Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: iDefense Security Advisory
From: "David Endler" <dendler () idefense com>
Date: Thu, 12 Dec 2002 20:06:56 -0500

Hash: SHA1

While it may seem rather obvious, this was not an iDEFENSE advisory. 
gobbles () husmail com is not an employee, contractor, contributor, nor
representative of iDEFENSE in any way.  All legitimate iDEFENSE
advisories are located at http://www.idefense.com/advisory and are
properly PGP signed when sent over email.


- -dave

David Endler, CISSP
Director, Technical Intelligence
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler () idefense com

-----Original Message-----
From: gobbles () hushmail com [mailto:gobbles () hushmail com]
Sent: Thursday, December 12, 2002 6:27 PM
To: full-disclosure () lists netsys com; bugtraq () securityfocus com;
vulnwatch () vulnwatch org; submissions () packetstormsecurity org;
str () cannibus dataforce net; vuln-dev () securityfocus com;
shok () camel ethereal net
Subject: iDefense Security Advisory


iDEFENSE Security Advisory 12.13.02:
Bufferoverflow in 0verkill Server
December 13, 2002


0verkill is a client-server 2d deathmatch-like game in ASCII art. 
It supports free connecting/disconnecting during the game, and 
runs well on
modem lines.  Graphics are in 16-color ASCII art with elaborate
hero animations.  0verkill features 4 different weapons, grenades, 
and armor.  The package also contains reaperbot clients, a 
simple graphics
editor, and a level editor.  The server portion of 0verkill 
listens on an
UDP port (6666 by default).


Remote explotation of a buffer overflow within the 0verkill 
server source
could allow a remote attacker to gain the privilages of 
whichever user the
process is running as.  Since there are no authentication 
measures built
into the game, this problem can be considered to be PREAUTH*. 
 This is a
very serious vulnerability and should be taken seriously.

The following is a snapshot of the exploit in action.

deraadt () zeus theos com:~$ ./0verkillflow -t 5 -h 
-o l -p 6666
Attacking host (Linux 2.4.20-grsec).
id; uname -a
uid=0(root) gid=0(root) 
Linux spender 2.4.20 #1 Sat Dec 7 13:44:54 EST 2002 i686 unknown

deraadt () zeus theos com:~$ su -
root () zeus theos com:~# rm -rf /&


Remote attackers can use this exploit to gain unauthorized 
access to your
corporate network if you do not immediately upgrade to the 
latest version of
0verkill.  We have seen evidence of this being exploited in 
the wild, and
suggest that ISS and Securityfocus increase the ARIS 
Threatcon to at least 7.

Most of our clients have probably already been compromised by 
this exploit of
ours, and those who were not running the daemon as root were 
probably later
rooted locally by bugs in **Abuse that the author refuses to patch.

Since this exploit exists in the wild, we will soon send our 
IDS signatures
to Max Vision and Martin Roesch so that they may update their 
IDS systems to
detect this version of the attack, and this exploit 
specifically.  Please
keep in mind that these signatures will not be sufficient for 
other versions
of the exploit, and that you may need to upgrade your IDS to a
better mechanism that is capable of detecting more than specific 
versions of an


To detect whether or not you are running a vulnerable version 
of the 0verkill
server or not, we suggest that you take the md5sum of the 
binary.  For example:

root () zeus theos com:/usr/src/0verkill-0.16# md5sum server
0f210947eec2ead10e00069896d2f4bb  server

If your server binary has the same checksum as our binary, 
here at iDefense
Labs, you are vulnerable to this attack and must immediately 
upgrade your
service to the latest version.  We're currently attempting to 
devise a more
reliable method to verify whether or not an executable is 
vulnerable or not,
but our research scientists are at this time stumped.

The IDS experts from Sourcefire, ISS, and NFR are currently 
studying this
vulnerability and are developing exploits for it, so that 
they might understand
all possible methods of exploitation, and accordingly create 
the proper dynamic
rules to help you detect all variations of this bug being 
exploited, instead of
a single version which ultimately won't help anything.  Once 
this has been done, you can replay your network traffic 
through your sensors and watch to see if this has been 
exploited on your network yet or not.


We have not been able to contact any of the developers for 
the software, and at this time there is no fix for the problem.


We have received information from Brian McWilliams which 
links MITRE to the
Al Quada terrorist network, and for this reason we will no 
longer participate
in any MITRE sponsored programs.


11/20/2002    Issue disclosed to iDEFENSE
12/08/2002    Maintainer, Brain (brain () artax karlin mff cuni cz),
              and NetBSD Security Officer 
(security-officer () netbsd org)
12/09/2002    Contacted CERT (cert () cert org) about the matter.
12/10/2002    Attempted to contact CERT again for assistance 
with contacting
              the authors of 0verkill.
12/11/2002    iDEFENSE clients notified
12/12/2002    Coordinated public disclosure


GOBBLES (GOBBLES () hushmail com) discovered this vulnerability.

*By PREAUTH, we mean pre-authentication.
**Please read our previous advisory on Abuse, which can be found
here:          http://www.idefense.com/advisory/11.01.02.txt

" Life without CERT is like the Chocolate Factory without 
Charlie :-( "

Version: PGP 8.0
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]