LittleBigPlanet & Security
What is 'scripting'?
As the scripting portion of LittleBigPlanet has been cracked open, there have been many vulnerabilities discovered in relation to multiplayer.
Scripting is a feature of the engine that allows you to run arbitrary code at runtime. This is most commonly used in-game for UI; presumably developers needed to quickly iterate on the layout in the pod computer or the popit. Scripts can be attached to objects in levels (and by extension, planet decorations, as they are technically levels).
However, because the scripting language is open, meaning scripts can be shared across the server and in P2P multiplayer, scripts can be used for naughty things.
These naughty things could be as innocent as moving all your levels to the top of your earth, or things like deleting all the levels off of your moon. These attacks have already been done to people on the official servers.
More recently, it was discovered that it's possible to execute arbitrary system calls under certain conditions, meaning scripts could potentially affect things outside of LittleBigPlanet.
Can we prevent scripting?
Thankfully, uploaded scripts are blocked by most custom servers. Any server worth its salt (e.g. Beacon or Bonsai) will prevent people from uploading custom scripts unless they are manually approved beforehand.
However, this does not prevent scripts from being sent over P2P multiplayer. If someone is playing with you online, they have the capability to perform an attack with scripting.
As P2P multiplayer is uncontrolled by the server, the server can't enforce its protections on scripts like it can with scripts attached to levels and player earths.
An attacker can spawn an object in your session with a script attached. That script will not pass through the content filters imposed by the server, and will go directly to your game and be executed.
Auto-Join
So, by now you're probably thinking to yourself, 'Okay, I'll just play with friends who I trust and deny anyone else.' Unfortunately, using another exploit, it's possible for attackers to fake an in-game invite and join your session without any consent on your end.
Your IP is exposed because of P2P
The LittleBigPlanet games use a multiplayer scheme called peer-to-peer (P2P). This means each player connects directly to a host - another player.
Because each player needs to know the host's IP to play multiplayer with them, your IP is shared with anyone who connects to you on RPCN or PSN.
An attacker could use your IP to perform a DDoS attack (or "boot" you offline), or to discover your general location. In rare cases, they might also mess with services you've port forwarded, though most home networks don't have ports forwarded unless you've done so yourself.
To hide your IP and protect against these types of attacks, you can use a VPN to route all traffic through a secure server. In the case of PS3, there is no explicit mechanism for VPNs, so you'll have to figure out how to proxy connections through your computer.
Protecting Yourself
Zaprit has developed a workaround called Patchwork, which newer versions of Refresher will automatically deploy for you.
Patchwork currently works by changing the encryption key used for P2P multiplayer, effectively preventing connections from people who don't know the key.
The downside is that this still doesn't block scripts from being shared over P2P, and it makes playing with your friends less easy. By default, keys are randomized, and you'll have to share your own 'password' with friends to play with them.
Servers like Bonsai and Beacon will block connections that don't use the latest versions of these patches, effectively requiring you to use these patches before you can play.
Join our Discord and be the first to get notified when more patches are developed.