Message-ID: <N1-kN775OIYha@Safe-mail.net>
Date: Fri Sep 30 16:38:44 2005
From: apexpoizen at Safe-mail.net (apexpoizen@...e-mail.net)
Subject: SA Security Bulletin: Zorch Vulnerability in Rhino Snarf Java Interpreter

_________________________________________________________________

                  Sexy Action Security Bulletin
	
                    SASB-2005-09-30-GR8-2B-EL8

       Zorch Vulnerability in Rhino Snarf Java Interpreter

_________________________________________________________________


        Platform:               GibsonOS
        CPU Type:               Any
        Package:                Rhino Snarf Pharynx
        Affected Versions:      2.1 (current) and earlier
        Vulnerability Type:     c|n>k, wirewater overflow, death
        Severity (1-10):        10
        Author:                 @pex p01zen


Executive Summary:

Rhino Snarf is a popular peer-to-peer client used for packet
sniffing, wirewater communication, and downloading non-physical
data over a wide area network such as the internet.  This 
vulnerability affects versions 2.1 (current) and earlier, 
running on any GibsonOS system.

A Zorch Vulnerability that exists in the Snarf Protocol is
capable of rendering any unprotected CPU useless via a wirewater
buffer overflow through Pharynx, which is packaged with Rhino 
Snarf by default.

Several workarounds are suggested at the end of this document.


Problem Statement:

When Rhino Snarf uses the Wirewater Protocol to communicate over
WAN, it normally only calls on Pharynx to send overflow data to
the keyboard or monitor.  Pharynx buffer overflows (outgoing) are
by no means a new concept; since Rhino Snarf only allows
Wirewater data to flow -out- of Pharynx, the attack is single and
limited to the size of the buffer.

However a system glitch can cause Rhino Snarf and Pharynx to
sniff Java packets without any means of processing them.  This in
turn causes the user to send -and- receive Java packets over an
insecure protocol not designed to handle incoming connections.

Miscommunication of data type results in an autosomal dominant
compelling helio-ophthalmic outburst from Pharynx.  When used in
conjunction with Wirewater this can return a c|n>k type attack on
your computer.  However, if the system's CPU is unprotected, Java
data flowing from Pharynx can cause a Zorch attack on your CPU.
This renders the CPU useless through overheating.


Exploit Method:

On our test systems, we tricked Rhino Snarf into receiving Java
packets through Pharynx.  This intake caused Rhino Snarf to choke
on its own data.  As expected, a high level of system instability
was experienced before the helio-ophthalmic outburst was detected.

At a low data level this resulted in the predicted c|n>k attack.

However, if Pharynx is also receiving Java packets at the time of
the outburst, the overflow from Rhino Snarf is much greater
(since outflow is no longer limited to the size of the buffer).

To test this, Java packets were received through two open Pharynx
ports at once.  Rhino Snarf, unable to process the information,
not only caused an autosomal dominant compelling helio-ophthalmic
outburst, but the direction, velocity, and size of the attack saw
data sent directly to the CPU.  Excess Java packets caused the
CPU fan to short-circuit and die.  The CPU Heatsink was then next
as it conducted the excessive heat towards the CPU.  Overwhelming
amounts of data spilled out onto the Motherboard at which point
it became impossible to monitor the system due to a total CPU
Zorch.

System Death was recorded at approximately 5.3 seconds after the
miscommunication began.


Fix:

There are a number of methods for preventing this attack, however
once 2 port miscommunication to Pharynx has occurred, very little
can be done to stop the attack in progress.  Based on research by
our team of security professionals, it is suggested that users
block all incoming Java connections on the Rhino Snarf port and
ensure their computer case is properly constructed.
