RE: iDefense Security Advisory

["David Endler" <dendler () idefense com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While it may seem rather obvious, this was not an iDEFENSE advisory. 
gobbles () husmail com is not an employee, contractor, contributor, nor
representative of iDEFENSE in any way.  All legitimate iDEFENSE
advisories are located at http://www.idefense.com/advisory and are
properly PGP signed when sent over email.

Thanks,

- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler () idefense com
www.idefense.com

> -----Original Message-----
> From: gobbles () hushmail com [mailto:gobbles () hushmail com]
> Sent: Thursday, December 12, 2002 6:27 PM
> To: full-disclosure () lists netsys com; bugtraq () securityfocus com;
> vulnwatch () vulnwatch org; submissions () packetstormsecurity org;
> str () cannibus dataforce net; vuln-dev () securityfocus com;
> shok () camel ethereal net
> Subject: iDefense Security Advisory
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> iDEFENSE Security Advisory 12.13.02:
> http://www.idefense.com/advisory/12.13.02.txt
> Bufferoverflow in 0verkill Server
> December 13, 2002
>
> I. BACKGROUND
>
> 0verkill is a client-server 2d deathmatch-like game in ASCII art. 
> It supports free connecting/disconnecting during the game, and 
> runs well on
> modem lines.  Graphics are in 16-color ASCII art with elaborate
> hero animations.  0verkill features 4 different weapons, grenades, 
> invisibility,
> and armor.  The package also contains reaperbot clients, a 
> simple graphics
> editor, and a level editor.  The server portion of 0verkill 
> listens on an
> UDP port (6666 by default).
>
>
> II. DESCRIPTION
>
> Remote explotation of a buffer overflow within the 0verkill 
> server source
> could allow a remote attacker to gain the privilages of 
> whichever user the
> process is running as.  Since there are no authentication 
> measures built
> into the game, this problem can be considered to be PREAUTH*. 
>  This is a
> very serious vulnerability and should be taken seriously.
>
> The following is a snapshot of the exploit in action.
>
> deraadt () zeus theos com:~$ ./0verkillflow -t 5 -h 192.168.0.1 
> -o l -p 6666
> Attacking host 192.168.0.1 (Linux 2.4.20-grsec).
> *GOBBLE*
> id; uname -a
> uid=0(root) gid=0(root) 
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> Linux spender 2.4.20 #1 Sat Dec 7 13:44:54 EST 2002 i686 unknown
> ^C
>
> deraadt () zeus theos com:~$ su -
> Password:
> root () zeus theos com:~# rm -rf /&
>
>
> III. ANALYSIS
>
> Remote attackers can use this exploit to gain unauthorized 
> access to your
> corporate network if you do not immediately upgrade to the 
> latest version of
> 0verkill.  We have seen evidence of this being exploited in 
> the wild, and
> suggest that ISS and Securityfocus increase the ARIS 
> Threatcon to at least 7.
>
> Most of our clients have probably already been compromised by 
> this exploit of
> ours, and those who were not running the daemon as root were 
> probably later
> rooted locally by bugs in **Abuse that the author refuses to patch.
>
> Since this exploit exists in the wild, we will soon send our 
> IDS signatures
> to Max Vision and Martin Roesch so that they may update their 
> IDS systems to
> detect this version of the attack, and this exploit 
> specifically.  Please
> keep in mind that these signatures will not be sufficient for 
> other versions
> of the exploit, and that you may need to upgrade your IDS to a
> better mechanism that is capable of detecting more than specific 
> versions of an
> attack.
>
>
> IV. DETECTION
>
> To detect whether or not you are running a vulnerable version 
> of the 0verkill
> server or not, we suggest that you take the md5sum of the 
> binary.  For example:
>
> root () zeus theos com:/usr/src/0verkill-0.16# md5sum server
> 0f210947eec2ead10e00069896d2f4bb  server
>
> If your server binary has the same checksum as our binary, 
> here at iDefense
> Labs, you are vulnerable to this attack and must immediately 
> upgrade your
> service to the latest version.  We're currently attempting to 
> devise a more
> reliable method to verify whether or not an executable is 
> vulnerable or not,
> but our research scientists are at this time stumped.
>
> The IDS experts from Sourcefire, ISS, and NFR are currently 
> studying this
> vulnerability and are developing exploits for it, so that 
> they might understand
> all possible methods of exploitation, and accordingly create 
> the proper dynamic
> rules to help you detect all variations of this bug being 
> exploited, instead of
> a single version which ultimately won't help anything.  Once 
> this has been done, you can replay your network traffic 
> through your sensors and watch to see if this has been 
> exploited on your network yet or not.
>
>
> V. VENDOR FIX
>
> We have not been able to contact any of the developers for 
> the software, and at this time there is no fix for the problem.
>
>
> VI. CVE INFORMATION
>
> We have received information from Brian McWilliams which 
> links MITRE to the
> Al Quada terrorist network, and for this reason we will no 
> longer participate
> in any MITRE sponsored programs.
>
>
> VII. DISCLOSURE TIMELINE
>
> 11/20/2002    Issue disclosed to iDEFENSE
> 12/08/2002    Maintainer, Brain (brain () artax karlin mff cuni cz),
>               and NetBSD Security Officer 
> (security-officer () netbsd org)
>               notified.
> 12/09/2002    Contacted CERT (cert () cert org) about the matter.
> 12/10/2002    Attempted to contact CERT again for assistance 
> with contacting
>               the authors of 0verkill.
> 12/11/2002    iDEFENSE clients notified
> 12/12/2002    Coordinated public disclosure
>
> VIII. CREDIT
>
> GOBBLES (GOBBLES () hushmail com) discovered this vulnerability.
>
> *By PREAUTH, we mean pre-authentication.
> **Please read our previous advisory on Abuse, which can be found
> here:          http://www.idefense.com/advisory/11.01.02.txt
>
> " Life without CERT is like the Chocolate Factory without 
> Charlie :-( "

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPfkxxkrdNYRLCswqEQKEEwCg5SglpcAEpH8sWVV435jVWO1sqi0AoPRF
71oUnPD15dVap17hzCeHrQr3
=UGXc
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html