*** Attention *** Security exploit found in SETI@Home
- Thread starter Mucman
- Start date
- Dec 11, 1999
- 16,703
- 4,661
- 75
Here's the text.
Advisories/Seti@home
Information leakage and remotely exploitable buffer overflow in various seti@home clients and the main server.
Affected versions
Confirmed information leaking:
This issue affects all clients.
Confirmed remote exploitable:
setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i386-pc-linux-gnulibc1-static
setiathome-3.03.i686-pc-linux-gnulibc1-static
setiathome-3.03.i386-winnt-cmdline.exe
i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
SETI@home.exe (v3.07 Screensaver)
Confirmed DoS-able using buffer overflow:
The main seti@home server at shserver2.ssl.berkeley.edu
Presumed vulnerable to buffer overflow:
All other clients.
PATCHED VERSION
Are available
BACKGROUND INFORMATION
From "http://setiathome.berkeley.edu/" :
"SETI@home is a scientific experiment that uses Internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). You can participate by running a free program that downloads and analyzes radio telescope data. "
"The SETI@home program is a special kind of screensaver. Like other screensavers it starts up when you leave your computer unattended, and it shuts down as soon as you return to work. What it does in the interim is unique. While you are getting coffee, or having lunch or sleeping, your computer will be helping the Search for Extraterrestrial Intelligence by analyzing data specially captured by the world's largest radio telescope. "
"The client/screensaver is available for download only from this web page - we do not support SETI@home software obtained elsewhere. This software will upload and download data only from our data server here at Berkeley. The data server doesn't download any executable code to your computer. All in all, the screensaver is much safer than the browser you're running right now!"
There are currently over four million registered users of seti@home. Over half a million of these users are "active"; they have returned at least one result within the last four weeks.
THE VULNERABILITIES
The seti@home clients use the HTTP protocol to download new workunits, user information and to register new users. The implementation leaves two security vulnerabilities:
1) All information is send in plaintext across the network. This information includes the processor type and the operating system of the machine seti@home is running on.
2) There is a bufferoverflow in the server responds handler. Sending an overly large string followed by a newline ('\n') character to the client will trigger this overflow. This has been tested with various versions of the client. All versions are presumed to have this flaw in some form.
3) A similar buffer overflow seems to affect the main seti@home server at shserver2.ssl.berkeley.edu. It closes the connection after receiving a too large string of bytes followed by a '\n'.
THE TECHNIQUE
1) Sniffing the information exposed by the seti@home client is trivial and very usefull to a malicious person planning an attack on a network. A passive scan of machines on a network can be made using any packetsniffer to grab the information from the network.
2) All tested clients have similar buffer overflows, which allowed setting eip to an arbitrairy value which can lead to arbitrairy code execution. An attacker would have to reroute the connection the client tries to make to the seti@home webserver to a machine he or she controls. This can be done using various widely available spoofing tools. Seti@home also has the ability to use a HTTP-proxy, an attacker could also use the machine the PROXY runs on as a base for this attack. Routers can also be used as a base for this attack.
3) Exploitation of the bug in the server has offcourse not been tested. Do understand that successfull exploitation of the bug in the server would offer a platform from which ALL seti@home clients can be exploited.
THE EXPLOITS
Is available for linux
TIMELINE
2002/12/05 Information leakage discovered.
2002/12/14 Bufferoverflow in client discovered.
2002/12/31 Seti@home team contacted through their website
http://setiathome.berkeley.edu/help.html.
2003/01/07 Seti@home team contacted again.
2003/01/14 Bufferoverflow in server discovered.
2003/01/21 Seti@home team contacted again, this time through email.
2003/01/21 Seti@home team confirmed the problem.
2003/01/25 Seti@home team promissed fixed version are being build.
2003/02/03 Seti@home team informed me about problems with the fixes for the win32 version.
2003/04/06 New Seti@home clients available, advisory released.
THANKS
Special thanks go out to:
- Aleph1 for "Smashing the Stack for Fun and Profit".
- Niels Heinen for his work on exploiting seti@home on FreeBSD.
- Blazde and the other 0dd folks for help with the win32 shellcode.
Advisories/Seti@home
Information leakage and remotely exploitable buffer overflow in various seti@home clients and the main server.
Affected versions
Confirmed information leaking:
This issue affects all clients.
Confirmed remote exploitable:
setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i386-pc-linux-gnulibc1-static
setiathome-3.03.i686-pc-linux-gnulibc1-static
setiathome-3.03.i386-winnt-cmdline.exe
i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
SETI@home.exe (v3.07 Screensaver)
Confirmed DoS-able using buffer overflow:
The main seti@home server at shserver2.ssl.berkeley.edu
Presumed vulnerable to buffer overflow:
All other clients.
PATCHED VERSION
Are available
BACKGROUND INFORMATION
From "http://setiathome.berkeley.edu/" :
"SETI@home is a scientific experiment that uses Internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). You can participate by running a free program that downloads and analyzes radio telescope data. "
"The SETI@home program is a special kind of screensaver. Like other screensavers it starts up when you leave your computer unattended, and it shuts down as soon as you return to work. What it does in the interim is unique. While you are getting coffee, or having lunch or sleeping, your computer will be helping the Search for Extraterrestrial Intelligence by analyzing data specially captured by the world's largest radio telescope. "
"The client/screensaver is available for download only from this web page - we do not support SETI@home software obtained elsewhere. This software will upload and download data only from our data server here at Berkeley. The data server doesn't download any executable code to your computer. All in all, the screensaver is much safer than the browser you're running right now!"
There are currently over four million registered users of seti@home. Over half a million of these users are "active"; they have returned at least one result within the last four weeks.
THE VULNERABILITIES
The seti@home clients use the HTTP protocol to download new workunits, user information and to register new users. The implementation leaves two security vulnerabilities:
1) All information is send in plaintext across the network. This information includes the processor type and the operating system of the machine seti@home is running on.
2) There is a bufferoverflow in the server responds handler. Sending an overly large string followed by a newline ('\n') character to the client will trigger this overflow. This has been tested with various versions of the client. All versions are presumed to have this flaw in some form.
3) A similar buffer overflow seems to affect the main seti@home server at shserver2.ssl.berkeley.edu. It closes the connection after receiving a too large string of bytes followed by a '\n'.
THE TECHNIQUE
1) Sniffing the information exposed by the seti@home client is trivial and very usefull to a malicious person planning an attack on a network. A passive scan of machines on a network can be made using any packetsniffer to grab the information from the network.
2) All tested clients have similar buffer overflows, which allowed setting eip to an arbitrairy value which can lead to arbitrairy code execution. An attacker would have to reroute the connection the client tries to make to the seti@home webserver to a machine he or she controls. This can be done using various widely available spoofing tools. Seti@home also has the ability to use a HTTP-proxy, an attacker could also use the machine the PROXY runs on as a base for this attack. Routers can also be used as a base for this attack.
3) Exploitation of the bug in the server has offcourse not been tested. Do understand that successfull exploitation of the bug in the server would offer a platform from which ALL seti@home clients can be exploited.
THE EXPLOITS
Is available for linux
TIMELINE
2002/12/05 Information leakage discovered.
2002/12/14 Bufferoverflow in client discovered.
2002/12/31 Seti@home team contacted through their website
http://setiathome.berkeley.edu/help.html.
2003/01/07 Seti@home team contacted again.
2003/01/14 Bufferoverflow in server discovered.
2003/01/21 Seti@home team contacted again, this time through email.
2003/01/21 Seti@home team confirmed the problem.
2003/01/25 Seti@home team promissed fixed version are being build.
2003/02/03 Seti@home team informed me about problems with the fixes for the win32 version.
2003/04/06 New Seti@home clients available, advisory released.
THANKS
Special thanks go out to:
- Aleph1 for "Smashing the Stack for Fun and Profit".
- Niels Heinen for his work on exploiting seti@home on FreeBSD.
- Blazde and the other 0dd folks for help with the win32 shellcode.
Repost - TheNorse reported here already.
Also anyone signed up for S@H's email newsletters heard about this already.
This is not a big thing - besides any modern webserver is set to close connection on long string buffer overflow attempts, that is extremely old news (years old) - the response to the BO attack by the seti servers is as expected.
Different web servers respond to this kind of attack in various ways, but this kind of attack is well known and most servers are very well prepared for it.
The client side is potentially a problem mainly if your personal security is lax and you are enough of a target to get some diaper wearing hackjob's attention.
Just my personal opinion
Also anyone signed up for S@H's email newsletters heard about this already.
This is not a big thing - besides any modern webserver is set to close connection on long string buffer overflow attempts, that is extremely old news (years old) - the response to the BO attack by the seti servers is as expected.
Different web servers respond to this kind of attack in various ways, but this kind of attack is well known and most servers are very well prepared for it.
The client side is potentially a problem mainly if your personal security is lax and you are enough of a target to get some diaper wearing hackjob's attention.
Just my personal opinion
Thanks Rick (Wiz) . . .
funny how most people have trouble *Reading* Posts
btw - when i first Posted - there was (no) upgrade for CLI -
guess they just put that up eh?
see Smoke's response on my Post for INFO RE
Smoke's Post Note . . .
<edit>
norse
funny how most people have trouble *Reading* Posts
btw - when i first Posted - there was (no) upgrade for CLI -
guess they just put that up eh?
see Smoke's
response on my Post for INFO RESmoke's Post Note . . .
<edit>
norse
Assimilator1
Elite Member
- Nov 4, 1999
- 24,165
- 524
- 126
There's 2 cli-versions awailable for download...
setiathome-3.08.sparc-sun-solaris2.6.tar
setiathome-3.08.i686-pc-linux-gnu.tar
I'm not running any of these os...
edit to fix links...
setiathome-3.08.sparc-sun-solaris2.6.tar
setiathome-3.08.i686-pc-linux-gnu.tar
I'm not running any of these os...
edit to fix links...
Ok, so I'm not really understanding what is going on, but is this exploit to explain why i see the following msg in my SetiQueue?
>Message from Seti WARNING: Platform i386-winnt-cmdline not found; continuing in test mode.
>Message time Sun 2003 Apr 06 7:11:00am (12 hr 33 min ago)
And if I read this thread correctly, there is nothing I can or should be doing about this right now, and it won't affect my SetiQueue?
>Message from Seti WARNING: Platform i386-winnt-cmdline not found; continuing in test mode.
>Message time Sun 2003 Apr 06 7:11:00am (12 hr 33 min ago)
And if I read this thread correctly, there is nothing I can or should be doing about this right now, and it won't affect my SetiQueue?
Yes, Smokeball mentioned that too in the other thread.
Nothing to do if you are running Cli on Windows - update not available yet.
Don't get freaked out about this, it's highly unlikely anyone will see any hacking of their systems from this. Seti says there have been none as of yet.
Nothing to do if you are running Cli on Windows - update not available yet.
Don't get freaked out about this, it's highly unlikely anyone will see any hacking of their systems from this. Seti says there have been none as of yet.
Okay so from what I understand the exploit is old and not anything to worry about. Is there going to be a new Windows CL client released and if so is it going to be manditory? If so that will present a problem for me as well. I've probably got nearly 50 CL clients at the moment.
Robor, they are putting out a few new Cli but not Win yet - maybe taking a little time for testing one would hope?
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes + WCL Discussion Threads
- Started by Tigerick
- Replies: 23K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 23K
-
-
Facebook
Twitter