Confirmed information leakage:
This issue affects all clients.
Confirmed remotely exploitable:
setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i386-pc-linux-gnulibc1-static
setiathome-3.03.i686-pc-linux-gnulibc1-static
setiathome-3.03.i386-winnt-cmdline.exe
i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
SETI@home.exe (v3.07 Screensaver)
Confirmed DoS-able using buffer overflow:
The main seti@home server at shserver2.ssl.berkeley.edu
Presumed vulnerable to buffer overflow:
All other clients.
BACKGROUND INFORMATION-----------------------------------------------------
From "http://setiathome.berkeley.edu/" :
"SETI@home is a scientific experiment that uses Internet-connected
computers in the Search for Extraterrestrial Intelligence (SETI). You
can participate by running a free program that downloads and analyzes
radio telescope data."
"The SETI@home program is a special kind of screensaver. Like other
screensavers it starts up when you leave your computer unattended, and
it shuts down as soon as you return to work. What it does in the interim
is unique. While you are getting coffee, or having lunch or sleeping,
your computer will be helping the Search for Extraterrestrial
Intelligence by analyzing data specially captured by the world's largest
radio telescope."
"The client/screensaver is available for download only from this web page
- we do not support SETI@home software obtained elsewhere. This software
will upload and download data only from our data server here at Berkeley.
The data server doesn't download any executable code to your computer.
All in all, the screensaver is much safer than the browser you're running
right now!"
There are currently over four million registered users of seti@home. Over
half a million of these users are "active"; they have returned at least one
result within the last four weeks.
THE VULNERABILITIES--------------------------------------------------------
The seti@home clients use the HTTP protocol to download new workunits and user
information, and to register new users. The implementation has two security
vulnerabilities:
1) All information is sent in plaintext across the network. This
information includes the processor type and the operating system of the
machine seti@home is running on.
2) There is a buffer overflow in the server-response handler. Sending an
overly long string followed by a newline ('\n') character to the client
triggers this overflow. This has been tested with various versions of
the client; all versions are presumed to have this flaw in some form.
3) A similar buffer overflow seems to affect the main seti@home server at
shserver2.ssl.berkeley.edu: it closes the connection after receiving an
overly long string of bytes followed by a '\n'.
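To illustrate the bug class in item 2 from a defender's side, here is an added example (constructed for this write-up, not the SETI@home client's source; the LINE_BUF size and the function names are assumptions): the unbounded "copy until newline" pattern next to a bounded reader that rejects an overlong line instead of writing past its buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_BUF 64   /* constructed buffer size for this example */

/* Vulnerable pattern: copies bytes up to '\n' with no bound on the
 * destination, so a line longer than the buffer overwrites adjacent memory.
 * Shown for contrast only; never call it on untrusted input. */
void copy_line_unbounded(const char *in, char *out) {
    while (*in != '\0' && *in != '\n')
        *out++ = *in++;
    *out = '\0';
}

/* Hardened form: never writes more than cap bytes (including the NUL).
 * Returns the line length, or -1 if the line does not fit. */
int copy_line_bounded(const char *in, size_t in_len, char *out, size_t cap) {
    size_t n = 0;
    while (n < in_len && in[n] != '\n') {
        if (n + 1 >= cap) {        /* no room for this byte plus the NUL */
            out[0] = '\0';
            return -1;
        }
        out[n] = in[n];
        n++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Builds a constructed response line of n 'A's followed by '\n' and runs it
 * through the bounded copy into a LINE_BUF-sized buffer. A handler that gets
 * -1 should drop the connection instead of parsing further. */
int probe_line_of_len(size_t n) {
    char resp[256];
    char line[LINE_BUF];
    if (n >= sizeof resp)
        return -1;
    memset(resp, 'A', n);
    resp[n] = '\n';
    return copy_line_bounded(resp, n + 1, line, sizeof line);
}

int main(void) {
    printf("63-byte line: %d\n", probe_line_of_len(63));   /* 63: fits */
    printf("64-byte line: %d\n", probe_line_of_len(64));   /* -1: rejected */
    return 0;
}
```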
TIMELINE-------------------------------------------------------------------
2002/12/05 Information leakage discovered.
2002/12/14 Buffer overflow in client discovered.
2002/12/31 Seti@home team contacted through their website
http://setiathome.berkeley.edu/help.html.
2003/01/07 Seti@home team contacted again.
2003/01/14 Buffer overflow in server discovered.
2003/01/21 Seti@home team contacted again, this time through email.
2003/01/21 Seti@home team confirmed the problem.
2003/01/25 Seti@home team promised fixed versions were being built.
2003/02/03 Seti@home team informed me about problems with the fixes for the
win32 version.