Dynamo Security Vulnerability

Dynamo’s Security Vulnerability

Last week, I decided to see how far I could push Python nodes in Dynamo in terms of files external of Revit and I believe I have discovered a vulnerability in which an attacker can use a Python node within a Dynamo graph to gain access to your desktop. There have been some similar discussions on the Dynamo forums earlier this year, however the discussion revolved around the possibility of malicious custom packages. The difference (and frightening part) about this vulnerability is you do not need to download a custom package to your hard drive to be exposed to this hack.

Example

If you would like to see an example of how this works, download this graph and open it in Dynamo. It is a simple graph with a Python Node. You do not need to be knowledgeable in Python to understand this example.

Dynamal (31 downloads)

How it works

If you opened the Dynamo graph, you will notice that it was set to automatically run. This means the graph has already executed all it needs to add the malware to your hard drive. With around 30 lines of code, this graph created a folder on your C-drive disguised as a system folder, downloaded a file from the internet without your permission, and saved this file to your hard drive.

For the sake of this example, I’ve added a dialog window that pops up once the script has been run. An attacker would not have the courtesy to give you this notification as their intention is to save malware to your PC without you knowing.

What’s the harm in downloading a file without permission?

Most harmful files need to be executed in order for an attack to be successful and Windows will most likely prompt you before running any executable. However, are you paying attention when you run software updates?

A prime example of malware disguised as a software updater is the well-documented Placeholder Trojan. This simple script can give an attacker access to every keystroke you press as well as the ability to send screenshots of your PC to an attacker. This Trojan can be easily disguised as a Java updater as described in “Placeholder Trojan: Writing a Malware Software” by Garrett Bourg, Matt Bullock, and Robert Miller (A paper written under the guidance of Prof. Raj Jain).

Potential

Creating folders and downloading files is only one example of the vulnerability that Python exposes. Python essentially exposes your files and folders and has the ability to delete, upload, and execute files without your approval.

Conclusion

Let this serve as warning to all of my fellow Dynamo users out there. Be cautious of opening Dynamo graphs from sources that you do not trust. Malicious code can be hidden deep within complex graphs and custom packages.

  • Amy Williams

    Thanks for taking the time to write such an in depth explanation of this. I think your points are all valid and users should exercise caution; that being said I just wanted to include this image to show as an exercise of caution users should always have the “Open In Manual Execution Mode” option checked when opening a downloaded file.

    https://uploads.disquscdn.com/images/af83a3d73713dd93cc493d922936d5e083211b586adea2a0cad59c2607cce74a.png

    • BIM Extension, LLC

      Thanks, Amy. I actually did not know that setting existed. I will add that to my post. Thanks for the great tip!