }
    }
}
public static Object SafeInstantiate(GameObject prefab)
{
    SanitizePrefab(prefab);
    return Instantiate(prefab);
}
public void Load()
{
    AssetBundle ab = AssetBundle.LoadFromFile(Path.Combine(Application.streamingAssetsPath, "evilassets"));
    GameObject evilGO = ab.LoadAsset<GameObject>("EvilGameObject");
    GameObject evilBolt = ab.LoadAsset<GameObject>("EvilBoltObject");
    GameObject evilUI = ab.LoadAsset<GameObject>("EvilUI");
    SafeInstantiate(evilGO);
    SafeInstantiate(evilBolt);
    SafeInstantiate(evilUI);
    ab.Unload(false);
}
Bod9001 commented 3 years ago

update I did some testing and I can't seem to get the, download portion to work though it still allows the downloaded game object to run any executable on persons computer that unity has permission to run,

suggested best course of action is just patch the https://github.com/Unity-Technologies/UnityCsReference/blob/master/Runtime/Export/UnityEvent/UnityEvent.cs#L882

in it's DLL to not be dumb and not access static instances/require a game object as well making it so it has to be nonstatic is a good first step