Malicious maxscript

ivanisavich · 2018-04-14 19:26:15 UTC

Imagine a scenario where someone sends you a .max file and asks you to take a look at it. You load the file, but unbeknownst to you, a script controller has been placed on one of the objects in the file and inside the script controller is a maxscript command to delete some sensitive files from your computer.

In this hypothetical scenario, is there a way to open the .max file without the script executing its malicious code?

Now imagine a malicious payload like this being included in a popular Turbosquid asset or something…that seems like a pretty big security flaw, no?

denisT · 2018-04-14 21:22:53 UTC

there are another ways - CA, persistent script, etc.

ivanisavich · 2018-04-14 21:24:50 UTC

I’m not saying a script controller is the only way, I’m just using it as an example.

My question is more general: is there any way to prevent malicious maxscript?

DaveWortley · 2018-04-14 23:39:40 UTC

UAC is probably the best way to stop maxscript from being able to delete anything important.

Serejah · 2018-04-15 00:25:54 UTC

There’s already an ‘anti-virus’
http://3dground.net/article/attention-alc-and-crp-viruses-in-3ds-max-

Is it possible to prevent any maxscript execution at all? I mean disable it completely.
Max prefs have some settings regarding startup scripts and persistent globals but it can’t help with CA so it seems pointless.

The only way to be safe I see is to open a scene in a VirtualBox with no internet connection. Wonder how renderfarms cope with this sort of thing.

Gravey · 2018-04-15 20:21:40 UTC

you would probably have to use something like Sandboxie when opening a file from an unknown or untrusted source.

Archangel35757 · 2018-05-05 12:03:14 UTC

What if you created a utility tool like the MAX File Reader and had it read and spit out all CA defs, Script controller, expression controller contents? Of course then you have to manually comb thru that… but at least it would be human readable? And it wouldn’t actually be loading the file, right?

benmack180 · 2018-09-27 15:34:17 UTC

Would love to know if there is some way to prevent this, as it’s very important but often overlooked.
I think most of 3ds Max users doesn’t even know that Max file can contains malicious script !

miauu · 2018-09-27 23:03:21 UTC

What about never to open max files from untrusted users, but to ask them to send files as .obj. I don’t know if FBX files can contain CA, scripted controllers and all other stuff that can be used to deliver malicious payload.

I think that virtual machine(I use VMWare player) is the best options, evenbetter than sandboxie.

benmack180 · 2018-09-28 09:58:57 UTC

I’m wondering how cloud render farm services solve this.

If we seperate 1 Physical Machine to 4 VM, so we have to buy software license for each VM right?
I’m imagining software license costs gonna be a bigger problem…

miauu · 2018-09-28 18:41:04 UTC

You will use the VM just to check the max file. If it is safe then open in real PC and use it.