OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: distributed.net and setihome
From: Seth R Arnold (sarnoldWILLAMETTE.EDU)
Date: Tue Feb 01 2000 - 00:21:22 CST

Ok, so this shows that getting custom data to the clients is possible --
which leaves the clients themselves open for buffer overflows, or new
program code (one fellow that was a starting force for distributed.net left
them to form a new startup [10 points to whoever can remember the name for
me :] with a client that includes the ability to download new modules. His
setup made it look difficult to insert malicious code into the system, but
that may have depended on the security of the master servers -- which could
be emulated with an arp poison attack..)

So, is anyone here good at figuring out if given binaries can be buffer
overflowed? (Brock Tellier, I am thinking in your direction. :)

On Mon, Jan 31, 2000 at 10:10:57AM -0500, Clifford, Shawn A wrote:
> If you are in the same broadcast domain as the client/target, might an ARP
> cache poison work?
>
> I've modified Mike Shiffman's 'poink' code so that you can specify
> target/dest Ethernet addresses for the purpose of ARP poisoning, rather than
> a DoS on Window$.
>
> Here's what you might do (on Solaris, anyway):
> 1) nslookup/ping the server (setiathome.ssl.berkley.edu ?) - save
> the IP address
> 2) ping <target>
> 3) arp <target> - save the ethernet address (for destination)
> 4) arp <my_host> - save the ethernet address (for target)
> 5) poink -s <my_ether> -d <target_ether> <server_ip>
>
> No you have 5 minutes (or ARP cache timeout) in which the SETI client should
> try to connect to a server on your machine to get data from SETI (or the
> specified IP address). Right?
>
> The get_arps.pl script below comes in the documentation for the LibPcap Perl
> module. You can verify your ARPs from poink are working with this script.
>
> Poink requires 'libnet' from the Packet Factory (www.packetfactory.net) and
> the LibPcap module from perl is from CPAN (www.cpan.org). Root is required
> to open the network interface.
>
> Incidentally, doing a broadcast ARP (dest ether addr = 00:00:00:00:00:00 or
> FF:FF:FF:FF:FF, is there a difference?), and specifying a bogus source ether
> for a given WinNT machine's IP address has the effect of a window dialogue
> on the victim's computer notifying him that his IP address is being used by
> someone else. So don't broadcast an ARP poison.
>
> I assume it would be possible to modify 'poink' so that a victim would
> receive a RARP reply storm (DoS attack) by broadcasting RARP requests with a
> spoofed source of the victim's ether? Well, that is getting off subject...
>
>
> Cheers,
> -- S
>
>
> > If the clients contact the server, the only way to exploit
> > the clients is to
> > make the client contact your own server I suppose.
> >
> > This could be done via changing DNS records manually on a upstream DNS
> > server, a hacked client, an entry in the hosts file, etc.
> > The all require
> > pretty much elevated access to the network (admin status) or
> > the computer,
> > in which case you don't have to use the distributed clients
> > to hack into the
> > machine.
> >
> > I think it is possible in some cases to insert a DNS cache
> > entry into a DNS
> > server manually, and you can fool all the clients that use
> > that DNS server
> > to contact your own server. Then you could send custom
> > packets back to the
> > client to overflow it, etc.
> >
> > That's about all I can think about right now. It's the
> > weekend, and I am
> > going to be lazy ;)
> 

--
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
Hi! I'm a .signature virus! Copy me into
your ~/.signature to help me spread!