Serious security hole in the seti@home client

  • Thread starter Nesskiel
  • Start date

Nesskiel

Expert
Information obtained from one of the various computer-security mailing lists I follow.


Information leakage and remotely
exploitable buffer overflow in various
seti@home clients and the main server.

Confirmed information leaking:
This issue affects all clients.

Confirmed remote exploitable:
setiathome-3.03.i386-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i686-pc-linux-gnu-gnulibc2.1
setiathome-3.03.i386-pc-linux-gnulibc1-static
setiathome-3.03.i686-pc-linux-gnulibc1-static
setiathome-3.03.i386-winnt-cmdline.exe
i386-unknown-freebsd2.2.8 (Special thanks to Niels Heinen)
SETI@home.exe (v3.07 Screensaver)

Confirmed DoS-able using buffer overflow:
The main seti@home server at shserver2.ssl.berkeley.edu

Presumed vulnerable to buffer overflow:
All other clients.

BACKGROUND INFORMATION-----------------------------------------------------

From "http://setiathome.berkeley.edu/" :
"SETI@home is a scientific experiment that uses Internet-connected
computers in the Search for Extraterrestrial Intelligence (SETI). You
can participate by running a free program that downloads and analyzes
radio telescope data. "
"The SETI@home program is a special kind of screensaver. Like other
screensavers it starts up when you leave your computer unattended, and
it shuts down as soon as you return to work. What it does in the interim
is unique. While you are getting coffee, or having lunch or sleeping,
your computer will be helping the Search for Extraterrestrial
Intelligence by analyzing data specially captured by the world's largest
radio telescope. "
"The client/screensaver is available for download only from this web page
- we do not support SETI@home software obtained elsewhere. This software
will upload and download data only from our data server here at Berkeley.
The data server doesn't download any executable code to your computer.
All in all, the screensaver is much safer than the browser you're running
right now!"

There are currently over four million registered users of seti@home. Over half a million of these users are "active"; they have returned at least one result within the last four weeks.

THE VULNERABILITIES--------------------------------------------------------

The seti@home clients use the HTTP protocol to download new workunits, user information and to register new users. The implementation leaves two security vulnerabilities:

1) All information is sent in plaintext across the network. This information includes the processor type and the operating system of the machine seti@home is running on.

2) There is a buffer overflow in the server response handler. Sending an overly large string followed by a newline ('\n') character to the client will trigger this overflow. This has been tested with various versions of the client. All versions are presumed to have this flaw in some form.

3) A similar buffer overflow seems to affect the main seti@home server at shserver2.ssl.berkeley.edu. It closes the connection after receiving an overly large string of bytes followed by a '\n'.

THE TECHNIQUE--------------------------------------------------------------

1) Sniffing the information exposed by the seti@home client is trivial and very useful to a malicious person planning an attack on a network. A passive scan of machines on a network can be made using any packet sniffer to grab the information from the network.

2) All tested clients have similar buffer overflows, which allowed setting eip to an arbitrary value, which can lead to arbitrary code execution. An attacker would have to reroute the connection the client tries to make to the seti@home webserver to a machine he or she controls. This can be done using various widely available spoofing tools. Seti@home also has the ability to use an HTTP proxy; an attacker could also use the machine the proxy runs on as a base for this attack. Routers can also be used as a base for this attack.

3) Exploitation of the bug in the server has of course not been tested. Do understand that successful exploitation of the bug in the server would offer a platform from which ALL seti@home clients can be exploited.

THE EXPLOITS---------------------------------------------------------------

Attached to this mail you will find a sample exploit running on linux that will supply a remote shell to an attacker for various linux clients. It will crash the *BSD client, the windows commandline client and windows screensaver.

TIMELINE-------------------------------------------------------------------

2002/12/05 Information leakage discovered.
2002/12/14 Bufferoverflow in client discovered.
2002/12/31 Seti@home team contacted through their website
http://setiathome.berkeley.edu/help.html.
2003/01/07 Seti@home team contacted again.
2003/01/14 Bufferoverflow in server discovered.
2003/01/21 Seti@home team contacted again, this time through email.
2003/01/21 Seti@home team confirmed the problem.
2003/01/25 Seti@home team promised fixed versions are being built.
2003/02/03 Seti@home team informed me about problems with the fixes for the win32 version.

In more than three months, the seti@home team has been unable to produce a patched version of the clients.
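The bug class the advisory reports in points 2 and 3 (copying a server reply up to '\n' into a fixed-size buffer with no length check), shown beside a bounded handler. This is an added illustration written for this thread, not SETI@home source code and not the attached exploit: the buffer size REPLY_BUF_SIZE, the function names and the reply strings are all made up here, and the "trigger" is constructed in memory rather than captured from the network.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the client's reply buffer; the advisory does not
 * give the real client's buffer size. */
#define REPLY_BUF_SIZE 256

/* Build the trigger the advisory describes: an overly long run of bytes
 * followed by '\n'. Constructed test input, not captured traffic.
 * Returns the number of bytes written (n + 1), or -1 if buf is too small. */
int make_long_reply(size_t n, char *buf, size_t bufsz) {
    if (n + 2 > bufsz) return -1;
    memset(buf, 'A', n);
    buf[n] = '\n';
    buf[n + 1] = '\0';
    return (int)(n + 1);
}

/* Vulnerable pattern (illustrative, not the SETI@home source): copy the
 * server's reply into a fixed-size buffer up to '\n' with no check
 * against the buffer size. In a client this is typically a stack buffer,
 * so a long reply overwrites whatever follows it, including the saved
 * return address ("setting eip to an arbitrary value"). */
int handle_reply_unsafe(const char *reply, char *out) {
    size_t i = 0;
    while (reply[i] != '\0' && reply[i] != '\n') {
        out[i] = reply[i];          /* no bound on i */
        i++;
    }
    out[i] = '\0';
    return (int)i;
}

/* How many bytes the unsafe loop writes for a given reply: one per byte
 * before the first '\n' (or end of string) plus the terminating NUL.
 * Lets us reason about the overflow without performing it. */
size_t unsafe_bytes_written(const char *reply) {
    return strcspn(reply, "\n") + 1;
}

/* Hardened handler: bound the copy by the destination size, reject (rather
 * than silently truncate) a line that does not fit, require the '\n' the
 * protocol expects, and always NUL-terminate.
 * Returns the line length, -1 if it would not fit, -2 if no '\n' was seen. */
int handle_reply_safe(const char *reply, char *out, size_t outsz) {
    if (outsz == 0) return -1;
    size_t i = 0;
    for (;;) {
        char c = reply[i];
        if (c == '\n') break;
        if (c == '\0') { out[0] = '\0'; return -2; }
        if (i + 1 >= outsz) { out[0] = '\0'; return -1; }
        out[i++] = c;
    }
    out[i] = '\0';
    return (int)i;
}

/* Scenario checks used by main(); each returns the handler's result. */
int check_long_reply_overflows_unsafe(void) {
    static char payload[REPLY_BUF_SIZE * 8];
    make_long_reply(REPLY_BUF_SIZE * 4, payload, sizeof payload);
    return unsafe_bytes_written(payload) > REPLY_BUF_SIZE;   /* 1: overflow */
}

int check_safe_rejects_long_reply(void) {
    static char payload[REPLY_BUF_SIZE * 8];
    char out[REPLY_BUF_SIZE];
    make_long_reply(REPLY_BUF_SIZE * 4, payload, sizeof payload);
    return handle_reply_safe(payload, out, sizeof out);      /* -1 */
}

int check_unsafe_on_normal_reply(void) {
    char out[REPLY_BUF_SIZE];
    return handle_reply_unsafe("result-accepted\n", out);    /* 15, fits */
}

int check_safe_accepts_normal_reply(void) {
    char out[REPLY_BUF_SIZE];
    int n = handle_reply_safe("result-accepted\n", out, sizeof out);
    return (n == 15 && strcmp(out, "result-accepted") == 0); /* 1 */
}

int main(void) {
    printf("unsafe handler overflows on long reply: %s\n",
           check_long_reply_overflows_unsafe() ? "yes" : "no");
    printf("safe handler on long reply: %d (expect -1)\n",
           check_safe_rejects_long_reply());
    printf("safe handler on normal reply ok: %s\n",
           check_safe_accepts_normal_reply() ? "yes" : "no");
    return 0;
}
```

The hardened handler rejects an over-long line instead of truncating it: a truncated protocol message can still be misparsed downstream, and the client has no legitimate reason to accept a reply that does not fit its buffer. The attack path in the advisory (redirecting the client, or sitting on its HTTP proxy or a router) only matters because the client trusts whatever answers on that connection; the fix belongs in the handler, not in the network.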

 

patry

Expert
Don't kid yourself: writing a patch when the product only has a few weeks left to live isn't smart. On the other hand, not taking it into account for BOINC would be a regrettable mistake!
It looks like "collateral damage", in today's dialect.
 

Nesskiel

Expert
It's just for your information; I haven't used it for quite a while ;)
 

Ministry

Expert
New graphical version 3.08 which should fix this problem.

Likewise, the text client for win32 and i686-pc-linux-gnu is available in 3.08.

 

patry

Expert
Ministry wrote:
> New graphical version 3.08 which should fix this problem.
>
> Likewise, the text client for win32 and i686-pc-linux-gnu is available in 3.08.

Which shows I was wrong! Well done Berkeley (if only they were as quick with the stats!!!).
 

patry

Expert
Ministry wrote:
> It must be done, we've finally :sarcastic: lost our 27000 WU :o

Well no, still not ... "Who benefits from the crime?"
 

grapinou

Expert
What is the real total, the one for the results of registered users?
 