From: joetesta@hushmail.com
Date: Sun Dec 02 2001 - 17:15:44 CST

    -----BEGIN PGP SIGNED MESSAGE-----

    Vulnerability in SETI@home

        Overview

    SETI@home (http://setiathome.berkeley.edu/) is a distributed project that
    allows ordinary citizens to participate in the search for extraterrestrial
    intelligence using their computer's idle time. A buffer overflow exists
    in the UNIX client software.

    NOTE: this vulnerability is NOT exploitable in the default installation.

        Details

    The "i386-pc-linux-gnu-gnulibc2.1" version of the setiathome client (and
    possibly others) is vulnerable to buffer overflow. Example:

    # ./setiathome -version
    SETI@home client.
    Platform: i386-pc-linux-gnu-gnulibc2.1
    Version: 3.03

    ...
    ...

    # ./setiathome -socks_server `perl -e 'print "A" x 5604;'`
    Segmentation fault
    # ./setiathome -socks_user `perl -e 'print "A" x 5344;'`
    Segmentation fault
    # ./setiathome -socks_passwd `perl -e 'print "A" x 5280;'`
    Segmentation fault
    #

    [root@seti /home/setiathome]# gdb setiathome
    GNU gdb 5.0rh-5 Red Hat Linux 7.1
    Copyright 2001 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux"...
    (no debugging symbols found)...
    (gdb) r -socks_server `perl -e 'print "A" x 5604;'`
    Starting program: /home/setiathome/setiathome -socks_server `perl -e 'print "A" x 5604;'`

    Program received signal SIGSEGV, Segmentation fault.
    0x2ab4d409 in strcpy () from /lib/libc.so.6
    (gdb) info registers
    eax 0x0 0
    ecx 0x40404040 1077952576
    edx 0x41414141 1094795585
    ebx 0xfefefeff -16843009
    esp 0x7fffe664 0x7fffe664
    ebp 0x7fffe6bc 0x7fffe6bc
    esi 0x7ffffe28 2147483176
    edi 0x807bffd 134725629
    eip 0x2ab4d409 0x2ab4d409
    eflags 0x10246 66118
    cs 0x23 35
    ss 0x2b 43
    ds 0x2b 43
    es 0x2b 43
    fs 0x0 0
    gs 0x0 0
    fctrl 0x37f 895
    fstat 0x0 0
    ftag 0xffff 65535
    fiseg 0x0 0
    fioff 0x0 0
    foseg 0x0 0
    fooff 0x0 0
    fop 0x0 0

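    The crash above lands inside libc's strcpy() with the 'A' fill visible in
    the registers, which is the signature of an option value copied into a
    fixed-size buffer with no length check. The following C program is an
    added example, not code from the SETI@home client (whose source is not on
    this page): it places that unbounded-copy pattern beside a bounded setter
    that refuses values which do not fit. The buffer size SOCKS_OPT_LEN, the
    function names and the argument-building helper are this example's own
    assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size for the option buffer: the advisory does not state the real
 * client's buffer sizes, and every name below is this example's own. */
#define SOCKS_OPT_LEN 256

/* Vulnerable pattern: copy an option value from argv into a fixed-size
 * buffer with no length check. A value longer than the buffer overruns it,
 * consistent with the SIGSEGV inside strcpy() shown in the advisory.
 * Present for contrast only; nothing below calls it. */
void set_socks_option_unsafe(char dst[SOCKS_OPT_LEN], const char *value)
{
    strcpy(dst, value);
}

/* Hardened version: reject values that do not fit (leaving room for the
 * terminator), copy exactly the bytes that were checked, and always
 * terminate. Returns 0 on success and -1 when the value is rejected. */
int set_socks_option_safe(char *dst, size_t dst_len, const char *value)
{
    size_t n = strlen(value);

    if (dst_len == 0 || n >= dst_len)
        return -1;                 /* would overflow: refuse, do not truncate */

    memcpy(dst, value, n + 1);     /* n + 1 copies the NUL terminator too */
    return 0;
}

/* Helper: build a value of `len` repeated 'A's, like the advisory's
 * perl -e 'print "A" x N' one-liner. The caller frees the result. */
char *make_fill(size_t len)
{
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', len);
    p[len] = '\0';
    return p;
}

/* Returns 1 if a value of `len` bytes is rejected by the hardened setter,
 * 0 if it is accepted, -1 on allocation failure. */
int overlong_rejected(size_t len)
{
    char buf[SOCKS_OPT_LEN];
    char *value = make_fill(len);
    int rejected;

    if (value == NULL)
        return -1;
    rejected = set_socks_option_safe(buf, sizeof buf, value) != 0;
    free(value);
    return rejected;
}

int main(void)
{
    /* The three lengths the advisory used to crash the client, plus a
     * short one that should be accepted. */
    size_t lens[] = { 5604, 5344, 5280, 16 };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("value of %zu bytes: %s\n", lens[i],
               overlong_rejected(lens[i]) ? "rejected" : "accepted");
    return 0;
}
```

    The bounded setter refuses an overlong value instead of silently
    truncating it: a truncated proxy hostname or credential would fail later
    in a confusing way, while an explicit rejection can be reported at the
    command line. The main() walks the three lengths from the advisory so the
    effect of the bound is visible without a debugger.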
        Solution

    The SETI@home UNIX client is not installed with a setuid bit by default.
    If one was added to it -- perhaps to run it under a 'setiathome' account --
    remove it immediately.

        Vendor Status

    The project director, Dr. Dave P. Anderson, was contacted via
    <daveassl.berkeley.edu> on Monday, Nov 5th. He promptly replied that
    this problem will be fixed in the next release.

        - Joe Testa

    e-mail: joetesta@hushmail.com
    web page: http://hogs.rit.edu/~joet/
    AIM: LordSpankatron

    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.1
    Note: This signature can be verified at https://www.hushtools.com

    wl0EARECAB0FAjwKtmIWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNGeO
    AJ9lCce/+Xb91i7BzpWvEiGfnUmBTgCginYcBQJ1WcuQeBC/RDyELpNvKIQ=
    =M4UW
    -----END PGP SIGNATURE-----