Message-ID: <002f01c2fc24$b3ee8250$0100a8c0@grotedoos>
Date: Sun, 6 Apr 2003 12:10:08 +0200
From: "Berend-Jan Wever" <SkyLined@...p.tudelft.nl>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>,
   <vulndiscuss@...nwatch.org>,
   "Windows NTBugtraq Mailing List" <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>
Subject: Seti@home information leakage and remote compromise


        Information leakage and remotely  __________________________________
  exploitable buffer overflow in various  SETI@home                   ..cc.
  seti@home clients and the main server.                       ..--''' $$$$
                                                           ,CCcc,   .-' "":
    January 15, 2003 by Berend-Jan Wever                  $$$CCCCCCb    ; :
         _______________________________                  $$$$bbCCCCCCc;  '.
        (_____ |                                          Y$$$$$$bCCCCCCc  :
 _____________)|<\/                                        Y$$$$$$$$$bCCCCc:
            Lined/                                          "$$$$$$$$$$$bCCc
     The homepage for absolutely nothing!                     "Y$$$$$$$$$$$"
                                                                 ``"**""'`
          http://spoor12.edup.tudelft.nl  http://setiathome.berkeley.edu

Confirmed information leaking:
  This issue affects all clients.

Confirmed remote exploitable:
  setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
  setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
  setiathome-3.03.i386-pc-linux-gnulibc1-static
  setiathome-3.03.i686-pc-linux-gnulibc1-static
  setiathome-3.03.i386-winnt-cmdline.exe
  i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
  SETI@...e.exe (v3.07 Screensaver)

Confirmed DoS-able using buffer overflow:
  The main seti@home server at shserver2.ssl.berkeley.edu

Presumed vulnerable to buffer overflow:
  All other clients.

BACKGROUND INFORMATION-----------------------------------------------------

From "http://setiathome.berkeley.edu/" :
  "SETI@home is a scientific experiment that uses Internet-connected
  computers in the Search for Extraterrestrial Intelligence (SETI). You
  can participate by running a free program that downloads and analyzes
  radio telescope data. "
  "The SETI@home program is a special kind of screensaver. Like other
  screensavers it starts up when you leave your computer unattended, and
  it shuts down as soon as you return to work. What it does in the interim
  is unique. While you are getting coffee, or having lunch or sleeping,
  your computer will be helping the Search for Extraterrestrial
  Intelligence by analyzing data specially captured by the world's largest
  radio telescope. "
  "The client/screensaver is available for download only from this web page
  - we do not support SETI@home software obtained elsewhere. This software
  will upload and download data only from our data server here at Berkeley.
  The data server doesn't download any executable code to your computer.
  All in all, the screensaver is much safer than the browser you're running
  right now!"

There are currently over four million registered users of seti@home. Over
half a million of these users are "active"; they have returned at least one
result within the last four weeks.

THE VULNERABILITIES--------------------------------------------------------

The seti@home clients use the HTTP protocol to download new workunits and
user information and to register new users. The implementation has three
security weaknesses:

1) All information is sent in plaintext across the network. This
information includes the processor type and the operating system of the
machine seti@home is running on.

2) There is a buffer overflow in the handler for the server's response.
Sending an overly long string followed by a newline ('\n') character to the
client triggers this overflow. This has been tested with various versions
of the client; all versions are presumed to have this flaw in some form.

3) A similar buffer overflow seems to affect the main seti@home server at
shserver2.ssl.berkeley.edu: it closes the connection after receiving an
overly long string of bytes followed by a '\n'.

THE TECHNIQUE--------------------------------------------------------------

1) Sniffing the information exposed by the seti@home client is trivial and
very useful to a malicious person planning an attack on a network. A
passive inventory of the machines on a network (processor type and
operating system) can be built with any packet sniffer that sees the
client's traffic.

2) All tested clients have similar buffer overflows, which allowed
setting EIP to an arbitrary value, which can lead to arbitrary code
execution. An attacker would have to reroute the connection the client
tries to make to the seti@home web server to a machine he or she controls.
This can be done using various widely available spoofing tools. Seti@home
also has the ability to use an HTTP proxy, so an attacker could also use
the machine the proxy runs on as a base for this attack. Routers can also
be used as a base for this attack.

3) Exploitation of the bug in the server has of course not been tested.
Do understand that successful exploitation of the bug in the server would
offer a platform from which ALL seti@home clients can be exploited.
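
The overflow described in 2) under THE VULNERABILITIES and the EIP control
described under THE TECHNIQUE, as an added example that is not part of the
original advisory and not the SETI@home clients' code: a hypothetical
response-line handler with the unbounded copy-until-newline bug, a simulated
x86 frame that shows the copy landing on the saved return address, the
hardened replacement that drops the connection on an overlong line, and a
builder for the malicious line (also usable as the server-side DoS probe).
The frame layout, the 32-byte buffer size, all function names and the
0xdeadbeef value are assumptions for illustration; the real clients' buffer
sizes and offsets are not given in the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical x86 stack frame of a response handler (constructed for this
 * example, not the real client's layout): the fixed-size line buffer sits
 * just below the saved frame pointer and the saved return address, which
 * is why an overlong line reaches EIP. */
struct handler_frame {
    char     line[32];
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

/* VULNERABLE pattern as the advisory describes it: copy bytes until '\n'
 * with no comparison against sizeof line. Bytes past line[31] land on
 * saved_ebp, then saved_eip. The one clamp against sizeof *f exists only
 * so this demo never writes outside the simulated frame object; the real
 * handler had no such limit and kept writing into the caller's frame. */
int handle_response_vulnerable(struct handler_frame *f,
                               const unsigned char *wire, size_t wire_len)
{
    unsigned char *raw = (unsigned char *)f;   /* byte view of the frame */
    size_t i = 0;

    while (i < wire_len && wire[i] != '\n') {
        if (i < sizeof *f)                     /* demo-only clamp */
            raw[i] = wire[i];
        i++;                                   /* never checked against 32 */
    }
    if (i == wire_len)
        return -1;                             /* no newline yet */
    if (i < sizeof f->line)
        f->line[i] = '\0';
    return 0;
}

enum resp_status { RESP_OK = 0, RESP_NEED_MORE = 1, RESP_TOO_LONG = 2 };

/* HARDENED handler: a line is accepted only if its '\n' arrives within
 * line_sz - 1 bytes (so the NUL still fits). A longer line is a protocol
 * violation from the peer; the caller should drop the connection rather
 * than keep buffering. line_sz must be >= 1. */
enum resp_status handle_response_hardened(char *line, size_t line_sz,
                                          const unsigned char *wire,
                                          size_t wire_len, size_t *consumed)
{
    size_t limit = wire_len < line_sz ? wire_len : line_sz;
    size_t i;

    for (i = 0; i < limit; i++) {
        if (wire[i] == '\n') {             /* i <= line_sz - 1 chars */
            memcpy(line, wire, i);
            line[i] = '\0';
            *consumed = i + 1;
            return RESP_OK;
        }
    }
    *consumed = 0;
    return wire_len >= line_sz ? RESP_TOO_LONG : RESP_NEED_MORE;
}

/* Build one malicious response line: filler bytes, a 32-bit value in x86
 * little-endian order, then the '\n' that terminates the line. With
 * filler_len = sizeof line + sizeof saved_ebp the value lands on saved_eip.
 * For the server-side DoS probe the same builder works with a large
 * filler_len and a throw-away value. Returns 0 if out is too small. */
size_t build_overflow_line(unsigned char *out, size_t out_sz,
                           size_t filler_len, uint32_t value)
{
    size_t total = filler_len + 4 + 1;
    if (total > out_sz)
        return 0;
    memset(out, 'A', filler_len);
    out[filler_len + 0] = (unsigned char)(value & 0xff);
    out[filler_len + 1] = (unsigned char)((value >> 8) & 0xff);
    out[filler_len + 2] = (unsigned char)((value >> 16) & 0xff);
    out[filler_len + 3] = (unsigned char)((value >> 24) & 0xff);
    out[filler_len + 4] = '\n';
    return total;
}

/* Read the simulated saved_eip the way a little-endian CPU would. */
uint32_t frame_eip_le(const struct handler_frame *f)
{
    const unsigned char *p = (const unsigned char *)&f->saved_eip;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

int main(void)
{
    unsigned char wire[64];
    struct handler_frame f;
    char safe[32];
    size_t n, used;

    memset(&f, 0, sizeof f);
    f.saved_eip = 0x08048abcu;          /* pretend legitimate return address */
    n = build_overflow_line(wire, sizeof wire,
                            sizeof f.line + sizeof f.saved_ebp, 0xdeadbeefu);
    handle_response_vulnerable(&f, wire, n);
    printf("vulnerable handler: saved_eip is now 0x%08x\n", frame_eip_le(&f));
    printf("hardened handler: status %d (2 = too long, drop connection)\n",
           handle_response_hardened(safe, sizeof safe, wire, n, &used));
    return 0;
}
```

The hardened handler's three-way result matters: NEED_MORE keeps a
partial line in the socket buffer, OK hands back a NUL-terminated line, and
TOO_LONG is an error the caller must act on by closing the connection, which
is also the only safe reaction a server can have to the DoS probe described
in 3).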

THE EXPLOITS---------------------------------------------------------------

Attached to this mail you will find a sample exploit, running on Linux, that
will supply a remote shell to an attacker for various Linux clients. It
will crash the *BSD client, the Windows command-line client and the Windows
screensaver.

TIMELINE-------------------------------------------------------------------

2002/12/05 Information leakage discovered.
2002/12/14 Buffer overflow in client discovered.
2002/12/31 Seti@home team contacted through their website
             http://setiathome.berkeley.edu/help.html.
2003/01/07 Seti@home team contacted again.
2003/01/14 Buffer overflow in server discovered.
2003/01/21 Seti@home team contacted again, this time through email.
2003/01/21 Seti@home team confirmed the problem.
2003/01/25 Seti@home team promised that fixed versions were being built.
2003/02/03 Seti@home team informed me about problems with the fixes for the
             win32 version.

In more than three months, the seti@home team has been unable to produce
patched versions of the clients.

THANKS---------------------------------------------------------------------

Special thanks go out to:
- Aleph1 for "Smashing the Stack for Fun and Profit".
- Niels Heinen for his work on exploiting seti@home on FreeBSD.
- Blazde and the other 0dd folks for help with the win32 shellcode.

UNRELATED REQUEST----------------------------------------------------------

I'd like to take this opportunity to inform everybody who's interested that
I am looking for a place to do an internship from August 2003 until
January 2004. I am looking for a company where I can do some security-
related programming. I am a 26 year old student of Information Technology at
the TH Rijswijk in the Netherlands. I have experience with various
programming and scripting languages, operating systems and protocols. If you
know of a company who would be interested or if you need more details like
my C.V., please contact me through email at the address below.

Best regards,

Berend-Jan Wever
  SkyLined@...p.tudelft.nl
  http://Spoor12.EduP.TUDelft.nl

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

