Full Disclosure mailing list archives
SA Security Bulletin: Zorch Vulnerability in Rhino Snarf Java Interpretor
From: apexpoizen () Safe-mail net
Date: Fri, 30 Sep 2005 11:38:41 -0400
_________________________________________________________________
Sexy Action Security Bulletin SASB-2005-09-30-GR8-2B-EL8
Zorch Vulnerability in Rhino Snarf Java Interpreter
_________________________________________________________________

Platform: GibsonOS
CPU Type: Any
Package: Rhino Snarf Pharynx
Affected Versions: 2.1 (current) and earlier
Vulnerability Type: c|n>k, wirewater overflow, death
Severity (1-10): 10
Author: @pex p01zen

Executive Summary:

Rhino Snarf is a popular peer-to-peer client used for packet sniffing, wirewater communication, and downloading non-physical data over a wide area network such as the internet. This vulnerability affects versions 2.1 (current) and earlier, running on any GibsonOS system. A Zorch Vulnerability that exists in the Snarf Protocol is capable of rendering any unprotected CPU useless via a wirewater buffer overflow through Pharynx, which is packaged with Rhino Snarf by default. Several workarounds are suggested at the end of this document.

Problem Statement:

When Rhino Snarf uses the Wirewater Protocol to communicate over WAN, it normally only calls on Pharynx to send overflow data to the keyboard or monitor. Pharynx buffer overflows (outgoing) are by no means a new concept; since Rhino Snarf only allows Wirewater data to flow -out- of Pharynx, the attack is single and limited to the size of the buffer. However, a system glitch can cause Rhino Snarf and Pharynx to sniff Java packets without any means of processing them. This in turn causes the user to send -and- receive Java packets over an insecure protocol not designed to handle incoming connections. Miscommunication of data type results in an autosomal dominant compelling helio-ophthalmic outburst from Pharynx. When used in conjunction with Wirewater this can return a c|n>k type attack on your computer. However, if the system's CPU is unprotected, Java data flowing from Pharynx can cause a Zorch attack on your CPU. This renders the CPU useless through overheating.
Exploit Method:

On our test systems, we tricked Rhino Snarf into receiving Java packets through Pharynx. This intake caused Rhino Snarf to choke on its own data. As expected, a high level of system instability was experienced before the helio-ophthalmic outburst was detected. At a low data level this resulted in the predicted c|n>k attack. However, if Pharynx is also receiving Java packets at the time of the outburst, the overflow from Rhino Snarf is much greater (since outflow is no longer limited to the size of the buffer). To test this, Java packets were received through two open Pharynx ports at once. Rhino Snarf, unable to process the information, not only caused an autosomal dominant compelling helio-ophthalmic outburst, but the direction, velocity, and size of the attack saw data sent directly to the CPU. Excess Java packets caused the CPU fan to short-circuit and die. The CPU heatsink was next, as it conducted the excessive heat towards the CPU. Overwhelming amounts of data spilled out onto the motherboard, at which point it became impossible to monitor the system due to a total CPU Zorch. System death was recorded at approximately 5.3 seconds after the miscommunication began.

Fix:

There are a number of methods for preventing this attack; however, once two-port miscommunication to Pharynx has occurred, very little can be done to stop the attack in progress. Based on research by our team of security professionals, it is suggested that users block all incoming Java connections on the Rhino Snarf port and ensure their computer case is properly constructed.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/