Vulnerability Development mailing list archives
Re: distributed.net and seti@home
From: mpemble () ISINTEGRATION CO UK (Matthew Pemble)
Date: Sun, 30 Jan 2000 18:56:17 -0000
Folks, Sorry, not a d.net participant but seti uses DNS - it looks for "shserver.ssl.berkeley.edu", which is actually an alias for "sagan.ssl.berkeley.edu". I have had a careful look at seti@home client (as a security consultant) and I run it on my home computers and on the standard HD of my work laptop. If some-one could subvert the UCB computers, they could trojan your machines (it will download updates to the client program, as well as new data.) Me, I am personally prepared to take the risk. Matthew Pemble, Senior Consultant, IS Integration, Preston Technology Management Centre, Marsh Lane, PRESTON, Lancashire, PR1 8UD Tel: +44 (0)1772 885850 Fax: +44 (0)1772 558881 Mob: +44 (0) 7050 128620 Disclaimer: My boss does not understand what I am talking about. He cannot be held responsible for my opinions, even when they are accurate. Mailto:mpemble () isintegration co uk Web: http://www.isintegration.co.uk This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify your system manager or IS Integration Limited on +44 (0) 1772 885850 Any Views expressed in this e-mail message are those of the individual sending the message, except where the sender specifically states them to be the views of IS Integration Limited. -----Original Message----- From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of Shashi Dookhee Sent: 30 January 2000 17:17 To: VULN-DEV () SECURITYFOCUS COM Subject: Re: distributed.net and seti@home Doesnt Seti@home and rc5/etc use IP addresses, and not hostnames? That would make changing the DNS recordz futile, as they wouldnt need to resolve anything ;) Mr Shashi Dookhee Senior Systems Administrator Traffic Interactive Ltd Tel: (020) 7616 9039 Fax: (020) 7616 9030 ISDN: (020) 7616 9002 Mobile: 07803 760 315 Email: shashi () traffic co uk Web: http://www.traffic.co.uk -----Original Message----- From: Robert Wojciechowski Jr. <robertw () WOJO COM> To: VULN-DEV () SECURITYFOCUS COM <VULN-DEV () SECURITYFOCUS COM> Date: 30 January 2000 18:15 Subject: Re: distributed.net and seti@home
If the clients contact the server, the only way to exploit the clients is
to
make the client contact your own server I suppose. This could be done via changing DNS records manually on a upstream DNS server, a hacked client, an entry in the hosts file, etc. The all require pretty much elevated access to the network (admin status) or the computer, in which case you don't have to use the distributed clients to hack into
the
machine. I think it is possible in some cases to insert a DNS cache entry into a DNS server manually, and you can fool all the clients that use that DNS server to contact your own server. Then you could send custom packets back to the client to overflow it, etc. That's about all I can think about right now. It's the weekend, and I am going to be lazy ;) - Robert----- Original Message ----- From: Seth R Arnold [SMTP:sarnold () willamette edu] Sent: Saturday, January 29, 2000, 5:14:58 To: Robert Wojciechowski Jr. Cc: 'VULN-DEV () SECURITYFOCUS COM' Subject: Re: distributed.net and seti@home Robert, (and list :) -- with distributed.net and seti@home, I am not so concerned with open ports -- the client goes to the trouble of
downloading
input data all on its own, so an open port would be superfluous. (sp?) I am thinking more along the lines of a buffer overflow, or "u17r4-s3cr3t-31337-b@ckd00r", or something like that. My personal guess is both distributed.net and seti@home are secure enough for most everyone's purposes. But, that is a guess, and I haven't seen anyone try to see if there is a way to get either of them to execute code through malformed (or perfectly-formed :) data downloads. It would make
me
feel a lot better if someone out there (whitehat :) would take the
trouble
to try to find holes to be exploited -- because I know of a LOT ofmachinesthat could be compromised in extremely vulnerable positions -- all withtheblessings of system administrators trying to be politically active or
just
hoping to find aliens. :) Wouldn't it be annoying to wake up one day to find your whole
organization
has been 0wned as a result of running rc5 from distributed.net? I am not saying it would be easy, or even practical, but it might be
worth
checking into. :)Robert S. Wojciechowski Jr. robertw () wojo com
Current thread:
- distributed.net and seti@home Seth R Arnold (Jan 28)
- Re: distributed.net and seti@home Justin Lintz (Jan 28)
- Re: distributed.net and seti@home CyberPsychotic (Jan 30)
- <Possible follow-ups>
- Re: distributed.net and seti@home Robert Wojciechowski Jr. (Jan 28)
- Re: distributed.net and seti@home Seth R Arnold (Jan 29)
- Re: distributed.net and seti@home Robert Wojciechowski Jr. (Jan 29)
- Re: distributed.net and seti@home Blue Boar (Jan 30)
- Re: distributed.net and seti@home Shashi Dookhee (Jan 30)
- Re: distributed.net and seti@home Matthew Pemble (Jan 30)
- Re: distributed.net and seti@home hypnos (Jan 30)
- Oracle liberal world (Jan 30)
- Re: distributed.net and seti@home Bryce Walter (Jan 30)