Last week, I decided to see how far I could push Python nodes in Dynamo in terms of files external of Revit and I believe I have discovered a vulnerability in which an attacker can use a Python node within a Dynamo graph to gain access to your desktop. There have been some similar discussions on the Dynamo forums earlier this year, however the discussion revolved around the possibility of malicious custom packages: https://forum.dynamobim.com/t/custom-packages-virus-and-malicous-code-risk/8764
The frightening part about the vulnerability that I’ve uncovered is you do not need to download a custom package to your hard drive to be exposed to this hack.
If you would like to see an example of how this works, download this graph and open it in Dynamo. It is a simple graph with a Python Node. You do not need to be knowledgeable in Python to understand this example.Dynamal (11 downloads)
How it works
If you opened the Dynamo graph, you will notice that it was set to automatically run. This means the graph has already executed all it needs to add the malware to your hard drive. With around 30 lines of code, this graph created a folder on your C-drive disguised as a system folder, downloaded a file from the internet without your permission, and saved this file to your hard drive.
For the sake of this example, I’ve added a dialog window that pops up once the script has been run. An attacker would not have the courtesy to give you this notification as their intention is to save malware to your PC without you knowing.
What’s the harm in downloading a file without permission?
Most harmful files need to be executed in order for an attack to be successful and Windows will most likely prompt you before running any executable. However, are you paying attention when you run software updates?
A prime example of malware disguised as a software updater is the well-documented Placeholder Trojan. This simple script can give an attacker access to every keystroke you press as well as the ability to send screenshots of your PC to a remote server. This Trojan can be easily disguised as a Java updater as described in “Placeholder Trojan: Writing a Malware Software” by Garrett Bourg, Matt Bullock, and Robert Miller (A paper written under the guidance of Prof. Raj Jain).
Creating folders and downloading files is only one example of the vulnerability tha Python exposes. Python essentially exposes your files and folders and has the ability to delete, upload, and execute files without your consent.
Let this serve as warning to all of my fellow Dynamo users out there. Be cautious of opening Dynamo graphs from sources that you do not trust. Malicious code can be hidden deep within complex graphs and custom packages.