Malicious Blender model files deliver StealC infostealing malware

Shouldn’t be news to most people, that the auto-execute scripts option is a convenient, yet unsafe thing to activate.

That’s all the advice on that topic, usually. But - what if you don’t check that option? Download your model, and then manually activate the script execution? Exactly, nothing is different. Except if you are skilled enough at Python and check through all the Python code. For an object that you most likely bought to save time.

Tricky problem. Feels like Blender should do “something” about that.

By default, Blender is set to not auto-execute scripts on loading files. Open a file with a script that is set to auto-execute and Blender will prompt you for permission to execute the script. It’s up to the user then as to what happens next.

What would you like them to do?

Educate users on topics like internet safety? Don’t open files from unknown sources. Don’t install unknown software. etc, etc…

If you download a model and it wants to execute a script, don’t allow it.

Just my thoughts,
Randy

5 Likes
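
Added example, not part of any post in this thread and not Blender's own code: a pre-open triage check that walks the block table of an uncompressed legacy-format .blend (12-byte `BLENDER` header) and reports whether the file carries embedded text datablocks (block code `TX`). The sample bytes are constructed and the function names are hypothetical; a file with no `TX` blocks can still hold Python in driver expressions, so a clean result is not a verdict.

```python
import struct
import sys

COMPRESSED_MAGIC = (b"\x1f\x8b", b"\x28\xb5\x2f\xfd")  # gzip, zstd

def scan_blend(data: bytes) -> dict:
    """Count file blocks by code in an uncompressed legacy-format .blend."""
    if data.startswith(COMPRESSED_MAGIC):
        raise ValueError("compressed .blend: decompress before scanning")
    if (len(data) < 12 or data[:7] != b"BLENDER"
            or data[7:8] not in (b"_", b"-") or data[8:9] not in (b"v", b"V")):
        raise ValueError("not a legacy-format .blend header")
    ptr_size = 4 if data[7:8] == b"_" else 8      # '_' 32-bit, '-' 64-bit
    endian = "<" if data[8:9] == b"v" else ">"    # 'v' little, 'V' big
    # Block header: code[4], payload size, old pointer (skipped), SDNA index, count
    head = struct.Struct(f"{endian}4si{ptr_size}xii")
    counts, off = {}, 12
    while off + head.size <= len(data):
        code, size, _sdna, _count = head.unpack_from(data, off)
        if code == b"ENDB":                        # end-of-file marker block
            return counts
        if size < 0 or off + head.size + size > len(data):
            raise ValueError(f"corrupt or truncated block at offset {off}")
        name = code.rstrip(b"\0").decode("ascii", "replace")
        counts[name] = counts.get(name, 0) + 1
        off += head.size + size
    raise ValueError("no ENDB block: file is truncated")

def has_embedded_text(data: bytes) -> bool:
    """True if the file carries at least one text datablock (code 'TX')."""
    return scan_blend(data).get("TX", 0) > 0

def make_block(code: bytes, payload: bytes = b"") -> bytes:
    # Helper for the constructed sample only (64-bit, little-endian layout).
    return struct.pack("<4si8xii", code, len(payload), 0, 1) + payload

# Constructed sample, not a real model: one text datablock, its data, one object.
SAMPLE = (b"BLENDER-v293" + make_block(b"TX\0\0", b"\0" * 16)
          + make_block(b"DATA", b"import os\n\0\0")
          + make_block(b"OB\0\0", b"\0" * 8) + make_block(b"ENDB"))

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("embedded text datablocks:", scan_blend(blob).get("TX", 0))
```

Files written with compression, or with a header layout other than the 12-byte one, are rejected with an error rather than reported as clean.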

Wait until you find out what JPEGs and PDFs can do, or TXT files, or ZIP files. Every file type is a proven attack vector. At least with Blender, you can choose not to run scripts.

Seriously, though, if you download a file from the Internet and it asks to run scripts, it’s almost certainly safe to assume you shouldn’t let it. This is like computer safety 101.

I have ransomware protection enabled on my computer, so any time a program tries to modify any file anywhere on the computer without my permission, it gets blocked at the OS level until I review it and choose whether to allow access. I would recommend doing the same.

10 Likes

You can instead append the parts of the file you want without appending the scripts, no?

3 Likes

Also… there is almost no website not using ECMAScript (JavaScript… called for reasons 😜)

So there might be an even bigger “security problem” in anybody’s daily use. 😉

I feel like any fool could see how the result is the same whether you automatically or manually execute a script. If you execute the script…well, it executes.

Moral of the story, though: Use your own files, or know who you’re getting your files from. Downloading random stuff from a vast public market just sounds like a bad idea.

3 Likes

Sites like CGTrader are not really “unknown”, the best thing to do in this case would be to inform CGTrader of the offense.

I think that executing Python scripts from any external source could be potentially risky.

1 Like

Yes, you are correct, CGTrader is a well-known source for 3D models. I thought of this after I made my post and yes, CGTrader should be informed of the issue. I would think they might be interested in looking into this issue. After all, if it becomes widely known that their product is infected with malware, it would probably wreck their business.

This issue has probably spread to (or will shortly spread to) any site hosting 3D models.

Thanks @riidom for bringing this to our attention!

Randy

2 Likes

this feature in Blender is implemented very lazily and as a result is not very usable. the proposal above asks for some improvements at least. vote please.

auto-run is useful, but by only allowing a directory blacklist we expose users to accidental security incidents.

for example, i only want to execute scripts from my own files. individual files even, not directories.

3 Likes

To be fair on CGTrader it does say in the article:

“malicious Blender files uploaded to 3D model marketplaces like CGTrader.”

So it is a potential hazard for any site that hosts Blend files including Turbosquid, BlenderMarket and others. (also files uploaded here in Blender Artists).

Rule of thumb, be very careful when allowing autorun of Python Scripts.

1 Like

We have a lot of reports of “users” who downloaded iffy free versions of paid plugins on Google as well. Be careful out there, only trust direct sources from trusted creators and websites for Blender plugins as well.

1 Like

seeing as this problem installs MS Windows binaries …
i have been running Linux OS’s for 20+ years now
and currently (finally on SUSE) set up the NSA’s (yes our NSA) SELinux kernel software

Linux is just as vulnerable to malicious intrusion as any other OS. Just because this specific exploit wouldn’t harm you doesn’t mean there aren’t other exploits you could put in a Blender file, or JPG, that would ruin your computer. An OS doesn’t protect you from exploits - you protect yourself.

6 Likes